Sitting through Stage 1 of an ISO 27001 certification audit for the first time can feel pretty daunting—even for a seasoned information security professional. Stage 1 is unusual in that it focuses on the operation of the Information Security Management System (ISMS), not the technical controls that support the ISMS, which is something most folks have generally not experienced. Over the years I have answered questions regarding Stage 1 a dozen-plus times, so I figure that makes it a worthy blog topic.
The focus of Clause 6 in the ISO 27001 standard is to ensure that top management has “a plan” that is based on the right target and the right information. We have noticed an increased emphasis over the last year on the objectives that are a requirement of the ISMS as defined in Clause 6.2.
The standard expects that the objectives for your ISMS should:
- Be consistent with the information security policy. This is a pretty low bar and relatively simple to meet.
- Be measurable (if practicable). The easiest way to accomplish this is to align your security metrics with your security objectives. For example, a security objective to reduce third-party risk could be supported by a metric that increases on a quarterly basis: the percentage of high-risk vendors that have been evaluated in the past year. Think of objectives in terms of action verbs: reduce, increase, grow, improve, formalize, etc.
- Take into account applicable information security requirements, and results from risk assessment and risk treatment. Using your Risk Treatment Plan as the source for your security objectives is so logical, yet this is often not done. If your Risk Treatment Plan states that identified deficiencies in your security accreditation process for crucial business applications are in scope, then establishing a security objective to implement an OWASP ASVS Level 1 compliant application validation process would be an ideal objective. Making it measurable would entail establishing a security metric that measures the percentage of in-scope applications achieving ASVS L1 validation.
- Be communicated. The key here is to ensure that your objectives are run through the right channels for approval (e.g., your ISMS Steering Committee) and that all of the personnel integral to achieving the objective are actively communicated with.
- Be updated as appropriate. As ISMS objectives are generally updated each year, baking this into your annual risk assessment/ISMS planning sessions ensures that your ISMS objectives and security metrics are updated per your risk treatment plan.
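To make the "measurable" and "risk-treatment-driven" points concrete, here is an added Python example (written for this post, not code from the original author) that computes the two metrics described above from a small constructed inventory: the percentage of high-risk vendors evaluated within the past year, and the percentage of in-scope applications that have achieved ASVS L1 validation. The vendor and application record shapes, the 365-day evaluation window, and the sample data are all assumptions made for the illustration; the trend check at the end encodes the "increases on a quarterly basis" wording of the objective.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Vendor:
    name: str
    risk_tier: str                  # "high", "medium" or "low" (assumed tiering)
    last_evaluated: Optional[date]  # None = never assessed


@dataclass
class Application:
    name: str
    in_scope: bool                  # in scope per the Risk Treatment Plan
    asvs_level_validated: int       # highest ASVS level validated, 0 = none


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; an empty population reports 0.0 rather than dividing by zero."""
    return 0.0 if denominator == 0 else round(100.0 * numerator / denominator, 1)


def high_risk_vendor_coverage(vendors: List[Vendor], as_of: date, window_days: int = 365) -> float:
    """Metric for 'reduce third-party risk': % of high-risk vendors evaluated in the trailing window."""
    high = [v for v in vendors if v.risk_tier == "high"]
    cutoff = as_of - timedelta(days=window_days)
    current = [v for v in high if v.last_evaluated is not None and v.last_evaluated >= cutoff]
    return pct(len(current), len(high))


def asvs_l1_coverage(apps: List[Application], minimum_level: int = 1) -> float:
    """Metric for the accreditation objective: % of in-scope applications validated at ASVS L1 or higher."""
    scoped = [a for a in apps if a.in_scope]
    validated = [a for a in scoped if a.asvs_level_validated >= minimum_level]
    return pct(len(validated), len(scoped))


def objective_trend(quarterly_values: List[float]) -> bool:
    """True when the metric rose every quarter, which is what 'increases on a quarterly basis' requires."""
    return all(later > earlier for earlier, later in zip(quarterly_values, quarterly_values[1:]))


def metrics_report(vendors: List[Vendor], apps: List[Application], as_of: date) -> dict:
    """Bundle both objective metrics for the ISMS Steering Committee pack."""
    return {
        "as_of": as_of.isoformat(),
        "high_risk_vendor_coverage_pct": high_risk_vendor_coverage(vendors, as_of),
        "asvs_l1_coverage_pct": asvs_l1_coverage(apps),
    }


# Constructed sample data (not a real inventory).
AS_OF = date(2024, 7, 1)

VENDORS = [
    Vendor("Payroll SaaS", "high", date(2024, 2, 10)),   # evaluated within the window
    Vendor("CDN", "high", date(2023, 1, 5)),             # stale: older than 365 days
    Vendor("Backup provider", "high", None),             # never evaluated
    Vendor("Office supplies", "low", None),              # not high-risk, excluded from the metric
    Vendor("MSSP", "high", date(2024, 6, 30)),           # evaluated within the window
]

APPS = [
    Application("Customer portal", True, 1),   # counts toward the metric
    Application("Billing", True, 0),           # in scope but not yet validated
    Application("Internal wiki", False, 0),    # out of scope, excluded
    Application("Payments API", True, 2),      # L2 satisfies the L1 objective
]

if __name__ == "__main__":
    print(metrics_report(VENDORS, APPS, AS_OF))
    # Quarterly history for the vendor metric, as constructed input to the trend check.
    print("vendor objective on track:", objective_trend([25.0, 40.0, 50.0]))
```

Running the block reports 50.0% vendor coverage (2 of 4 high-risk vendors evaluated in the window) and 66.7% ASVS L1 coverage (2 of 3 in-scope applications). Feeding each quarter's value into `objective_trend` is what turns the objective from a statement into something the Stage 1 auditor can see being tracked and updated.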
The good news is that Stage 2 of the ISO 27001 Certification Audit is usually much more comfortable, as it focuses on the operation of technical controls like virtually every other audit you have been through.