ISO 27001: that's too difficult for us
12:00 Tuesday, 27 October 2020
UK Cyber Security Council
Allow me to declare an interest: I am a big fan of the ISO 27001 family of standards. Having led the implementation of an ISO 27001 Information Security Management System (ISMS), and advised on several others, I recall two facts that were common to all of them: the introduction of the ISMS made security operations better; and in all cases, one of the biggest problems was showing the people involved that although the standard is far from trivial, it is nothing like as complicated as they feared.
The perception of complexity is perhaps a puzzling one, because ISO 27001 is not War and Peace. Notwithstanding the fact that the associated documents can be lengthy (ISO 27002, which will be core to your implementation exercise, is an example), the main ISO 27001 document is a mere 34 pages, including the cover at the front and the blurb at the back. The perception of complexity is magnified by the size of the various books you can buy to help you through ISO 27001: the first three results in an Amazon search a moment ago for printed books about ISO 27001 were 408, 244 and 196 pages respectively.
In its 26 pages of meaningful prose, the standard lays down, in black and white, the components of an ISMS: the fact that ISO 27001 is primarily a risk management standard; the need for top management support from the outset; risk assessment and treatment; performance evaluation; continuous improvement; and so on. Annex A gives a starting point for a list of risk areas and associated controls, with ISO 27002 providing detailed ideas for how to implement the controls in each area.
So where is the problem?
As with many standards, the “what” is described very clearly, but not the “how”. That is, the documentation tells you the required outcome but not how to get there or the ingredients you will need along the way. It also hints at some of the skills you will need either in-house or via external assistance – not least in the bibliography where it refers to ISO 31000, “Risk management — Principles and guidelines”. ISO 31000 is a set of standards dedicated entirely to risk management, and in fact if you take any of the formal courses to become a qualified ISO 27001 implementer or auditor you will spend time in standards such as ISO 31000 and, in the case of the audit course, ISO 19011 (“Guidelines for auditing management systems”) too. But there is no need to panic in either case: getting the basics right takes just a few hours’ learning.
The average ISO 27001 implementation will need some external advice: this is the fastest and safest route to certification, as an experienced implementer will steer you around the pitfalls instead of letting you fall into them. In the general case, though, with bright people and a modest amount of training, your reliance on the third party will tail off quickly and you will surprise yourself with a self-run ISMS that you understand, maintain and continuously improve.