Business & Technology Risk PartnersChris Hall's ISO27001 Blog and FAQ

What parts of ISO27002 must we comply with to be compliant with ISO27001?

There is nothing in ISO27002 that you must comply with in order to be compliant with ISO27001. If you decide that some (or all!) of the controls in Annex A of ISO27001 apply to your organisation (and are stated as such in the Statement of Applicability) then you must comply with the wording of those controls in Annex A and NOT, I repeat NOT, what it says in ISO27002 about those controls.

The exception to this is if you have decided and have stated that you will comply with whatever bits of ISO27002 you have decided are important enough for you to want to manage with your Information Security Management System.

In summary, you decide what controls are important to you and this does not need to be any of the Annex A controls and/or any of the guidance in ISO27002.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

Do I need an Information Asset Register to comply with ISO27001?

Firstly, what is an Information Asset register?

From an ISO27001 perspective there are two quite different “asset” inventories that you might choose to create. The first of these is an information asset register. This used to be a mandatory requirement in the old version of ISO27001. Simply put it is a list at a high level of the "information" that you are wanting to protect. It is usually a fairly short list measured in tens and not hundreds of items. Examples might be things like “Credit card data”, “PII”, "Personnel paper files", “Payroll data”, "Health records", "Board minutes", "Product Designs", "Customer details", "Intellectual property, "Pricing details", “Customer database”.

The second type of asset register is the conventional one that is a detailed long list of typically IT “things” such as hardware, laptops, servers, software assets, etc. Most organisations will have something of this kind.

Second. Why would I want an information asset register?

You are doing ISO27001 because it helps you manage your information risks – i.e. the risks to your “information” or more specifically, the risks to your information assets. In practice it is hard to see how you can understand your information risks without understanding what it is you are trying to protect - i.e. your information assets. Even if you don’t write it down in an information asset register you will certainly need a good understanding of your information assets. One way of undertaking the risk assessment is to go down your list of information assets and ask the question “What bad thing could happen to this?” Also, when you have done your risk assessment a good idea is to cross check it with your list of information assets (documented or in your head) to make sure you have not missed any important risks.

Third. Must I have a documented information asset register to comply with ISO27001?

The simple answer is no. You do not require an information asset register in order to comply with or be certified to ISO27001. There is nothing in ISO27001 that makes having an information asset register a mandatory requirement.

I have formally audited (for certification) organisations that did not have an information asset register and issued them with an ISO27001 certificate. I have successfully implemented (and obtained certification to) ISO27001 for organisations without an information asset register. In all cases these organisations did have a clear understanding of their information assets but they did not have a register or a list of them.

Fourth. But what about control A8.1.1 in Annex A which is about Asset Management?

You may decide as a result of your risk assessment that control A8.1.1 in Annex A is a useful control to you to help you manage your information security risks. There is nothing in ISO27001 that forces you to implement this control. If you do decide this control is important and state in the Statement of Applicability (SOA) that it is applicable then you must comply with its requirements as stated in Annex A. The wording of this control is “Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.”. You may interpret this as meaning that you need an information asset register and/or you may interpret this as meaning you need a list of (say) laptops. This is up to you based on whatever you believe you need to manage your information security risks. ISO27002 gives some guidance on this (and all other Annex A controls) but you are free to ignore all the guidance in ISO27002 if you think that it is not appropriate for you.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

Where does ISO27001 fit into the overall approaches to Business Continuity?

Not exclusively about ISO27001 but some thoughts on this. Note that most of this is not about IT.

Prevention is good. If you can stop bad things happening then you should do so. Information Security tends to be mostly about prevention. Locks on doors, security guards, malware protection, fire alarms, sprinkler systems and access control are some simple examples.

Resilience is good but not as good as prevention. So maybe you can’t always stop the bad things happening but if you can design and build in some resilience in case the bad thing happens than the disruption is minimal. Have extra telephone lines. have dual everything. have backups, use RAID, have UPS, etc.

Crisis Management/Major incident management is good but not as good as prevention or resilience. So, your prevention did not work and your resilience was not good enough and you now face a crisis or major incident. You should design and build approaches to dealing with Crisis/major incidents. Have a Crisis management team. Lots of companies in the public eye have done very badly at this.

Business Continuity planning is good. So, your prevention and resilience and crisis management approaches did not manage to keep your business going. Now what? I view Business Continuity in this context. I.e. what plans have you put in place (and tested) to deal with the fact that all your approaches to prevent your business being about to fail in a big way have not worked. The IT is all gone and won’t be back for days, the building is burnt to the ground, a major supplier went bust, there has been major data breach, etc.

Disaster Recovery. This is a somewhat unfortunate phrase since for most people it means the obvious – i.e. there has been a disaster and how do we recover. However, in BCM it is usually taken to only cover the IT. I.e. if the IT all goes wrong then how do IT recover from it. Major power failure and the generators failed to keep the IT going, the data centre burnt to the ground, we have been subject to a ransomware attack and the backups did not work, etc.

Note we could have a debate about some of the categorisation. For example, backups could be regarded as a prevention, resilience, business continuity planning or disaster recovery activity.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

How long does it take to implement ISO27001?

This depends on many factors – for example management commitment, scope, size of organisation, number of locations, budget, etc, etc.

For most organisations there are two main approaches to towards the extremes of how this might be done.

The first is where there is more pressure on timescales and is essentially a “fastrack” approach that aims to implement an ISMS and obtain certification in a fixed timescale. External consultancy help with this is likely to be more full time – notably at the start and towards the end of the implementation. BTRP offer this approach to implementation and for most companies this can be achieved in less than 2 to 3 months on a fixed fee basis where the fee is not payable until the organisation has obtained certification.

