ISO 27001 & BS 25999

I’ve met quite a few companies considering how to start their ISO 27001 / BS 25999 project, with quite different approaches – some are convinced they can do it completely on their own (with no prior ISO 27001 knowledge), while others thought they can do it with the help of a consultant only.

They are both wrong.

Road map for ISO 27001 / BS 25999 implementation

There is one thing you definitely need for the implementation – knowledge. By knowledge I mean the know-how of the implementation process, so that you don’t get stuck and  waste time on irrelevant issues, while forgetting the important ones. What you need are the guidelines for implementation, as well as knowledge on how to implement all the pieces of the puzzle.

This is why it isn’t possible to implement these standards with just your existing knowledge base, and it is very rare to find companies who already have experienced ISO 27001 / BS 25999 implementers.

Of course, one way to get around this is to hire a consultant. But this is not the only way – I’ll address that later.

Hiring an ISO 27001 / BS 25999 consultant – pro’s and con’s

The biggest benefit of a consultant is that he/she is going to get you through the implementation process much quicker than if you did it on your own (provided that the consultant has sufficient knowledge). A consultant should provide you with tips & tricks for each step in the implementation process, check the documentation, train your employees, etc. He/she could also run interviews with your employees, write the documentation, and process the results (e.g. during risk assessment).

A major drawback of hiring a consultant is that most small (but also medium-sized) organizations cannot afford one – consultants tend to charge large fees and cannot guarantee the successful implementation. Besides, the more work is done by a consultant, the less will be done by your employees, therefore less knowledge and skills will be passed on to your organization.

Then there is also the issue of confidentiality – the consultant will learn everything you do from the inside (including your vulnerabilities and controls that are in place), so if you didn’t check this person thoroughly, he/she could become quite a significant threat.

Finally, there is the question of quality – too many times I met “experts” who claimed they implemented these standards many times, but didn’t know e.g. how to run the risk assessment; or what is the purpose of business impact analysis.

Implementation without a consultant

Consultants are not the only source of knowledge – you can also choose the option to implement the standards with your employees by providing them appropriate training and support.

Here are some ideas on how to obtain the knowledge:

• Send your employees to trainings – read How to learn about ISO 27001 and BS 25999-2 for more info
• Get the best practices through documentation templates
• Purchase the literature – there are various books and other publications available on the Internet

If you start implementing the standards on your own, it is probably going to take longer than if you did it with a consultant. But, it is going to be cheaper, and most probably your employees will learn better what certification entails, and what their responsibilities will be – because they will be forced to consider every step very carefully.

So, the answer to the initial question is: no – a consultant is not mandatory for your implementation (although quite often it is the best solution). However, the implementation knowledge is mandatory – without it, don’t expect to finish your ISO 27001 / BS 25999 project soon, if at all.

You can also check out our online mentoring service called Guidance & Review (commercial service).

This is probably the second most common question I hear about ISO 27001 and BS 25999 (the first one is How much does it cost?). Well, the answer is not really encouraging – most of the people I speak to expect it to be a few months. But this is not realistic – the reality is closer to one year.

Of course, you can always produce 50 documents in a matter of days claiming you are compliant with ISO 27001, but this is not what I’m writing here about. I’m writing about the implementation that makes sense, i.e. that produces results – a lower number of incidents, higher efficiency, cost savings etc.

Time needed for ‘Plan’ and ‘Do’ phases

Your main implementation effort will be spent on the Plan and Do phases, i.e. the first two mandatory phases in which the risk assessment/business impact analysis is being done and in which all the controls (including business continuity plans) are being implemented.

The duration of implementation for these two phases depends primarily on the size of the organization:

• Smaller organizations (up to 50 employees) usually implement the standard in up to 8 months
• Mid-size organizations (up to 500 employees) usually implement the standard in 8 to 12 months
• Large organizations (500 employees and more) – implementation usually lasts 12 to 15 months

One note here – in my experience, the companies that drag such projects for too long (e.g. small companies for more than 12 months), usually never finish the project – in such organizations there is never enough recognition of the importance of ISO 27001 or BS 25999, so human or financial resources dedicated to such a project are never sufficient.

