From Chaos to Conformance: More ISO 27001 myths

Dispelling more common myths

Okay, I know I promised to delve into and discuss the requirements defined in 4 Context of the organisation. However, I realised that there are other common myths that I should dispel for those of you who are interested in implementing an Information Security Management System (ISMS) that conforms with ISO/IEC 27001:2013 (ISO 27001).

Myth Five – It’s all about IT security

This is very closely related to Myth One in the previous article (see here): many organisations believe that ISO 27001 is all about implementing IT security. This is one of the biggest misconceptions about information security in general, let alone about implementing an ISMS based on ISO 27001.

While it might seem logical to throw the standard at the IT department and ask them to ensure that you conform with it, this is unlikely to lead to a successful outcome. ISO 27001 is about establishing, implementing, maintaining and continually improving a management system that ensures all information security risks, not just IT security risks, are identified, evaluated and effectively managed so that they remain within the organisation’s risk appetite.

Information security risks can affect information assets held in physical or digital form, and they can relate to the people, processes and technologies used to deliver a business goal or outcome. A compromised paper record, an untrained employee or a broken business process is as much an information security risk as a misconfigured server. Therefore, the implementation of an ISMS based on ISO 27001 must be treated as a business initiative, not an IT project.

Myth Six – It’s all about the documentation

Some organisations believe that ISO 27001 is simply about creating a standard set of documents. In fact, this myth is perpetuated by an entire industry dedicated to selling ISO 27001 documentation templates.

Although documentation is important for any organisation implementing an ISMS based on ISO 27001, the goal of the standard is not to create documentation for its own sake. The goal is to implement an ISMS, supported by the required documentation and evidence, that ensures the organisation’s information assets are appropriately protected against all relevant information security risks, and that corrects any activities found to be underperforming (i.e. continual improvement).

Having said that, there are a set of requirements for documented information that are spread throughout the standard. The following provides a summary of them by clause:

4.3 Scope of the ISMS
5.2 Information security policy
6.1.2 Information security risk assessment process
6.1.3 Information security risk treatment process
6.1.3 d) Statement of Applicability
6.2 Information security objectives
7.2 d) Evidence of competence
7.5.1 b) Documented information determined by the organisation as being necessary for the effectiveness of the ISMS
8.1 Operational planning and control
8.2 Results of the information security risk assessments
8.3 Results of the information security risk treatment
9.1 Evidence of the monitoring and measurement results
9.2 g) Evidence of the audit programme(s) and the audit results
9.3 Evidence of the results of management reviews
10.1 f) Evidence of the nature of the nonconformities and any subsequent actions taken
10.1 g) Evidence of the results of any corrective action

As discussed in the previous article, the requirements presented in the standard are generic and intended to be relevant to all organisations, irrespective of their type, size or nature. Therefore, it does not prescribe exactly what the required documents listed above should contain (i.e. there is no standard content, format, etc.). What matters to an auditor is that the documented information exists, is controlled, and reflects what the organisation actually does.

Myth Seven – We just need an Information Security Policy

At the opposite end of the scale from Myth Six are the organisations that believe they just need an information security policy to conform with the standard. Whilst it is a requirement of the standard to have a policy (see 5.2 in the list above), it is certainly not the only required document; the list above shows that evidence is required from the risk assessment process through to corrective action.

Myth Eight – We can implement our ISMS quickly

This is closely related to Myth Six, due largely to the availability of ISO 27001 documentation templates. Sure, you can create a standardised set of documents based on templates within two to three months, but I can guarantee it won’t result in an ISMS that conforms with, and can be certified against, the requirements defined in the standard. As we’ll discuss over the series, documentation is important, but it must reflect and be relevant to your business context, or you will simply have created expensive shelfware that gathers dust and is irrelevant to you and your staff.

Implementing an ISMS based on ISO 27001 takes time. It is not easy to analyse an organisation’s business practices, determine the associated information security risks and the controls required to manage them effectively, gain assurance that those controls are effective, and address any issues found. If it were, all organisations would be ISO 27001 certified!

Myth Nine – It’s too hard to implement an ISMS based on ISO 27001

Once an organisation realises that there is significantly more to implementing an ISMS based on ISO 27001 than creating a standard document set, it occasionally decides that it’s just too hard and abandons the idea. While I agree it’s not easy to implement an ISMS based on the standard, it’s really not that difficult either. It requires the organisation to commit to actually meeting all of the requirements defined in Clauses 4 – 10. As discussed in the previous article, these requirements are generic and intended to be relevant to all organisations, irrespective of their type, size or nature. That said, the size and complexity of an organisation obviously affect the effort required to implement an ISMS successfully. Where the organisation is large and/or very complex, I typically recommend taking an Agile approach to the project by limiting the scope to something more manageable, for example a specific business capability, product/service or physical location, and expanding it in later iterations.

Myth Ten – It’s just a marketing exercise

A very large proportion of organisations see certifying against ISO 27001 merely as a marketing exercise. I agree that you are highly likely to gain a competitive advantage over competitors that are not certified, especially if your products and/or services mean you are entrusted with sensitive information. Hell, you may even gain new clients because you can easily demonstrate to potential clients that you are able to protect their information more effectively than your competitors, leading to greater market share and higher profits. However, this should not be the main driver for organisations looking to gain certification against the standard.

As discussed, the goal is to establish, implement, maintain and continually improve an ISMS that ensures all information security risks are identified, evaluated and effectively managed so that they remain within the organisation’s risk appetite. If you gain market share because you have achieved certification against the standard, that is definitely a bonus, but I really must caution against using it as the primary driver for implementing an ISMS.

In conclusion, there is a large amount of information and misinformation available about what implementing an ISMS that conforms with ISO 27001 involves. Therefore, it really is important to separate the good from the bad. Hopefully this and the previous article have cleared up the main misconceptions people have about the standard.


In the next post, I promise that we’ll discuss the requirements defined in 4 Context of the organisation.