ISO 27001 Implementation Can Create Imperfect Security


I have been in the information security sector informally for many years, and in the past 5 years much more formally. I have used mostly the NIST and ISO 27001 frameworks for clients, although I have used others like PCI and COBIT. I like the framework that ISO 27001 and its supporting ISO documentation (ISO 27002-5) provide, especially the latest 2013 revisions. There are a few issues that remain after implementation, even with the most rigorous security frameworks.

Lack of security, and in particular the poor handling of personal information, has regularly been in the headlines over the last few years. There have been notable incidents among giant retailers, banks, and large private corporations. Would your company know if it had data stolen?

ISO 27001

“It is a specification for an information security management system (ISMS). Organizations which meet the standard may be certified compliant by an independent and accredited certification body on successful completion of a formal compliance audit.”  — ISO/IEC 27001:2013 – Wikipedia, the free encyclopedia.

A key problem with ISO 27001 is that it is a management standard, not a security-specific standard. It provides a framework for the management of security within an organization, but it does not provide a “how to” guide for implementing the security itself.

ISO 27001 takes a risk-assessment-based approach to its processes. An information security risk assessment is used to identify the security requirements of the organization, and then to identify the security controls needed to bring that risk down to a level acceptable to the organization.

Once the security controls have been identified, ISO 27001 defines processes to ensure that these controls are implemented and are effective; and that the controls continue to meet the organization’s security needs.

  • The organization decides what level of security it needs. The level of risk acceptable to the organization is a senior management decision, and the ISO 27001 framework does not impose any particular level of acceptable risk. For example, if senior management decides that a high risk of compromise of personal information is acceptable to the organization, then ISO 27001 simply provides a management framework for implementing that flawed decision.
  • A risk assessment is used to identify the level of controls required by the organization. However, ISO 27001 does not define the risk assessment method to be used: the standard requires that the organization document a method and then apply it. The risk assessment is what allows an organization to withstand IT security breaches, because it is where adequate controls or compensating controls are identified.
  • The security controls that an organization uses are not measured or reported on in a way that can be shared with others. You would never want to publish your controls publicly, but a way to give assurance to other organizations that your controls are adequate would be valuable.

What does ISO 27001 do for you?

When using ISO 27001, you need to decide on a risk method, carry out a risk assessment, select your security controls, and ensure that these are adequate to meet the security needs of your organization. This requires information risk management and security expertise to implement. ISO 27001 does not tell you how to do this, but rather provides a framework within which to do it. This can create a problem for organizations that have never completed a full IT security review with an expert, because it leaves uninformed leaders making decisions that could have long-term impacts on the safety and integrity of the organization. You can also have additional problems keeping your IT secure if the risk assessment produced during certification is not regularly revisited for adequacy. Software patches and updates are released constantly, and it is important to review how the vulnerabilities they address are being identified by software developers and whether your assessment still reflects them.

Holistic security is hard to achieve. No single person can do all the security in a typical organization. It takes a change in mentality to work together across the business, with senior management, and even with the security auditors to make an organization secure. Being safety minded and having a culture that thinks about IT security is much more than completing a certification checklist. Every time new software is discussed, or a new process involving external connectivity is reviewed for implementation, the organization should be security minded.

The Danger of Thinking ISO 27001 Certification Is All You Need

ISO 27001 can create imperfect security if not implemented properly

This statement is something we, at CubedCorps Cyber Security, would like you to understand carefully: compliance or external certification to ISO 27001 does not mean you are secure. It means that you are managing security in line with the standard, and to the risk level you think is appropriate for the organization.

ISO 27001 provides a list of controls in Annex A, but this list is not exhaustive. In the 2013 version of the framework, the controls in Annex A are much more complete than in prior versions and align more closely with other ISO frameworks. In conjunction with ISO 27002, it provides some guidance on the controls that you should consider.

However, it does not provide detailed guidance specific to your organization, the information that you handle, and the systems that you use. Again, security expertise is required both to carry out an information security risk assessment and to define the required security controls.

If your risk assessment is flawed, you do not have sufficient security and risk assessment expertise, or you do not have the senior management and organizational commitment to implement security, then it is perfectly possible to be fully compliant with the standard but still be insecure. This is especially true if you choose to work with a security expert who is used to a different industry than yours. If a security consultant is not fully familiar with the data and technology used within your industry, and does not take the time to ask additional questions about how you use that technology, many areas of protection can be missed in how you store and transfer your organization’s digital information.

In the end, an organization will only implement information security effectively if it has a culture that appreciates the value of the information it holds and the immense value of protecting it. This requires visible management commitment, individual ownership, and responsibility. Supporting this with effective security education and awareness will strengthen the organization’s resolve to take security frameworks seriously. Without this, an ISO 27001 ISMS is unlikely to be effective, and hence information will not be appropriately protected.

Security Conclusions About ISO 27001

ISO 27001 gives you a roadmap and framework for implementing and maintaining security. It also gives you a baseline against which to work – either to show compliance or for external certification against the standard. It is up to you and your organization to make good security choices.

If your risk assessment is flawed, you do not have sufficient security and risk assessment expertise, or you do not have the senior management and organizational commitment to implement security, then it is perfectly possible to be fully compliant with the standard but still be insecure. This is where security-minded organizations that are small to mid-size may need external assistance from an expert.

Implementing ISO 27001 is the right way forward for the security of an organization. However, to actually be secure, it is necessary to develop a culture of valuing information and protecting it, through:

  • A strong commitment to information security that begins from the top of the organization.
  • Individual ownership and responsibility for information security.
  • Effective internal communication about security.
  • Effective information security education and awareness.
  • Ongoing risk analysis that looks for new threats and reassesses the situation (situational awareness).

Where to Find Help With ISO 27001 Certification & Compliance

CubedCorps Cyber Security can assist you with the risk assessment and planning to ensure you truly are secure. CubedCorps has extensive experience in assisting in creating cyber security ISMS frameworks, additional varieties of frameworks, and we help with audit preparation. Reach out to us today for more information.