Developing an ISO 27001-Conformant Integrated Internal Control Framework

Neil Jones | Senior Consultant at URM | Published on 11 Jan 2024

Table of Contents

In this blog we will discuss:

  • What are the most prominent information security frameworks?
  • What is the most common approach to establishing an ISO 27001 framework?
  • Possible approaches if you already have an existing control framework?
  • Mapping at the control test/guidance level
  • Plugging any gaps identified
  • What about where existing controls map to multiple Annex A controls?
  • Would it be easier to just start again?
  • Consider management buy-in to existing frameworks
  • Additional benefits of mapping at the internal test/guidance level

For those organisations looking to achieve ISO/IEC 27001 certification, developing and implementing an integrated internal control framework is a key requirement.  Whilst the controls to be implemented will be largely dictated by the mandatory risk assessment, a key question is to what degree you can take advantage of any existing control framework you may have in place.

Before addressing this question, what do we mean by an integrated internal control framework? Simply put, it is a set of controls that are integrated into business processes, such that the controls (or measures, as you may refer to them) become part of business-as-usual (BAU) operations for your organisation.  

What are the most prominent information security frameworks?

There are a variety of frameworks intended to allow such integration, each of which have a particular focus, for example:

  • COSO: internal control of information systems, predominantly geared towards external financial reporting.
  • COBIT: an IT governance framework and supporting toolset intended to bridge the gap between control requirements, technical issues and business risks.
  • ISO/IEC 27001: the International Standard for Information Security Management.

As per COSO, controls are integrated into business processes through 5 interrelated components: the control environment, risk assessment, control activities, information and communication, and monitoring. COBIT broadly supports this approach and, whilst distinct, ISO 27001 is consistent with it through the establishment of an information security management system (ISMS).

As stated, the focus of this blog is on the scenario where an organisation has already implemented a control framework and how that existing framework can be used to help it conform or certify to ISO 27001.  We are assuming that you already know what constitutes internal controls and are aware of the ISO 27001:2022 Standard with its Annex A control set.

What is the most common approach to establishing an ISO 27001 framework?

As indicated above, the approach for establishing an ISO 27001 control framework is broadly consistent with COSO, focussing on the assessment of information security-related risks, with topics including:

  • Implementing policies, procedures, a suitable organisational structure, job descriptions, etc.
  • Establishing segregation of duties and responsibilities, authorisation and approval processes, performance monitoring and control procedures
  • Managing assets and resources
  • Conducting risk management
  • Ensuring regulatory compliance
  • Establishing an independent internal audit function.

Much of this is considered as part of establishing the information security management system (or ISMS as it is often referred to).  In order to achieve ISO 27001 certification, it is necessary to implement an ISMS that fully meets the requirements as set out in Clauses 4 to 10 of the Standard.  It is a common misconception that ISO 27001 certification covers the controls implemented, but in fact an ISO certification is a certification of the ISMS, and through this an organisation can demonstrate that the controls it has implemented address the risks faced by the organisation.

Nevertheless, in implementing the ISMS, an organisation will identify the various controls that need to be established throughout the business to address the risks identified.  Whilst ISO 27001 includes a comprehensive control set (Annex A), it is not necessary to use this control set to achieve certification.  In theory, any set of controls can be used as long as, through the ISMS, an organisation can demonstrate that the controls it has implemented address and mitigate the risks identified.

In practice, many organisations embarking on the ISO 27001 journey do not have an ISMS nor an established internal controls framework.  Thus, when setting up their ISMS they adopt the ISO 27001 Annex A control set as their starting point, perhaps trimming out a few controls that are not relevant to their organisation.  But what do you do if you already have a control framework in place?

Possible approaches if you already have an existing control framework?

Make full use of what you have

It may seem obvious, but full use should be made of what you already have in place.  If you have already made the effort to establish a control framework, you don’t really want to throw away any of that investment. So, don’t.

As we have set out above, you do not need to use the ISO 27001 Annex A control set, but for the sake of expediency in achieving certification it is advisable to demonstrate and provide evidence that you have fully considered all 94 controls and show that you have covered all the bases. Of course, the baseline in the ISMS is the risk assessment, from which you can determine which controls need to be implemented.  In all likelihood, however, most organisations will find that Annex A is an excellent starting point and, at most, there will only be a handful of control areas that are not relevant to the organisation.  It remains then to establish how many of the required controls already exist in your previously established control framework.

Mapping at the control test/guidance level

Start with a mapping exercise of what you have against the ISO 27001:2022 control set.  It is very likely that your existing controls are articulated differently than in ISO 27001:2022, which can make a mapping exercise difficult and lengthy.  A practical way to get round this is to map at a lower level.