When speaking about implementation time, it is worth mentioning here that the work on ISO 27001 / BS 25999 doesn’t stop with Plan and Do phase – these management systems need to be maintained and improved (phases Check and Act), meaning that the work on information security and business continuity is not one-off, but continuous. However, the effort for maintaining and improving the system is not as great as in the first two phases.

Things that will speed up your implementation

The duration mentioned above depends of course on many factors, but generally the following factors will speed up the implementation:

• If you run the implementation as a project – if you know exactly what are the objectives, who is responsible for what, if the resources are available and what are the deliverables, you will not only speed up the process but also increase your chances of a successful outcome.
• If you already have ISO 9001 or some other management system – ISO 27001 and BS 25999-2 are not that different from other management systems, so you can use some of the existing procedures and processes and save probably 20% to 30% of your time.
• If you already have many security/business continuity policies and procedures already in place – chances are that your existing documentation will be acceptable for ISO 27001/BS 25999 and it will decrease your implementation time; not only that, you will already have an understanding in your organization about what information security / business continuity is all about.
• Having the appropriate documentation templates – here I don’t mean any documentation templates, but the templates in your language, appropriate for the size of your company, and made specifically for the purpose of ISO 27001/BS 25999. (Another note here – free templates downloaded from the Internet are not going to speed up your process because you’ll need considerable time for their customization.)
• Having the knowledge – you can obtain the knowledge either through literature, in-person courses, online courses (that’s our specialty!), or by hiring a consultant; without knowledge not only will your project last much longer, but you’ll probably never finish it.
• Last but certainly not least – the support of your management. If you don’t get their support in terms of money and human resources, your project will actually last quite short – it will be finished even before it begins.

So the point is – the implementation of standards like these does take quite a lot of time, so you need to make sure you do it with some purpose in mind. If implementation is done superficially or without clear objectives, you’ll not only lose time but miss an opportunity to help your company improve and grow.

And of course, you can decrease the implementation time – if you plan your project carefully.

It’s been six years since the last revision of ISO/IEC 27002 (in 2005) – much has changed in information security since then, and this standard definitely needs some “facelifting”. Since ISO 27002 is closely tied to ISO 27001, this revision has to be done simultaneously for both standards, and is expected to happen in the latter half of 2012 or during 2013.

ISO 27001 and ISO 27002

What these two standards have in common are the 133 controls – they are offered as a kind of catalogue in Annex A of ISO 27001, with the idea that appropriate controls are selected based on the risk assessment. ISO 27002 lists all of these 133 controls again, but offers detailed explanation of best practices for their implementation. For a detailed explanation of the differences between ISO 27001 and ISO 27002, read ISO 27001 vs ISO 27002.

This relationship between the two standards is why ISO 27002 has changed its name in 2007 – it was previously called ISO/IEC 17799, but its name was changed to ISO/IEC 27002, making it part of ISO 27k series.

This most important link between ISO 27001 and ISO 27002 – identical structure of ISO 27001 Annex A and ISO 27002 controls – will most likely still be included in new revisions of both standards. However, the way it is structured and the individual controls will most probably change.

Expected changes

At the moment of writing this article (October 2011) it is impossible to predict all the changes in ISO 27002 because the final draft hasn’t been written yet. However, most likely changes can be judged by hearing what ISO 27001 experts have to say – here’s a summary of suggestions from ISO 27k Forum, the leading expert forum about ISO 27001/ISO 27002:

