The most challenging parts of ISO27k

What are the most challenging aspects of ISO/IEC 27002 implementation and ISO/IEC 27001 compliance?   The following typical issues are summarised from a paper published in the ISSA Journal by Bil Bragg, a senior consultant from Dionach Ltd., who drew up the list by examining the gap analyses conducted for 20 client organisations. 

The first two concern mandatory requirements for ISO/IEC 27001 certification:

4.2  Establishing and managing the ISMS: few organizations had formally stated the scope of their ISMS or documented their risk assessment method and risk acceptance criteria in accordance with the standard.

6.0  Internal ISMS audits: only one organization had an internal ISMS audit program, and none had undertaken a management review of the ISMS.

The information security controls succinctly listed in Annex A of ISO/IEC 27001 and explained in more detail in ISO/IEC 27002 are not strictly mandatory for certification but are widely implemented and generally accepted as good security practices.

A.6.1  Internal organization: few organizations (especially SMEs) had an information security committee or forum, and had nominated a manager for the ISMS.

A.6.2  External parties: identification and treatment of risks relating to suppliers (including IT outsourcers) and customers was sporadic or missing.

A.7.1  Responsibility for assets: few organizations maintained inventories of intangible information assets.

A.9.1  Secure areas: while physical security gaps varied, they should have been identified through the ISMS risk  assessment.

A.10.7  Media handling: most lacked formal security policies and/or procedures for handling and disposing of media such as USB flash memory sticks.

A.10.8  Exchange of information: many organizations have neither an information exchange policy nor agreements with customers and suppliers on transferring confidential information securely (e.g. emailing confidential information).

A.10.10  Monitoring: few system clocks were time-synchronised, other than on MS Windows systems.  This is obviously important on security systems such as CCTV.

A.11.1  Business requirement for access control: few organizations had systematically documented user and system admin roles for their business applications.

A.11.2  User access management: few organizations regularly and systematically reviewed access rights across all IT systems.

A.11.3  User responsibilities: very weak or default  passwords were common on subsidiary and older systems, including network devices, databases and physical access control systems.  Compliance with clear desk and clear screen policies was very weak in practice.

A.11.7  Mobile computing and teleworking: few organizations had formal policies and procedures for mobile computing and teleworking.

A.12.3  Cryptographic controls: there was seldom a consistent approach to managing encryption methods and keys. 

A12.5.5  Outsourced software development: contracts did not stipulate intellectual property rights, escrow, quality and security requirements nor a right to audit the supplier.

A12.6  Technical vulnerability management: configuration management and security patching processes often neglected utility software such as Acrobat Reader.

A.13.1  Reporting information security events and weaknesses: many organizations lacked formal procedures for reporting security events, and mechanisms to quantify and monitor incidents.  [Cumulative security incident costs are an important strategic metric that helps management justify continued investment in the ISMS, while the detailed cost breakdown focuses attention on aspects requiring improvement.]

A.14.1  Information security aspects of business continuity management: business continuity plans were often either absent or outdated, while continuity exercises were irregular and unrealistic (e.g. limited scope).

A.15.1  Compliance: no organizations had identified all the information security-relevant laws and regulations, and established mechanisms to stay up-to-date on changes.

Many thanks to Bil for permission to share this list. Bil’s original article in ISSA Journal, available online to ISSA members, is well worth reading for additional details and guidance on this.

Without neglecting the other requirements, it's worth double-checking that your ISMS implementation project plans do in fact allocate sufficient resources and time to tackle all the issues identified here.