There are many good reasons to implement an information security management system
(ISMS) and get it certified to ISO 27001, the International Standard for Information Security Management. The most common is that customers or clients, or in some cases stakeholders, want the assurance that an ISO 27001 certificate can provide.
At first glance, an ISMS project may seem daunting, however, there are some common misunderstandings about what is actually required and what has to be done to obtain an ISO 27001 certificate. This week’s blog addresses just that and looks at 5 common fallacies associated with ISO 27001 certification.
You might think that embarking on an ISO 27001 project is simply too large or complex a task. It is however sometimes possible to start small by limiting the scope of the information security management system (ISMS), (see previous URM blog) which can mean that the number of information assets and users, and the corresponding number of risks, is significantly smaller.
This can mean that the ISMS certification project is more manageable, and the scope of the ISMS can be extended later on, bringing more parts of the organisation into its scope. The initial certification audit, which comprises 2 stages, is often a demanding process; a scope extension is usually in one stage only and, because you’ve been through the certification audit experience once already, the extension audit is typically far easier to manage.
Certifying to ISO 27001 doesn’t mean you have to have perfect security; it means that you have processes in place that ensure that you know and enable you to manage your security risks; there will always be risks that have to be accepted. Providing you are taking a risk-based approach and you are making and executing plans to deal with those risks effectively and appropriately you can achieve certification to the Standard.
Annex A of ISO 27001 includes a list of 114 information security controls that can be used to manage risks and to reduce them to an acceptable level. It isn’t necessary to implement all 114 of these controls, but to select only those needed to reduce unacceptable risks, as well as any that are required by laws, regulations or contracts. Let’s briefly look at these three requirements. There are very few UK laws that require specific controls; some such as the Data Protection Act 2018 require ‘appropriate’ measures, or controls.
In terms of regulations, most regulated firms in the UK are required to manage risks of all types, including information security risks, but again there are very few of these that stipulate specific control types. With regard to contracts, you simply have to implement any specific controls that have been stated in the contract irrespective of ISO 27001. It is also worth noting that following your risk assessment, the controls you select to mitigate your risks and document within your risk treatment plan don’t have to be fully implemented before the certification audit.
Information security capability is simply part of the cost of doing business and, in the case of ISO 27001, certification can often be a business enabler and a market differentiator. Taking into account that the scope of the ISMS doesn’t, necessarily, need to be the entire organisation and that only necessary controls have to be selected and planned, a fresh look at the actual costs is probably a good idea. Many of the information security processes that make up an ISMS may already exist and, like any new business process or set of them, some external help may be needed initially but, in most cases, the activities needed to look after an ISMS can be accommodated by existing people in the organisation.
Of course, technical information security controls have a price, but in many cases very inexpensive controls such as policies, training and awareness can reduce risks as well as, or even better than, additional software or hardware.
The implementation of the ISMS and any selected controls are typically the most expensive elements and you are likely to need to do these things anyway to manage risk, irrespective as to whether or not you become certified. The actual certification process is relatively less expensive and simply amounts to paying for the time of a respected certification body to come and assess you and to provide a report on conformance along with a certificate.
ISO 27001 stipulates only 10 process elements that must be documented and all of these make complete sense. How you document these is entirely up to you – written document, process map etc. In addition, and whether an ISMS is in place or not, other information security processes or activities will always benefit from a written procedure or written record. It’s up to you to decide which processes you want to document in the form of a policy, procedure or record; you only need to do it if it helps.
Only 8 of the 114 information security controls listed in Annex A of ISO 27001, if selected, must be documented. Again, it’s up to you to decide whether documenting any of the others you select is beneficial.