There are many good reasons to implement an information security management system (ISMS) and get it certified to ISO 27001, the International Standard for Information Security Management. The most common is that customers or clients, or in some cases stakeholders, want the assurance that an ISO 27001 certificate can provide.
At first glance, an ISMS project may seem daunting, however, there are some common misunderstandings about what is actually required and what has to be done to obtain an ISO 27001 certificate. This blog addresses just that and looks at 5 common fallacies associated with ISO 27001 certification.
1 – “My organisation is too large or too complex”
You might think that embarking on an ISO 27001 project is simply too large or complex a task. It is sometimes possible, however, to start small by limiting the scope of the ISMS, thus the number of information assets and users, and the corresponding number of risks, is significantly smaller.
This can mean that the ISMS certification project is more manageable, and the scope of the ISMS can be extended later, bringing more parts of the organisation into its sphere. The initial certification audit, which comprises 2 stages, is often a demanding process, however, a scope extension is usually in one stage only and, because you’ve been through the certification audit experience once already, the extension audit is typically far easier to manage.
2 – “I have to resolve all of my security issues first”
Certifying to ISO 27001 doesn’t mean you have to have perfect security; it means that you have processes in place that ensure and enable you to manage your security risks; there will always be risks that have to be accepted. Providing you are taking a risk-based approach, and you are making and executing plans to deal with those risks effectively and appropriately, you can achieve certification to the Standard.
3 – “There are too many controls to implement”
Annex A of ISO 27001 includes a list of 114 (the updated standard will reduce this to 93) information security controls that can be used to manage risks and to reduce them to an acceptable level. It isn’t necessary to implement all 114 of these controls, but to select only those needed to reduce unacceptable risks, as well as any that are required by laws, regulations or contracts. Let’s briefly look at these three requirements. There are very few UK laws that require specific controls; some, such as the Data Protection Act 2018, require ‘appropriate’ measures, or controls. Due consideration of applicable EU legislation (General Data Protection Regulation- GDPR) may also be worthwhile.
In terms of regulations, most regulated firms in the UK are required to manage risks of all types, including information security risks, but again there are very few of these that stipulate specific control types. With regard to contracts, you simply have to implement any specific controls that have been stated in the contract irrespective of ISO 27001. It is also worth noting that following your risk assessment, the controls you select to mitigate your risks and document within your risk treatment plan don’t have to be fully implemented before the certification audit.
4 – “It’s too expensive”
Information security capability is simply part of the cost of doing business and, in the case of ISO 27001, certification can often be a business enabler and a market differentiator. Taking into account that the scope of the ISMS doesn’t necessarily need to be the entire organisation, and that only necessary controls have to be selected and planned, a fresh look at the actual costs is probably a good idea. Many of the information security processes that make up an ISMS may already exist and, like any new business process or set of them, some external help may be needed initially, however, in most cases, the activities needed to look after an ISMS can be accommodated by existing people in the organisation.
Of course, technical information security controls have a price, but in many cases very inexpensive controls such as policies, and training and awareness, can reduce risks as well as, or even better than, additional software or hardware.
The implementation of the ISMS and any selected controls are typically the most expensive elements and you are likely to need to do these things anyway to manage risk, irrespective as to whether or not you become certified. The actual certification process is relatively less expensive and simply amounts to paying for the time of a respected certification body to come and assess you and to provide a report on conformance, along with a certificate.
5 – “It involves too much documentation”
ISO 27001 stipulates only 10 process elements that must be documented, and all of these make complete sense. How you document these is entirely up to you – written document, process map etc. In addition, and whether an ISMS is in place or not, other information security processes or activities will always benefit from a written procedure or written record. It’s up to you to decide which processes you want to document in the form of a policy, procedure or record; you only need to do it if it helps.
The 114 controls listed in Annex A of ISO 27001 are, theoretically, all optional. Your organisation must decide whether it is going to include or exclude each control and provide a rationale for that decision. Of the controls that you decide to include, several require supporting documentation, some explicitly state a requirement for a policy statement, other areas are a little more flexible. This is a list of the key areas that suggest supporting documentation:
A5. Policies for information security. A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.
Examples of such policy topics include:
- A6.2 Mobile devices and teleworking
- A8 Information classification (and handling)
- A8.1.3 Acceptable use of assets
- A.9 Access control policy
- A.10 Cryptographic controls
- A11 Physical and environmental security
- A11.2.9 Clear desk and clear screen
- A13.2.1 Information transfer
- A12.2 Protection from malware
- A12.3 Back ups
- A12.6.1 Management of technical vulnerabilities
- A12.6.2 Restrictions on software installation and use
- A13 Communications security
- A15 Supplier relationships
- A18.1.4 Privacy and protection of personally identifiable information.
During the implementation of your ISMS, you may identify other areas that may benefit from a policy. The controls in A7, for example, relate to HR security and contain guidance on screening, onboarding, disciplinary and termination activities. Each of these elements could be a standalone policy or could be consolidated into a single ‘HR policy’. However your organisation decides to capture the relevant information, you should note that any documentation (however it is produced or whatever form it is held) in support of your ISMS will require to be controlled in the same manner as the mandatory documentation requirements of the Standard.
Due to the increased use of information technologies and the ‘human’ involvement (both malicious, accidental and incompetent!), it is inevitable we are all going to face more and more information...