
> Do you believe the PDCA Model is an important part of the ISO 27001 process? If so, why? If not, why not?

> What is the value of the ISO 27001 certification to a business?

> What do you view as key issues when selecting an ISO 27001 auditing company?

Need minimum 3 pages with peer-reviewed citations. No need for introduction or conclusion.

27 The ISO27001 audit

While some organizations might still debate the value of ISO27001 certification (arguing that what matters is the implementation of an effective ISMS rather than a badge), the market is moving against them, and a major objective of this book is to help those organizations that see the value in certification to be successful in achieving it. The first three chapters clearly explained all the benefits that accrue from a successful certification, and these will not be rehearsed here; a certification audit is a practical and cost-effective way of meeting the requirement in Control 18.2.1 for an independent review of information security, and provides a means of demonstrating compliance with ISO27001.

A certification audit will tend to use negative reporting (that is, it will identify inadequacies rather than adequacies) to assess an ISMS to ensure that its documented procedures and processes, the actual activities of the organization and the records of implementation meet the requirements of ISO27001 and the declared scope of the system. The outcome of the audit will be a written audit report (usually available soon after the completion of the audit) and a number of nonconformities and observations together with necessary corrective actions and agreed time-frames.

Selection of auditors

Chapter 3 touched on some of the issues that should be taken into account in selecting an ISO27001 certification body. Of course, any organization seeking certification will want to be sure that there is a cultural fit between itself and its supplier of certification services, and there will certainly be all the normal issues of ensuring that there is alignment between the desires of the buyer and the offering, including pricing and service, of the vendor.

IT GOVERNANCE366

It is completely appropriate to treat the selection of a certification body with the same professionalism as the selection of any other supplier.

There are three key issues that need to be taken into account when making this selection. The first is a general issue, the second is relevant to organizations that already have one or more externally certified management systems in place and the third applies specifically to organizations tackling ISO27001.

The first key point is that you should only use an accredited certification body (CB, also sometimes called a Registrar), one that is formally accredited by a National Accreditation Body that is a signatory to the International Accreditation Forum (IAF). These CBs deliver internationally recognized certification services, and their certificates are recognized as valid by all other IAF members; in other words, a UKAS-accredited certificate will be recognized as equivalent to a locally issued certificate accredited by another national accreditation body elsewhere in the world. There are a small number of unaccredited certification bodies offering combined consultancy and certification services outside the recognized international scheme; as they operate outside of the internationally recognized framework it is impossible to determine their competence, or extent of independence and hence the value to put on their certificates in terms of both assurance and credibility. Avoid them.

Secondly, it is essential that your ISMS is fully integrated into your organization; it will not work effectively if it operates outside of the management and operation of the organization or exists outside of and parallel to any other management systems.

Logically, this means that the framework, processes and controls of the ISMS must, to the greatest extent possible, be integrated with, for instance, your ISO9001 quality system; you want one document control system, one set of processes for each part of the organization, etc. Clearly, therefore, the certification body assessment of your management system must also be integrated: you want only one audit, which deals with all the aspects of your management system. It is simply too disruptive of the organization, too costly and too destructive of good business practice to have anything else. You should take this into account when selecting your ISO27001 certification body, and ensure that whoever you choose can and does offer an integrated assessment service. However, the fact that a CB is accredited to offer ISO9001 certification does not automatically mean it is accredited for ISO27001; you will need to check with the CB. If you are currently using a CB that is not accredited for ISO27001, you will have to consider switching to one that is able to offer certification to both standards.


The third issue that you should take into account when selecting your supplier of certification services is their approach to certification itself. An ISMS is fundamentally designed to reflect the organization’s assessment of risks in and around information security. In other words, each ISMS will be different. It is important therefore that each external assessment of an ISMS takes that difference into account so that the client gets an assessment that adds value to its business (which includes positive feedback as well as nonconformities), rather than one that is merely a mechanical comparison of the ISMS against the requirements of ISO27001. Inquiring how a potential provider of ISO 27001 certification ensures its auditors are appropriately competent for your specific business is one means of helping ensure you receive a valuable service.

Once an accredited certification body has been selected and terms agreed (using the same basis of contracting as is applied to any other third-party supplier), the organization can turn to the actual process of certification. This process will be completely familiar to any organization that has already undergone certification to ISO9000 or any other management system standard. The certification body will want to go through an initial two-stage process. The first stage will be a Stage 1 audit, which enables the audit body to become acquainted with the organization, to carry out a document review, to assure themselves that the ISMS is sufficiently well developed to be capable of withstanding a formal audit and to obtain enough information about the organization and the intended scope of the certification to plan their Stage 2 audit effectively. This visit is usually relatively short and, depending on the size of the organization, may require only one or two days to carry out. The certification body will use this visit to ensure it has sufficient time and the appropriate competency profile in the audit team to successfully complete the Stage 2 audit, as well as to ensure that your organization is ready for that challenge.

Initial audit

The first formal audit, known as the initial audit, will usually take place over two stages. The audit process involves testing the organization’s documented processes (the ISMS) against the requirements of the standard (Stage 1, a readiness review), to confirm that the organization has set out to comply with the standard, and then testing actual compliance by the organization with its ISMS (Stage 2, the implementation audit). The entire two-stage audit will follow a pre-ordained plan, and the auditors will have communicated with whoever is their liaison point (usually the information security manager) about whom they will wish to interview and in what order they will want to do it. There is no defined maximum period between the Stage 1 and Stage 2 audits, although it is unusual for it to exceed three months. Some negotiation is possible here, but usually over timing and availability rather than subject matter.

Each audit will start and finish with a management meeting. The auditors, just like financial ones, will need a separate room for the duration of the audit and appropriate arrangements made for refreshments. Many audits will involve at least two auditors, who may have different areas of expertise. There will be a lead, or principal, auditor, who will be responsible for the overall progress of the audit. The organization being audited should ensure that its liaison is on hand to support the auditors throughout the process; this might include guiding auditors around the premises, introducing them to those staff next on their list to interview, and dealing with queries and issues arising.

At the end of each day, there will usually be a brief wrap-up meeting at which (usually) any areas of nonconformity with either the standard or the ISMS are identified. This part of the process will again be completely familiar to any organization that has gone through an ISO9001 certification. Nonconformities can be either minor or major; minor ones tend to vary in usefulness but major ones could very easily mean that the organization is not (at this stage) capable of successful certification. Often, upon identification of a major nonconformity the auditors will suggest that the audit process be suspended and started afresh once the organization has had time enough to address this major issue. This can be expensive and time-consuming, and have a negative effect on morale and the commitment within the organization to achieving certification.

There are two components to carrying out successful certification audits. The first is the level of preparedness of the organization’s ISMS and the second is the way in which the employees of the organization are themselves prepared for the audit.

Preparation for audit

No audit can take place until sufficient time has passed for the organization to have in place a working internal audit and management review process and to demonstrate compliance with clause 10, the requirement for improvement. In other words, auditors will be looking for evidence that the ISMS is continuing to improve, not merely that it has been implemented. This means that a period of time will have to elapse between completion of the implementation and commencement of audit. How long will depend on the complexity of the organization and its ISMS, but one should assume that there will need to be good progress with the first cycle of internal audits for all of the key processes and arrangements. (It is for the certification body to determine exactly what it requires in order to be convinced of the establishment, effectiveness and ongoing arrangements for internal ISMS audit and management review, aspects it is required to confirm prior to issuing a certificate, and hence possibly something worth asking when selecting your certification body.)

The level of preparedness for an audit should then be assessed by carrying out a comprehensive review. The detailed work should be carried out by the information security adviser and by the quality function, and this should all be reviewed by the management information security forum. A comprehensive review could use this book, starting with Chapter 4, and question the extent to which adequate steps have been taken to implement the various recommendations.

The Statement of Applicability (SoA) needs particularly detailed review. It should be possible to identify the extent to which each of the controls identified as necessary has been implemented and, where implementation has been only partial, to determine what steps (and how long they will take) will be necessary to complete its implementation. In particular, all instances in which the organization has chosen not to implement a recommended control should be reviewed in detail to ensure that this decision was appropriate, and that the justification for exclusion that is included on the SoA is sufficient. Similarly, all instances in which a control has been implemented to a greater or lesser extent than indicated as necessary by a proper information security risk assessment should be reviewed, and if it is not possible (too difficult, expensive, etc) to improve the level to which the control has been implemented, managers should formally accept the highest level of residual risk.

Once a comprehensive review has been completed and the management steering group is satisfied that the ISMS is complete, complies with the standard and has been adequately implemented (and at least one cycle of internal audits of key areas of the ISMS as identified by the risk assessment also needs to have been completed), then the organization can safely move on to the Stage 1 visit by its external auditors.


Preparation of staff within the organization, prior to the audit, as to what they might expect and how to handle auditors is also a valuable step. Staff should be taught that auditors should be treated with complete honesty, and direct answers should always be given, even if this requires admitting to a lack of knowledge or error. Equally, staff should be trained to answer the question asked by the auditor and not to provide more, or less, information than is required. Auditors will usually ask for an explanation as to how a particular component of the ISMS works and will then want to be shown. This is normal and is how the audit is conducted.

ISO27001 Assessments Without Tears (available from https://www.itgovernance.co.uk/shop/product/iso27001-2013-assessments-without-tears-a-pocket-guide-second-edition) provides useful advice to those who are likely to be interviewed by an auditor. ISO27007 and ISO27008 set out guidelines for the ISO27001 auditor on how to conduct an audit. They are valuable both to the organization’s internal audit teams as part of their training and to the management information security forum so that they understand the approach that the auditors will take and can ensure that the organization is adequately prepared for the audit. The latter provides detailed guidance on auditing Annex A controls.

The outcome of the initial audit should, if the organization has diligently followed all the recommendations contained in this manual, be a positive recommendation for certification of the ISMS to ISO27001 and the issue of a certificate setting this out. The certificate should be appropriately displayed and the organization should start preparing for its first surveillance visit, which will take place about six to twelve months later. Any minor nonconformities should be capable of being closed out by mail, and any certificate issued will be dependent on this happening within an agreed timescale.

The certificate will refer to the latest version of the SoA and auditors will check for updates at their subsequent visits. Therefore, when supplying a copy of the certificate to clients, stakeholders or other parties, the organization should be prepared to provide a copy of the most recent SoA (whether controlled or otherwise). While the SoA is a living document, updated as and when necessary, the organization should endeavour to keep such updates and alterations to a minimum.

It is possible that the issued accredited certificate mentions international and national standards from which information security controls in the SoA have been selected, such as ISO27017 and/or ISO27018.


Terminology

It is worth noting that different accredited certification bodies use different terms to describe what are, without wishing to imply a preference or endorsement of any one option, simply major and minor nonconformities. Some of the descriptors currently in use are shown in Table 27.1.

TABLE 27.1 Terms used by different accredited certification bodies for major and minor nonconformities

Major                       Minor
major nonconformity         minor nonconformity
category 1 nonconformity    category 2 nonconformity
nonconformity               issue
major nonconformity         nonconformity

Not all CBs will raise nonconformities at the Stage 1 audit; some will make ‘findings’, which should nevertheless be dealt with through your nonconformity and corrective action process like any nonconformity.

While variations in the use of terminology are obviously annoying, given that the accredited certification bodies work in the field of standardization, this inconsistency needs to be acknowledged for other reasons. With the increasing use of ISO27001-accredited certification in the supply chain, we will no doubt see these terms being used to specify reporting requirements, measure conformance and compare organizations. Obviously, unless the terminology is clearly defined for such applications, it could lead to meaningless comparisons.

3 ISO27001

Benefits of certification

There are a number of direct, practical reasons for implementing an information security policy and information security management system (ISMS) that is capable of being independently certified (or registered) as compliant with ISO/IEC 27001. An accredited certificate tells existing and potential customers that the organization has defined and put in place effective information security processes, thus helping create a trusting relationship. A certification process also helps the organization focus on continuously improving its information security processes. Of course, above all, certification, and the regular external review on which ongoing certification depends, ensures that the organization keeps its information security system up to scratch, and therefore that it continues to ensure its ability to operate.

Most information systems are not designed from the outset to be secure. Technical security measures are limited in their ability to protect an information system. Management systems and procedural controls are essential components of any really secure information system and, to be effective, need careful planning and attention to detail.

ISO27001 provides the specification for an ISMS, and in the related code of practice, ISO/IEC 27002, it draws on the knowledge of a group of experienced information security practitioners in a wide range of significant organizations across more than 50 countries to set out best practice in information security controls. An ISO27001-compliant system will provide a systematic approach to identifying and combating the entire range of potential risks to the organization’s information assets, the variety and impact of which were described in Chapter 1. It will also provide directors of UK- and US-listed companies, directors of UK government organizations covered by the government’s ‘Orange Book’, and directors in the supply chains of both public- and private-sector organizations with both a systematic way of meeting their responsibilities under the UK Corporate Governance Code, the FRC Risk Guidance and Sarbanes–Oxley, as described in Chapter 2, and the wide range of interlocking data protection and privacy legislation to which they are subject, and demonstrable evidence that they have done so to a consistent standard.

It also enables organizations outside the United Kingdom and United States to demonstrate that they are complying with their national corporate governance requirements as well as the data protection and privacy legislation in their local jurisdiction. Equally importantly, an ISO27001 certificate enables an organization to demonstrate to any of its customers that its systems are secure; and this, in the modern, global information economy, is at least as important as demonstrating compliance with local legislation. ISBS 2010 identified that 68 per cent of large UK organizations had been asked by their customers to demonstrate compliance with information security requirements. Possession of a suitably scoped ISO27001 certificate enables a supplier cost-effectively to answer the information security and governance questions in request for proposal (RFP) and pre-tender questionnaires.

Certification to ISO27001 of the organization’s ISMS is a valuable step. It makes a clear statement to customers, suppliers, partners and authorities that the organization has a secure information management system. Many countries in the world have their own central accreditation body (in the United Kingdom, it is the United Kingdom Accreditation Service: UKAS). This central accreditation body accredits the competence of certification bodies – who might be based inside or outside the country – to perform services in the areas of product and management system approval.

Organizations should use only accredited certification bodies when seeking ISO27001 certification. This makes sure that the certification process is independent, is of an appropriate quality, using competent personnel (including auditors), and ensures that any certificate awarded will be recognized internationally. A certificate is usually valid for up to three years.

The history of ISO27001 and ISO27002

BS7799, the UK standard that preceded ISO27001, was originally the outcome of a joint initiative by the then Department of Trade and Industry in the United Kingdom and leading UK private-sector businesses. The working party produced the first version of BS7799 in February 1995. This was originally simply a code of practice for IT security management. Organizations that developed ISMSs that complied with this code of practice were able to have them independently inspected but there was initially no UKAS accredited certification scheme in place, and therefore formal certification was not possible. An alternative solution, known as ‘c:cure’, was adopted to provide a framework for recognizing implementation of the standard, and was available from April 1997. The confusion around c:cure and the absence of UKAS-accredited certification resulted in uptake of certification to the standard being much slower than anticipated, and c:cure was effectively withdrawn as an option late in 2000.

BS7799 underwent a significant review in 1998. Feedback was collated and in April 1999 a revised standard was launched. The original code of practice was significantly revised and retained as Part 1 of BS7799, and a new Part 2 was added. Part 1 was retitled ‘Code of Practice for Information Security Management’ and provided guidance on best practice in information security management. As a code of practice, BS7799 Part 1 took the form of guidance and recommendations. Its foreword clearly stated that it was not to be treated as a specification. It became internationalized as ISO/IEC 17799 in December 2000.

BS7799 Part 2, titled ‘Specification for Information Security Management Systems’, formed the standard against which an organization’s security management system was to be assessed and certified. BS7799 Part 2 underwent a further review during 2002, and a number of significant changes were made. This version remained current until it was first internationalized as ISO27001 in 2005.

BS7799–2 was internationalized as ISO/IEC 27001:2005 in 2005, and ISO17799 was revised at the same time, thus ensuring that the correspondence between the controls in the two standards would be maintained. ISO17799 was, without further amendment, brought into the new ISO/IEC numbering sequence for information security management standards in 2007 and identified as ISO/IEC 27002:2005, with the change in nomenclature being described in the document as a corrigendum!

ISO27001 and ISO27002 underwent extensive revision from 2008 onwards, and new, updated versions were published in October 2013. These are the current versions, and this book focuses specifically on them.

ISO27001 ‘forms the basis for an assessment of the Information Security Management System (ISMS) of the whole, or part, of an organization. It may be used as the basis for a formal certification scheme’. It is, in other words, the specific document against which an ISMS will be assessed. It is the most important standard in the emerging ISO27000 family; it provides a specification, against which an ISMS may be assessed. Apart from ISO/IEC 27000, which is normatively referenced from ISO27001, the other standards provide useful guidance and advice, and have no mandatory effect.

The ISO/IEC 27000 series of standards

ISO27001 is part of a much larger family, of which ISO/IEC 27000 is the root for a whole numbered series of international standards for the management of information security. Developed by a joint committee of the International Organization for Standardization (ISO) in Geneva and the International Electrotechnical Commission, these standards now provide a globally recognized framework for good information security management.

The correct designations for most of these standards include the ISO/IEC prefix, and all of them should include a suffix, which is their date of publication. Most of these standards, however, tend to be spoken of in shorthand. ISO/IEC 27001:2013, for instance, is often referred to simply as ISO27001.

Many of the standards have been previously published and are undergoing periodic revision; others are still under development. This book deals specifically with ISO27001 and ISO27002, but it will refer, where appropriate, to guidance contained in the supporting standards listed here. Organizations interested in using or applying these standards should acquire copies, which are available through www.itgovernance.co.uk/standards (archived at https://perma.cc/LHC2-ZRB5) in both hard copy and downloadable formats:

● ISO/IEC 27000 – ISMS Overview and Vocabulary;

● ISO/IEC 27001 – ISMS Requirements;

● ISO/IEC 27002 – Code of Practice for Information Security Controls;

● ISO/IEC 27003 – ISMS Guidance;

● ISO/IEC 27004 – Information Security Management – Monitoring, Measurement, Analysis and Evaluation;

● ISO/IEC 27005 – Information Security Risk Management;

● ISO/IEC 27007 – Information Security Management System Auditing;

● ISO/IEC TR 27008 – Guidelines for Auditors on Information Security Controls.


There are then standards that provide guidance on specific topics such as the integrated implementation of ISO 27001 and ISO 20000-1 (the service management system management standard), information security governance (ISO 27014) and organizational economics (ISO TR 27016).

The following are standards detailing requirements for certification bodies seeking accreditation for their ISMS certification scheme:

● ISO/IEC 17021-1 – Conformity Assessment: Requirements for bodies providing audit and certification of management systems – Part 1: Requirements;

● ISO/IEC 27006 – Requirements for bodies providing audit and certification of Information Security Management Systems.

Finally there are standards that provide sector-specific guidelines on the implementation of an ISMS. They include: inter-sector and inter-organizational communications (ISO 27010); telecommunications (ISO 27011); cloud services (ISO 27017); processors of personally identifiable information in public clouds (ISO 27018); energy utility (ISO 27019); and the health sector (ISO 27799).

A full list of current and emerging ISO27000 standards is maintained at www.itgovernance.co.uk/iso27000-family (archived at https://perma.cc/X9EL-UMEX) and you should ensure that the version you are using has been updated to reflect the 2013 standard.

Use of the standard

As a general rule, organizations implementing ISO27001 will do well to pay close attention to the wording of that specific standard itself, and to be aware of any revisions to it. Nonconformity with revisions or corrigendums will jeopardize an existing certification. ISO/IEC 27001 itself is what any ISMS will be assessed against; where there is any conflict between advice provided in this, in a supporting standard or any other guide to implementation of ISO27001 and ISO27001 itself, it is the wording in ISO27001 that should be heeded.

An external auditor will be assessing the ISMS against the published standard, not against the advice provided by this book or any third party. It is critical, therefore, that those responsible for the ISMS should be able to refer explicitly to the clauses and intent of ISO27001 and should on that basis be able to defend any implementation steps they have taken.


An appropriate first step is therefore to obtain and read ISO/IEC 27001 itself. Note that ISO27001 uses the word ‘shall’ to indicate a requirement, whereas the other standards in the family use ‘should’ to indicate good practice which is not a requirement.

The UK Accredited Certification Scheme was launched in April 1998, and there is an ISMS users’ group that enables users to exchange information on best practice and enables members to provide feedback on a regular basis to national standards bodies, and through them to the International Organization for Standardization.

ISO/IEC 27002

In 1998, when the original BS7799 was revised for the first time, prior to becoming BS7799 Part 1, references to UK legislation were removed and the text was made more general. It was also made consistent with OECD guidelines on privacy, information security and cryptography. Its best-practice controls were made capable of implementation in a variety of legal and cultural environments.

In other words, the ISO/IEC 27002 Code of Practice is intended to provide a framework for international best practice in information security controls and systems interoperability. It also provides guidance, to which an external auditor will look, on how to implement controls within a certifiable ISMS. It does not, as the standard is currently written, provide the basis for an international certification scheme. The guidance that this book provides in implementing an ISMS will therefore start with the requirements of ISO27001, will then look to ISO27002 for guidance as to the range of actions that could be considered in implementing selected controls, and will look to other best practice sources for more detailed input where relevant.

It is particularly important to note that, while ISO27002 provides international best practice in information security controls, it is not necessarily up to date for more recent changes in the information security environment. It has been written, and rewritten, over a number of years. The speed with which information technology has evolved, and goes on evolving, already means that some of the specific guidance in ISO27002 may be inadequate to deal with newly identified threats and vulnerabilities and the most current responses to them. That does not invalidate ISO27002; it simply creates an opportunity for the practitioner to go beyond ISO27002 when necessary.


This book has a bias towards implementing an ISMS within the United Kingdom, as this is where the authors’ direct experience was gained. It does also draw on our combined experience, over a number of years, working with organizations around the world on their information security management strategies. Its lessons are directly applicable for all ISMSs that are to be certified by an accredited certification body anywhere in the world.

This book sets out how to implement an ISMS that is capable of certification to ISO/IEC 27001:2013. It will do so broadly within the context of the Microsoft suite of products, as these are the products most widely used in those parts of the world likely to be interested in certification. The implementation steps set out in this book, however, apply in all software and hardware environments. The standard itself was specifically written to be technology independent.

This book will refer very explicitly to ISO27001 and to ISO27002 in order to comment on the implementation steps necessary to reflect the recommendations of ISO27002 and to comply with the standard. However, the reader must obtain current copies of both documents (as well as any others that may appear to be necessary) and use them alongside this book in order to optimize an information security project and gain the full value of this book.

Continual improvement, Plan–Do–Check–Act, and process approach

The 2002 version of the standard (BS7799-2:2002, the predecessor of ISO27001) for the first time promoted the adoption of a ‘process approach’ for the design and deployment of an ISMS. This approach, widely known as the ‘Plan–Do–Check–Act’ (PDCA) model, is familiar to quality and business managers everywhere. While ISO27001:2005 mandated the adoption of PDCA, it is no longer specifically required; what is a specific requirement is the adoption of a suitable and appropriate continual improvement process. For many organizations, this will continue to be the PDCA model, but the way is open for organizations that, for instance, already use ITIL or COBIT to adopt instead the continual improvement models from those frameworks. The vast majority of organizations are likely to adopt PDCA, not least because it is an easily understood model which also lends itself to application in integrated management systems which cover (for example) quality, environment, IT service management and business continuity. This book will assume that the PDCA model is used, and you should therefore make sure that you thoroughly understand it.

The 2013 version of the standard has been designed for better alignment, or integration, with related management systems (eg ISO9000) within the organization. Other ISO standards are being brought into accordance with a consistent high-level structure and common terminology (known as Annex SL, because it is an annex to an ISO directive on standardization) which will simplify management system integration significantly; the concept of a single, integrated management system, embedded within the standard operating processes of the organization, and capable of certification to multiple standards, is becoming much easier for the average organization to achieve.

A note on numbering

ISO27001 adopts the same standard numbering methodology for its clauses and sub-clauses as will other management system specifications. This means that the requirements of the standard (what you have to do if you are to claim compliance with it) are set out in clauses 4–10, with clauses 1–3 being introductory and the annexes being excluded from the requirements. Note, however, that Annex A is labelled normative: clause 6.1.3 requires the controls you determine to be compared against it and any Annex A control you exclude to be justified in the statement of applicability.

ISO27002 follows a different numbering sequence, with clauses 1–4 providing general guidance on the use of the standard, and clauses 5 through 18 providing guidance on individual controls. Annex A to ISO27001 is numbered from A.5 to A.18, in order to match the control clauses in ISO27002. In this book, we refer to Annex A controls by means of the ‘A’ prefix (as in A.5.1.1) and to those same controls in ISO27002 by means of the ISO27002 numbering (as in 5.1.1). Where we identify clauses in ISO27001, we are specifically referring to the stated requirements of the standard.

Returning to ISO 27001, the numbering is solely for the purpose of referencing. The standard itself recognizes that the order and number of clauses does not indicate relative importance or an order of implementation.

Structured approach to implementation

Although ISO27001:2013 allows the organization to tackle its clauses in any appropriate order, it makes sense to have a structured approach to the establishment of an ISMS. There are six steps to this ‘Plan’ stage of a project (using the Plan-Do-Check-Act approach that used to be, but is no longer, prescribed in ISO 27001):

1 Create the management framework: set up your implementation project, define the internal and external context of the organization, identify the requirements of any interested parties and, considering these issues, define the scope of the ISMS; select a continual improvement model and determine your approach to documentation.

2 Obtain top management commitment to the ISMS, define an information security policy, and allocate roles and responsibilities – including a ‘management representative’.

3 Define a systematic approach to information security risk assessment and the risk acceptance criteria.

4 Carry out a risk assessment to identify, within the context of the policy and ISMS scope, the important information assets of the organization and the risks to them, and to assess those risks against the criteria defined in step 3.

5 Identify and evaluate options for the treatment of these risks, selecting, where required, the control objectives and controls to be implemented.

6 Prepare a statement of applicability and a risk treatment plan.
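The following is an added example, not code from the book or its documentation toolkit, showing how Plan steps 3 to 6 fit together in a runnable form: a scoring method with a risk acceptance criterion, a treatment decision per risk, and a statement of applicability that records a justification for every Annex A control, excluded ones included (clause 6.1.3 d). The assets, threats, scores, the threshold of 10 and the mapping from risks to controls are all constructed assumptions; only the control identifiers and titles follow ISO/IEC 27001:2013 Annex A, and only a handful are listed.

```python
"""Added example (not from the book): Plan steps 3 to 6 as code.
Risk scores, threshold, assets and the risk-to-control mapping are assumptions."""
from dataclasses import dataclass

# Step 3: the systematic approach. Likelihood and impact are each scored 1..5,
# risk = likelihood x impact, and the acceptance criterion (an assumption here)
# is that any risk scoring below 10 may be accepted without further treatment.
RISK_ACCEPTANCE_THRESHOLD = 10


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    candidate_controls: tuple = ()   # Annex A controls that would modify this risk

    @property
    def score(self) -> int:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be scored 1..5")
        return self.likelihood * self.impact


# Step 4: assessment results for the in-scope assets (constructed sample data).
RISK_REGISTER = [
    Risk("customer database", "SQL injection through the web application", 4, 5, ("A.14.2.5", "A.12.6.1")),
    Risk("staff laptops", "theft of a device with an unencrypted disk", 3, 4, ("A.10.1.1", "A.11.2.6")),
    Risk("build server", "known vulnerability in an unpatched OS", 3, 3, ("A.12.6.1",)),
    Risk("office printer", "paper jam", 5, 1),
    Risk("legacy mainframe", "vendor no longer issues security fixes", 4, 3),
]


# Step 5: treatment options. 'modify' applies controls; 'accept' records the
# decision against the criteria; 'escalate' flags an unacceptable risk with no
# candidate control, so avoidance or transfer (sharing) has to be considered.
def treat(risk: Risk) -> str:
    if risk.score < RISK_ACCEPTANCE_THRESHOLD:
        return "accept"
    return "modify" if risk.candidate_controls else "escalate"


def risk_treatment_plan(register):
    plan = []
    for r in register:
        decision = treat(r)
        plan.append({"asset": r.asset, "threat": r.threat, "score": r.score,
                     "decision": decision,
                     "controls": r.candidate_controls if decision == "modify" else ()})
    return plan


# Step 6: the statement of applicability. A small subset stands in for Annex A.
ANNEX_A_SAMPLE = {
    "A.6.2.2": "Teleworking",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.2.6": "Security of equipment and assets off-premises",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.14.2.5": "Secure system engineering principles",
}


def statement_of_applicability(plan, annex=ANNEX_A_SAMPLE):
    """Every Annex A control gets an entry; exclusions carry a justification too."""
    treats = {}
    for entry in plan:
        for cid in entry["controls"]:
            treats.setdefault(cid, []).append(entry["asset"])
    # A control selected in the plan that is not in Annex A is a mistyped reference.
    unknown = set(treats) - set(annex)
    if unknown:
        raise KeyError(f"controls not in Annex A: {sorted(unknown)}")
    soa = {}
    for cid, title in annex.items():
        if cid in treats:
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "treats risks to: " + ", ".join(treats[cid])}
        else:
            soa[cid] = {"title": title, "applicable": False,
                        "justification": "no risk in the register requires this control"}
    return soa


if __name__ == "__main__":
    plan = risk_treatment_plan(RISK_REGISTER)
    for e in plan:
        print(f"{e['score']:>2} {e['decision']:<8} {e['asset']}: {e['threat']}")
    for cid, s in statement_of_applicability(plan).items():
        print(f"{cid} {'Yes' if s['applicable'] else 'No '} {s['title']} - {s['justification']}")
```

The point to notice is the ‘escalate’ outcome for the legacy mainframe: a risk above the acceptance threshold with no control to hand is exactly the case a certification auditor will look for in the risk treatment plan, and it must not silently disappear from the statement of applicability.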

Once these steps have been carried out, you would begin implementation (the ‘Do’ stage) of the system.

The implementation process will go through its own five steps:

1 Finalize the risk treatment plan and its documentation, including planned processes and any required supporting documentation.

2 Implement the risk treatment plan and planned controls.

3 Arrange appropriate training for affected staff, as well as awareness programmes.

4 Manage operations and resources in line with the ISMS.

5 Implement procedures that enable prompt detection of, and response to, security incidents.

The ‘Check’ stage – which drives continual improvement activity – has, essentially, only one step: monitoring, reviewing, testing and audit. However, monitoring, reviewing, testing and audit is an ongoing process that has to cover the whole system, and a certification body will want to see evidence of an effective internal audit programme in relation to the ISMS as part of its certification activities.

Testing and audit outcomes should be reviewed by managers, as should the ISMS in the light of the changing risk environment, technology or other circumstances; improvements to the ISMS should be identified, documented (where necessary) and implemented. This is known as the ‘Act’ stage. Thereafter, it will be subject to ongoing review, further testing and continuous improvement.

A ‘mini-PDCA’ approach could also be applied to each control or group of controls, with the ‘Check’ phase contributing to the ‘measures of effectiveness’ that will eventually feed into the management review (see Chapter 4).

This book takes a sequential approach to the establishment and implementation of an ISMS. In reality, once they realize the scale of the information risks they face, many organizations will want to tackle a number of the necessary tasks in parallel. Certainly, as many organizations will come to ISO27001 with some information security structures already in place, an alternative approach may also be practical: complete an initial ‘gap analysis’ which compares the requirements of ISO27001 with the ISMS processes already in place, and then build the ISMS project as, in effect, an information security improvement plan designed to close those gaps. In taking such an approach, however, bear in mind that what makes a management system effective is the way the arrangements for meeting the standard’s requirements relate to and work with one another, so as to provide a repeatable and dependable system that delivers the required outcomes; this matters more than addressing individual clauses one by one.

If component tasks of establishing the ISMS are being carried out in parallel, or the organization already has elements of an ISMS in place and is driving gap analysis-based improvements toward the objective of ISO27001 conformance, it will be critically important to first have a thorough understanding of all the requirements of ISO27001 as well as a strong project management methodology to keep everything together.

Implementation issues

Implementation of an ISMS will have significant impacts on the way people work. It should be seen as a business project, not an IT or information security project. Effective leadership, top management support, change management and internal communication are all essential components of any successful ISO27001 system roll-out. An overview of key issues that will contribute to a successful implementation is set out below with more specific information and analysis in later chapters.

Clause 6.1 of the standard requires the organization to consider any issues identified as part of its assessment of internal and external context, as well as the requirements of interested parties (both of which are discussed further in Chapter 5), and assess how these might impact the project to establish an ISMS and the bearing they may have on the longer term effectiveness of the ISMS. This requirement should be addressed as part of creating the project and management framework; the authors recommend that the implementation project itself produces and maintains a project-level risk log. While one of the highest-potential impacts might be assigned to the risk associated with gaps in senior managers’ understanding and commitment, there may be other project-level risks arising from the organizational context: a currently lax security culture, for instance, creates different implementation challenges than one that is already tightly and centrally controlled.

Management system integration

Some organizations that tackle ISO27001 already have an ISO9001 certificated quality management system in place, and may also have certifications to ISO14001, OHSAS 18001 and other standards, such as ISO20000 and ISO22301. ISO encourages integration of quality and other management systems. The ISMS should be integrated with the quality management and any other management system to the greatest extent possible (not forgetting that any management system needs to be integrated with the business if it is to deliver on all the benefits that it can offer). The adoption of a (largely) consistent high-level structure, common core text and terms and definitions across new and revised ISO management system standards since October 2013 lends itself to a single management system that addresses requirements from multiple standards. In other words, the way in which an organization addresses context, top management commitment, internal audit, continual improvement and documentation can be largely the same for each and every management system standard it adopts.

In the case, therefore, where an organization already has a management system based on this consistent approach (commonly referred to as Annex SL after its then position in the ISO Directives for standardization – just after Annex SK and before Annex SM), implementation of ISO27001 is simply going to be the extension of an existing management system to include information security management, not bringing in a whole new management system. This is an important message that should, in this circumstance, underpin the change management and communication plans; the smaller the perceived mountain, the more quickly will an organization set out to climb it.

In circumstances where the organization does not already have an existing ISO9001-certified management system and wishes for guidance on the documentation, document control (authorization, version control, status, etc, aspects of producing management system documents) and records issues of ISO27001, it should obtain and use the guidance in any current manual on the implementation of ISO9001:2015. Note that the ISO27001 specifications for document control (clause 7.5) include the control of records.

The organizations that are accredited to offer certification to ISO27001 are usually listed on the websites of national accreditation bodies. Not all of them offer a truly integrated certification service. Each organization’s website will set out what it does, and the links on the site should be followed to explore the offerings of each company.

Documentation

As set out above, the organization should adopt, for its ISO27001 system, at least the same documentation principles as are required for ISO9001. A properly managed ISMS will require documentation. Clause 7.5 of the standard describes the minimum documentation that should be included in the ISMS to meet the requirement that the organization maintain sufficient records to demonstrate compliance with the requirements of the standard. The types of documents that are typically required for an effective ISMS include the following:

●● The information security policy, the scope of the ISMS (including the internal and external issues, and the requirements of interested parties), the risk assessment methodology and risk assessment results, the control objectives, the statement of applicability (developed as described in Chapters 5 and 6). These might, together with a description of the Continual Improvement (PDCA) approach, and the rules for document and record control, form the core of an ISMS manual.

●● Evidence of the actions undertaken by the organization and its management to specify the scope of the ISMS (business architecture diagrams, organization charts, network maps, etc), the minutes of board and steering committee meetings, as well as any specialist reports.

●● A description of the management framework (steering committee, etc). This could usefully be related to the organizational structure chart.

●● The risk treatment plan and the underpinning, documented procedures (which should include responsibilities and required actions) that implement the specified controls. A procedure describes who has to do what, under what conditions, or by when, and how. A work instruction is an even more detailed description of how to perform a specific task. Procedures (there might be one for each of the implemented controls) and work instructions might be identified in the ISMS documentation, but would be subject to a lower level of authorization than the manual.

●● The procedures (which should include responsibilities and required actions) that govern the management and review of the ISMS. These should be developed in line with the guidance contained in this chapter.

The ISMS documentation should be controlled documents, available to all staff. It can be done in paper form but is most effective either on a shared drive, an intranet, a SharePoint server or through a document management and policy support software tool. SharePoint is increasingly widely used and it ensures that the current version of any procedure is immediately available to all members of staff without inconvenience. Remember that any shared resource will have its own challenges in terms of organization and control; ownership of assets, archiving and data integrity are key issues. SharePoint installations should be subject to their own specific governance arrangements if they are to produce maximum benefits.

A structured numbering system should be adopted that ensures ease of navigation of any manual or related documentation and ensures that initial document issue is controlled, that replacement pages and changes are tracked and that the manual is complete. Staff should obviously be trained in how to use the ISMS; this is usually best done as part of the staff induction process.

Clearly, there will be a number of security system documents that themselves need to be subject to security measures. These will include documents such as the risk assessment, the risk treatment plan and any non-public versions of the statement of applicability, which contain important insights into how security is managed and which should therefore be classified and restricted in accordance with the type of information classification system described in Chapter 9. Access should be limited to people with specified ISMS roles, such as the information security adviser.

ISO27001 clearly recognizes that there is no such thing as a ‘one size fits all’ approach. Instead, it recommends that the ISMS documentation be scaled to reflect the complexity of the organization and its security requirements.

The ISO27001 ISMS Documentation Toolkit (www.itgovernancepublishing. co.uk/product/iso27001-2013-isms-standalone-documentation-toolkit (archived at https://perma.cc/JGK5-DPVY)) was created specifically to accompany this book. It contains a comprehensive set of ISMS documents that are designed for adaptation to meet the specific requirements of any individual organization.

Leadership

Leadership for the ISMS, as for all key business initiatives, has to be provided from the top. The whole of clause 5 of the standard deals with leadership and sets out a number of ways in which top management must evidence their commitment to information security in the organization.

This is very much a clause that looks for ‘Tone from the Top’. Ideally, the CEO should be the driving force behind the programme, and its achievement should be a clearly stated goal of the current business plan. The CEO needs to understand completely the strategic issues around IT governance and information security and the value to the company of successful certification. The CEO has to be able to articulate them and to deal with objections and issues arising. Above all, he or she has to be sufficiently in command of this part of the business development to be able to keep the overall plan on track against its strategic goals. The chairperson and board should give as much attention to monitoring progress against the ISO27001 implementation plan as they do to monitoring all the other key business goals. If the CEO, chairperson and board are not behind this project, there is little point in proceeding; certification will not happen without clear evidence of such a commitment. This principle, of leadership from the top, is of course essential to all major change projects.

No certification body will certify an ISMS without getting firm evidence of the commitment of senior managers. If this commitment is not clearly demonstrated, the ISMS simply will not be adequate and the risks to the organization will not have been properly recognized or fully addressed, and the strategic business goals are unlikely to have been considered.

Change management

There have been many books written about change management programmes and initiatives. Many such programmes fail to deliver the benefits that have been used to justify the expense of commencing and seeing them through. Successful implementation of an ISMS does not require a detailed change management programme, particularly not one devised and driven by consultants. What it does require is complete clarity among senior managers, those charged with driving the project forward and those whose work practices will be affected as to why the change is necessary, about what the end result must look like and why this result is essential.

The design and implementation of the ISMS should be driven by a project team that is drawn from those parts of the organization most likely to be affected by its implementation as well as a very small number of functional experts, including HR or personnel experts. The balance is important: a properly functioning ISMS depends on everyone in the business understanding its processes and applying its controls, and if the project team is made up of a preponderance of non-technical people, it is more likely to produce something that everyone in the business understands. The team certainly should include at least one experienced project manager, who will be responsible for tracking and reporting progress against the planned objectives. The project team or sponsor should report directly to the CEO (or equivalent management authority that has responsibility for the entire scope of the ISMS) and have the appropriate delegated authority to implement the board-approved plan. Clause 5.1 c) requires the provision of adequate resources to establish the ISMS, and this is the first step to doing so.

There needs to be an outline timetable and top-level identification of responsibilities and the critical path to completion. This should be prepared by the project team and, once it has been critically tested by the CEO and top managers, approved by the board. This plan should fit onto two sides of A4 and should provide sufficient scope for those who will have to imple- ment it to find appropriate solutions to the many operational challenges that there will be.

A key preliminary step in any successful change programme is to identify and isolate, or convert, potential opposition. Where an ISMS roll-out is concerned, there is sometimes internal resistance from the IT department. There are a number of possible reasons for this, including the desire of the head of IT not to lose control of IT security, the IT department’s desire to maintain its mystique and the fear that its existing controls might be found to be inadequate. This is not surprising. ISO27001 does require the organization’s board and senior management to take control of its ISMS and the whole organization to get behind and understand key aspects of security policy. The resistance of the IT department must be expected and overcome at the outset. There are circumstances where this can lead to a change in IT staff, either forced or unforced, and the organization should expect this and prepare appropriate contingency plans.

Training will be an important facilitator of the change programme. ISO27001 requires that those who have key roles within the ISMS are appropriately competent (clause 7.2) and this might cover ISMS implementation (for the person/people determined as having responsibility for ensuring the ISMS meets the requirements of ISO 27001, as per clause 5.3 a) and audit competence, as well as initial training for the project team in the principles of ISO27001, the methodology of change and project management and the principles of internal communication. Staff throughout the business will need specific training in those aspects of security policy that will affect their day-to-day work. The IT manager and IT staff will all need competency in information security, and if this needs to be enhanced by training, this should be delivered by an organization that recognizes and understands the technical aspects of ISO27001 training.

Communication

Underlying any successful change management programme, and especially necessary for the successful roll-out of an ISMS, is a well-designed and effectively implemented internal communications plan. Compliance with clause 7.4 (which deals with communication) suggests that key components of this plan might include the following:

●● Top-down communication of the vision – why the ISMS is necessary, what the legal responsibilities are, what the business will look like when the programme is complete and what benefits it will bring to everyone in the organization.

●● Regular cascade briefings to all staff on progress against implementation objectives. These briefings should quickly become part of the existing organizational briefing cycle, so that ISO27001 progress becomes part of the normal business process – ‘just another thing that we’re doing’.

●● A mechanism for ensuring that key constituencies and individuals within the business are consulted and involved in the development of key components of the system. This ensures that they buy in to the outcome and to its implementation.

●● A mechanism for ensuring regular and immediate feedback from people in the organization or in affected third-party organizations so that their direct experience of the initial system as it is implemented is used in the evolution of the final version.

●● These face-to-face communications should be underpinned with an effective information sharing system. Most usually, this will be part of the corporate intranet, on which regular progress reports as well as detailed information on specific aspects of the ISMS are posted. E-mail alerts can tell staff to access the intranet for new information whenever it is posted and the site could encourage feedback by means of a ‘write to the CEO’ function. Organizational Facebook and Twitter accounts could also be pressed into service as part of the project, provided that nothing is posted to a public channel which the classification scheme described in Chapter 9 would restrict.

Reviews

Clause 9.1 of the standard requires the effectiveness and performance of the management system, as well as effectiveness of relevant controls, to be measured and monitored and for management to carry out periodic reviews of the effectiveness of the ISMS. This will be discussed in some detail in Chapter 6. The records of the management body (to be discussed in Chapter 4) that is responsible for implementing the ISMS should document that these reviews were carried out on particular dates, what the results of the reviews were and what actions, if any, were required as a result.

Continual improvement and metrics

Clause 10.2 of the standard requires the organization ‘to continually improve the suitability, adequacy and effectiveness’ of the ISMS. The corrective action requirements of clause 10.1 are met by an effective ISMS audit programme (Chapter 27), competent review and management of nonconformities (which often, for the ISMS, involves the information security manager), the incident response procedures (Chapter 24) and related documentation. Prevention, as a specific process, has been removed from the standard, as the ISMS itself is now seen as the preventive tool that management deploys in order to prevent compromises of information security.

The combination of effective monitoring, measuring, and corrective action processes, together with a formal review process and strong internal audit structure, within the context of an ISMS developed in line with the recommendations of this book, will enable an organization to start demonstrating its approach to continual improvement. A long-term approach to continual improvement must include measuring the effectiveness of the ISMS and of the processes and controls that have been adopted. ISO27001 requires effectiveness measurements (also see Chapter 6 and ISO/IEC 27004) to be undertaken and results from them included in the input to the management review meeting. Clearly, information security as an organizational function needs to be measured against performance targets in just the same way as are other parts of the organization. In order to develop a useful set of metrics, an organization will have to identify what to measure, how to measure it and when to measure it.

Some of the areas that should be considered for measurement include the effectiveness and value adding capability of the incident handling process, the effectiveness and cost savings provided by staff training, the improvement in efficiency generated by access controls and external contracts, and the extent to which the current scope is meaningful and relevant in the changing business environment.