The second of these is over a longer period and might typically take a year or more. This can be a useful approach if there is no real time pressure to implement the ISMS. External consultancy help with this would typically be part time – perhaps a day or so a month. BTRP offer this approach to implementation on a day rate basis.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

I run a service organisation that delivers services from a head office but I also have people and kit on site at client sites. Do I have to list all the client locations on the ISO27001 certificate?

Most if not all certification bodies will insist that the certificate states the address of the locations covered by the ISMS. This will be done either in the scope statement or on 2nd and if necessary, subsequent pages. Stating “all locations” would not be sufficient.

Note that this is normally considered to be those locations where the services are delivered “from” rather than “to”. I.e. if you certified a plumber you would not specify all the places the plumber delivers services to but you would include all those locations that the plumber worked “from”, assuming you had defined them to be in your scope.

In terms of what locations services are delivered “from”, again this would normally be considered those locations where there are people or equipment, etc that are within the scope of the ISMS. I.e. a “dark” data centre would be included even if there are no people there.

If you have people or equipment on site at a clients site and these people and equipment are in the scope of the ISMS then the certification body is within its right to say that those locations should be stated on the certificate. The only exception might be if these locations are only operated in for a short time.

However, you can make it clear in your scope statement that you are only including those people and locations that you want to. I.e. if you want to specifically include or exclude people and locations then you can do so by appropriate wording of the scope statement. Hence the reason why the certification body would want to include a list of locations on the certificate.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

What is it that is mandatory to implement in ISO27001?

The standard consists of clauses 4 to 10 only and all these clauses are mandatory. Of course, in order to implement clauses 4 to 10 you will have to implement many processes, etc. You will also have to implement those controls that you have identified in your SOA as being applicable to manage your risks.

Contrary to popular belief there are no mandatory controls in ISO27001. I say this because there are many people who believe (wrongly) that you have to implement the Annex A controls or at least those that you cannot say do not apply to you. This is wrong.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

How are ISO27001 and GDRP related?

GDPR is not inherently about information security and information security is just one component of GDPR. Nonetheless, the GDRP regulation does talk about security and includes this text.

“In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.”

It is also the case that an organisation must be able to demonstrate what it has done to meet the requirements of the regulation. In practice there is a growing recognition that using ISO27001 to help meet this requirement is beneficial as well as providing answers (and a defence) to the questions that would inevitably rise in the event of a breach.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

Is implementation of all the security controls identified in the SOA mandatory to achieve ISO27001 Certification?

Part of the standard says that the controls need to be implemented but the SOA wording requirement says that you have to indicate if a control is implemented or not. So no but don’t expect to get certified if none of the controls have been implemented.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

When I make changes to the Statement of Applicability do I need to tell the certification body?

The ISO27001 certificate states the version number of the Statement of Applicability (SOA) it applies to so in theory you need to tell the certification body every time it changes. In practice this rarely happens and even if you did tell the certification body it would depend on why it changed as to if a new audit would be required. It does not really make sense to say that a new audit is required if you add one control to the SOA or you change the status of a control to say “implemented” from “not implemented” since that is just the ISMS in action and working.

For various reasons including the above I strongly advocate that people keep their SOA as simple and as short as possible and that it only meets the absolute minimum requirements of the standard. That is not to say you may have other documents with the list of your controls and various attributes of those controls but then that is not your SOA.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

When I make changes to my ISMS do I need to tell my certification body?

When you make any change of any kind to your ISMS you may in theory need to tell your certification body. Look at the fine print of your contract with them for their rules about this. Also, ask them “What changes to my ISMS require me to tell you about them?”. Clearly there are some pragmatic decisions to take about this. If you change the footer on a document it would be ridiculous to tell the certification body. Also, if you update the risk assessment as a result of implementing a risk treatment action it also does not make sense to tell the certification body. If you change the name of your company and move offices and merge with another company and change the scope in various ways you will almost certainly have to tell your certification body so they can decide what to do. In practice people rarely tell their certification body anything between their certification audits unless the scope of the ISMS has changed and they may need to get the certificate updated to reflect the scope change.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

What is the best source of good practice on Business Continuity Management?

Not really about ISO27001 but some thoughts on this. Note that most of this is not about IT.

ISO22301.

The ISO Business Continuity Management (BCM) standard. Like ISO27001 this is about how to manage Business Continuity rather than the detail of how to actually do it and has been criticised because it does not have a lot of detail in it. If organisations want to be certified from a BCM perspective then this is the one to implement and follow.

ISO22313.

This is the guidance document for ISO22301 in the same way that ISO27003 is the guidance document for ISO27001. It contains a lot more detail about how to actually do BCM. I normally recommend that organisations implement/follow this rather than ISO22301 unless they want to be “certified” as such.

The Business Continuity Institute Good Practice Guide 2018.

Contains lots of good stuff about the overall approach to BCM although is sometimes a bit philosophical for my liking. However, it does give a good overview of the different types of Business Impact Analyses.

The good news is that (deliberately) all three of these have similar definitions for lots of terms. However, in my opinion I still think some of these terms are a bit unclear and I think that some of this is because traditional BCM people have been looking to expand the scope of their activities – for example into “Organisational resilience” rather than BCM as such.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

Do I have to implement the controls in Annex A?

