Welcome to ISO/IEC 27001:2015. The good, the bad and the teleworker.
Have you heard the joke about the teleworker? In this article, I’ll explain how the international standard for information security, specifically ISO/IEC 27001:2015, hasn’t kept up with the times, yet still has some valuable gold that is worth mining.
In addition to pointing out some of the obviously distasteful parts of the standard, I’ll highlight:
- Some of the common pitfalls people experience when they choose to take on the mountain that is certification.
- How you can go about sorting the good bits from the bad.
- How you can benefit from extracting all the good stuff.
For those with the right tools and knowledge, there’s always gold to be mined.
First, back to the joke about the teleworker
Anyone who has been through ISO/IEC 27001 alignment, compliance, certification – call it what you will – will know the joke.
But for those who haven’t: Annex A of ISO/IEC 27001, which details the controls to be considered (more on that later), includes a control called ‘teleworking’ (reference A.6.2.2, to be precise).
You’ll have to cast your mind back to the days of modems and desktop computers that would be installed in the homes of senior executives for teleworking, or rather ‘connecting back to the office and associated systems to keep working after hours, on weekends and even on holidays.’
The joke is that those days are long gone (the bit about modems and relying on physical security to protect devices, at least), but we’re stuck with control A.6.2.2 in Annex A, it seems, for eternity (but maybe not).
Why is ISO/IEC 27001, or at least the controls in Annex A, so archaic? Because the standard is only updated approximately once a decade. One year is a lifetime in tech and cyber/information security, let alone 10 years. Where’s my dinosaur?
The death by committee approach taken by ISO in drafting, reviewing, approving and then strictly licensing ISO/IEC 27001 means that it takes about 10 years to go through that process.
Get this: even when they did go through that process between 2005 and 2013 for the last release, not much really changed (at least in Annex A)!
So, what did change in the last release?
ISO aligned the mandatory requirements of ISO/IEC 27001 found in sections 4-10 with the standards of other management systems, like ISO 9001 for quality management. This was a smart move, making it easier for anyone implementing multiple standards or even an ‘integrated management system’. Consider this a gift from the standards gods.
Some people who feign interest in ISO/IEC 27001 apparently ‘know’ the standard because of the controls listed in Annex A and further explained in ISO/IEC 27002.
Make sure you never forget that the mandatory elements are the mandatory requirements found in sections 4-10 of the standard, and they relate to the basic management machinery of:
- Identifying objectives
- Assessing risk
- Establishing policies
- Managing performance
- Running internal audits and management reviews
- And working towards continuous improvement.
Did you know the controls described in Annex A of ISO/IEC 27001 are actually optional!?
In fact, they should be considered the minimum set of considerations when implementing your information security management system.
It’s a real shame when the minimum bar becomes the high bar
I rarely, if ever, see a certified organisation go beyond considering the controls described in Annex A. It’s almost as if the 114 controls detailed in Annex A act as a distraction to prioritising the controls that will mitigate the highest degree of risk.
There’s also inadequate time during most certification audits to consider with any decent circumspection what other controls would be appropriate. Even when there is the time, it’s difficult to have the right people in the room with in-depth knowledge of the business, the industry, what matters most, what can go wrong, how to stop things from going wrong and how to make sure what needs to be done… gets done!
Warning, more dot points below
If you know about 6clicks, you should already know that we’ve built a platform that allows organisations to perform assessments against external compliance requirements such as ISO/IEC 27001, including both the mandatory requirements and the controls found in Annex A (even A.6.2.2 Teleworking – just so you can mark it).
You may not know that 6clicks now also helps organisations implement the requirements of ISO/IEC 27001, particularly these mandatory requirements:
- 4 Context of the organization in terms of facilitating information asset identification and classification including the third parties that may be involved so you can avoid one size fits all.
- 5 Leadership in terms of helping you develop and maintain a set of policies that clearly assign roles and responsibilities throughout your organisation (and third parties) so nothing is forgotten.
- 6 Planning in terms of allowing you to record and manage identified risk, including risk assessment, treatment planning and association with controls (such as those in Annex A).
- 7 Support in terms of enabling the effective communication of responsibilities defined in policies and suitably managing the documentation through version control.
- 8 Operation in terms of supporting ongoing risk assessment and treatment including assessment and remediation associated with third parties.
- 9 Performance evaluation in terms of supporting checks that controls are operating effectively and policy responsibilities are being met on an ongoing basis.
- 10 Improvement in terms of tracking areas of potential non-conformance to requirements along with associated remedial actions.
In addition to the general availability of ISMS-related functionality to support ISO/IEC 27001 related activities, you can re-use this same machinery regardless of what standard or standards you seek to adopt. Sharing is caring!
The good news is that most regulations and standards require you to perform many of the same activities. 6clicks can help you implement a single system and translate between the various standards that apply to your organisation.
And don’t limit your mitigation of cyber and information security risk by sticking religiously to the controls described in Annex A.
By all means, leverage the management machinery from ISO/IEC 27001, but make sure you cast your net wider to other control libraries and to what matters most. We are obsessed with finding what works best for you. We’re here to help you take out the trash and make compliance a by-product of good business practice.
I am very interested in your thoughts on this, whether you agree or not. You can always get in touch at firstname.lastname@example.org. I’d love to hear from you.