July 19, 2016

Last Updated on January 19, 2024

A client’s IT Infrastructure Manager recently asked me if a change to their remote access controls would jeopardize their compliance with the ISO 27001 standard. The question revealed that the organization did not have a simple process to follow when making information security decisions—and I’m sure they are not the only ones with this problem.
So here’s a list of questions and activities to go through that enable any organization to make information security management decisions in compliance with the ISO 27001:2013 standard. This blog post provides a simple explanation of the seven information security management processes required for ISO 27001:2013 compliance.

INFORMATION SECURITY MANAGEMENT PROCESSES: QUESTIONS AND ACTIVITIES TO CONSIDER FOR MAKING INFORMATION SECURITY MANAGEMENT DECISIONS IN COMPLIANCE WITH ISO 27001:2013

CONTEXT
What are the business issues driving or affecting this decision?
Who are the interested parties (e.g. stakeholders) for this decision and what are their security requirements?
Can the business issue(s) and information security requirements be addressed within the scope of the information security program or does the security program need to leverage interfaces or dependencies with other entities?
Has the information security program been given approval to address the business issue(s) and requirement(s)?

LEADERSHIP
Identify the member(s) of top management responsible for ensuring the security program supports the business decision.
Does the information security policy support the business decision or is a policy change/exception required?
Did the member(s) of top management assign and communicate responsibility and authority for:

  • Ensuring the information security program’s support for the business decision complies with the ISO 27001 standard
  • Reporting on the effectiveness of the information security program’s support for the business decision to top management
PLANNING
What risks and opportunities are presented by addressing the issues and requirements for the security program to support the business decision? Have actions been planned for the security program to address the risks and opportunities?
Do existing security plans to achieve the information security objective(s) support the business decision or is a new objective and plan to achieve it needed?

SUPPORT
Does the security program have the resources needed for the risk treatment and security plans required to support the business decision?
What competencies are required to execute the risk treatment and security plans that support the business decision? Does the organization have the required competencies or a plan to attain them?
Are the individuals responsible for executing the risk treatment and security plans aware of…

  • the information security policy’s requirements
  • how they affect the security program’s ability to effectively support the business decision
  • the consequences of not complying with the security program’s requirements

What are the communication requirements for the security program to support the business decision? What needs to be communicated internally and externally to the interested parties? When does this information need to be communicated? Who needs to receive communication? Who shall initiate communication? What process should be used for communication?
Document the following:

  • Any changes to the scope of the security program to support the business decision
  • Any changes to the information security policy to support the business decision
  • The risk assessment and risk treatment process used to identify risks, opportunities and actions to address them
  • Security controls selected to address risks and opportunities presented by the business decision
  • Any new/changed information security objectives
  • Evidence of competence to execute risk treatment and security plans
  • Information necessary to effectively manage the security program’s support for the business decision
  • Information necessary to have confidence the risk treatment and security plans supporting the business decision were executed as intended
  • Change control for risk treatment and security plans supporting the business decision
  • List of processes outsourced by the security program to support the business decision and the information necessary to manage them
  • New risks, opportunities and actions to address them
  • Results from monitoring and measuring the security program’s performance supporting the business decision
  • Audit program and results from auditing the security program’s support of the business decision
  • Results from management reviews of the security program’s support of the business decision
  • Nonconformities in the security program’s support of the business decision and corrective actions to address them

Ensure all documentation of the security program’s support of the business decision is created and updated with proper identification, description, formatting, reviews and approvals.
Ensure all documentation of the security program’s support of the business decision is controlled to prevent unauthorized access, change or loss of information and version history.

OPERATION
Ensure someone is assigned responsibility for tracking execution of the security plans necessary to support the business decision and has a process to ensure they are carried out as planned.
Ensure someone is assigned responsibility for controlling changes to the security plans and has a process to mitigate the impact of any negative consequences.
Ensure someone is assigned responsibility for tracking and managing processes outsourced to the security program’s interfaces and dependencies that are used to support the business decision.
Ensure additional risk assessments are done (as needed) and documented to identify additional security risks associated with the security program supporting the business decision.
Execute risk treatment plans for actions to address identified security risks to the business decision.

PERFORMANCE EVALUATION
Identify security metrics to evaluate the effectiveness of the security program’s support for the business decision and document the results. Consider the following:

  • What needs to be monitored and measured to ensure the security program effectively supports the business decision?
  • What are the methods for monitoring, measurement, analysis and evaluation of the data?
  • When does the monitoring and measuring need to be performed?
  • Who is responsible for monitoring and measuring?
  • When should the results from monitoring and measuring be analyzed and evaluated?
  • Who is responsible for analysis and evaluation of the results?

Ensure the security program’s support for the business decision is added to the internal audit program. Determine who will be responsible for auditing the security program’s support for the business decision and when the audit should be performed. The individual responsible for the audit will need to document their audit plan, criteria, scope and reporting requirements.
Ensure top management (e.g., the steering committee for the security program) reviews the security program’s support for the decision. At a minimum, document management review of the following items:

  • New business issues driving or affecting the business decision
  • Feedback on the security program’s performance supporting the business decision, including trends identified by incident reports, security metrics, internal audit results, or tracking of security objectives
  • Feedback from interested parties
  • Risk assessment results and status of risk treatment plans
  • Opportunities for continual improvement in the security program’s support of the business decision

IMPROVEMENT
Ensure there is a process to address and document nonconformities in the security program’s support of the business decision.
Ensure there is a process for corrective actions to prevent recurrence of nonconformities in the security program’s support of the business decision.
Assign responsibility and authority for the nonconformity and corrective action processes to appropriate individual(s) associated with the security program.
Ensure there is a process to track plans for continual improvement of the security program’s support of the business decision.

To connect with an expert who can tell you more, contact Pivot Point Security.