Information risk management - a worked example [LONG]

In the past few days, I have been triggered yet again by someone fearing that ISO/IEC 27001 certification auditors may insist that various Annex A controls are applicable and must therefore be implemented for conformity. Apocryphal nightmares about auditors doing exactly that tend to stoke the fear and prolong the myth.

Myth, yes, myth. I've said it before and no doubt I'll say it again: the Annex A information security controls are not formally required for conformity with the standard - none of them, not even one. If you or your auditors believe otherwise, kindly tell us which clause of the standard applies. What are the exact words leading to that conclusion?

Spoiler alert: there are none. There is no such requirement. IT DOES NOT EXIST.

There is, however, a conformity requirement to check through Annex A for any controls that might reduce otherwise untreated information risks, but even then there is no (repeat, no) obligation to implement the controls as stated in Annex A. Organisations can adopt whichever controls or other treatments management deems appropriate ('necessary' in the language of the standard) to address their information risks, provided the risk management process within which these critical decisions occur fulfils the formal, mandatory requirements of the standard as laid out in various main body clauses.

On the ISO27k Forum, Tom told us he is planning for certification in a year or two.
"I have been talking to some colleagues from companies with certification. I have the impression that the auditors want to see all controls from the standard, preferably implemented according to ISO/IEC 27002, and that the risk assessment is actually just seen as a mandatory document with no further value in deciding which controls are required."

The reported auditors' assertion that risk assessment is 'a mandatory document, unlinked to deciding which controls are necessary' is quite bizarre, frankly a load of cobblers. It puts things precisely the wrong way around. Since controls are intended to mitigate unacceptable risks, understanding the risks is a prerequisite to selecting suitable controls. Otherwise there is no rational basis - no business purpose to selecting, implementing, using, managing, monitoring and maintaining the controls, incurring costs that deserve to be justified as with any other business activity, system, project or investment.

Just imagine if someone tried to convince the CEO that a stock of magic beans is a prerequisite for security: would she be persuaded? Would she authorise the 'magic bean stock maintenance' charge in the security function's annual budget?

Course not.

So, Tom, who is evidently inexperienced with ISO27k, is hoping to forestall the situation of having to fight the certification auditors on this point.

I understand and appreciate any audited organisation's reluctance to challenge whatever the certification auditors say, given anxiety about potentially upsetting the auditors and hence not being certified. It is obviously a high-stress point, approaching the finishing line in the race to certification, and the auditors seemingly hold all the power ... but do they? Really?

Let's consider this challenge-the-certification-auditor situation in terms of information risk. Breaking it down, it appears that:
  • The key threat is that the auditor might react very badly to being challenged and make things very difficult for the client.

  • The main vulnerability arises from the organisation's evident desire, determination or need to be certified, and hence management's understandable reluctance to do anything that might compromise achieving such a strong and clear business objective.

  • The main impact is potentially the organisation not being certified (by the present certification body at least*) but more likely [alleged] nonconformities or opportunities for improvement being raised for discussion with management and resolution. Secondary impacts include aggravation, stress, distraction (e.g. inability to deal with coincident incidents or urgent issues), disarray, business disruption, arguments, ulcers, demotivation, resignations ...

Possible risk treatment strategies to mitigate the risk include:
  • Avoidance: don't get audited! Don't pick unaccredited or naive auditors! Hide in the stationery cupboard! Resign and run far far away!

  • Sharing: work with experts used to dealing with ISO27k certification auditors in this kind of situation. Collaborate with management and other specialist functions (such as Internal Audit, Risk Management, IT, HR and Legal/Compliance). Discuss your situation and approach with competent consultants. Escalate genuine concerns about the auditor's competence to the certification body's management, seeking a compromise.

  • Mitigation: proactively reduce various risk factors using various controls (see below).

  • Acceptance: suck it up! Risk is an inevitable part of the implementation and certification process.

Think creatively about various mitigating controls e.g.:
  • Prepare to justify and robustly defend your position to the auditor if necessary e.g. accumulating and retaining sound evidence that you have duly fulfilled all the mandatory requirements of the standard to the letter ... and more besides (demonstrably exceeding the obligations).

  • Implement an IT system or service specifically designed to support formal conformity with ISO/IEC 27001:2022, meaning all the mandatory main clause requirements at least.