• Accountability – definition of what it means in relation to human resources management
• Authentication, identity management, identity theft – they need better description because of their criticality for web-based services
• Cloud computing – this model is becoming more and more dominant in real life, but hasn’t been covered in the standard
• Database security – the technical aspects haven’t been systematically laid down in the existing revision
• Ethics and trust – an important concept not covered at all in the existing revision
• Fraud, phishing, hacking, social engineering – these particular types of threats are gaining more and more importance, but aren’t covered systematically in the existing revision
• Governance of information – this concept is very important for the organizational aspect of information security and is not covered in the current revision
• IT auditing – needs to focus more on computer auditing
• Privacy – needs to go broader than existing data protection and legal compliance, especially because of cloud computing
• Resilience – this concept is completely missing in the existing revision
• Security testing, application testing, vulnerability assessments, pen tests etc. – these are essentially missing in the current revision

As Gary Hinson from the ISO27k Forum argues, several of these issues are already covered, but they were not given sufficient emphasis in the current revision of the standard – key terms widely used today are either completely missing or are only vaguely alluded to.

Also, the new ISO 27002 will refer more on other standards that define certain areas in more detail – for instance, Section 14 Business Continuity Management will refer to ISO 22301 (new standard dedicated to business continuity management) and ISO/IEC 27031 (focused on ICT aspect of business continuity).

All these changes mean that not only some of the controls will change or will be added, but it also means that the structure of the standard will change – instead of existing 11 sections of Annex A / ISO 27002, some new sections will probably have to be created, and others merged. And these structural issues are probably the toughest ones since the body in charge of the revision (JTC 1/SC 27 committee) will need to ensure compatibility with the existing revision. This is why we have no idea at the moment what these structural changes will look like.

ISO 27002 certification?

Many people still ask me whether it is possible to get certified against ISO 27002. The situation with the new revision will stay the same – currently it is not possible, nor will it be possible to get an ISO 27002 certificate because unlike ISO 27001, this is not a management standard.

This means ISO 27002 will remain a code of practice (or best practices) for implementation of security controls. It will not define the management system – e.g. the documentation management, internal audit, management review, corrective and preventive actions, risk management, etc.  – all these remain in the domain of ISO 27001. Therefore, ISO 27001 will remain the only certifiable standard in the ISO 27k series.

Implications for the ISMS

If you already have your Information Security Management System implemented, you don’t have to worry too much – no matter which changes the new revision will bring, you will have enough time (normally one year after both standards have been published) to implement the changes.

Once the revisions are published, you will need to align the structure of your controls in the Statement of Applicability with the new Annex A in the revised ISO 27001. And although the structure won’t change too much, this alignment will be the biggest job that’s ahead of you.

And this is where the new ISO 27002 will bring the most value – in the transition period you will have plenty of refreshed best practices to choose from. And since ISO 27002 is quite detailed, and you still have the freedom to choose only the appropriate stuff for your organization, it will definitely help you make such transition easier.

If you think writing a bunch of information security documents is enough to get ISO 27001 certificate , you’re wrong. You need to implement all the activities described in your documentation, but that’s not all – you also need to follow certain steps in the final phase of your ISO 27001 project.

ISO 27001 certification process

Let’s start first with the certification process itself – it is divided in two steps: Stage 1 audit and Stage 2 audit. In Stage 1 audit (also called Documentation review) the certification auditor checks whether your documentation is compliant with ISO 27001; in Stage 2 audit (also called Main audit) the auditor checks whether all your activities are compliant with both ISO 27001 and your documentation.

Therefore, you need to pay attention to both writing appropriate documentation for your needs, and to really committing to implementation information security in your company. For details on required documentation, steps in the audit and how to deal with nonconformities read this article How to get certified against ISO 27001?.

Mandatory steps for finishing the implementation

After finishing all your documentation and implementing it, you need to perform these mandatory steps in your ISO 27001 project:

• Internal audit
• Management review
• Corrective and preventive actions

The purpose of internal audit is that someone independent checks out whether your Information Security Management System (ISMS) is working properly. Read more about internal audit here Dilemmas with ISO 27001 & BS 25999-2 internal auditors.

Management review is actually a formal way for management to take into account all the relevant facts about information security and make appropriate decisions. The point with ISO 27001 is to reach such decisions as part of a regular decision making process.

