
Do you believe the PDCA Model is an important part of the ISO 27001 process? If so, why? If not, why not? > What is the value of the ISO 27001 certification to a business?

> Do you believe the PDCA Model is an important part of the ISO 27001 process? If so, why? If not, why not?

> What is the value of the ISO 27001 certification to a business?

> What do you view as key issues when selecting an ISO 27001 auditing company?

Need minimum 3 pages with peer-reviewed citations. No need for introduction or conclusion.

27

The ISO27001 audit

While some organizations might still debate the value of ISO27001 certification (arguing that what matters is the implementation of an effective ISMS rather than a badge), the market is moving against them, and a major objective of this book is to help those organizations that see the value in certification to be successful in achieving it. The first three chapters clearly explained all the benefits that accrue from a successful certification, and these will not be rehearsed here; a certification audit is a practical and cost-effective way of meeting the requirement in Control 18.2.1 for an independent review of information security, and provides a means of demonstrating compliance to ISO27001.

A certification audit will tend to use negative reporting (that is, it will identify inadequacies rather than adequacies) to assess an ISMS to ensure that its documented procedures and processes, the actual activities of the organization and the records of implementation meet the requirements of ISO27001 and the declared scope of the system. The outcome of the audit will be a written audit report (usually available soon after the completion of the audit) and a number of nonconformities and observations together with necessary corrective actions and agreed time-frames.

Selection of auditors

Chapter 3 touched on some of the issues that should be taken into account in selecting an ISO27001 certification body. Of course, any organization seeking certification will want to be sure that there is a cultural fit between itself and its supplier of certification services, and there will certainly be all the normal issues of ensuring that there is alignment between the desires of the buyer and the offering, including pricing and service, of the vendor.

IT GOVERNANCE366

It is completely appropriate to treat the selection of a certification body with the same professionalism as the selection of any other supplier.

There are three key issues that need to be taken into account when making this selection. The first is a general issue, the second is relevant to organizations that already have one or more externally certified management systems in place and the third applies specifically to organizations tackling ISO27001.

The first key point is that you should only use an accredited certification body (CB, also sometimes called a Registrar), one that is formally accredited by a National Accreditation Body that is a signatory to the International Accreditation Forum (IAF). These CBs deliver internationally recognized certification services, and their certificates are recognized as valid by all other IAF members; in other words, a UKAS-accredited certificate will be recognized as equivalent to a locally issued certificate accredited by another national accreditation body elsewhere in the world. There are a small number of unaccredited certification bodies offering combined consultancy and certification services outside the recognized international scheme; as they operate outside of the internationally recognized framework it is impossible to determine their competence, or extent of independence and hence the value to put on their certificates in terms of both assurance and credibility. Avoid them.

Secondly, it is essential that your ISMS is fully integrated into your organization; it will not work effectively if it operates outside of the management and operation of the organization or exists outside of and parallel to any other management systems.

Logically, this means that the framework, processes and controls of the ISMS must, to the greatest extent possible, be integrated with, for instance, your ISO9001 quality system; you want one document control system, one set of processes for each part of the organization, etc. Clearly, therefore, the certification body assessment of your management system must also be integrated: you want only one audit, which deals with all the aspects of your management system. It is simply too disruptive of the organization, too costly and too destructive of good business practice to have anything else. You should take this into account when selecting your ISO27001 certification body, and ensure that whoever you choose can and does offer an integrated assessment service. However, the fact that a CB is accredited to offer ISO9001 certification does not automatically mean it is accredited for ISO27001; you will need to check with the CB. If you are currently using a CB that is not accredited for ISO27001, you will have to consider switching to one that is able to offer certification to both standards.


The third issue that you should take into account when selecting your supplier of certification services is their approach to certification itself. An ISMS is fundamentally designed to reflect the organization’s assessment of risks in and around information security. In other words, each ISMS will be different. It is important therefore that each external assessment of an ISMS takes that difference into account so that the client gets an assessment that adds value to its business (which includes positive feedback as well as nonconformities), rather than one that is merely a mechanical comparison of the ISMS against the requirements of ISO27001. Inquiring how a potential provider of ISO 27001 certification ensures its auditors are appropriately competent for your specific business is one means of helping ensure you receive a valuable service.

Once an accredited certification body has been selected and terms agreed (using the same basis of contracting as is applied to any other third-party supplier), the organization can turn to the actual process of certification. This process will be completely familiar to any organization that has already undergone certification to ISO9000 or any other management system standard. The certification body will want to go through an initial two-stage process. The first stage will be a Stage 1 audit, which enables the audit body to become acquainted with the organization, to carry out a document review, to assure themselves that the ISMS is sufficiently well developed to be capable of withstanding a formal audit and to obtain enough information about the organization and the intended scope of the certification to plan their Stage 2 audit effectively. This visit is usually relatively short and, depending on the size of the organization, may require only one or two days to carry out. The certification body will use this visit to ensure it has sufficient time and the appropriate competency profile in the audit team to successfully complete the Stage 2 audit, as well as to ensure that your organization is ready for that challenge.

