Reading between the lines of ISO27001 [L O N G]

ISO/IEC 27001 is a succinct, formally-worded standard for two key reasons:

  1. It is deliberately generic, being applicable to all manner of organisations regardless of difference in location/s, size, industry, maturity, structure, information risk and security status ... and so on. In effect, it specifies the lowest common denominator - the things that ALL organisations should be doing to manage their information security controls, as a minimum. The hurdle is set low enough that every organisation ought to find value in designing, implementing and operating an Information Security Management System as laid out in the standard.

  2. It is a certifiable standard, explicitly specifying the characteristics that every certified organisation's ISMS is expected to have. Again, it is a minimal specification with no concept of typical, average or maximum security: that is entirely down to the organisations themselves to determine, following the information risk management processes minimally defined in the standard.

There are many things the standard does not specify at all, or at least not in detail, for example here is clause 6.3 (new to ISO/IEC 27001:2022):

6.3 Planning of changes

When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.

That's it, the entire specified requirement consists of a 3-word heading and a single 24-word sentence. 

Oh boy.

Let's explore that one example in more detail - a deep dive into interpreting the precise language of the standard [dons lawyer's flash suit and all-knowing smirk] ...

  • "Planning of changes", for starters, is patently about 'planning', but think about all the different ways we 'plan' things. A plan to do anything significant in a business context would normally be a written plan, probably with some sort of summary/overview and more details on the objectives or purpose, the steps/activities involved, the resources required, the timescales, and maybe other aspects such as the business context, constraints, risks and options - different ways to achieve the objectives, or points in the plan where management decisions are made about whether and how to proceed ... hinting at management or administrative or process controls relating to the management of changes, which in turn refers to change-related strategies plus policies, procedures and practices.

  • In stark contrast, my cunning 'plan' to complete this blog piece today is, a best, a vague intention. I didn't even know for sure what it would cover until I got into it. There was no written plan at all, and nobody but me to review and approve it. The objectives were less clear than a smart, dismissive comment from a typically evasive politician. I didn't need to measure or report progress to anyone or explain why I've blown my notional budget of "an hour or so" to write this piece. Was that 'a plan'? Maybe not. For me it was all I needed, so cunning I could have pinned a tail on it and called it a weasel. And patently it worked, because you are reading these very words, so I honestly don't care what you call it. It doesn't matter one jot.

  • OK, so what about "changes"? What is 'a change'? Is correcting a typo on an intranet page about an infosec policy the kind of change that needs to be planned? What if it is not a typo, but several dozen, some significantly affecting the meaning of the words? Is employing yet another SecOps analyst a 'plannable change'? What about the regular shift changes in the SOC? A new strategy? A different tool? An escalating threat? A slight shift of emphasis or priorities? Appointment of a replacement auditor? These are all 'changes' with vastly different implications, all related to some extent to the ISMS.

  • So, should the type and detail of planning reflect the nature and extent of the change? If so, how? 

  • Oh and what is "a planned manner"? That's about as vague as vague can be!

  • Notice all the things that clause neglects to say, such as that the plan should be documented. Hmm, a vague intention to change something about, within or relating to the ISMS, not even expressed verbally, technically constitutes a "planned manner" but, of course, would be virtually impossible to prove to someone, such as an auditor. Hmmmm.

I'm over-exaggerating here to make a point: as formally worded in the standard, that clause is not explicit and detailed enough to clarify the requirement, in which case (formally speaking) we have the latitude to determine things for ourselves ... but having done that, what if the certification auditors have a different determination? What if they interpret the requirement very narrowly, very broadly, or simply differently to us - what then?  

The solution to this little conundrum is to be sensible about things, making a genuine effort to fulfil the likely intent of the clause by, for instance, preparing documented plans for 'significant' ISMS changes (determined according to the context, in relation to whatever is important at that point), having management authorise/approve and resource the changes, stepping through the plans generating evidence to report progress, and retaining as much information as you think might reasonably be required to convince the certification auditors and - more importantly still - whatever is valuable for your own business purposes. Within that flappy envelope, finer details such as what form the documentation should take, or what 'authorise/approve' actually means, are matters for you and your colleagues to determine. 

Go for it! Knock yerselves out!