No. There are many ISO27001 people who wrongly have the view that implementation of applicable Annex A controls is mandatory to achieve ISO27001 certification. This is not correct. If you read the standard carefully you will see that you only have to use Annex A to undertake a cross check that your risk assessment has not accidentally missed out some important controls but these potentially missing controls do not have to be from Annex A. They can be “custom” controls and there are many advantages in doing so. It is the case that in the old version of ISO27001 controls to manage the risk had to be selected from Annex A but in the 2013 version of the standard that requirement was removed. This allows organisations to use their “real” controls in their risk assessment rather than artificially use Annex A controls and this can help considerably with “ownership” of the risks and controls.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

What are the mandatory documents in ISO27001?

It is worth quoting the standard with respect to this.

"The organization’s information security management system shall include:

• a) documented information required by this International Standard; and
• b) documented information determined by the organization as being necessary for the effectiveness of the information security management system.

NOTE The extent of documented information for an information security management system can differ from one organization to another due to:

• 1) the size of organization and its type of activities, processes, products and services;
• 2) the complexity of processes and their interactions; and
• 3) the competence of persons."

Therefore, there are 2 requirements. Taking the second one first - b) then this is open to a bit of interpretation and discussion. A good example is external and internal issues. There is no requirement to document these and in an organisation with 5 people it is probably not worthwhile. In a larger organisation, it would be reasonable (and a good idea) to document them even though the standard does not require it.

In some cases I suggest you document stuff anyway since it is the easiest way to convince the auditor that you have done it.

The first requirement a) ought to be easy but the standard is slightly unclear in some areas – for example what does “retain documented information about the information security risk assessment process” mean? It is reasonable to assume that it means that the risk assessment itself is documented but does it also mean the process document itself needs to be documented, etc?

The nearest thing that is an official list is in the as yet unpublished (and draft) new version of ISO27007 which lists these as being the requirements for documented information:-

• 4.3 Scope of the ISMS
• 5.2 Information security policy
• 6.1.2 Information security risk assessment process
• 6.1.3 Information security risk treatment process
• 6.1.3 d) Statement of Applicability
• 6.2 Information security objectives
• 7.2 d) Evidence of competence
• 7.5.1 b) Documented information determined by the organization as being necessary for the effectiveness of the ISMS
• 8.1 Operational planning and control
• 8.2 Results of the information security risk assessments
• 8.3 Results of the information security risk treatment
• 9.1 Evidence of the monitoring and measurement results
• 9.2 g) Evidence of the audit programme(s) and the audit results
• 9.3 Evidence of the results of management reviews
• 10.1 f) Evidence of the nature of the nonconformities and any subsequent actions taken
• 10.1 g) Evidence of the results of any corrective action

Note that there is no requirement to document the processes for any of the Annex A controls (or keep their records) unless you have chosen the control in the risk assessment as managing one or more risks. But, as is said above you should do so if you need to do so to ensure the effectiveness of the ISMS and as I have suggested, in some cases you should keep records so you can prove to the auditor that something it working OK.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

What do I have to do if I need to change the scope of my ISMS?

There are two main aspects to any change in ISMS scope.

Firstly, what effect does this change have on your ISMS? In principle this is simply a matter of looking at all the clauses 4 to 10 and seeing if anything needs changing and then making the changes. The risk assessment is the most likely candidate for change but it could affect several clauses.

Secondly, how does this affect your certification? Will this affect anything that is said on the certificate? Also, look at the fine print of your contract with the certification body for guidelines on what they expect to happen if you change the scope. However, the main thing to do is ask your certification body what they expect to happen as there are a few ways of dealing with scope changes depending on many factors.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

My company would like to implement ISO27001 for certification purposes but ONLY to the IT Department. Can we do this?

This is not unusual and you can do this but you might face some challenge from your certification body and auditor since they might query why you want to do this and how you have come to this from the context of the organisation. However, they will probably let you do it subject to careful wording of the scope statement on the certificate.

The IT department is not likely to be the owner of most of the information assets “managed” by IT and this causes some complications. I suggest you focus on the risks and less on the information assets as such since this will then help decide the controls irrespective of the “owners” of the information assets. You do not have to have an information asset register or explicitly refer to information assets anywhere in order to implement an ISMS that is compliant with ISO27001:2013. But it helps.

The main challenge tends to come from the fuzzy boundaries with other departments and this will depend to some extent on how formal the services are and how formally segmented IT is from the rest of the organisation? This segmentation can be physical, organisational, etc. If there are formal detailed SLAs this can help but without these the boundaries of the scope can be very problematical.

If other parts of the organisation outside the IT function can affect the information risks managed by IT then must identify these risks and what you are going to do about them. As an example, if someone in HR could accidentally do something that could cause significant damage to the IT services then what controls are you going to put in place to manage that risk? As a simple example, if the HR department physically sit next to the IT department does that give risk to any information risks?

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

Do we need to do a gap analysis for ISO27001 certification?

It is worth looking at some of the types of activity of this kind.

Stage 1 audit.

Mandatory. Various phrases are sometimes used to describe this including “pre audit”, “system audit”, “documentation audit”, etc. Its primary purpose is to assess how ready you are for the Stage 2. In theory, it does not matter if you “fail” your stage 1 audit as you can’t get your certificate until the stage 2 anyway. A stage 1 will not normally look at any controls and may not look in depth at all the clauses of ISO27001. If you want to be sure that all your clauses and controls are all OK for the stage 2 then you should be careful of relying on the stage 1 to give you this assurance.

Gap analysis.

