Auditor’s perspective

ISO/IEC 27001 Information Security Management Systems 

With information security breaches, now the new normal, security teams are compelled to take dedicated measures to reduce the risk of suffering a damaging breach.

ISO/IEC 27001 presents an effective way of reducing such risks. ISO/IEC 27001 is an internationally accepted standard for governing the information security management system (ISMS) of an organization. The ISMS preserves the confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

ISO/IEC 27001 guides organizations how to create and run an effective information security program through policies, procedures, and associated legal, physical, and technical controls supporting an organization’s information risk management processes. It is vital that the ISMS is integrated with the organization’s processes and overall management structure, and that information security is considered in the design of processes, information systems, and controls. 

Why organizations should consider certification against ISO/IEC 27001?

There can never be a more appropriate time for organizations all over the world to consider ISO/IEC 27001 certification as this helps to improve the management of information security risks and improves the effectiveness and efficiency of information security processes first and foremost.

There are several other benefits that organizations derive by implementing ISO/IEC 27001.

• Demonstration of strong commitment to security of global business partners;
• Increase customer trust and confidence; Helping the organization to prioritize information security budget and resources based on their specific risks;
• Effectively managing disparate standards like PCI DSS, BCMS, and SMS in a comprehensive and repeatable way and helps to show that an organization is proactive in its information security and compliance efforts, which could be just what is needed to stay ahead in the industry.

Moreover, in the modern times, ISO/IEC 27001 is being used as a precondition to generating sales, and it gives many organizations sales advantage as it is generally becoming more difficult doing business with large entities without having this certification.

ISO/IEC 27001 and Privacy – Relationship with ISO/IEC 27701 and GDPR

Certificates of conformity with ISO/IEC 27001 can be issued without a guarantee that data protection needs have been adequately met. While data protection naturally requires a degree of information security, it goes much further than simply protecting the information – the organization must also protect the rights of the data subjects, which cannot be ensured through information security alone.

ISO/IEC 27701 – Privacy Information Management System (PIMS) is an enhancing extension of ISO/IEC 27001, and they are closely related. ISO/IEC 27701’s approach acknowledges that information security (the preservation of the confidentiality, integrity and availability of information) is a key aspect for an effective privacy management. The ISMS requirements documented in ISO/IEC 27001 can support adding sector-specific requirements onto the ISMS without adding a new management system specification.

ISO/IEC 27701 defines the additional requirements for an ISMS to cover privacy and outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage data privacy. These are supported by additional controls that relate specifically to data protection and privacy which create a Privacy Information Management System (PIMS).

Despite how neatly ISO/IEC 27701 ties into the ISO/IEC 27001, the truth is that they cover different topics. The former addresses organization’s privacy controls, while ISO/IEC 27001 addresses information security.

To explain it in another perspective, ISO/IEC 27001 relates to the way an organisation keeps data accurate, available, and accessible only to approved persons, while ISO/IEC 27701 relates to the way an organisation collects personal data and prevents unauthorised use or disclosure.

In a broad perspective, ISO/IEC 27001 is the over-arching standard for information security including privacy (ISO/IEC 27701). Organizations that are already ISO/IEC 27001 compliant will only have a few extra tasks to complete, such as a second risk assessment, to account for the new controls. Since the introduction of the EU’s General Data Protection Regulation (GDPR), and the ongoing growth in comparable data protection laws around the world, there has been an increasing need for a standard or code of conduct to support compliance.

ISO/IEC 27701 that was published in August 2019 aims to fill the assurance gap, and provides an international approach to data protection as an extension of information security.

Finding the right Certification Body to conduct your ISO/IEC 27001 certification audit

When an organization implements an information security management system according to ISO/IEC 27001, usually the following step is to get that management system certified by a certification body. Hence, a certification body is an independent third party responsible for the audit and certification process.

Organizations use certification bodies to obtain independent recognition. Today, there are thousands of certification bodies covering different boundaries. The task of finding the right one to conduct ISO/IEC 27001 audit is dependent on several factors. It should be noted that different organizations will value different things, while making their choice as there is no universal solution.

Focus should always be placed on value than just getting a piece of paper saying that you are certified.

Some of the factors to consider while making a choice should include:

• Reputation: the credibility of the certification body;
• Accreditation: if the certification body has the authority to issue accredited certificates;
• Specialization: the areas of competence of their auditors e.g., manufacturing, banking, oil & gas, etc.;
• Experience: the wealth of knowledge of their auditors which is very crucial;
• Flexibility: the ease at which changes can be accommodated e.g., do they have local auditors, how optimized are their processes, good use of technology, et al.

Choosing a certification body can be much more than just comparing prices in a commoditized market.

An organization can think beyond just compliance. Many organizations forget that they are the ones choosing and paying the certification body. Of course, certification bodies need to follow a code of conduct and their internal processes, and if your management system does not comply with the requirements of the standard(s), they have to raise nonconformities. But they may introduce a fresh, outside look that brings value to your management system.