Finally, the company needs to correct all the problems detected by internal auditors, managers or someone else, and document how these problems were resolved – this process is called corrective actions. It is recommended to take preventive actions too – to try to prevent problems before they happen (something the certification auditor will appreciate quite a lot).

How to test ISO 27001 implementation?

However, before undertaking these mandatory steps, it is useful to check whether everything is in place. This step is not required by ISO 27001 (at least not in such an explicit way), but in my opinion it significantly increases the chances for successful certification.

Doing the ISO 27001 test (or check) means that everyone who has a role in ISMS has to check whether everything he/she is responsible for really functions as required by the standard, and by the company’s documentation.

Such test/check is not the same thing as internal audit because during internal audit it is the auditor who goes through the company checking out things, while what I’m talking about here is that almost every employee needs to think hard whether he/she has done really everything that is required. In such a way you not only decrease the chances for something going wrong, but also raise the awareness of your employees.

All these steps might seem complicated or you may think of them as costly overhead. But, believe me, they do serve their purpose – if implemented properly, you will see that they will actually increase your level of information security.

“Your ISO 27001 is nice in theory, but if our system administrator goes crazy, we’re dead.” – I hear this quite often when speaking to my clients about which security controls they should apply.

And it’s not only system administrators, it is also the line managers, engineers, top management, etc. – actually, anyone who has access to sensitive information or systems could be a potential threat. For instance, the biggest damage in banks is not done by robbers (with guns in their hands), but by inside jobs (with computers in their hands).

Of course, money theft is not the only purpose of these kinds of attacks – it can also be sabotage, theft of confidential corporate information, altering of data, theft of identities, etc.

Since this is such a complex issue, how can you deal with it?

Risk assessment

ISO 27001 is a standard which approaches security management mainly from the preventive point of view – the first step is to find out which incidents could happen regarding your employees (but also external partners with access to your systems), and then to choose appropriate security controls in order to avoid those incidents. In ISO 27001, this process is called risk assessment and risk treatment.

However, risk assessment shouldn’t be done superficially. If you didn’t think really hard about all the bad things that can happen, then you won’t mitigate those risks and someone could exploit those vulnerabilities.

Therefore, don’t rush through this step; do it systematically.

Preventive measures

Once you know how an insider can exploit your vulnerabilities, you can start planning your security controls in a comprehensive way. Again, ISO 27001 offers a catalogue of security controls in its Annex A – here are a few examples of the most common controls to mitigate the risk of insider threats:

• Access control (section A.11 in Annex A) – access to sensitive data can be approved on a need-to-know bases only. This way you decrease the number of people that can do harm, but also decrease the damage if someone’s identity is stolen.
• The access privileges must be regularly reviewed (control A.11.2.4) – very often quite a few employees have access to information they don’t really need.
• The accounts and access rights of former employees must be removed (A.8.3.3) – yes, sometimes there are open accounts a few years after an employee has left the company…
• Strong password policy (control A.11.2.3) or some other authentication method should be enforced to disable identity theft.
• Segregation of duties (control A.10.1.3) – you probably wouldn’t allow a single person to authorize large payments – the same goes for any other sensitive system.
• Backup (A.10.5.1) – of course, it should be regular; but also access to backup information cannot be allowed to employees who can harm your production systems the most.
• Document policies and procedures which clearly define the security roles and responsibilities (A.8.1.1; A.10.1.1) – you cannot expect your employees to observe the security rules if they don’t know what the rules are.
• Awareness & Training (A.8.2.2) – all of your employees need to know why it is necessary to protect sensitive data, as well as how to do it; for certain jobs (like monitoring logs) you may need to send your employees to special trainings.

Of course, there are other controls that are more technically oriented, like segregated network architecture (A.11.4.5), regular security patches (A.12.6.1), spyware scanning (A.12.5.4), anti-virus (A.10.4.1), firewall (A.10.6.1), physical entry controls (A.9.1.2), etc.

People issues

However, someone with high motivation and skills can bypass all of these security controls and achieve whatever agenda he or she has. Therefore, in my opinion, the most important thing is to develop some early warning indicators. And that requires a little bit more sophistication.

