“ISO 27001 is a tick box exercise”
“ISO 27001 is worthless”
“The problem with ISO 27001 is you can scope it to only include a small office”
Sound familiar? ISO 27001 is an international standard regarding the effective implementation of an Information Security Management System (ISMS). Whilst ISO 27001 is not the most modern standard (developed in 2013) and can often be deemed as out of touch with modern IT practices, it is all about the way you implement and integrate the standard into your business and make it fit your purpose.
Bridewell have implemented and certified organisations ranging from larger organisations, with mature governance in place, through to DevOps companies with a heavy technical and agile approach. No ISO 27001 implementations have ever been implemented completely in the same manner because organisations tend to always have some form of uniqueness in the way they do things. The negative statements about ISO 27001 tend not to be against it but rather when individuals have had bad exposure to the standard, where it is not implemented effectively and in a manner that aligns with the business. The problem is not with the ISO 27001 standard itself, it is the way it’s interpreted and implemented.
We have seen organisations gain ISO 27001 certification using a tick box approach but this has also meant that the same organisation had a weak security posture and was highly susceptible to an attack. Yes, organisations need to be certified for a number of reasons such as winning new business, but by not actually improving their security posture they are operating under a false sense of security (pardon the pun). So, how does this happen? Some common themes we come across are;
- A company only wanting the certification to win new business. Organisations with this as their principal driver will look for the quickest way to achieve the certification, and not for gaining any tangible improvements. This often leads to problems in retaining ISO 27001 certification, even in the rare chances they get certified in the first place.
- Security or compliance employees not having enough technical ability but able to hit the compliance requirements enough to mislead an auditor. This can lead an organisation’s executive team or clients into a false sense of security as they believe, because they are ISO 27001 certified, they have good security in place which is often not the case.
- The scope of the certification being limited to a small segment of the organisation, which provides little value or assurance to clients that the organisation has an effective ISMS that covers their operations.
- Lack of understanding across cloud variants (SaaS, PaaS, IaaS) and the demarcation of responsibilities for security, which can often lead to unknown security risks, no understanding of responsibilities for operational security tasks, exposing additional vulnerabilities and risk.
- Lack of understanding regarding software development, agile methodologies and container technology, and how it fits into the organisation’s ISMS. This can often lead to a situation whereby there is conflict between development and security teams because the implemented ISMS processes and procedures are viewed as archaic and not aligned with the way systems are developed and maintained in modern IT.
Hopefully you don’t want to be in these categories and you’re looking for a way to gain a measured, proportionate approach to becoming ISO 27001 certified that allows you to improve your overall security posture and identify and manage your risks effectively, whilst also aligning to your organisation’s culture and business strategy. There are some great companies working across information security and then there are some very bad ones, much like any other industry. If you are looking to engage security expertise to support you in achieving ISO 27001 certification then we recommend considering some of these points and asking these key questions to weed out the cowboys.
Be Clear On Your Scope And Needs
Understand what you want or are required to certify against in terms of your organisation. This includes things like physical locations, business processes/services, systems, data, people and how the demarcation of where your technical responsibilities start and end. This is key before embarking on engaging an expert to assist you with implementing ISO 27001, as this information is often required for them to provide you with a quotation.
Questions To Cover
What is the potential provider’s approach to risk assessments and risk management? Risk assessments should be identifying quality, accurate and relevant risks across your company. This will enable you to establish a baseline of the risks you face and improve your security posture over time, whilst meeting the requirements of ISO 27001. Risk assessments should also be considering supply chain risks, project risks and integrate into ongoing risk management and remediation activity across your organisation.
How will the potential provider implement an internal audit programme? Internal audits are a key part of monitoring the effectiveness of your controls and identifying areas for improvements. They can be time consuming, so understanding how a provider will implement this is paramount. Also, always ask what relevant qualifications and experience their employees have to deliver these audits, as ensuring competences is also a requirement of ISO 27001.
If a potential provider is providing you with a quote for certification, how do they ensure impartiality in the certification audit? A consultancy implementing the standard should not be certifying you, as this is like marking your own homework. You should be seeking to have a UKAS (United Kingdom Accreditation Service) accredited audit company to deliver the certification audit and then implementation experts to support you in implementing the standard. A company claiming to do all parts of the process should serve as a minor amber warning light.
In terms of implementing the Annex A controls of the standard, how will the potential provider implement them within the quoted time and ensure you have appropriate evidence to meet the requirements of ISO 27001? Many companies promise to deliver the standard in such short time-scales and whilst we know the standard needs to be implemented proportionally, it still needs to be implemented effectively. There are 10 Clauses and 114 controls available to you and it is important to understand how they will be implemented in your organisation and how you can evidence the controls are operating effectively. There may be significant resource requirements needed from your organisation to do this and it is important that you know what will be expected of you and your teams during the process.
How will the potential provider incorporate your suppliers and help you assess security within the supply chain? Supplier security is a key part of the standard and most organisations use a number of suppliers and cloud-based systems to enable their business to operate. It is key that you have a process to assess supplier security controls, understand the risks within the supply chain and work to mitigate these risks to an acceptable level. Therefore, ask your provider to explain their approach to supplier security and how it fits into your overall risk management practices.
How will the potential provider enable you to manage the ISO 27001 framework after you have achieved ISO 27001 certification? Ensure that your chosen provider is building a management system that has clearly defined roles, responsibilities and an action plan that allows you to maintain your certification status after becoming certified. ISO 27001 is a continual process, not a one-time activity and we see so many organisation’s implement the standard as a tick box exercise and in record speed, only to crash and burn when it comes to maintaining ISO 27001 certification.
What controls will the potential provider use to ensure they integrate your cloud applications into your ISMS? If you use cloud-based systems, ask how your cloud applications are going to be assessed and integrated into their proposed ISMS implementation. Providers should be able to tell you how they assess the security of cloud applications within their overall ISMS implementation and what other controls scale out to your cloud-based applications. This is not just an ISO 27001 issue, it is a common security issue we come across which many Cloud Access Security Brokers (CASB) can assist with. Alternatively, you may require a manual approach to addressing some of the security/operational IT requirements across your cloud estate.
If you are involved in Software Development, ask the potential provider how will they apply security controls that are integrated into your development lifecycle. Agile methodologies and securing the development lifecycle is something that can be completely ignored by security consultancies implementing ISO 27001, which is mainly due to lack of understanding and experience in these areas. Ask your provider how they integrate your development processes into the ISMS. It is also worth asking them about their experience with organisations involved in software development and exposure to common systems such as BitBucket, GitHub, Kubernetes, JIRA, Confluence, Slack, Docker, OpenStack and Jenkins etc.
Lastly, Get A Break Down Of The Implementation
Any provider should be able to demonstrate to you a detailed breakdown of their proposal, which should include consulting days required. This should be deliverable based and cover the ISO 27001 requirements, highlighting explicitly what you will be getting for your money. Your provider should also be able to assist you in improving your security posture, not just produce a document set. It is always good to prepare your requirements and question any potential provider in these areas, so you have the confidence in their ability to deliver for you.
We come across companies that offer to deliver ISO 27001 certification within 5-10 days, which simply is not possible in the majority of circumstances. Whilst it is great to receive a low quotation, it is wasted money if the expertise and service you purchase is not fit for purpose and does not adequately reflect your needs. This article will provide you with the information you need to put some key questions across to potential providers and gauge how well they are able to deal with them, allowing you to make a decision before choosing a provider.