ISO27001:2013 one year on – What has changed? Part two

A year on from the publication of ISO 27001:2013 I thought it worth reflecting on what the ‘new’ version of the specification has meant for those working with it, and whether it addresses the criticisms levelled at the 2005 version.

Last week I described how users of the standard might better embrace the 2013 version to harness the benefits it offers. Now it is time to consider whether ISO 27001:2013 has addressed the criticisms of the 2005 version. Those main criticisms?

  • It was possible to achieve certification for a scope that is meaningless.
  • The ISO 27001:2005 requirement for an asset-based information security risk assessment process is incompatible with the corporate risk methodology and is too resource intensive.
  • An organisation could achieve certification to ISO 27001:2005 by adopting a stupendously high risk appetite and so did not need to address reasonable client requirements.
  • ISO 27001 is not applicable to SMEs and micro businesses.

Taking each in turn…

Scope

Certainly the 2005 version of the Standard was open to abuse. From the sublime – a data centre that holds certification for its own comms room, nothing to do with the hosting environment! – through to the ridiculous – a scope statement that covers a general IT service, management of a vegetarian restaurant and sales of environmentally friendly goods all for the single ISMS.  The 2005 accredited certification scheme was, however, transparent enough for users to determine what it meant to them if they knew how to interpret a claim of certification: review the certificate, make sure it is issued by a certification body accredited by an IAF (www.iaf.nu) signatory, and then know what it means with regard to the assurance it provides – no guarantee of a particular security stance being in place, but rather a measure of the processes the organisation applies to determine and manage its security stance.

Back to the applicability of scope: the ‘common text’ now being adopted by all management system standards (also referred to as Annex SL) sets out requirements for the organisation to consider the needs and expectations of interested parties, and to determine the scope in light of those.

Sure, this does not mean that all issues need to be ‘in-scope’, and the position is further muddied by the various scopes that could be referred to – the scope of the ISMS, the scope of certification, the scope of everything relevant to the ISMS? If auditors and certification bodies are doing their jobs correctly (“shall ensure that the scope and boundaries of the ISMS of the client organization are clearly defined in terms of the characteristics of the business, the organization, its location, assets and technology”, as per ISO 27006:2011 section 9.1.2), however, the scope statement should be clear as to what is and is not covered by the certification.

For the ‘meaningless scope’ criticism I conclude that ISO 27001:2013 has addressed this particular weakness in the previous version, particularly if auditors embrace the spirit of management system requirements and their intent to satisfy the requirements of customers and other stakeholders (see ISO 27000:2014 section 3.2.5), and ensure that scope statements are clear and robust.

The 2005 asset-based risk assessment

Certainly for most organisations that already had an established corporate risk regime, the requirement for a detailed asset-based information security risk assessment was not compatible, and there would be little or no appetite to work through a much more resource intensive methodology purely for a single discipline such as information security. Similarly, for those organisations that had not been convinced of the need for a corporate risk management process, any case for a resource intensive asset-based method was likely to fail from the outset unless there was a truly compelling case for certification, and then it would be a case of identifying the least amount of work required to scrape over the certification bar.

The 2013 requirements are much less prescriptive and thus lend themselves to integration with a corporate regime much more easily. Meeting these requirements can also be much less resource-demanding than satisfying the 2005 criteria for those adopting an information security risk method as their first foray into risk management. Using this flexibility to align the ‘2013-compliant’ risk method with the wider corporate risk assessment enables the organisation to keep information security risks – and the resources required to manage them – in perspective when compared to other business disciplines. Yes, there are certain schemes that require an asset-based approach, and personally I still see it as the gold standard for information security risk assessments, but the flexibility offered in ISO 27001:2013 means that a blended mix of an alternative, corporate-savvy approach together with an asset-based method targeted at certain systems and activities is acceptable.

It was possible to adopt a risk appetite that accepts every risk

While, unfortunately, some organisations managed to get a stance of simply accepting every risk past some auditors and achieved certification, it was never in the spirit of the Standard. The good news is that the 2013 version of the Standard addresses this head-on through the previously mentioned context clauses and the operational risk clause at section 6.1.1, which references 4.2, which in turn recognises that ‘requirements’ may well include “legal and regulatory requirements and contractual obligations”.

My finding? The 2013 version of ISO 27001 has answered the criticism, ensuring that the security profile adopted by the organisation aligns with contractual, legal and regulatory requirements, as well as the “risks and opportunities” the organisation needs to address.

ISO 27001 is not applicable to small and micro businesses

On to the final criticism: many state that the Standard is overly complex, too expensive and burdensome. I reject this for the 2005 version of the Standard, and for exactly the same reasons suggest that the 2013 version is scalable to any size of organisation. The incompatibility for small and micro businesses lay with the methods that those levelling this particular criticism deploy. Applying a suitably tailored and intelligent approach, informed by years of experience of working with the specification, proves that it can and does work. Take the IT Governance case study on Workforce Metrics – accredited certification for the smallest of businesses in less than four months.

Summary

In conclusion, I find that ISO 27001:2013 has addressed the criticisms described earlier in this text, and so recommend that organisations that have previously considered and dismissed ISO 27001:2005 reconsider their stance in light of the 2013 version.

Similarly, for those concerned with supply chain information security assurance who had considered and shied away from ISO 27001 previously, I urge a reassessment so as to keep abreast of changes; make sure you are making the most of the risks and opportunities in a changed environment – much like the specification itself.
