As we begin to plan internal Information Security Management System (ISMS) audits in advance of surveillance audits with our ISO 27001 certified clients, here at Pivot Point Security we are increasingly turning an eye towards ISO 27001 Draft 2013. It’s a challenging time, because to the maximum extent possible we want to prepare for the forthcoming standard. However, it’s a draft that is likely to change—perhaps significantly. I’ve talked with several ISO 27001 Lead Auditors who work full-time for registrars and their guidance has been similar: you are likely better off waiting for the formal standard before making significant changes.
I agree with this approach, although I think that there are several “fundamental” changes in ISO 27001 that are intended to address specific challenges that auditors have seen to this point. As these changes are more underlying in nature, I think that it is beneficial to begin thinking about making any necessary adjustments along these lines before the standard is formally adopted. More importantly, changes like these are “structural” to ISO 27001; that is, they will still benefit you even if they don’t make the cut into ISO 27001:2013.
All that said, here are my thoughts on areas to consider making changes:
Engage Business Management (not just Information Technology/Security) Management
ISO 27001:2005 (the current version) uses the term “management” when it refers to the governance mandate of the standard. ISO 27001:2013 has a new section titled “Leadership” that emphasizes management’s responsibilities and the importance of “top management” commitment to the ISMS. I think many small to midsize organizations interpreted “management” to mean higher levels of management in the technical/information technology/information security realm. I think the shift to the term “Top Management” denotes the standard’s true intent that operations/business management needs to be integral to the ISMS.
I know that we have had some clients who have resisted our efforts to ensure that the efforts of the ISMS/Risk Management Committees are communicated to and validated by business management. But I would be very surprised if this idea is dropped when the new revision is formalized.
Tune your Information Security Risk Assessment approach
ISO 27001:2005 outlines a very traditional Risk Assessment methodology: identify risks by identifying assets, the threats to those assets, vulnerabilities that can be exploited by those threats, and impacts to confidentiality, integrity, and availability. Most of this language has been replaced in ISO 27001:2013 with “identify risks associated with the loss of confidentiality, integrity, and availability for information within the scope of the ISMS.”
I think this is a clear movement towards one of the elements of ISO 27005 that we have endorsed for years here at Pivot Point—conducting Risk Assessments by focusing on the information and the processes that act on it. This is a superior Risk Assessment methodology compared to an asset-centric approach, and I am thrilled to see it more formally endorsed in the standard. This is a drum we have been beating for several years. There is also some new language on the importance of ongoing risk assessment including “when significant changes are proposed or occur.”
Because ISO 27001 is essentially an Information Security Risk Management system, I think any changes to Risk Assessment language will be/have already been well considered, so I think this concept will be reflected by the new standard.
Leverage System Security Plan Concepts
As a company that works both sides of the Information Security Framework aisle (NIST and ISO), we take a very positive view of the fact that there has been consistent movement towards “harmonizing” the concepts/standards from both camps. There is a new section in ISO 27001:2013 called “Information Security Objectives and plans to achieve them” that looks to be leveraging concepts from NIST’s System Security Plan.
As many ISO 27001 Registrars are FedRAMP 3PAO’s (and ISO 27001 Implementers are FedRAMP implementers) I think this is intended to simplify the overall ISMS for those clients that need both FedRAMP (or other NIST 800-53 based) attestation and ISO 27001 attestation. It’s interesting that it stops short of endorsing a formal Security Certification & Accreditation (SC&A) process, which I think would have been moving too far too fast. I’m convinced that as we move forwards SC&A concepts, ISO 27001 certified organizations will increasingly leverage to further mitigate risk.
Monitor Your Controls (not just your ISMS)
ISO 27001:2005 broadly talks about “monitoring” the ISMS. ISO 27001:2013 takes a much more focused approach and calls out the importance of having a documented plan/rationale for monitoring specific processes and controls. I think this is a direct response to those companies that become ISO 27001 certified but do little more to truly embrace the spirit of the standard beyond conducing an ISMS internal audit each year.
Clearly, an annual ISMS audit without other meaningful forms of controls monitoring happening daily/weekly/monthly/quarterly is insufficient to truly manage information security risk. This change gives the auditor a way to issue non-conformities under this scenario that does not currently exist.
I think these ideas are very fundamental to the direction that ISO 27001 is moving as they address specific concerns that the registrars/auditors have experienced. So while the language may change, I don’t think the concepts will.
If you agree, as you review your ISMS this year and think about potential changes:
- Make sure that your ISMS governance process extends into the C Suite and incorporates business management (not just IT/IS management).
- Review your Risk Assessment methodology and consider making it information-centric if it’s currently asset-centric. To be clear, I don’t view this as a requirement, but you will find that information/process-centric risk assessment is far more natural, intuitive, and effective than asset-based risk assessment. At the same time, make sure that your methodology incorporates mechanisms that trigger updates for notable changes for both internal or external contexts.
- Update your Security Metrics/ISMS Internal Audit procedures to incorporate some more pointed and specific monitoring of controls that are critical to managing your organization’s most notable ISMS risks. A simple and natural way to move in this direction is to conduct a portion of your ISMS internal audit quarterly, rather than in its entirety annually. Ensure that your processes generates the artifacts that you will need during your surveillance audit.
- If you’re really motivated, get up to speed on the concepts of a System Security Plan and figure out where it can provide value in the context of your ISMS Manual.