Optional. Can be done by anyone. If done by a certification body they will need to be very careful how they approach it and word their recommendations so they cannot be accused of designing or implementing any of the clauses or controls since this would give them a conflict of interest. What gets looked at is up to you but is usually all the clauses plus at least some (and usually all) of the controls. This is usually done quite early on in the implementation of the ISMS so that you know what you need to do prepare for the certification audit. You can do as many of these as you want and whenever you want.

Pre audit/Trial audit.

Optional. Can be done by anyone. If done by a certification body they will need to be very careful how they approach it and word their recommendations so they cannot be accused of designing or implementing any of the clauses or controls since this would give them a conflict of interest. Usually tries to be as close to what the stage 1 and stage 2 audit would actually be so that interviewees, etc get a taste of what it is like being audited. What gets looked at is up to you but is usually all the clauses plus at least some (and usually all) of the controls. What locations you do this at is up to you but if you can find out from the certification body what locations they are visiting for the stage 2 then of course you can target your pre audit at those locations. Normally done just before the Stage 1. Whether you need one is dependant on how confident you are that all is well and how important it is that you pass the audit at the first attempt. You can do as many of these as you want.

Internal audit.

Mandatory. Best to do it before the stage 1 but if you don’t mind getting a major nonconformity at the stage 1 then as long as you do it before the stage 2 you will be OK. You must have done one before you can be certified. Can be done by anyone except the certification body (see ISO27006 5.2.1 a) but as per the ISO27001 9.1 requirements, whoever does it must be objective and impartial. What gets looked at is dependant on what you have defined in your ISMS to meet the requirements of 9.2 but is usually all the clauses plus some of the controls at some of the locations, etc.

It is possible to combine in various ways some of these as long as you take into account the above notes. Specifically, the certification body cannot do the internal audit but are of course the only people who can do the Stage 1.

Certification bodies that say they can do a gap analysis as part of the Stage 1 can do so but you cannot then use that gap analysis to meet the internal audit requirement and this is why some certification bodies will tell you that this is a conflict of interest. Some of this confusion is about people sometimes using the above terms interchangeably.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

How long must an ISMS be running before it can be certified?

You will get different answers about this but fundamentally it is about having sufficient evidence to prove that it is operating OK but this is not absolute. Some more thoughts on this.

1) You must have done an internal audit and have done a management review (even though it may not have much to say).

2) You do not have to have evidence of all occurrences of everything – if you have not had a breach then that is OK. Do not implement a new visitor logging process on Friday when the Stage 2 starts the following Monday as you will not have sufficient evidence to prove that it is operating OK.

3) Ideally you should have some previous versions of your risk assessment to be able to demonstrate it being updated as a result of the implementation of the risk treatment options. See clause 8. But you will probably be OK as most certification bodies/auditors will not expect to fully assess this until the first surveillance audit.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

What advice do you have for smaller companies when approaching ISO27001?

I assume you are looking to be formally certified since if not then it is all somewhat easier.

It partly depends on your timescales and reasons for doing it. If you have pressing timescales and a strong business imperative to become certified then you should get some external support but choose wisely. There are a lot of consultancy firms and people who claim to understand ISO27001 but do not understand it as well as they should and make it much more complicated and time consuming than it needs to be. If there is no urgency then it can be done without external support but you should balance that against the time it will take you and the risk that you have not interpreted the requirements correctly.

However, you should aim for someone external to do a “pre assessment”/”gap analysis” after you think you have implemented most/all the clauses. You can also use this to help meet the Internal ISMS audit requirement. Choose wisely who you get to do this! For a small organisation, this should not take more than a day or two at most.

What to read? I suggest (in order) – ISO27000 (free), ISO27001 and then ISO27003. I suggest you leave ISO27002 until a bit later. Contrary to popular belief you can completely ignore ISO27002 if you want to although it does contain some stuff that might be helpful to you.

If you are a small organisation I would usually suggest you keep it simple by having a scope which is the whole organisation or you can get boundary issues.

Again, contrary to popular belief, ISO27001 does not require lots of documentation but there are some things I suggest documenting even if the standard does not formally require it – e.g. issues and interested parties.

You should keep your risk assessment to a manageable size. The actual number of risks depends on lots of factors but I suggest that for a small organisation any more than (say) 30 risks is going to be too many to manage.

Again, as has been said, keep your number of controls to a manageable number but it is harder to give an actual figure for this. Although there are some pros and cons, unlike most consultants I recommend that you do not choose your controls from Annex A and make all your controls “custom controls” as defined and explained in ISO27003. This can simplify things considerably for small (and large!) organisations.

Oh and don’t forget that you are very likely to fail unless you have management support.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

How do you find an internal auditor if you are a very small company given that the auditor has to be independent?

Lots of people (including me) use the term independence when talking about who can undertake the Internal Audit but the standard does not use the word independence. It uses the phrase “select auditors and conduct audits that ensure objectivity and the impartiality of the audit process”.

Someone might not on the face of it be “independent” but can still be “objective and impartial” but proving this to the certification auditor can be tricky.

A consultant who helps with an ISMS implementation could undertake an Internal ISMS audit before they start their implementation work but this only works if enough of the ISMS has been implemented to make the Internal ISMS audit meaningful.

It could be argued (and some certification auditors will do so) that if you are employing someone to undertake the internal audit who works for the same company as the consultant who implemented the ISMS they cannot really be regarded as independent. The could easily have a conflict of interest since they might be reluctant to “criticize” a colleague’s work especially as it may imply that the consultant who implemented the ISMS did not do a good job. However, this does not necessarily mean that such an auditor should not be used and cannot be objective and impartial which is the requirement of the standard.