First of all, you need to know who you are employing – you probably wouldn’t allow some total stranger to access your sensitive data and/or systems only because he or she has a very nice diploma and a letter of recommendation. You need to dig deeper, or as ISO 27001 puts it – perform the background verification checks (A.8.1.2).

The second, and probably the most important control, is to constantly monitor what is going on – both on the “soft” side (most of the times you can observe if someone is starting to behave in a strange way) and on the “hard” side – by monitoring logs (A.10.10.2), i.e. monitoring whether there is anything suspicious in the use of information systems. Actually, the two can often be viewed together – whenever you conclude that someone’s behavior is peculiar, then this person’s logs need to be observed in more detail. And vice versa – if you spot some strange usage of information system, the soft side should be monitored more closely.

To conclude, insider threats will probably remain the biggest risk to the security of information – the complexity of information systems and amount of data will only increase this threat in time. And the best way to deal with them is to prevent them – once they happen, you can only hope they won’t go too far.

More and more often people ask me how to deal with cloud computing in the context of ISO 27001 and BS 25999. My answer is: use common sense.

Their dilemma is quite understandable – these standards were written before cloud computing was such a big issue, and there is no particular focus on cloud computing in any of them. To make things worse, the outages of cloud computing providers cause serious problems to other Internet-based businesses, as was the recent case with Amazon Web Services (for more info on AWS and ISO 27001 read Does ISO 27001 mean that information is 100% secure?).

Therefore, their point is: since we cannot control information in cloud computing, the security of information in such cases is only a dead letter.

New concept?

I would disagree on that. The point is – cloud computing is nothing else but outsourcing (of your information archiving and/or processing).

And you already do outsource other activities which could endanger the security of your information – your software is usually developed externally, you may have external suppliers which maintain your hardware and software assets (sometimes with remote access to your network), most probably you do have some kind of external maintenance staff on-site (if nothing else for the infrastructure), almost certainly you do have consultants and/or auditors on-site (who do know the vulnerabilities of your company) and you probably do have cleaning staff outsourced (and they do have access to most of the facilities when no one else is present).

Therefore, I would say that although cloud computing is a new technological opportunity, the main issue of outsourcing remains as before – how much can you trust your outsourcing partner?

Common sense

This is where you need to apply your common sense, or to put it in the wording of ISO 27001 and BS 25999-2 – you need to apply risk assessment to find out what the potential risks are, and then you need to choose your partner wisely and apply necessary security controls to mitigate those risks.

In its control A.6.2.1 ISO 27001 requires to identify “… risks to the organization’s information and information processing facilities from business processes involving external parties”, and A.6.2.3 requires to address security issues in agreements that “… shall cover all relevant security requirements”; there also various other controls specifying information backup (A.10.5.1), access control (A.11), classification (A.7.2.1) etc. In clause 4.1.1 BS 25999-2 requires to “…identify all dependencies relevant to the critical activities, including suppliers and outsource partners”, in clause 4.1.2 “…understand the threats and vulnerabilities … including those provided by suppliers and outsource partners”, and in clause 4.2 “…determine how it will recover each critical activity … including products and services provided by suppliers and outsourcing partners”.

So what can you do to decrease the risk of cloud computing? Here are a few very basic tips:

• Do a thorough check on the potential provider – not only its performance record, but also the background of its management, have they implemented the information security and business continuity policies and procedures, financial stability, legal risks etc.
• Write very specific security clauses in your agreement with the provider, where the biggest emphasis will be on issues that have raised the highest concerns during risk assessment.
• Keep a backup copy of your information locally – although a cloud computing provider will (probably) do regular backup, it is always a good idea to have direct control of your information. (e.g. banking regulators in some countries have imposed regulations to local banks to keep the backup copy inside the country specifically because of this risk.)
• Develop your strategy on how to return the information processing/archiving back to your company (re-insourcing) in case of problems with your cloud computing provider – you should know exactly which steps are needed, as well as which resources.
• An exit strategy might also be to have an alternative cloud computing provider standing by, ready to jump in if your existing partner performs badly.
• Perform regular checks of your provider to find out whether they are complying with the security clauses in the agreement.

