10 Most Common Questions About The 2022 Update to ISO 27001:2013
The information security management standard ISO 27001 and its code of practice ISO 27002...
ISO 27001:2013 is the de-facto international Information Security Management System (ISMS) standard and is deployed globally. For business, this means that accreditation is recognised everywhere and the resources needed to achieve the certification (provided by qualified assessment partners like StickmanCyber) are readily available to help organisations achieve the best possible security outcomes.
Introducing ISO 27001 | Information Security Management System FrameworkISO 27001 is an ISMS standard that provides a risk-based approach to managing people, processes, and technical controls. The standard’s modular approach to auditing people and technical dependencies ensures that numerous operational benchmarks can be measured, compared, and improved if security gaps are discovered. The standard is independently administered with certified practitioners offering implementation services for those organisations who lack the resources or desire in taking the DIY approach.
Business Case: Value proposition for implementing ISO 27001
The lack of appropriate security safeguards and controls poses an existential threat for businesses of all sizes. Making sure that security safeguards, controls, and policy guidelines meet the individual needs of an organisation is vital to securing your information framework. By implementing a tried and tested security management system, gaps can be remediated using industry best practices. ISO 27001 is more than just a security blueprint. The standard (when implemented) engages with all stakeholders across the organisation and features a modular architecture that enables individuals, business units, or the entire organisation to accept responsibility for security within their environment. This approach assists management in thoroughly fortifying security and helps to raise threat awareness across all levels of the organisation. Often the ISO 27001 review is part of an all-encompassing organisational assessment that examines every facet of processes, systems, and supply chains.
There are eight good reasons to invest in aligning your security safeguards against those of a mature and highly respected certification standard like ISO 27001.
- Reducing risk with benchmarks
Reducing business risk is imperative for management, but taming information security poses a challenge for both staff and management in organisations of every size. ISO 27001 guidelines and benchmarks help management and IT staff meet best security practices and compare their results with peers.
- Privacy legislation – conformance and governance
Instead of dealing with point solutions to solve discrete security issues, implementing an ISMS using ISO 27001 guidelines enables administrators to take a “top-down” view of governance. With the benefit of a robust structure and a dispassionate perspective, the employee’s compliance burden is eased by maximising existing tools and resources that help extend the ROI on your security investment.
- Enhancing the value of your business
Reputations, relationships, respect, and trust are built up over time. By demonstrating how committed your organisation is to deploy the best tools in protecting information security, commercial partners feel vindicated that their commitment to the business relationship with your organisation is a good investment.
- Trusted supply chain
As supply chains become more entwined, your security defenses are only as good as the weakest link in your trusted chain. ISO 27001 accreditation provides the assurance that business-partner security has met agreed security benchmarks that mitigates interdependency risk and protects your assets from nefarious threats posed from within trusted sources.
- Business continuity and resilience
Security breaches cost organisations vast sums of money in addition to the potential loss of reputation and brand value. ISO 27001 deployment drives a culture of proactive, proven, and tested enhancements that reinforce processes, systems, and controls.
- ISO 27001 encompasses all facets of business operations
Security threats can come from the most unexpected sources. A risk-based approach to security helps organisations implement threat modeling to “war-game” and rethink their approach to information security in a “whole-of-enterprise”, all-encompassing context.
- Gap analysis
In many organisations’ security safeguards are deployed because it’s perceived (often prompted with alarmist vendor marketing) that the need exists. Without a comprehensive security gap analysis to prove the need exists, it’s just informed guesswork. Because ISO 27001 is risk-based it’s critical that weaknesses and other security fractures are identified, prioritised and remediated, when time, resources, and budget are available. Aligning internal systems and processes with ISO 27001 can often take some time because of the granularity and depth needed to complete the certification process. A gap analysis helps stakeholders assign security priorities and wrangle the resources and funding needed to deliver the best outcome.
- Risk-based – not just another “tick-in-the-compliance-box”
Some security accreditations are based on box-ticking and inflexible policies. This type of approach will meet compliance objectives but could leave serious security risks undiscovered until it’s too late.
What is a typical ISO 27001 engagement?
As a certified accreditor, Stickman’s engagement model is straight-forward and typical of top-tier certifiers;
- Review ISMS documentation, scope the requirements, and report.
- Granular audit – validate your ISMS against the ISO27001 standard.
- Regularly scheduled independent reviews to ensure ongoing conformance with your ISO certification.
This certification looks deceptively easy but is onerous and demanding for one simple reason: it must be. The ISO 27001 audit shines a bright light on every aspect of business operations and flags limitations in people, processes, controls, and infrastructure that could compromise information security.
What does an ISO 27001 audit review entail?