In terms of looking for people to undertake internal audits (it does not have to be one person) you should be looking for someone who can take that fresh “untainted” look at what has been implemented and has the skills to do so.

This is relevant in very small organisations where it is likely to be difficult to find someone who is truly “independent” but it may well be possible to find someone who can be “objective and impartial”. However, convincing a certification auditor in these situations could be a challenge.

With my certification audit hat on there are many aspects to look for. I am certainly a bit suspicious if the internal ISMS audit is done by someone from the same organisation (internal or external) that did the implementation but the main proof comes from looking at the detail of the report(s). It is normally fairly easy to tell if the people who did the internal ISMS audit(s) were “objective and impartial”.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

How should I respond when a certification auditor raises a finding?

A few thoughts, suggestions and options for this.

1) For most certification bodies the onus is on the auditor to prove and get agreement to the finding before they can raise it. They need to persuade the client by “force of argument and evidence”. Easier said than done and many auditors will just say “I am raising this whatever you say”.

2) You say thank you and move on and “fix” the finding. If is an easy fix and this is not a major non-conformity (or even if it is) then this is probably the best action.

3) You could ask for the certification body definition of a finding and how they should be categorised and check it against the finding.

4) You ask for the evidence supporting this and against what clause(s) of Section 4 to 10 of ISO27001 are you raising this finding?

5) You ask them to check with their boss/technical reviewer that they agree that this is a finding and its classification, etc.

6) You could agree to the finding but then do nothing on it. Not recommended. Ignoring findings is a bad idea.

7) You could agree to the finding but then do something minimal on it to address it. A bit risky but might be worth it.

8) You could agree to the finding and do nothing with the finding as such but ensure you get documented evidence from each of the affected risk owners that they accept the risk (and that you have followed your risk methodology) and then be prepared to argue your point.

9) If the finding is raised and you disagree then you can escalate informally to the certification body. Depending on the certification body, etc this might work. Don’t forget that you have a commercial relationship with the certification body and it is not really in their interests to upset you as you may then decide move to a different certification body.

10) If the finding is raised and you disagree then you can raise a formal complaint to the certification body. However valid your complaint is they won’t like this as their Impartiality Committee and accreditation body will get to hear about it.

11) You could ask for the name of the chair of their Impartiality Committee and raise it direct with them. Again, they won’t like this.

By and large, your best option is to “take it on the chin” and fix it unless it is a major non conformity which would stop you getting the certificate or you are going to get fired or not get your bonus, etc, etc…

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

How do I use ISO27001 Annex A with other control lists – e.g. NIST and PCI DSS?

• Annex A in ISO27001

  The standard does not require you to use Annex A controls in your risk assessment but you can if you want to. ISO27001 does require you to do a cross check of your controls with Annex A after you have done your risk assessment.



• ISO27002

  This can be very useful guidance if you have selected any Annex A controls in your risk assessment. Remember that to be compliant with ISO27001 you do not have to do anything in ISO27002 unless you have decided that some of what it says is a necessary control or part of a control to manage one or more of your information risks.



• NIST, HIPAA and FEDRAMP.

  These may be of significant relevance if you are in the USA but NIST is also used around the world.



• ISO27018.

  ISO27018 - “Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” and data protection/GDRP legislation may be relevant if you are doing anything with personal data.



• PCI DSS

  PCI DSS is likely to relevant if you are doing anything with credit cards but is also a pretty comprehensive and detailed list of controls for managing risks to any confidential data.



• ISO27017 and CSA

  ISO27017 - “Code of practice for information security controls based on ISO/IEC 27002 for cloud services” and the Cloud Security Alliance (CSA) list of controls may be useful if you are doing anything with the cloud – either as a cloud service provider or cloud service user.



• Cyber essentials

  Cyber Essentials and Cyber Essentials+ may be relevant if you are in the UK.



• NIS

  The “Networks and Information Systems” (NIS) directive controls may be relevant if you are in the EU and work in a relevant sector – e.g. supporting critical infrastructure.



• SOC 2

  SOC 2 is more IT based and heavy going but may be required for some Business to Business services - notably IT services.



• COBIT and ISF

  COBIT and the Information Security Forum (ISF) are a couple of the more generic lists of controls that may be useful from an information security perspective.



• Other sector specific lists

  Other sector specific lists – for example for SCADA may be useful.



• Other country specific lists

  Some countries have specific frameworks – I have mentioned some of the UK and USA ones above.



• Etc!

  There are lots of others.

Some of these (e.g. FEDRAMP, Annex A as part of ISO27001, PCI DSS, SOC 2) can be subject to formal accreditations/certifications if required. Others (e.g. ISO27002, COBIT, ISF) are written more as guidelines and are not really subject to formal accreditations/certifications.

You can get mappings between these lists but I suggest that you should be very careful with them. These mappings are mostly very poor and at best give a very rough indication that control “X” in list “A” may have some words and/or a slight similarity/overlap with control “Y” in list “B”. But these mappings do not mean that if you have implemented control “X” you have also implemented control “Y”. Most of the mappings I have every looked at have been rubbish.

So, which of these control lists/frameworks/standards/guidelines should you look at?

Some of these may be mandatory for you for various reasons and you should check to see if that is the case. (There is a separate discussion to be had about how to deal with mandatory controls that are not strictly required to help you manage your information risks but that is outside the scope of this discussion.)

Which others you should then look at is really up to you and depends on many factors. As described earlier, because you are doing ISO27001 you have to consider Annex A. You do not have implement any of the Annex A controls but you do have to do the cross check with Annex A. I also recommend that people do consider doing the cross check against some of the others – for example NIST and PCI DSS.

