Last Updated on March 16, 2023
In our ISO 27001-as-a-Service practice, we encounter a lot of misconceptions that can cause organizations to stumble on their path to ISO 27001 certification. One of these is the widely held view that the ISO 27001 framework, like many other cybersecurity frameworks, will prescribe what your controls should be and how they should be implemented.
For example, many people believe that ISO 27001 will dictate what your password policy should be, or how long you must keep logs from your SIEM system. All you have to do is implement “what the standard says” and you’ll pass your certification audit. Right?
But the ISO 27001 standard isn’t prescriptive or “one size fits all.” It doesn’t tell you want to do, independent of your information security management system (ISMS) context and risk assessment. So, how do you know what controls you need to implement and how they should look?
To debunk the top 10 misconceptions that businesses mistakenly embrace on their ISO 27001 certification journey, Pivot Point Security CISO and Managing Partner, John Verry, recorded a special podcast on this widely applicable issue in response to multiple client requests.
“The risk assessment and scope told me.”
“The answer to virtually any question that somebody asks you on ISO 27001 is, ‘It’s what the risk assessment and scope told me,’” explains John. “So, if you ask me how many characters long a password should be, that is going to depend on your risk. Who are you protecting against? What are the threat agents that you’re worried about? Where is your data being kept? Different systems probably have a different requirement for passwords based on the quantity and the criticality of the data that they protect. And that’s what ISO  says.”
“Remember, controls are mechanisms that reduce risk,” John adds. “So, you should implement controls in accordance with your risk. And, of course, risk is defined by your context.”
If your company is looking to achieve ISO 27001 certification, consider this podcast with ISO 27001 expert John Verry as a free consulting conversation with your name on it.
If your organization is pursuing ISO 27001 certification, you’ll want to listen to this podcast in full: EP#62 – John Verry – What People Get Wrong About ISO 27001 Compliance – Pivot Point Security
Looking for some more information to help define your ISO 27001 scope? Check out this blog post: You Don’t Define Your ISO 27001 Scope – Your Information Does – Pivot Point Security