Last Updated on March 16, 2023
With most cybersecurity frameworks, such as SOC 2 or NIST 800-171, the emphasis is on the controls, with all organizations being obliged to implement the same “one size fits all” control set. Many companies seeking ISO 27001 certification treat it similarly—their goal is to implement and document all 114 controls in ISO 27001’s Annex A.
But ISO 27001 says you should implement only those specific controls that your scope/context and risk assessment require. Beyond that, you’re just wasting time, effort and money. In fact, putting unnecessary controls in place could jeopardize your certification audit.
To stamp out these kinds of misconceptions and keep SMBs on course to a successful ISO 27001 certification audit, Pivot Point Security CISO and Managing Partner, John Verry, recorded a special podcast on the “top 10” biggest issues he sees with our ISO 27001-as-a-service clients.
Over-committing on controls can lead to audit nonconformities
The view that ISO 27001 requires all 114 controls can lead to problems during your certification audits.
“Clients will jump on the line and say, ‘We updated our password policy and now our password policy accounts for these 14 things,’” John relates. “And I’ll say, ‘What did your password policy account for before this?’ And they’ll say, ‘Well, we only had 4 of the 14 attributes that ISO 27001 mentions that you might want to use.’ And I’ll say, ‘Well, were you successful before? Did you ever have password breaches?’ And they’ll say, ‘No, we didn’t have any problems. But the standard says that, so we want to make sure we conform to it.’”
Do only what is needed
If you take the ISO 27001 controls as prescriptive/must-do, you are misreading the standard. The best approach is to document what you’re doing now, and then only add those things that are absolutely necessary to address identified risk.
John explains: “What happens—I see this all the time—is they were doing these four things within this one control. ISO 27001 mentions eight other things, so they added those eight other things but only did four of them.
“So now they’ve done eight out of the twelve. They didn’t really need to do those second four things, which means that they’re spending money for nothing, right? It’s very inefficient.
“Then, on top of that, because they didn’t do the last four, they’ve got nonconformities on their audit. Because it’s the auditor’s responsibility to say, ‘Well, I thought the fact that you added these twelve things to this control means they were all necessary to mitigate risk to an acceptable level. So if you didn’t do those four, we have a problem,’” describes John.
“Don’t over-commit on controls,” John emphasizes. “Understand risk and then implement controls proportional to risk. So, document what you do. And then only gap assess from there forward to determine whether or not you need to do any more than that. In many instances, you don’t need to do much more than that.”
Showing continuous improvement
Another reason not to over-commit on controls is that ISO 27001 places major emphasis on continuous improvement to maintain your certification. Each year, during your surveillance audit or recertification audit, your auditor will ask you to demonstrate continuous improvement.
“So, starting at the minimum of where you need to be, and then moving forward each year, also provides value that way,” John concludes.
If your business is moving toward ISO 27001 certification, this “consultation-in-a-podcast” with ISO 27001 expert John Verry belongs on your must-listen list: EP#62 – John Verry – What People Get Wrong About ISO 27001 Compliance – Pivot Point Security
Looking for some more meaningful information around managing your ISO 27001 Certification? Check out this blog post: ISO 27001 Top Tip: Focus on Process, Not Controls – Pivot Point Security