Andy Brophy, Founder of Inavate Consulting, gives the lowdown on the recent changes to the ISO27001 information security standard.
With the recent revision of the ISO 27001 standard, it’s important for firms to understand the key changes and the next steps needed to transition to the updated standard.
With over 20 years of experience as an ISO 27001 consultant and cyber security expert, Andy has led hundreds of independently audited ISO 27001 implementations, so he is well placed to talk about the new standard.
The time was right for the standard to be updated. People were trying to shoehorn out-of-date controls into managing current risks, particularly when it came to the cloud and hybrid working.
We’ve been doing this for so long that we’ve seen it evolve from BS7799 to ISO27001:2005, then ISO27001:2013/17 and now ISO27001:2022. As always, there appear to be differing views between the auditing bodies and, in fact, sometimes between auditors within the same certification body.
This can be frustrating from an implementation point of view, but it’s good to see different interpretations as long as the auditor’s interpretation is aligned with the Standard.
Over the years I’ve worked with hundreds of firms to get them to ISO 27001 certification. You could say I am possibly one of the most audited people around when it comes to 27001, and I still learn from every single project we deliver and audit we attend.
Key changes from the information security management system perspective include:
Once you have updated the Information Security Management System, you must review and update the current risk assessment to map to the new control numbering and, if relevant, select controls from the new set of controls to manage existing or new risks. Don’t forget to create new policies and, where applicable, update existing documents and implement technical solutions to meet the new controls.
You can use 27002 or other standards as a source for what should be covered.
Then create a new SOA (Statement of Applicability) covering the new controls, including the justification for each control (for example, referring to the risk assessment, compliance needs and so forth). For ease of use, we recommend that it also refers to the supporting policies, processes etc.
Not forgetting that, as with the old version of 27001, you need to indicate whether each control is “implemented or not”.
I have to say I am not a fan of this binary rating in the standard.
It is easy if the control is not applicable, or has not been implemented, but, for example, when a customer has identified a risk and partially implemented the Data Leakage Prevention control within the scope or focused on the detect attribute, it’s a bit of a grey area; some certification bodies appear to accept a partial rating, some a percentage, others just yes or no.
So, I usually discuss it with the auditor and take their lead.
There is also the additional requirement to “monitor” objectives. As a consultancy, this is something we’ve always done, which is good news for our existing clients as they don’t need to do anything.
Our whole 5D implementation methodology is based upon an organisation defining its security objectives, and we work with them to implement them within business-as-usual activities.
You will need to update your audit schedule to include the new ISMS and control numbering, as well as any ISMS processes, and we recommend that you conduct audits on the ISMS changes and new controls.
5D is our method of implementing 27001: define, design, deploy, demonstrate, develop.
Without going down a massive rabbit hole or substantiating the view that I am a complete 27001 anorak, our 5D approach shows how we link the mandatory requirements and controls into an ISMS, and it forms part of our “compliance without the complication” ethos.
It’s most important for a firm to get copies of the new versions of ISO27001 and ISO27002 and also, if relevant, a copy of ISO27022; conduct a gap assessment; and then update the ISMS, risk assessments, SOA, policies, procedures and technical controls.
But before doing that, hold a management review with the leadership team to explain the changes, get their agreement on the update and then go with it.
A key message to get across is to wrap 27001 around your business.
There’s no value in taking a tick-box approach to the standard; it’s got to work for you.
We recently worked with an organisation of 50 people whose ISMS comprised over 200 separate documents, which made it a challenge to understand how it functioned or what value it provided.
We did fix it for them, and they ran solo at the audit with no non-conformities.
It’s more challenging to make things simple, and that’s what we are good at.
If you’re seeking to smooth your transition to the updated standard, it’s essential to stay proactive: not only to implement the changes but to understand their nuances.
The standard has evolved, and so must our approaches, to ensure the resilience and integrity of our data-driven world.
This article was originally published in the April Edition of Security Journal United Kingdom.