Answering some of the most commonly asked questions around ISO 27001 implementation.

At risk3sixty, we have helped many clients implement ISO 27001. Through this work, we have pinpointed a few common misconceptions surrounding the framework. In this post, we will dig into these misconceptions and shed some light on the ISO 27001 implementation process.

Misconception #1: An organization must implement all Annex A controls to obtain certification.

ISO 27001 can be conceptually divided into two parts: Clauses 4-10 (the management framework) and the Annex A controls (the 114 controls that are described in the ISO 27002 implementation guidance standard).

One crucial element of the management framework is continuous improvement. Considering this, the goal of ISO 27001 is not to create the perfect security program, but to create an environment that allows security to grow and develop.

An organization does not need to have every single control implemented. Instead, the organization should demonstrate a commitment to continually improving security.

This is not to say that an organization can achieve certification with numerous major control gaps. Instead, action plans should be established, and preliminary work should be done prior to engaging an external audit firm.

Misconception #2: Risk assessments and control gap assessments are the same things.

In a typical ISO 27001 implementation, risk3sixty will perform the current state assessment and the risk assessment simultaneously. The current state assessment is a review of an organization’s current security program against the ISO 27001 standard.

Clauses 6 and 8 of ISO 27001 require a certified organization to continually monitor risk. To support this requirement, we help clients set up risk assessment policies and procedures, and often aid in performing the risk assessment itself. The risk assessment extends beyond the ISO controls and looks at the entire organization.

This may include market factors, upcoming regulations, and succession planning. Further, the risk assessment will likely include individuals from beyond the security team, such as senior management, HR, and finance.

Findings from the current state assessment may feed into the risk assessment. However, these processes are distinct and should not be viewed as the same exercise with the same stakeholders.

Misconception #3: Security is limited to the IT department and does not require top-level management attention.

When discussing firewall rules or code deployment methodologies, the audience is typically limited to select individuals in the IT department. However, when discussing security budgets and organizational risks, the audience should be much broader.

ISO 27001 requires that top-level management be involved in security. Security should ultimately become a driving factor in business decisions. Achieving this requires top-level management involvement.

Misconception #4: We just need policy templates.

ISO 27001 places a strong emphasis on documentation. We often provide policy templates to our clients to aid in this process. However, this is just the first step. The organization must read these policies, adapt them to their current processes, adopt processes that are missing, and approve these policies internally.

We are always happy to help clients refine our policy templates to their business. But at the end of the day, a policy that is never read or followed is like not having a policy at all.

ISO 27001 implementation can seem like a daunting task, but we are happy to help you on your journey to improving your security program. If you have any questions or would like to speak to an expert, contact us here.