Don’t forget that the starting point is your risk assessment. If you ignore for the moment the mandatory controls you need then these lists of controls and frameworks can be a very useful cross reference check to see if you have missed anything important in your risk assessment. I advise you to do the risk assessment first and then do the cross-reference check(s) , as noted above, rather than use one or more of these lists to drive the content of the risk assessment. If you do this then you are then much more likely to get a risk assessment that is relevant and useful for your organisation.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

How meaningful is a supplier's ISO27001 certificate and how do I check that it is valid?

There are several checks you can undertake to determine if an ISO27001 certificate has any meaning to you. How many of these you undertake will vary depending on many factors.

Some possible checks and activities are:

• Check that it is in date – i.e. has not expired.
• Check the scope statement carefully. Does it cover the locations, business processes, organisation name, systems, etc that are of relevance to you? Do not assume that because an organisation has ISO27001 that it is covering the service it is giving to you. If in doubt ask for clarification. As well as having a scope statement on the certificate many organisations also have a more detailed scope document which they will probably not be prepared to send you but there is no harm in asking for it.
• Contact the organisation and ask them for a copy of the Statement of Applicability (SOA). This lists all the controls that the organisation has defined as being important to manage their information risks. The SOA will also contain a statement about whether the control has been implemented or not. Look carefully at the SOA and be comfortable that the controls are reasonable and valid from your perspective. Some organisations will be very reluctant to send you their SOA but press them as it is specifically named on the certificate. If they are not willing to send you it they may be able to show you it on a screen so you can at least see its contents. Do not assume that because an organisation has ISO27001 that it has implemented controls that are relevant to you.
• Although the organisation is fairly unlikely to send you it, you can also ask for a copy of the last certification audit report issued by the certification body (CB). This is potentially very useful to you as it will show what controls the auditor tested at their last visit and when it was. It will also show what locations they visited. The certification audit report will also list any weaknesses or problems that the certification auditor found. ISO27001 certification can be obtained and kept when the ISMS and associated controls are operating with weaknesses and faults as long as, of course, that these are not major weaknesses or faults.
• Certification auditors do not test all the controls listed in the SOA at each visit and the initial certification may only test perhaps a third or so of the controls listed in the SOA. You should not rely on the ISO27001 certification to give you absolute assurance that the controls have been independently tested by the certification auditor.
• You may have some specific controls that are of importance to you that you want to focus on whether they are listed in the SOA or not. As an example, supplier vetting of their own staff from a security perspective may be very important to you and if so you may want to ask about this specifically with your supplier. Do not assume that because an organisation has ISO27001 that it is fully operating effectively and properly all the controls that are important to you.
• You might want to consider when the organisation was initially certified – was it recently? If the organisation was recently certified this may mean that the management of information risks is currently fairly high on managements thinking but on the other had it may mean that the management of information risks is not so fully embedded. It is also very likely to mean that not all the controls will have been tested by the certification auditor. If the organisation has been certified for several years then this could be seen as a good sign and that most if not all the controls will have been tested at some point. But, it may also mean that the management of information risk is not so high on managements thinking.
• You might also want to consider the reputation of the certification body. This is harder to assess – especially as even some of the “big” name CBs can and do have certification auditors of varying quality and consistency. Note also that some CBs specialise in certain sectors and this may not be appropriate from your perspective. Not all CBs are equal – even those ones properly accredited (see below).
• The certificate will state the name of the CB. I.e. the organisation that issued the certificate. Contact the certification body and ask them to confirm that the ISO27001 certificate is valid. It may have been withdrawn. Some certification bodies have web sites where you can do this check. If not then you should email them and ask.
• Look on the certificate or the CB web site and find out who has accredited the CB. I.e. this is the organisation that has “accredited” the CB to issue certificates. As an example, in the UK this is most likely to be UKAS. Look on the web site of the accreditation body and check that the CB is accredited to issue ISO27001 certificates. Note that some CBs are, for example, accredited to issue ISO9001 certificates but not ISO27001. As an example, this is the list of CBs accredited by UKAS (in the UK).UKAS ISO27001 certification bodies. If the CB is not accredited to issue ISO27001 certificates then you are strongly recommended to ignore the ISO27001 certificate.
• When you have the name of the accreditation body you should check on the International Accreditation Forum(IAF) web site that the accreditation body is a member of the IAF. The IAF is a body that oversees the accreditation bodies. This is the list of accreditation bodies that are members of IAF. IAF members If the accreditation body that accredited the CB is not in the list in the link above then you are strongly recommended to ignore the ISO27001 certificate.

In summary, how much weight you give to an ISO27001 certificate from a supplier is for you to decide but don’t forget the importance of other typical supplier controls – for example monitoring the performance of your supplier from an information security perspective.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

ISO survey on how many organisations are certified to ISO27001

You may find it interesting to see the results of the ISO survey of worldwide ISO27001 certificates by year, country, sector, etc, etc, It includes data on other standards - .e.g. ISO9001. (The link is at the bottom of this blog entry)

It shows that ISO27001 is the third most popular management system certification and showed an increase in certifications of 19% from 2016 to 2018.

The total number of ISO27001 certifications in 2018 was nearly 40,000. It is most popular in East Asia and the Pacific followed by Europe. As in all previous years the number of certificates in North America is relatively small although has shown an increase of 43% from 2016 to 2018.

The biggest sector worldwide is Information Technology. Japan has the most certificates.