Of course, most of the things mentioned here will seem impossible for a smaller company. But in such a case, would you really give them your important information without having any guarantees? Sometimes you are better off with no cloud computing – this is something your management needs to decide: they have to weigh out the balance between the cost & convenience and the risks.

Manage your risks

I’m not trying to say here that the risks of cloud computing are the same as other outsourcing risks, because they are not – cloud computing usually brings higher risks. I’m also not trying to say that ISO 27001 and BS 25999-2 (soon to become ISO 22301) do not have to be more specific about cloud computing, because they do. I also think that the legislation will have to address this issue very quickly.

What I’m trying to say here is that although the risks related to cloud computing are high, it doesn’t mean they cannot be mitigated. Therefore, use your common sense when choosing your cloud computing provider – if you don’t trust your provider fully, then don’t entrust them with your sensitive information.

If you think your management doesn’t have a clue what information security is all about, keep in mind that misunderstanding usually goes both ways: management often thinks you have no idea about what is appropriate for the business.

So before suggesting to your management to start implementing your information security / ISO 27001 project, you should learn about your management’s way of thinking. Here are the five main concerns your management will have when you approach them:

Is it really necessary? You have to be prepared to present the main benefits of information security, because otherwise the management won’t understand its purpose. In most cases you can choose among the following benefits: (1) Compliance with various legislation and contractual requirements etc., (2) Achieving competitive advantage in the marketplace, (3) Lowering expenses by decreasing the number of incidents, and (4) Optimizing your business operations by clearly defining tasks and responsibilities. Read more on these four benefits here: Four key benefits of ISO 27001 implementation.

Does it fit into our company strategy? Strategic fit is very important for your top management – one of your management’s primary concerns is how to keep your company competitive for a longer time period. Therefore, you have to do your homework – find out how information security can underpin certain elements of your company’s corporate strategy.

How to decrease the costs? One of the most misunderstood aspects of information security is that most of the problems (i.e. incidents) happen not because of technology, but because of human behavior. Therefore, most of the investments needed will be in defining new policies and procedures, and training and awareness programs which will prevent such incidents from happening – such investments are usually far cheaper than new technology.

Sometimes, investment in technology will also be needed – in such cases you can try to calculate the Return on Security Investment. For instance, you might try to calculate the damage that would be caused by a fire, and calculate the investment needed to prevent such damage. Just be sure not to exaggerate here, because you’ll lose your management’s confidence.

How to make sure we’ve achieved what we wanted? First of all, you need to help your management set very clear objectives – usually, those objectives will derive from the four benefits mentioned above. The second step is to set up a measurement system which will define how to measure whether the company achieved the set objectives; that system must involve clear responsibilities of who will make the reports, in which form, and who is going to read them and interpret them. Finally, a system must be in place to correct all the deviations from the objectives (be sure that such deviations will certainly happen).

What risks are involved? Management usually wants to know what is the likelihood of failure of the investment they have made. Here you need to explain to them the balance between the risks you will identify during the risk assessment and the security measures your company will invest in – the higher the investment, the smaller the chances that something will go wrong. Of course, overinvesting is not a solution, and this is why you need to leave the decision about acceptable risks to the management – your role is to present them the risks and potential security measures in an objective manner. The decision what to do with those risks is up to the management.

The point here is – the problem is not that management doesn’t want to invest in information security, but that it is either uninformed about it, or that you cannot speak the same language with your management.

By understanding the five basic issues your management is concerned with and by establishing appropriate communication with them, you’ll dramatically increase your chances for your information security project.

You have probably heard that important web services like Reddit, HootSuite, Quora, Foursquare etc. have recently suffered a quite lengthy outage – what you also probably know is that this outage was caused by Amazon Web Services (AWS), their cloud computing service provider. What you probably didn’t know is that AWS is ISO 27001 certified.