| Annex | ISO27001 Domain | Business Context: examples |
| A.5 | Information security policies | A set of rules and guidelines that govern how employees manage security. Typical security policies examples include email, encryption, change management and data retention. |
| A.6 | Organisation of information security | Defining the roles and responsibilities that govern how sensitive information is handled across the organisation. Third parties may be included if external partners share confidential data. Lines of demarcation between stakeholders may also be defined based on how the organisation is structured. |
| A.7 | Human resource security | HR security encompasses all phases of employee engagement including screening, terms of employment, the role of management, training and disciplinary matters. |
| A.8 | Asset management | Assets’ constitute intellectual property, people, software, reputation and commercial knowledge in addition to hardware and physical chattels in the context of ISO27001 |
| A.9 | Access control |
Access control covers how data is accessed and protected by controls and policy. Regulatory and legislative oversight coupled with data sensitivity define how and who may access information. It also sets down the ground-rules about how other safeguards like multi-factor authentication are applied across organisations. |
| A.10 |
Cryptography | Cryptographic controls govern when, where and what type of encryption controls are deployed across the data chain. This covers the basics like password policy right through to algorithms, keys and secure software development policies. |
| A.11 | Physical and environment security | Providing the physical security to protect digital assets is vital in building comprehensive layers of information security. This domain covers protecting communication infrastructure (cables and ducts) right through to physical perimeters. |
| A.12 | Operations security |
Daily business operations must be protected with controls that mitigate business continuity risks and ensure that safeguards (regular backups etc) are performed and systems availability is maintained. |
| A.13 | Communications security |
ISO27001 prioritises securing data in motion and defines how to protect it using policies, technical controls and defining procedures that meet best practice like network segmentation and compliance with service level agreements. |
| A.14 |
System acquisition, development and maintenance | This domain emphasises security across the entire software development chain and includes secure development, testing, change management and outsourced application development. |
| A.15 |
Supplier relationships | Governs supplier relationships that addresses the risks posed by interdependent supply-chains and the contractual agreements that address this. |
| A.16 | Information security incident management | Following a predetermined course of action subsequent to a security incident. Legislative oversight like “notifiable breach” is included. |
| A.17 | Information security aspects of business continuity management |
Uptime and availability are issues addressed by business continuity management. Embedding these protocols in every process is critical to maintain a secure and resilient security environment. |
| A.18 | Compliance | Meeting corporate, legislative or judicial mandates to comply with overarching rules, guidelines and practices. |
ISO 27001 isn’t a compliance focused resource
It’s important to understand that ISO 27001 is not a compliance tool but actually a risk-based framework and methodology. This risk-based approach means that resources, time and money are allocated towards mitigating risks that pose the greatest threat to asset protection, business continuity and service availability. Each threat is weighted and prioritised based on the virulence of the business risk. Armed with these insights and budget, resources can be allocated towards projects that deliver the best security return on investment, and not be squandered on meaningless “ticks in the compliance box”.
Measuring and delivering a better security ROI with ISO 27001
ISO 27001 is optimised to deliver a better operating ROI from an organisation’s annual security budget. When a risk-based approach to security is taken, spending is closely aligned with exposure to threats. A retailer will allocate resources towards hardening their security in different ways from a health service provider. Similarly, both organisation’s Human Resources (HR) teams may use identical methods to safeguard employee privacy but rely on the ISO 27001 standard’s 14 controls to identify, segment and mitigate risks.
Interdependency drives ISO 27001 uptake
Increased interdependency is driving compliance with supplier relationships where the vendors must meet ISO 27001 standards. This requirement is increasing rapidly across government entities as they try to meet a universal and consistent approach to data security and the application of safeguards, across the whole of government and across internal and interdependent relationships.
ISO 27001 adds prestige to your brand
Although the ISO certification is not about branding or marketing, the accreditation can add prestige to your brand and offer a competitive advantage in commercial situations, particularly with those kindred organisations who have undergone the rigorous certification process.
How do you quantify how your security posture is evolving and improving?
Security attackers are constantly looking for new ways to breach and gain access to company assets. The latest trend shows that attackers are also focused on breaching supply chain partners (related/third-parties) to gain access via the indirect, “back-door” route. It’s this type of “dependency attack” that breaches controls and shatters trust that leads the list of CISO concerns. But the question remains how do you benchmark and independently assess the compliance of your systems with privacy legislation, industry guidelines and best practice?
An appetite for risk – cyber insurance and ISO 27001
How does an organisation identify, weigh-up, dissect, quantify, and put a price on information security risk?
An improvement that’s helping administrators manage security risk more effectively is the wider availability of cyber security insurance. Cyber insurance is based on well-understood principles: the greater the risk, the more costly the insurance premium. The same axiom applies when pricing security insurance: the more secure the environment, the lower the premium. When you can identify, price, mitigate, and remediate security risks, your overall security posture is improved and existing business instruments (actuarial tables) can help to calculate the return on investment.
Setting a common, global standard
Without a common standard or framework, it’s difficult to benchmark and test the efficacy of your existing safeguards and policies. The same applies to aligning staff training and policy development to meet upgraded security demands and compliance oversight. To tame overarching security complexity, organisations typically deploy a comprehensive ISMS to identify weaknesses and analyse gaps. Achieving an industry recognised certification also helps to establish trust with industry peers. ISO 27001 is now acknowledged as the preferred ISMS of choice with an army of practitioners and a wide selection of skilled people available to help your organisation quickly effect change and improve all facets of information security.
Understanding the standard
The ISO 27001 standard has been under constant enhancement from its inception as BS7799 in 1995.
Since then, global and regional security legislation has entered law in numerous jurisdictions. Concurrently, practices, policies, and compliance standards have increased the complexity of maintaining and meeting the oversight demands of both local and international sovereignty. Frameworks like ISO 27001 not only layout a security blueprint but offer clear integration roadmap guidelines for SOX, HIPAA or GDPR compliance.
Conclusion
So where to now? If your business depends on complex supply-chains or state government clientele it’s a commercial imperative that you take steps to update systems and processes to meet ISO 27001.
For management and board members who potentially face sanctions, penalties, or public shaming in the event of a “security incident”, investing in prevention is a much better approach that also mitigates the risk to your brand of reputational damage. If you choose to lower risk by investing in cyber-insurance, review whether premium costs are reduced if you’re ISO27001 accredited.
To fast-track ISO 27001 certification, select an accredited assessor like StickmanCyber to review and guide your journey. Set a goal to embed a security mindset into your people and processes to drive better security outcomes. Transitioning to ISO27001 is an opportune time to reset security awareness across your organisation and instil a corporate culture of security first.