The easy option in situations like this is to follow convention, doing the usual things in the usual fashion (where that is reasonably obvious), in the hope that the auditor will be happy. However, a conventional approach may not be ideal in any specific situation, in which case taking a different route within the broad confines of the standard is OK but might catch an auditor's eye - so be ready to explain and justify your approach. This becomes more important if your unconventional approach is notably and deliberately strange for particular reasons. Anything markedly out of the ordinary or controversial is, of course, more eye-catching*  

The certification auditors (specifically) are supposed to be doing straightforward compliance auditing against '27001, so any Major Nonconformity they raise ought to specify the clause stating a particular mandatory requirement that is not satisfied. Even Minor Nonconformities should really be related to requirements in '27001, while there is more latitude to point out general issues and 'good practices' etc. in Observations, without explicitly having to cite any corresponding clauses from the standard.

ISMS internal auditors, however, can do whatever form of auditing they are tasked by management to do, poking into whatever they are pointed at, with very little guidance or constraint from '27001. Likewise with ISMS management reviews. You can use both internal audits and management reviews to your advantage in the case of anything unconventional or controversial about your ISMS: presuming the auditors/reviewers notice and bring them up (potentially having brought them to their attention), you have the chance to try out and maybe refine your explanation or argument. If you can't convince them, you will likely struggle to convince the certification auditors, so you might just have to wind your neck in and become more conventional after all. Nice try, but sorry it didn't work out.

OK, now consider how this relates to the rest of the standard, aside from clause 6.3. Issues of this general nature occur throughout the standard. Some requirements are more explicitly and clearly defined, whereas some are even vaguer-er than that "planned manner" thing. 'The conventional approach' is not always obvious, and there are many points of doubt and potential disagreement once you delve deep into the precise language used, trying to relate and apply the standard to what your organisation needs to do in respect of its ISMS. 

Some of those lingering issues can be resolved by:
  • Additional advice/guidance in other ISO27k standards such as 27006, or other applicable standards about auditing, compliance/certification auditing, or accreditation, both ISO and non-ISO ones;

  • The emerging series of Auditor Practice Notes from ISO/IEC JTC 1/SC 27 - most not yet written;

  • Standards, codes of practice, guidelines etc. from audit bodies such as ISACA;

  • "Reading between the lines": despite intentions, the printed words are merely hints to be interpreted by the reader. What do you think the committe was getting at when it wrote, reviewed, revised and eventually published those words? What else might they (we!) have been getting at? How might other people - in particular the certification auditors - interpret the same words?

  • Considering your context - specifically, the business situation and requirements that led you to adopt the standard and implement an ISMS in the first place. Was certification even an essential part of it, or in reality did you actually want to up your game in the area of information risk and security management? Certification is usually optional, so what are the implications of simply doing what is best for the business, regardless of conformity with some ineptly-written unclear and easily misunderstood standard from some distant stuffy committee of so-called experts? Stuff em!

  • Asking for help e.g. raising queries or concerns on the ISO27k Forum. By all means ask us whether your proposed or current approach satisfies the standard, telling us as much or as little as you need to explain it without being too explicit on an open forum. You're welcome to contact me directly about it, preferably with all the nitty-gritty details for a more informed, comprehensive and pragmatic response ... but we should probably enter into a formal agreement first because my time is valuable;

  • Experience. Time served. Situations survived. Challenges conquered. Lessons learnt, and delivered successfully. This is, after all, the reason 'my time is valuable': I've invested most of my working life into this, >35 years so far.
* That may even be a good thing if it diverts the auditors' time and attention from other concerns that you would rather slipped beneath the radar! It's a risky strategy though: the auditors might spot and complain about them both, becoming even grumpier than normal due to discovering this annoying little cluster of concerns. Is it an indication of something deeper, such as governance issues, maybe a deliberate attempt to mislead the auditors? Oh oh. That's bad, very bad.  

Popular posts from this blog

Pragmatic ISMS implementation guide (FREE!)

Image
Early this morning ( very  early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017 . Overall, the meeting was very productive in that we got through a  long  list of expert comments on the preliminary draft standard, debated the objectives of the project and the standard and reached consensus on most points. In summary: 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001 , 27002 and 27005 : These changes are  mostly  minor aside from the new section 6.3 on ISMS changes.
Read more

Two dozen information risks that ISO forgot

Image
Selecting the wrong controls - controls that are inappropriate, ineffective, too costly, impracticable, fragile, unnecessary, counterproductive or whatever, often as a result of blind faith in fads and fashions of the day and FOMO e.g. MFA, AI, cyber Failing to select the right controls - controls that are ideal for the particular situation, both now and in perpetuity, for whatever reason - mostly ignorance and prejudice Selecting and implementing controls at the wrong time or in the wrong way (where 'wrong' includes ineffective, inappropriate, sub-optimal e.g. bolting on controls rather than designing and building them in) Inept and inaccurate identification, analysis and quantification of risk, including reliance on p oor quality (incomplete, inaccurate, out of date, misleading, unreliable ...) information about actual risks, particularly subtle and emerging risks plus those involving deliberate concealment and misdirection e.g. fraud, misinformation, disinformation, propagan
Read more

