Welcome to ISO/IEC 27001:2015. The good, the bad and the teleworker.
Have you heard the joke about the teleworker? In this article, I’ll explain how the international standard for information security, specifically ISO/IEC 27001:2015, hasn’t kept up with the times, yet still has some valuable gold that is worth mining.
In addition to pointing out some of the obviously distasteful parts of the standard, I’ll highlight:
For those with the right tools and knowledge, there’s always gold to be mined.
Anyone who has been through ISO/IEC 27001 alignment, compliance, certification – call it what you will – will know the joke.
But for those who haven’t, Annex A of ISO/IEC 27001, which details the controls to be considered (more on that later), includes a control called ‘teleworking’ (reference A.6.2.2, to be precise).
You’ll have to cast your mind back to the days of modems and desktop computers that would be installed in the homes of senior executives for teleworking or rather ‘connecting back to the office and associated systems to keep working after hours, on weekends and even on holidays.’
The joke is that those days are long gone (the bit about modems and relying on physical security to protect devices at least), but we’re stuck with control A.6.2.2 in Annex A it seems for eternity (but maybe not).
Why is ISO/IEC 27001, or at least the set of controls in Annex A, so archaic? Because the standard is only updated approximately once a decade. One year is a lifetime in tech and cyber/information security, let alone ten years. Where’s my dinosaur?
The death by committee approach taken by ISO in drafting, reviewing, approving and then strictly licensing ISO/IEC 27001 means that it takes about 10 years to go through that process.
Get this: even when they did go through that process between 2005 and 2013 for the last release, not much really changed (at least in Annex A)!
ISO aligned the mandatory requirements of ISO/IEC 27001 found in sections 4-10 with the standards of other management systems, like ISO 9001 for quality management. This was a smart move, making it easier for anyone implementing multiple standards or even an ‘integrated management system’. Consider this a gift from the standards gods.
Some people who feign interest in ISO/IEC 27001 apparently ‘know’ the standard only through the controls listed in Annex A and further explained in ISO/IEC 27002.
Make sure you never forget that the mandatory elements are the requirements found in sections 4-10 of the standard, and they relate to the basic management machinery of:
Did you know the controls described in Annex A of ISO/IEC 27001 are actually optional?!
In fact, they should be treated as the minimum set of considerations when implementing your information security management system.
I rarely, if ever, see a certified organisation go beyond considering the controls described in Annex A. It’s almost as if the 114 controls detailed in Annex A act as a distraction from prioritising the controls that will mitigate the highest degree of risk.
There’s also inadequate time during most certification audits to consider, with any decent circumspection, what other controls would be appropriate. Even when there is the time, it’s difficult to have the right people in the room: people with in-depth knowledge of the business, the industry, what matters most, what can go wrong, how to stop things from going wrong and how to make sure that what needs to be done… gets done!
If you know about 6clicks, you should already know that we’ve built a platform that allows organisations to perform assessments against external compliance requirements such as ISO/IEC 27001, including both the mandatory requirements and the controls found in Annex A (even A.6.2.2 Teleworking, just so you can tick it off).
You may not know that 6clicks now also helps organisations implement the requirements of ISO/IEC 27001, particularly these mandatory requirements:
In addition to the general availability of ISMS-related functionality to support ISO/IEC 27001 activities, you can re-use this same machinery regardless of which standard or standards you seek to adopt. Sharing is caring!
The good news is that most regulations and standards require you to perform many of the same activities. 6clicks can help you implement a single system and translate between the various standards that apply to your organisation.
And don’t limit your mitigation of cyber and information security risk by sticking religiously to the controls described in Annex A.
By all means, leverage the management machinery from ISO/IEC 27001, but make sure you cast your net wider to other control libraries and to what matters most. We are obsessed with finding what works best for you. We’re here to help you take out the trash and make compliance a by-product of good business practice.
I am very interested in your thoughts on this, whether you agree or not. You can always get in touch at email@example.com. I’d love to hear from you.
For more information, book a demo with us today!