Every once in a while a client asks a question that makes me scratch my head and realize I have never really sat down and reasoned a particular issue through. Today I got one of those questions when I called a client to congratulate him on successfully passing his ISO 27001 certification audit. After thanking me he asked, “So now that we are certified, what are the key elements to keep our ISO 27001 information security management system (ISMS) compliant?”
The simplest answer is to follow your ISMS manual, but that’s a cop-out. In any ISMS there are elements that are a lot more critical than others. So, let’s apply one of my favorite maxims: the 80/20 rule. The key to keeping your ISMS compliant year after year is to thoroughly understand the 20% of your ISMS that provides the greatest return on effort—which usually aligns with the fundamentals of ISO 27001.
The three key areas to pay attention to are:
- Information Security Risk Management
- Tone at the Top
- Continuous Improvement
One: Information Security Risk Management
Above all, ISO 27001 is an Information Security Risk Management system. Sustainable ISO 27001 compliance is therefore largely about consistently managing information security risk. The challenge, of course, is that critical internal and external contexts that impact risk are ever-changing (for example, deploying new code and systems, new vulnerabilities and zero-day exploits, law and regulation changes, the evolution of client and business requirements, and so on).
So the most critical element of sustainable Risk Management is having a mechanism to identify and address these dynamic issues as they arise. While that is the “responsibility” of your Risk Management Committee, it is imperative that the overall organization is integral to this effort. Just as your employees are your largest “threat surface,” they are also your largest “detection surface.” Changes that have the potential to cause significant impact can be detected faster and more reliably if the Risk Management Committee and top leadership continually stress the importance of this role. Coupling this effort with regular reviews and specific triggers to revisit the risk assessment (e.g., the rollout of a technology change directly impacting highly sensitive data) will position you for success.
Two: Tone at the Top
“Tone at the top” describes an organization’s commitment to its ISMS, as established by its board of directors, audit committee, and senior management. Having a strong tone at the top is critical to sustainable ISO 27001 compliance. If senior management is pushing the Director of Operations to roll out new features in your SaaS offering before they have been properly assessed, in order to meet an overly aggressive project schedule… your ISMS is effectively doomed. If, on the other hand, the CEO speaks up in a meeting and emphasizes that an application will not be allowed to go live until the Risk Management Committee accredits its operation… your ISMS has high hopes for success.
Three: Continuous Improvement
One element of ISO 27001 that often doesn’t get the attention it deserves is the requirement for Continuous Improvement. Embracing Continuous Improvement will make it easier to achieve sustainable ISO 27001 compliance. There are two key aspects of Continuous Improvement: Incident Response and Security Metrics.
While we all live in fear of security incidents, they are often the best opportunities to detect problems in your ISMS. Make sure that your Incident Response Plan includes a learning/follow-up phase after you have completed recovery. Understanding why something happened, how to prevent it from happening again, how to detect it earlier with less impact, and how to respond/recover faster are the keys to turning a negative situation into a positive one. With Security Metrics, start simple. Metricize things that are important (per your risk assessment) and easy to gather (data is readily available). Some example “starter” metrics might be: Security Awareness training coverage, average age of known system vulnerabilities in your production environment, number of user account reviews performed per year, etc. Continuously improving your Security Metrics creates a virtuous cycle that helps ensure sustainable ISO 27001 compliance.
What unexpected challenges, unforeseen costs and/or unplanned hassles are you experiencing with sustaining your ISO 27001 compliance?