Philosophical phriday - compliance risk

Image
According to a vendor's promotional video interview I saw recently, the 'cybersecurity compliance burden' has allegedly become so significant that [customer] organisations are eagerly buying [their] software tools and services to help them manage and fulfil their obligations. The vendor's argument goes that, instead of accumulating a ragtag bunch of policies and other controls relating to user Identification and Authentication (I&A), for instance, it makes sense to:  Identify all the cybersecurity-related laws, regulations and standards that apply to the organisation; Examine them for any security control requirements relating to, say, I&A; Rationalise the I&A controls down to the smallest set that satisfies all the requirements - the lowest common denominator; Design, implement, use, manage and maintain those I&A controls; Have the I&A controls checked or audited to gain assurance that the compliance requirements are met.  OK so far? Sounds reasonab
Read more

ISMS internal audit priorities

Image
A thread on the ISO27k Forum sparked my imagination over coffee this morning. Hope had previously asked for assistance with an ISO/IEC 27001:2022 audit plan.  Bhushan offered a lengthy and generally sound response explaining how to use a spreadsheet with tabs to plan and record the audit work performed on 100% of the main body clauses and 50% of the 93 Annex A controls, day-by-day. That's OK ... except it wasn't entirely clear that he was interpreting and elaborating on the standard's actual requirements. ISO/IEC 27001 does not explicitly require, for example, that (as Bhushan stated) "ALL the management system clauses from 4 to 10 AND their sub-clauses need to be listed and audited" in an ISMS internal audit, although evidently he interprets it in that way. In clause 9.2.1, the standard states a requirement for internal audits to provide information on whether the ISMS conforms to the organization’s own requirements for the ISMS plus the requirements of the stan
Read more

Passionate dispassion

Image
Someone who is actively involved in, or is managing, an activity is patently not independent of it. They may well make a conscious, rational and determined effort to be objective, dispassionately reviewing evidence etc ., but their subconscious/emotional biases/prejudices and beliefs/value-systems will inevitably influence what they do. With the best will in the world, they will struggle to challenge and assess their past decisions and activities, especially if they were "certain" or "determined" or genuinely believed they were "doing the right thing". Furthermore, it is very hard for anyone to review the things they did not do, decisions they did not make or options they did not even consider. Mostly, they remain out of sight or out of the question.
Read more

45 ISO Management Systems Standards

Image
The ISO website  currently lists 45 published M anagement S ystems S tandards: 1. ISO 7101:2023 Healthcare organization management — Management systems for quality in healthcare organizations — Requirements 2. ISO 9001:2015 Quality management systems — Requirements 3. ISO 10012:2003 Measurement management systems — Requirements for measurement processes and measuring equipment 4. ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes 5. ISO 14001:2015 Environmental management systems — Requirements with guidance for use 6. ISO 14298:2021 Graphic technology — Management of security printing processes
Read more

Philosophical phriday - a noncompliance ramble

Image
In a previous philosophical phriday post , I moaned about vendors of security compliance support/management tools and services over-promising and under-delivering - an admittedly biased, even cynical opinion piece about the compliance imperative . A recent article in Corporate Compliance Insights notes that "CISOs are not just defenders against cyber threats but also champions of compliance and operational resilience". Hmmm, are CISOs 'compliance champs', really? Today, I'm discussing alternatives to being compliance-driven. How else can organisations drive their information risk, security and related concerns in a positive direction?
Read more

Adaptive SME security Crowdstrike special

Image
As if on cue, along comes a golden opportunity to consider what the Adaptive SME security  approach has to say regarding the Crowdstrike incident: That's not 20/20 hindsight but foresight: I've picked out the most relevant rows from the security controls table published in the guide 24 hours before the incident.  Although Crowdstrike primarily supplies much larger enterprises than SMEs, the incident could equally have afflicted other security software, or indeed operating systems such as Windows and assorted cloud apps commonly used by SMEs. Regardless of the details, it is a wake-up call, an opportunity to consider and respond to the information risks ... and to adapt , accordingly.
Read more