With an established control framework in place, it is assumed that internal conformance testing (internal ISO 27001 audits) is being undertaken against the framework, so there will be detailed control tests defined for each of the controls.  These should set out the processes, procedures, techniques, technologies, mechanisms and documentation that are expected within the organisation to implement the controls.  

Similarly, there is extensive controls guidance set out in ISO 27002:2022, articulated in a similar manner and detailing example processes, procedures, etc, that can be put in place to achieve the objectives of each control.  By matching processes, procedures, etc. in ISO 27002 to those expected in your existing controls testing, it is relatively straightforward to match your existing internal controls to the ISO 27001 control set.

It is likely that your existing internal controls will not cover the whole breadth of the ISO 27001:2022 Annex A control set, or at least not map one-to-one with ISO 27001 controls, with the mapping likely to fall into one of three broad categories:

  • ISO 27001:2022 controls that are missing from your existing internal controls.
  • ISO 27001 controls that are partially covered in your existing internal controls.
  • Your existing internal controls that cover multiple ISO 27001 controls, either fully or partially.

It is entirely possible, of course, that your existing control framework includes controls that are not covered in the ISO 27001:2022 control set. Such controls have no doubt been implemented for good reasons and can remain in the control framework.  Remember, the ISO 27001 certification relates to the ISMS, therefore as long as such controls address risks identified through the ISMS, they should remain.  For the purposes of this discussion, however, we can ignore these.

Plugging any gaps identified

Where ISO 27001 Annex A controls do not appear at all in your internal controls, it is a simple matter of defining new controls in the control framework.  To simplify the mapping to ISO 27001, the most practical approach is simply to incorporate the ISO 27001 controls into the control framework.  This makes life a little easier downstream when defining the internal tests, since these can be developed directly from the associated ISO 27002 guidance.

It is a bit trickier for the ISO 27001 controls that are only partially covered.  In this scenario, it is necessary to define new, suitably worded controls within the framework for those parts of the ISO 27001 controls that do not map.  The mapping can then be updated with these controls, whereby two or more internal controls will map to one ISO 27001 control.  It is a good idea to include a comments field in the mapping where you can detail, for each internal control, which parts of the ISO 27001 control are covered.  Since the mapping exercise has been performed at the control test/guidance level, it should be fairly clear which parts of the ISO 27002 guidance have not been covered: this again will be useful downstream for defining the testing of the new controls.

Where an internal control fully covers more than one ISO 27001 control, all that is required is to ensure the mapping clearly identifies all of the ISO 27001 controls that are covered by the internal control, so you will have one internal control mapping to multiple ISO 27001 controls.  Given the controls map fully, and the mapping has been determined at the control test/guidance level, the existing internal control testing should cover the needs of the ISO 27001 controls.

What about where existing controls map to multiple Annex A controls?

It becomes most complex where an existing internal control maps to multiple ISO 27001 controls (in some cases fully and in other cases only partially), possibly coupled with ISO 27001 controls partially covered in multiple internal controls, i.e., a many-to-many mapping.  In these cases, you need to adopt a hybrid approach between that for ISO 27001 controls partially mapped and that for internal controls mapping to multiple ISO 27001 controls.  Given the complexity, it is important to ensure that comments in the mapping make it clear which parts of which ISO 27001 controls are covered by each internal control.  Of course, as with the other cases above, since the mapping has been performed at the control test/guidance level, it is a relatively straightforward exercise to create internal control tests for any new internal controls by drawing on the guidance from the relevant parts of ISO 27002.

Through all of this it is important to remember that the mapping document (whatever form it may take) should be standalone and clearly demonstrate where each ISO 27001 control is covered by an internal control.  This will be invaluable when taking an ISO 27001 certification body (CB) assessor through the internal control coverage during your ISO 27001 certification, but will also serve as essential reference in future years.  You certainly don’t want to be embarking on such a mapping exercise for every year’s internal control test planning, so it is important to be able to refer back to this in future years.

Having completed the controls framework, you can then embark on defining tests to undertake as part of the internal audits.  As set out above, tests already defined for existing controls can largely be retained, so it will only be necessary to define tests for new controls identified as part of the mapping exercise and these can be drawn from the guidance in ISO 27002.

Would it be easier to just start again?

If you’re thinking this all sounds complex, well, yes it is.  So, wouldn’t it just be easier to throw the old controls framework away and use the ISO 27001:2022 control set?  The answer to that, unfortunately, is also complex.

Consider management buy-in to existing frameworks

To be effective, an internal controls framework needs to be endorsed by the executive leadership within the organisation, which sends the message to all members of staff that they must comply with the control framework.  It would be expected that the existing control framework has already received such endorsement, and it is unlikely to be a popular move with executive leadership to inform them that the investment they have already made in the control framework is to be discarded.  More importantly, executive leadership has already bought into the existing framework and understands why it is needed (there has undoubtedly already been an extensive investment in obtaining their buy-in), so it is likely to be easier to obtain their endorsement of modifying and enhancing the framework, rather than starting again.

