From Chaos to Conformance: A series on implementing an ISMS

Dispelling some common myths.

This is a new blog series on implementing an Information Security Management System (ISMS) based on ISO/IEC 27001:2013 (ISO 27001). This is the first in a series of blog articles aimed at helping organisations understand the value of implementing an ISMS that conforms with ISO 27001.

Over the last few months I’ve seen a lot of misinformation being circulated from our industry about ISO 27001. This includes misunderstanding on what the standard is and isn’t, and what ‘complying’ with it means. I thought I’d start the series by dispelling a few of the most common misconceptions that I’ve seen recently.

Myth one – ISO 27001 is a control catalogue
The standard is not, I repeat not, a controls catalogue. Table A.1 in Annex A in ISO 27001 defines a set of control objectives and controls that are derived from ISO 27002. However, the standard is clear that Annex A (and by implication ISO 27002) is designed to be used with Clause 6.1.3 Information security risk treatment. The use of Annex A and/or ISO 27002 is not compulsory, as Clause 6.1.3 states that an organisation can select risk treatments from any source. (We’ll discuss this in more detail in the blog posts on 6 Planning and 8 Operation).

ISO 27001 provides the requirements for organisations to establish, implement, maintain and continually improve an ISMS that can help and support them in achieving their business goals and objectives. The requirements presented in the standard are generic and intended to be relevant to all organisation, irrespective of their type, size or nature. Organisations that wish to claim conformity with the standard cannot omit any of the requirements in Clauses 4 to 10. The following outlines the content of these clauses, which will be covered in future articles:

4 Context of the organisation
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement

Organisations that merely choose to define and implement a set of information security policies and controls based on Annex A (and/or ISO 27002) will not be able to claim conformance with the ISO 27001 standard or undergo certification against it. Note: I’m not saying that these organisations won’t have sufficient governance, risk and assurance practices in place to ensure that information security is effectively managed, just that they cannot claim conformity with the standard.

Myth two – ISO 27001 Certification covers everything
Organisations can define the scope of their ISMS, which means they can choose to limit its coverage to a specific business capability, product or physical location. Therefore, it is it critical that any organisation that is relying on a service provider’s or vendor’s ISO 27001 Certification to provide it with assurance, understand the scope of their ISMS. This is particularly important for organisations that are adopting cloud services. Assurance can only be achieved through the Cloud Service Provider building trust by being transparent about its scope and the outcome of its third-party certification audits.

Myth three – ISO 27001 Certification is a compliance exercise
As discussed, ISO 27001 is not a control catalogue. Therefore, there is no such thing as compliance with ISO 27001. However, organisations can achieve conformance with the standard by meeting all the requirements defined in Clauses 4 to 10. Does this really matter? Yes, I believe it does. It is important to recognise that conformance and compliance are not the same thing.

Unlike other standards like the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001 is not externally mandated. Whereas, organisation can choose to adopt the standard when developing and implementing their ISMS. ISO 27000:2014 defines the terms and definitions used in the ISO 27000 series of standards. It does not define compliance. However, it does define conformity as the fulfilment of a requirement and nonconformity as the non-fulfilment of a requirement.

Myth four – Compatibility with modern development and operations practices
Finally, I have recently had discussions with people who believe that ISO 27001 is incompatible with modern development and operational practices (i.e. DevOps). However, nothing could be further from the truth. These practices help to deliver consistency and enable organisations to meet the requirement in 9 Performance evaluation and 10 Improvement, as well as providing evidence of the intent, implementation and effectiveness of their selected risk treatments.

In conclusion, nearly all organisations are now reliant on information technology to deliver their desired business outcomes. ISO 27001 provides an effective and efficient way for organisations to establish an Information Security Management System that is tailored to their specific context, enabling the demonstration of strong information security governance, risk and assurance management.

In the next post, we’ll discuss the requirements defined in 4 Context of the organisation.