But isn’t ISO 27001 a guarantee against such service outages? Didn’t a certification company check the AWS? What’s the point of ISO 27001 if such things can happen?

The answers are: No, Yes, and Lower risk.

Let me explain…

ISO 27001 certification does not guarantee that the Internet service provider is going to have uptime of 100%, or that none of the confidential information is going to leak outside the company, or that there would be no mistakes in data processing. ISO 27001 certification guarantees that the company complies with the standard and with its own security rules; it is guarantees that the company has taken all the relevant security risks into account and that it has undertaken a comprehensive approach to resolve major risks. ISO 27001 does not guarantee that none of the incidents is going to happen, because something like that is not possible in this world.

A certification body (in this case Ernst & Young CertifyPoint) probably did check whether Amazon Web Services complied to the standard and to their own security policies & procedures, including their procedures for incident response and business continuity plans; they should have also checked the AWS risk assessment and whether all the relevant risks were taken into account. However the certification body does not have a crystal ball to predict all the incidents that could occur, neither is that their job – their job is to check whether the company has done its homework – developed a security system.

So the final and the most important question is – what’s the point of ISO 27001 then?

The point is in lowering the risk of doing business. If your company is implementing ISO 27001, that means you will have to consider very carefully what could endanger the confidentiality, integrity and availability of your information; knowing those risks, you need to implement various security measures in order to decrease risks to an acceptable level. If you are doing business with a company that is ISO 27001 certified, you will know that this company has done all that.

Does it mean that ISO 27001 will eliminate all the potential problems? Obviously it won’t. But it will decrease the chances of something like that happening, and if it does happen, the reaction of the company will be much quicker and more efficient, and the damage to the business will be lower.

The importance of Statement of Applicability (sometimes referred to as SoA) is usually underrated – like the Quality Manual in ISO 9001, it is the central document that defines how you will implement a large part of your information security.

Actually, the Statement of Applicability is the main link between the risk assessment & treatment and the implementation of your information security – its purpose is to define which of the suggested 133 controls (security measures) from ISO 27001 Annex A you will apply, and for those that are applicable the way they will be implemented.

Why it is needed

Now why is such a document necessary when you already produced the Risk Assessment Report (which is also mandatory), and which also defines the necessary controls? Here are the reasons:

• First of all, during risk treatment you identify the controls that are necessary because you identified risks that need to be decreased; however, in SoA you also identify the controls that are required because of other reasons – i.e. because of the law, contractual requirements, because of other processes, etc.
• Second, the Risk Assessment Report could be quite lengthy – some organizations might identify a few thousand risks (sometimes even more), so such a document is not really useful for everyday operational use; on the other hand, the Statement of Applicability is rather short – it has 133 rows (each representing one control), which makes it possible to present it to management and to keep it up-to-date.
• Third, and most important, SoA must document whether each applicable control is already implemented or not. Good practice (and most auditors will be looking for this) is also to describe how each applicable control is implemented – e.g. either by making a reference to a document (policy/procedure/working instruction etc.), or by shortly describing the procedure in use, or equipment that is used.

Actually, if you go for the ISO 27001 certification, the certification auditor will take your Statement of Applicability and walk around your company checking out whether you have implemented your controls in the way you described them in your SoA. It is the central document for doing their on-site audit.

A very small number of companies realize that by writing a good Statement of Applicability you could decrease the number of other documents – for instance, if you want to document a certain control, but if the description of the procedure for that control would be rather short, you can describe it in the SoA. Therefore, you would avoid writing another document.

Why it is useful

In my experience, most companies implementing the information security management system according to ISO 27001 spend much more time writing this document than they anticipated. The reason for this is they have to think about how they will implement their controls: Are they going to buy new equipment? Or change the procedure? Or hire a new employee? These are quite important (and sometimes expensive) decisions, so it is not surprising that it takes quite a lot of time to reach them. The good thing about SoA is that it forces organizations to do this job in a systematic way.

