Failure Points when building an ISMS.
What are the likely causes of an organisation failing in its quest for Certification, or the maintenance of an existing Certification, to ISO/IEC 27001:2013 [Information Security Management System (ISMS) – requirements]?
The International Standard, ISO/IEC 27001:2013, has an extraordinary amount of power; it simply needs a little bit of imagination and true desire to bring it together.
Yes, there are many benefits to Certification, not least of which is providing assurance (confidence) to prospective clients/customers that the organisation has put in place processes to manage the risk of a loss of confidentiality, integrity, and availability of information and data.
In my opinion, I believe there to be a whole heap of confusion out there. This confusion is not necessarily appreciated as being such, but it is there. The march of the cyber-prefix has not helped the situation. As important as cyber security is, it is only a part of the whole picture. And it is the whole picture (within a given scope) that the Certification addresses.
It is this whole picture (within a defined scope) that I am addressing. This is not an exhaustive list.
- One of the first failure points is the inability to interpret exactly what the standard is asking of us.
- The second failure point is vacillating between placing the ISMS in either IT or compliance. Parts of it may sit in both, of course, but then again, perhaps they do not. Cyber security may well sit within IT Security, but it is related to, wait for it, compliance. However, the real point the standard makes is about competencies.
- The next failure point, related to the second, is placing the implementation of the standard into hands with little or no experience of the information security environment. To be frank, a three-day implementation course is not going to do the job either.
- The next challenge, related to the first, falls under the simple heading of risk. A simple heading, yes, but oh my, does it conjure up all sorts of weirdness. Perhaps it is worth pointing out that risk is not a mathematical equation (yet), but is the effect of uncertainty on objectives (ISO Guide 73:2009). This is not just risk, but information security risk management, with the objective of managing the protection of information and data. The standard confirms this right from the off by stating that the organisation will manage: the risks and opportunities to the intended outcome of the ISMS; and the risk of a loss of C/I/A of information (within the given scope). Thinking seriously about that last statement, what does it mean? The organisation must know what information sits within the scope of its Certification. For those with GDPR on their minds (and who hasn’t?), there is a requirement to know what PII is in play and how it flows, and to have knowledge of the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The whole risk process, if undertaken anywhere close to the requirements of the standard, should now illuminate a vast field of interrelated dots. If not, those dots will remain invisible, and the bigger picture will be lost.
- A statement of applicability (SoA), being an output of the entire risk process, is a requirement that documents: all the necessary controls, determined through the risk process; the justification for their inclusion (modifying the risk); their status; and the justification for any exclusion of a control (it may not be relevant, or perhaps a control of your own selection, not outlined in Annex A, suits you better). The bottom line is that if you get information security risk management wrong, your SoA will be a mess. And if you have no information (asset) register, then you have failed to manage the risk to those assets; in essence, you have failed at the fundamental basics that the rest of the ISMS sits on, and going forward you will fail with GDPR.
There is good news, of a sort. ISO produces a series of guidance documents that would enable any organisation to implement an effective, efficient ISMS, and to truly understand and realise the benefits of having one.