Delivering expert cyber security solutions to small and medium-sized businesses

Learn More

Connecting the Dots with ISO 27001

Connecting the Dots Part 1 by Robert Cohen

Over the last 7 years, I’ve had the opportunity to work with a plethora of clients who were either interested in implementing or obtaining an ISO 27001 certification for their Information Security Management System (ISMS). I’ve also conducted numerous internal audits and assisted clients as part of their certification and surveillance audits. If there was one key aspect of the ISO 27001 process; it’s that most folks who attempt to implement the ISO 27001 standard have the misconception that when they finish with “this one document” they write the next and don’t look back to make sure they’re developing an integrated security program.

The final piece I want to introduce you to, is that 85-90% of identified nonconformities occur, not with implementing the in-scope Annex A controls, but with the framework part of the ISMS Standard (Clauses 4-10). Those pesky documents that we write out “because we have to” in order to get certified, are more important than just a “paperwork drill”. Most companies that make the decision to complete the ISO 27001 process are technically secure; however, the real question is, is the organization truly compliant? The thought is “if the controls are in place, we can obtain a certification”. The answer is no, you can’t. A certifiable ISMS is more than technical security controls, and therefore more than an “IT problem”. Developing an ISO 27001-compliant ISMS requires an overarching security program that includes every aspect of an organization, from top management to the end user and every in-scope department. That’s why ISO 27001 is more than just a catalogue of controls, it’s the framework for a complete security program.

I thought I’d write a series of blogs, this being the first, on how to connect the dots between the ISMS framework documents and how they lead to a more effective implementation of the controls from Annex A (or any other framework from which you select your controls).

Let’s take a look at Requirements Clause 4 Context of the Organization. In Clause 4.1 the standard mentions external and internal issues.  What exactly does that mean? Where does it pop up again? (and yes, it does pop up again. More on that in a minute).

Internal and External Issues are anything that affects your ability to achieve the objectives of your ISMS. So, before you can list the issues, you need to figure out what your objectives are. By the way, objectives are auditable so keep them close by. Getting back to issues, we need to ask ourselves what are the conditions that may affect our ability to implement an ISMS? Please note the following conditions:

  • Is security understaffed and underfunded? Do you have to fight for resources because security is “an IT issue”?
  • Is your IT infrastructure 10 years old because the organization does not want to risk breaking things through upgrades?
  • Is shadow IT a problem?
  • Is the company acquiring other companies, making integration difficult?
  • Do you have vendors that do not have strong security programs?
  • Are you under legislated, regulatory, or contractual obligations for security that contradict, or change so quickly, you’re constantly in “react mode” and can’t take the time to implement properly?

If these sound like risks, you’d be 100% correct. That’s why for each identified issue, we need to determine if they should be added to our risk assessment. That is the reason why requirements clause 6.1.1 reads:

When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

  1. a) ensure the information security management system can achieve its intended outcome(s)

We have to make sure that the issues we identify are considered for inclusion in our risk assessment.

Next time I’ll talk more about objectives and how they tie into these issues.

Until next time….Cheers

CONTACT US FOR A FREE CONSULTATIONGetting started in security can be challenging. Let us help ease the burden of security and compliance with our small-mid sized business services and solutions.