So, do your due diligence and choose the right certification body according to what is valued by your organization.

Leveraging on about 20 years of auditing experience I possess, and having worked with several accredited certification bodies, MSECB stands out of the pack, considering all factors mentioned above. 

Audit and certification process for ISO/IEC 27001 and importance of maintaining certification

Once an organization has implemented all the requirements of ISO/IEC 27001, the next step would be to complete an application form and sent it to MSECB by formally requesting an independent assessment of the management system. After this application has been reviewed and approved by the certification body, an auditor is appointed to conduct the independent assessment in the name of the certification body. If it is an initial assessment, two (2) stages of audit would be carried out namely Stage 1 and Stage 2 audit respectively.

During the Stage 1 audit, the auditor will assess whether your documentation meets the requirements of the ISO/IEC 27001 and point out any areas of nonconformity and potential improvement of the management system. Once any required changes have been made, the organization will then be ready for the Stage 2 audit.

During the Stage 2 audit, the auditor will conduct a thorough assessment to establish whether the implemented ISMS is in compliance with the ISO/IEC 27001 i.e., Stage 2 audit will validate whether the implemented system is operationalized in line with the system design that was verified in Stage 1.

If the auditor finds something that does not conform to the requirements of the standard, they will raise a “nonconformity”. These can be major or minor and, as the names suggest, these vary in importance. Some auditors take note of a third level of item often called an observation and/or opportunity for improvement. These are not nonconformities and so do not affect the result of the audit; but may be useful for improvement purposes.

Once the audit has been completed, the auditor will write up the report often whilst still on site. They will then tell you the result of the audit and go through any nonconformities that have been raised. 

Certification to the standard is conditional upon any nonconformities being addressed and upon the higher-level body that regulates the auditors agreeing with the report after the review and evaluation.

For most accredited certification bodies, this process normally takes a while to process so, even if you have no nonconformities, officially your organization is not certified yet. This is one of the unique strengths of MSECB as they ensure that all reviews and evaluations are concluded within the shortest period of time, upon submission of the audit documentations after the completion of Stage 2 Audit.

Having had the opportunity to audit several hundreds of ISO/IEC 27001 implementations in various countries and multiple sectors, I have noted that most organizations usually do not have information security practices properly spread across the organization as a key-man or concentration risk is a common weakness. The common trend is to have this one competent staff who fairly understands information security practices and the rest of the people are not well familiar with this discipline. This always limits the effect of information security as others are not able to adequately add the much-needed input to the success of the information security program in the organization, knowing fully well that an organization is as strong as its weakest link.

Another pitfall usually observed in most entities is the excessive focus on documentation and lack of operationalization of the established documentation. So, there are scenarios where organizations have established some fine policies and procedures, but the controls remain as mere documentation not backed up with necessary technical controls to put the policies into practice and thereby denying the organization of the expected benefit related to the implementation of ISO/IEC 27001.

Another common drawback noted in most organizations is their inability to improve the system. Typically, it is expected that as the management system matures, there should be continual improvement. How to practically bring about this improvement remains a mirage for most organizations.

One of the fastest ways to improve any management system including ISMS is to have an effective continual monitoring and evaluation process in place. For instance, focusing ISMS objectives/targets on areas that have shown significant weakness and de-emphasizing areas where strong achievements of objectives have been made will go a long way in improving the management system. In addition, as much as possible, all relevant tasks pre-defined to achieve established objectives must be measurable.

The slogan: Anything that cannot be measured would be difficult to improve.

A lot of time regulatory imperatives do have a big impact on the audit itself since one of the audit objectives is to demonstrate compliance to all applicable requirements which include regulatory imperatives. Hence, conformity with the ISO/IEC 27001 requirements alone may not be sufficient to attest that an organization’s established ISMS can be issued a conformity certificate. For instance, there was a case where I raised a major non-conformity against an organization’s ISMS implementation not as a result of non-fulfilment of the management clauses, but because of some infractions against local laws including non-payment of corporate taxes. This demonstrates that the ISMS must fulfil all applicable requirements including regulatory, contractual, legal, and business context alike.

Implementation of Information Security Management System (ISMS) using ISO/IEC 27001 is so vital for all organizations as the benefits are numerous:

• Improves the management of information security risks;
• Improves the effectiveness and efficiency of information security processes;
• Demonstrates compliance to legal/regulatory requirements, hence preventing revenue loss as a result of penalties/fines;
• Increases competitive advantage; and Increases customer confidence and trust.

In conclusion, the benefits of implementing ISMS using ISO/IEC 27001 out ways the cost i.e., overall gains derived are far greater than the financial outlay incurred to its implementation. Hence, it is almost certain that more organizations will embrace this standard year on year.