A year on from the publication of ISO 27001:2013 I thought it worth reflecting on what the ‘new’ version of the specification has meant for those working with it, and whether it has addressed the criticisms levelled at the 2005 version.
I’ll start by reflecting on what the 2013 version means for those that have already adopted the ‘original’ 2005 version. Most organisations that already comply with the 2005 version of the Standard have approached the transition as a chore, trying to identify the least onerous means by which they can ‘tick the box’ for the 2013 version. In short, this means fudging how their existing ISMS maps to the new set of requirements and, using the freely available mapping of their choice, updating the ‘old’ Annex A control references to reflect the 2013 structure of 13 categories and 114 controls. The single saving grace is that many auditors have taken a similar approach and so certifications are not jeopardised; for me, however, this is as good as a major non-conformity, as there are benefits to be had that are not being embraced.
The first opportunity…
…is the flexibility now offered with regard to the information risk assessment methodology. The prescriptive asset-based approach is no longer mandated; instead there is the opportunity to utilise an approach that lets operational managers really get involved and own the challenge. Adopting a method that non-IS executives will adapt to relatively easily is more likely to result in those same people coming to the IS function with prompts for updates and reviews as they better understand the approach, see how it links seamlessly with the corporate risk assessment, and find that the ‘reward’ is more appropriately aligned to the time and effort required.
The second big opportunity…
…for adopters of ISO 27001 is to default to a control set other than that listed in Annex A for treating risks. What better way to demonstrate the all-embracing approach of a management system for information security than to have it blend all of the various requirements put on the organisation, balancing where they are applied and the other control sources they should mix with? Yes, ISO 27001 requires that they are compared to the security controls in Annex A to ensure that none are inappropriately omitted, but this is no more than a sense check on what the business requires in order to comply with its legal, regulatory, contractual and business risk-informed selection in the first instance. Indeed, if this sense-check is to be applied in the spirit I suggest, it should not be at the 114-control level but at least as detailed as the ~1030 ‘shoulds’ mentioned in the guidance in ISO 27002:2013. Of course, the SoA will reflect and justify inclusion/exclusion at the 114-control granularity, but what better sense of comfort than to know that such a full cross check has been deployed?
My challenge to ISMS and ISO 27001 auditors is to encourage clients to consider adapting their asset-based risk methodologies to better integrate with and reflect the corporate risk regime and to adopt controls more closely aligned with their ‘interested parties’. Sure, there are potential weaknesses that could be introduced at the same time as taking advantage of the benefits these steps have to offer, but if auditors are truly competent then these should be identified and addressed as appropriate.
My thoughts on the second aspect of my opening paragraph – asking whether the 2013 version of the Standard has addressed the criticisms of the 2005 version – will be covered in part II of this article, which will be posted next week.
Finally for this week, a word on certification bodies: what have they done with regard to transition? The feedback I have from their clients is that the transition arrangements could have been more clearly communicated. Some are not clear as to whether the ‘transition audit’ is part of a scheduled surveillance visit or not, and, if it is, what version of the specification they will be audited on and non-conformities raised against: the short answer for clients in this situation is to ask your certification body!
Want to know how to ensure your ISMS benefits from the flexibility ISO 27001:2013 offers around risk assessment? Or how to select the right set of security controls for your organisation? The IT Governance Lead ISO 27001 Implementer course covers both of these questions in an intensive three-day experience, and is available both online and in the classroom.