  • Use an ISMS internal audit and/or management review a little ahead of the certification audit as a lower-stress opportunity to confirm your conformity, leaving enough time to address any identified nonconformities or improvement opportunities.

  • Rehearse/practice the process of receiving, considering, responding to, debating/arguing/negotiating and closing-off audit findings, recommendations, issues etc. with management and other colleagues, building everyone's competence and confidence.

  • Actively seek to learn about other certifications and audits, either within the organisation or without (e.g. chat this through on the ISO27k Forum).

  • Rehearse/practice/refine your professional interactions with the auditors, or step back and engage someone more suitable, competent and experienced to act as the primary client contact just for the audit.

  • Make an extra-special effort to get everything ready in good time for the audit - all the evidence neatly collated, filed, indexed, reviewed, authorised etc., everyone liable to be audited prepared to play their parts, nerves steadied and emotional+professional support made available [Hinson tip: don't leave anything important to the last minute, when stress levels are inevitably hitting a peak. Plan to complete your studying and revision comfortably before the final exams, with contingency!].

  • Arrange to be kept fully informed by those involved during the course of the audit (e.g. gathering informal contemporaneous feedback from all auditees, with daily briefings for the core team), prioritising and responding dynamically and professionally to emerging issues wherever possible (nipping things in the bud).

  • Fight fire with fire: arrange/prepare to receive, consider and respond to any audit findings robustly, with strong support from management, colleagues, the evidence and the standards. Develop a policy and process for this, if appropriate and helpful.

  • Prepare (if necessary) to escalate serious issues to your own senior management plus those of the certification body (perhaps even their accreditation body) - for instance, pre-warning senior management that you and the team need their support at this stressful time, explaining and pre-agreeing the strategy, and ensuring that you have management's ear during the certification audit (e.g. offer daily verbal status/progress updates to an executive manager?).

  • Investigate the certification body's appeals or complaints process, ideally before needing to use it.

  • Negotiate explicit requirements for ISO27k experienced, qualified and reasonable certification auditors, and clarify an escalation path in case of difficulties, in the contract or engagement letter with the certification auditors, or if that proves impossible, seek alternative accredited auditors (noting that, at this point in the procurement process, the client holds more power than the supplier).

  • Research (using social media etc.) the backgrounds and interests of the individual auditor/s conducting the audit for clues about their hot-buttons - perhaps ask for their CV/s or make informal contact with them prior to or at the start of the audit.

  • Consider the organisation's bottom line/absolute business requirement/s carefully with management: if the auditors turn out to be totally unreasonable, unrealistic and unprofessional, are you prepared to walk away, open a contract dispute or seek a second opinion, or choose another more reasonable accredited certification body? If that is simply unacceptable, just how far are you willing to go to achieve certification? Explore the options and talk through the implications.

  • Rise above it. Retain a strong sense of perspective and a calm, considered, professional demeanour throughout - perhaps even the occasional cheeky or wry smile. Audits are also stressful for auditors. We're all human. Allegedly.

  • Others? I'd love to hear from you if you think of alternative or complementary strategies and approaches, especially any that have worked for you. Email me, please!

Notice that the risk treatments address almost any adverse auditor finding, run-in, disagreement, dispute, difference of opinion or bun-fight - not just wild, outrageous and unjustified claims that Annex A controls are in some sense mandatory. They work to some extent for ISMS Internal Audits and Management Reviews, assorted external audits, even supplier security audits.

In short, this is an opportunity to identify, evaluate and treat the information risk using the very processes your ISMS was designed to perform. Good luck!

* I might even suggest asking prospective certification bodies to confirm, in writing, their explicit acceptance that all the Annex A controls are discretionary, not mandatory, before even appointing and contracting with them. If they are unwilling to do so, look to their competitors for a more enlightened and accurate conformity assessment approach. Ignorance on this fundamental issue may be just the tip of the iceberg.

PS: ISO/IEC 27013:2021 "Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1" was formally amended (patched) in December 2024. A quarter of the 4-page amendment concerns the SoA, including the following absolutely clear and definitive statement:
"The controls in ISO/IEC 27001:2022, Annex A, are not requirements and are not mandatory."
So, there it is, in black and white. My case rests m'lud.