Recently, the Committee of Sponsoring Organizations (COSO) released a long-awaited exposure draft update to its Enterprise Risk Management (ERM) Framework. The original ERM Framework was issued in 2004. And if you are working for a public company and you are ISO 27001 certified (or want to be), it’s actually important to your ISMS.
That’s right, I’m suggesting that the guidance being issued by the same folks that brought you the internal control framework used for Sarbanes-Oxley (SOX) is relevant to your ISO-27001 ISMS. Why?
The most notable reason is that it’s relevant to your Senior Management (assuming you are audited by an accounting firm of note). The five organizations that support the framework are the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), and Financial Executives International (FEI). You can be certain that the financial auditors talking with your CFO and management team will be talking about the principles of the new COSO Enterprise Risk Management Framework. This means that your organization’s senior management is going to be exposed to the new COSO ERM.
Assuming your organization leverages COSO from an Enterprise Risk Management perspective, that means that your ISO 27001 ISMS should be assessing, analyzing and making decisions on key information security risks in accordance with your organization’s Enterprise Risk Management Framework.
The latter point is interesting because there is still often a disconnect in the way that risk is viewed and managed between executive management and IT/Security. When this occurs, I would argue the root cause is often a poor understanding and consideration of ISO 27001’s Clause 4, “Context of the Organization.” I think my argument is supported by the fact that ISO 2001 directly refers to ISO 31000 (ISO’s guidance on Enterprise Risk Management) in this clause. In short, the context should include:
- Interested Parties (and their requirements)
- External Issues that influence the ISMS
- Internal Issues that influence the ISMS
- Interfaces and dependencies between activities performed by your organization and other organizations.
A few of the ways that the new COSO ERM provides valuable input into your ISO 27001 ISMS includes:
- The COSO ERM’s emphasis on a strong internal control and Governance framework both influences the ISMS and supports it. 27001’s requirement that “Top management shall demonstrate leadership and commitment with respect to the information security management system” would be logically and directly fulfilled by use of the COSO ERM. (Interested Parties)
- An interested party for every organization is the CxO Suite. The COSO ERM should provide valuable insight into “top management’s” risk appetite, which is critical to determining acceptable risk levels. (Interested Parties)
- COSO’s emphasis on performance management provides direct input into 27001’s requirement that “The organization shall evaluate the information security performance and the effectiveness of the information security management system.” (Internal Issues)
- COSO’s emphasis on the entity’s strategy and business objectives on risk and risk tolerance. (Internal Issues)
- COSO’s acknowledgment of culture (mission, vision, and core values) as something that notably influences risk and risk tolerance (Internal Issues). We see this as an important ISMS Scope in many organizations, most notably large law firms.
- COSO’s recognition of the challenges around effective risk communication, both internally and external to the organization. (Internal & External Issues)
- COSO’s recognition that the skills, experience, and business knowledge of the personnel integral to controlling risk is critical (Internal Issue). This is another huge challenge for virtually every client, as there is such a notable shortage of information security talent.
- COSO’s additional guidance on the importance of external issues (political, economic, social, technological, environmental and legal) on managing risk. (External Issues)
- The business responsibility in recognizing and managing the risks relating to partnerships. (Interfaces/Dependencies)
To be blunt, I have always largely dismissed COSO’s relevance to Information Security. I’m not even sure why I initially took the time to scan the new exposure draft. However, having done so, I think that it provides some valuable insight into establishing the scope of your ISO 27001 Information Security Management System. Live and learn …