The information is gathered by asking certification bodies that have been accredited by an accreditation body that is a member of the International Accreditation Forum. It excludes those certifications by (how can I put this) somewhat questionable certification bodies of which there are quite a few. Until a few years ago the results of the survey were only available to organisations that replied to the survey but they are now publicly available.

I also recommend reading the overall results and explanatory notes.

Lots of interesting stats!

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

Does ISO27001 require you to identify and manage legal, regulatory and contractual requirements in your ISMS?

Answer: No.

Back to basics – what is a compliance risk? As always there are lots of definitions but most seem to settle on words around “The risk to an organisation of not meeting legal or regulatory requirements”, or longer versions like this “Compliance risk is the threat posed to an organization's financial, organizational, or reputational standing resulting from violations of laws, regulations, codes of conduct, or organizational standards of practice.”. People often also include contractual requirements in this – e.g. PCI DSS.

My question is - what has this got to do with “information risk”? The answer is nothing!

It is a very common misconception with respect to ISO27001 is that you must include legal, regulatory and contractual risks as part of the ISMS. The 2005 version of ISO27001 did require this to be done but the 2013 version of the standard removed this requirement. Many of the other management system standards (e.g. ISO9001 and ISO22301) explicitly require legal, regulatory and contractual requirements to be identified and included in the management system. However, the fundamental principle of ISO27001 is to use the information risk assessment to decide what to include and manage using the ISMS and including compliance risks and compliance controls would conflict with this.

Remember that ISO27001 requires you to identify and manage risks that if they happened would result in the loss of confidentiality, integrity or availability of information. There is no mention of compliance in this requirement.

A risk that says “We fail to comply with GDRP” is a compliance risk and not an information risk. Similarly, “We fail to comply with PCI DSS” is a contractual requirement risk and is not an information risk. The risk “We have a breach because we don’t comply with GDPR and as a result we are fined” is still a compliance risk and not an information risk because this risk is about the compliance and the implications of not complying. “We have a breach” is an information risk.

Of course, all organisations should manage their compliance risks relating to information but ISO27001 does not require you to include these in your ISMS.

If you want to, you can of course choose to use your ISMS to help you manage compliance risks and controls but you then need to be careful with your Statement of Applicability (SOA) as you may be including some controls that are not as a result of your risk assessment. I discourage clients from including these compliance controls in their SOA unless they have made the conscious decision to use their ISMS to help them manage compliance risks and controls. This isn’t a bad idea (and can be quite a good idea) as long as they know what they are doing. But if they do this they are then building a sort of joint ISMS and CMS (Compliance Management System). If you do this I suggest you flag them somehow as being compliance risks and compliance controls to make it clear that they are not information risks or controls managing information risks. This may help when discussing this with your certification auditor and in theory, although not necessarily in practice, when the certification auditor undertakes their audit you could ask them to ignore/not audit those risks and controls that relate to compliance and not information.

It is of course likely that controls identified to meet a compliance requirement may also be playing a part in helping manage one or more information risks. This does not mean that where this is identified that the risk assessment must be updated as the risk assessment does not need to identify all the controls managing all the risks. The risk assessment only needs to identify the necessary controls to manage the information risks. If, and only if, you are convinced that the compliance control identified is also a necessary control to manage one or more information risks then you should also update the risk assessment and SOA to reflect this.

If anyone tells you that you must include legal, regulatory and contractual risks in your ISMS then ask them to show you where in the standard it says that legal, regulatory and contractual risk relating to information must be identified and managed. They will not be able to do so. If they point to Annex A then you can remind them that nothing in Annex A is mandatory.

In summary, don’t let anyone tell you that you must include compliance requirements/risks/controls in your ISMS.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

Why does a certification auditor audit the controls as well as clauses 4 to 10?
.. and can a certification auditor raise a non conformity for something there is already a risk treatment plan or action plan for?

ISO27001 is clauses 4 to 10 only and the auditor will go through each clause and check that the organisation complies with each clause. If they do comply then they are meeting the requirements of the standard and will get their certificate. So why does any auditor need to audit any of the controls?

The answer is that some of the clauses refer to the controls and their implementation and operation and in order to check the organisation is compliant with the clauses the auditor needs to do some checking/auditing of the controls.

The main clauses of relevance are these: -

• In 6.1.3 d) in the SOA each control needs to be annotated with a statement about if it is implemented or not. In order to check that SOA is correct the auditor will need to undertake some sampling of the controls to confirm that the control is implemented or not depending on what is said against the control. If the SOA says a control is implemented then is it? If the SOA says a control is not implemented then if it is then, perhaps somewhat perversely, this is a finding.
• In 8.1 the requirement is to plan, implement and control the processes needed to meet the information security requirements. This is an extremely important clause and in order to check that this has been achieved the auditor will need to undertake some sampling of the controls to confirm that the controls are implemented and operating effectively.
• In 8.3 the requirement is to implement the risk treatment plan and this includes implementation of the controls. In order to check that this has happened the auditor will need to undertake some sampling of the controls to confirm that the control is implemented.
• In 9.1 the requirement is to monitor and measure in some way the operation of the ISMS and the controls and in order to check that this is being done correctly the auditor will need to look at some of the controls.
• In 9.2 the requirement is to undertake internal audit(s) of the ISMS and the controls. In order to check that this is being done correctly the auditor may need to look at some of the controls.

So, it is reasonable for the auditor to audit the controls but only insomuch as to convince themselves that the requirements of clauses 4 to 10 are being met. They do not need to check all the controls to do this – they can sample. They only need to sample sufficiently to convince themselves that the requirements of the clauses are being met.