A further consideration is that it is likely the decision to extend the control framework has been prompted by a strategic decision to seek ISO 27001 certification.  Presenting executive leadership with a plan to extend the internal controls framework will naturally link to their strategic vision and building on (and therefore not wasting) any prior work.

Possibly the most compelling argument for extending an existing control framework is ensuring adoption by management within the organisation. As detailed earlier, a control framework integrates into business processes, with controls being a key component of BAU operations.  It will, no doubt, have taken a significant effort to embed the existing internal controls within the organisation, possibly including a lengthy education and awareness campaign.  As the saying goes, ‘if it ain’t broke, don’t fix it’.  Since the management team is already familiar with the controls, it makes sense to preserve as much of them as possible, then undertake an enhanced education and awareness campaign to bring the new controls into the mix and highlight the few existing controls that may have changed.

So, in short, whilst extending the control framework may require more effort up front, it is likely to be easier to get buy-in and to implement in the long run.

Additional benefits of mapping at the internal test/guidance level

By undertaking the mapping at the internal test/guidance level, you are likely to start identifying potential deficiencies in advance of performing any internal testing and assessment.  Likely deficiencies to be spotted include:

  • Identifying holes in the information security policy set:  The ISO 27002 guidance refers to various topic-specific information security policies throughout the 2022 control set.  A thorough understanding of the control set, obtained through the mapping exercise, allows you to identify any that are missing (considering the requirements for such through the ISMS) from your own policy set and to start authoring these at the earliest opportunity.
  • Identifying holes in the ISMS:  The ISMS will need to meet the requirements of Clauses 4-10 of ISO 27001, which includes some more esoteric requirements.  You will, for example, need to cater for the needs of interested (internal and external) parties, where the mechanisms for achieving this may not necessarily be immediately obvious.  However, the ISO 27001:2022 Annex A control set includes controls which directly relate to these requirements, such as ‘Contact with authorities’ (5.5), ‘Legal, statutory, regulatory and contractual requirements’ (5.31) and ‘Intellectual property rights’ (5.32).  By considering the ISO 27002 guidance as part of the mapping exercise, it is possible to identify functions that have not been considered in the ISMS, either because they were not considered when setting up the ISMS or because the functions simply did not exist within the organisation.  Identifying such omissions at the earliest opportunity allows for the ISMS to be augmented, or the functions established in advance of ISO 27001 certification.
  • Continual improvement made easy(ier):  As with many things, the only constant in ISO 27001 is change.  The ISO 27001 Standard is subject to regular change, and it expects organisations to adopt an approach of continual improvement.  Fortunately, new versions of the ISO 27001 Standard clearly identify where changes are being made, so having a comprehensive mapping of your internal control framework to ISO 27001 will make it easier to identify where changes to your internal control framework will need to be made in order to conform with new versions.

Summary

You do not need to reinvent the wheel when seeking ISO 27001 certification.  If you already have an internal control framework established, you can undertake a mapping exercise to identify any gaps in your control framework, then plug those gaps by utilising additional controls from the Annex A control set of ISO 27001:2022.

Even if you don’t identify any missing controls when performing the mapping exercise, you will have produced a useful resource to call upon when your ISO 27001 ISMS is being assessed by your CB assessor.

Undertaking the mapping exercise at the internal test/guidance level allows you to identify new internal controls tests more easily for any new controls added to your internal control framework, saving effort downstream.

Most importantly, our recommendation is not to throw away any work previously done on your existing control framework.  There are distinct advantages in retaining as much of the existing framework as possible to smooth the path for executive management endorsement and easing the adoption by management throughout the organisation.

How URM can help

If your organisation needs assistance mapping your existing control framework to the requirements of ISO 27001, or with any other area of conformance to the Standard, URM’s large team of experienced ISO 27001 consultants can offer you reliable guidance and support.  With nearly 2 decades of ISO 27001 consultancy experience, URM is adept at supporting organisations at every stage of the Standard’s lifecycle, from conducting gap analysis and risk assessment, all the way through to implementation support and conducting the ISO 27001 internal audit. For organisations looking to transition their ISMS to the 2022 version of the Standard, we also offer an ISO/IEC 27001:2022 Transition training course, led by an experienced and practising ISO 27001 consultant.

Neil Jones
Senior Consultant at URM
Neil is a Senior Consultant at URM, with over 20 years of ‘real world’ information security knowledge and experience, having worked in complex telecommunications, (multinational) financial services and professional services environments, with both regional and global responsibilities.