Therefore, you shouldn’t consider this document as just one of those “overhead documents” that have no use in real life – think of it as the main statement where you define what you want to do with your information security. Written properly, SoA is a perfect overview of what needs to be done in information security, why it has to be done, and how it is done.

Click here to download a free template of the Statement of Applicability.

If you’ve been reading my blog, you probably think I’m convinced ISO 27001 is the most perfect document ever written. Actually, that’s not true – working with my clients and teaching on the subject, usually the same weaknesses of this standard emerge. Here they are, together with my suggestions how to resolve them:

Ambiguous terms

Some of the requirements in the standard are rather unclear:

• Clause 4.3.1 c) requires that ISMS documentation must include… “procedures and controls in support of the ISMS” – does that mean that a document must be written for each of the controls that are applied (there are 133 controls in Annex A)? In my view, that is not necessary – I usually advise my clients to write only the policies and procedures that are necessary from the operational point of view and for decreasing the risks. All other controls can be briefly described in the Statement of Applicability since it must include the description of all controls that are implemented.
• (Un)documented policies and procedures – in many controls from Annex A, policies and procedures are mentioned without the word “documented”. In effect, this means that such policies and procedures do not have to be written down, but this is not clear to 95% of the readers of the standard.
• External parties / third parties – these terms are used interchangeably, which may cause confusion. It would be much better if one term was used.

Organization of the standard

Some of the requirements in the standard are either scattered, or unnecessary duplicated:

• Some controls are simply located in a wrong place – for instance, A.11.7 Mobile computing and teleworking is located in section A.11 Access control. Although when dealing with mobile computing one has to take care of access control, section A.11 is not the most natural place to define issues related to mobile computing and teleworking.
• Issues related to external parties are scattered around the standard – in A.6.2 External parties, A.8 Human resources security and A.10.2 Third party service delivery management. With the advance of cloud computing and other types of outsourcing, it is advisable to gather all those rules in one document or one set of documents which would deal with third parties.
• Employee awareness and training is required both in clause 5.2.2 of the main part of the standard, and in control A.8.2.2. Not only is this duplication unnecessary, but it also causes additional confusion – theoretically, each control from Annex A could be excluded, so you may end up excluding a requirement that is actually not possible to exclude because it is required by the main part of the standard. The same thing happens with Internal audit (clause 6 of the main part of the standard) and control A.6.1.8 Independent review of information security.
• Some of the controls from Annex A can be applied really broadly, and they can include other controls – for example, control A.7.1.3 Acceptable use of assets is so general so that it can cover for example A.7.2.2 (Handling classified information), A.8.3.2 (Return of assets upon termination of employment), A.9.2.1 (Equipment protection), A.10.7.1 (Management of removable media), A.10.7.2 (Disposal of media), A.10.7.3 (Information handling procedures) etc. I usually advise my clients to make one document that would cover all those controls.

Problems or not?

Here are a few issues that are usually brought to attention as problematic, however I disagree with them:

• The standard is too vague, it does not go into enough detail – if it did go into more detail about the technology that is to be used, it would soon be outdated; if it did go into more detail about the methods and/or organizational solutions, it wouldn’t be applicable to all sizes and types of organizations – a large bank has to be organized quite differently than a small marketing agency, however both should be able to implement ISO 27001.
• The standard allows too much flexibility – by this the critics mean the concept of risk assessment where certain security controls can be excluded if there are no related risks. So they ask – “How would it be possible to exclude backup or anti-virus protection?” Actually, with the progress of technologies like cloud computing, this kind of protection might not be the responsibility of the organization implementing ISO 27001. (However, in such case the risks of outsourcing would be rather high so other kind of security controls would be necessary.)

Now what?

This standard will certainly need to change – the current version of ISO/IEC 27001:2005 is now six years old, and hopefully the next revision (expected in 2012 or 2013) will address most of the above issues.

Although these shortcomings can often cause confusion, I think that positive sides of the standard outweigh the negative ones in large measure. And yes, I really am convinced this standard is by far the best framework for information security management.