If the auditor finds something wrong with a control then do they raise a non-conformity? It depends. If it is a non-conformity that represents something that the ISMS already knows about then no because that is the ISMS in action. As an example, if one of the controls is having a Business Continuity Plan and the auditor identifies that the document contains the wrong job title for someone but the risk treatment or non-conformity log states that “The BCP needs updating to reflect organisational changes” then they should not raise the non-conformity. If they do then what this means is that for each and every risk treatment action and non-conformity identified in the ISMS the auditor will need to raise a minor, or possibly major non-conformity. This is clearly wrong and totally against the principle of the ISMS. However, if the auditor identifies a non-conformity against a control that the ISMS does not already know about then that is clearly a non-conformity that should be raised since it represents something that should be known about and isn’t. Custom and practice is that the auditor will raise the non-conformity by referring to the control reference (e.g. A12.3.2 or C004) but strictly speaking it should be against the relevant clauses of ISO27001.

Similarly, if the SOA identifies a control (e.g. “DLP”) as “not implemented” and the risk treatment says “implement DLP by Feb 2019” then this is the ISMS in action and it is wrong for the auditor to raise a non-conformity that says “DLP not implemented”.

But in 8.3 it says that the risk treatment plan has to be implemented so how do we deal with that? In theory this means that if there are any items at all in the risk treatment plan then the organisation is not compliant with 8.3 and the auditor could raise a non-conformance against 8.3. This is clearly nonsense and would mean that almost every certification audit that ever takes place will have a non-conformity raised against 8.3. So, the auditors will not do this. The same principle applies even if there are a number of controls identified in the SOA as “not implemented” since it is clearly nonsense to say that an auditor should raise a non-conformity about each of these controls since the standard specifically allows controls to be “not implemented” and still be compliant with the standard!

Consider the following scenario. A client has implemented an ISMS and at the initial stage 1 and stage 2 audits there are no controls in the SOA that say “Not implemented” and there is nothing in the risk treatment plan. All is well and the client is certified to ISO27001. A few weeks before the first surveillance audit the client identifies a new risk that needs adding to the risk register. An analysis of this risk identifies the need for two new controls to be implemented and improvements that are needed to three existing controls. The risk assessment is updated, the two new controls are added to the SOA and say “not implemented” and the risk treatment plan is updated to include the actions needed to implement the new controls and enhance the three existing controls. When the certification auditor undertakes their audit should they be raising any non-conformities in their audit report because of this? Of course not! This is the ISMS in action. They may well audit the three existing controls as they are operating at the moment but it would be wrong to raise any non conformities against them on the basis that they are not properly managing this new risk.

So, it is certainly the case the auditor should not raise non-conformities that are already known by the ISMS since that is the ISMS in action. If they start doing so then all that happens is that the ISMS manager makes sure that that any such known non-conformities are kept hidden from the auditor at the next audit. If they don’t do this they know that all that will happen is that the auditor will say “thank you very much for identifying a non-conformity – I will raise that as a non-conformity in my audit report”. The ISMS manager would create a “clean” “shadow” ISMS to show to the auditor.

But doesn’t this mean that someone could claim to be compliant with ISO27001 and try to get certified if they have done a risk assessment but have lots of controls (or maybe all the controls!) that are not implemented? The answer to this is no and the main reason for this is clause 8.1 which (paraphrased) says that the organisation has to have implemented and be operating the processes to meet the information security requirements and information security objectives. If they don’t have any controls operating or not enough controls have been implemented they will not be able to demonstrate that they are doing this. But of course not all the controls need to be fully implemented or operating fully effectively for the organisation to be meeting its information security requirements and information security objectives.

In summary, it is right for a certification auditor to sample controls (but they don’t need to check all of them) to check that the relevant ISMS clauses are properly implemented but it is wrong of them to try to raise non-conformities that the ISMS already knows about and is dealing with.

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.

What is the purpose of the Statement of Applicability and what should it contain?

The purpose of the SOA is to list all the controls that are applicable to managing your information risks.

Usually the only people who ever look at it are the information security manager and the certification auditor. Clients of yours who see your ISO27001 certificate can ask to see it but you are not obliged to send them a copy.

A minimal SOA contains the following:

The following statements at the top of the SOA:

• “All the controls listed below are implemented”.
• “All the controls listed below are justified because they are specifically named in the information risk assessment as managing one or more of the risks identified in the information risk assessment”.
• “Any controls not listed below (e.g. as in Annex A) are excluded because they have not been identified as managing one or more of risks identified in the information risk assessment”.

A table containing a list of the controls. This should have two columns.

If not all the controls have been implemented then an additional column is needed to state “implemented” or “not implemented”.

An SOA that follows the above fully meets the requirements of the standard.

Note that the standard requires the justifications for exclusions of controls from Annex A and the above approach achieves this. The standard does not require that all the Annex A controls are listed in the SOA. The SOA need only list those controls that are applicable and the only controls that must be named as applicable are those that are named in the risk assessment.

Controls required to meet legal, contractual and regulatory requirements must not be listed in the SOA unless those controls are managing one or more information risks. Remember that the only risks ISO27001 asks you to identify in the information risk assessment are ones that if they happen would result in the loss of confidentiality, integrity or confidentiality of information in the scope of the ISMS.

If anyone tries to tell you that the above does not meet the requirements of the standard ask them to read out the wording from the standard to justify their view.

I have used the above approach to implement several ISMS that have then been successfully certified.

Keep it simple!

If you have a question about an aspect of ISO27001 please contact Chris Hall with your query.