Initial audit

The first formal audit, known as the initial audit, will usually take place over two stages. The audit process involves testing the organization’s documented processes (the ISMS) against the requirements of the standard (Stage 1, a readiness review), to confirm that the organization has set out to comply with the standard, and then testing actual compliance by the organization with its ISMS (Stage 2, the implementation audit). The entire two-stage audit will follow a pre-ordained plan, and the auditors will have communicated with whoever is their liaison point (usually the information security manager) about whom they will wish to interview and in what order they will want to do it. There is no defined maximum period between the Stage 1 and Stage 2 audits, although it is unusual for it to exceed three months. Some negotiation is possible here, but usually over timing and availability rather than subject matter.

Each audit will start and finish with a management meeting. The auditors, just like financial ones, will need a separate room for the duration of the audit and appropriate arrangements made for refreshments. Many audits will involve at least two auditors, who may have different areas of expertise. There will be a lead, or principal, auditor, who will be responsible for the overall progress of the audit. The organization being audited should ensure that its liaison is on hand to support the auditors throughout the process; this might include guiding auditors around the premises, introducing them to those staff next on their list to interview, and dealing with queries and issues arising.

At the end of each day, there will usually be a brief wrap-up meeting at which (usually) any areas of nonconformity with either the standard or the ISMS are identified. This part of the process will again be completely familiar to any organization that has gone through an ISO9001 certification. Nonconformities can be either minor or major; minor ones tend to vary in usefulness but major ones could very easily mean that the organization is not (at this stage) capable of successful certification. Often, upon identification of a major nonconformity the auditors will suggest that the audit process be suspended and started afresh once the organization has had time enough to address this major issue. This can be expensive and time-consuming, and have a negative effect on morale and the commitment within the organization to achieving certification.

There are two components to carrying out successful certification audits. The first is the level of preparedness of the organization’s ISMS and the second is the way in which the employees of the organization are themselves prepared for the audit.

Preparation for audit

No audit can take place until sufficient time has passed for the organization to have in place a working internal audit and management review process and to demonstrate compliance with clause 10, the requirement for improvement. In other words, auditors will be looking for evidence that the ISMS is continuing to improve, not merely that it has been implemented. This means that a period of time will have to elapse between completion of the implementation and commencement of audit. How long will depend on the complexity of the organization and its ISMS, but one should assume that there will need to be good progress with the first cycle of internal audits for all of the key processes and arrangements. (It is for the certification body to determine exactly what it requires in order to be convinced of the establishment, effectiveness and ongoing arrangements for internal ISMS audit and management review, aspects it is required to confirm prior to issuing a certificate, and hence possibly something worth asking when selecting your certification body.)

The level of preparedness for an audit should then be assessed by carrying out a comprehensive review. The detailed work should be carried out by the information security adviser and by the quality function, and this should all be reviewed by the management information security forum. A comprehensive review could use this book, starting with Chapter 4, and question the extent to which adequate steps have been taken to implement the various recommendations.

The Statement of Applicability (SoA) needs particularly detailed review. It should be possible to identify the extent to which each of the controls identified as necessary has been implemented and, where implementation has been only partial, to determine what steps (and how long they will take) will be necessary to complete its implementation. In particular, all instances in which the organization has chosen not to implement a recommended control should be reviewed in detail to ensure that this decision was appropriate, and that the justification for exclusion that is included on the SoA is sufficient. Similarly, all instances in which a control has been implemented to a greater or lesser extent than indicated as necessary by a proper information security risk assessment should be reviewed, and if it is not possible (too difficult, expensive, etc) to improve the level to which the control has been implemented, managers should formally accept the highest level of residual risk.

Once a comprehensive review has been completed and the management steering group is satisfied that the ISMS is complete, complies with the standard and has been adequately implemented (and at least one cycle of internal audits of key areas of the ISMS as identified by the risk assessment also needs to have been completed), then the organization can safely move on to the Stage 1 visit by its external auditors.


Preparation of staff within the organization, prior to the audit, as to what they might expect and how to handle auditors is also a valuable step. Staff should be taught that auditors should be treated with complete honesty, and direct answers should always be given, even if this requires admitting to a lack of knowledge or error. Equally, staff should be trained to answer the question asked by the auditor and not to provide more, or less, information than is required. Auditors will usually ask for an explanation as to how a particular component of the ISMS works and will then want to be shown. This is normal and is how the audit is conducted.

ISO27001 Assessments Without Tears (available from https://www.itgovernance.co.uk/shop/product/iso27001-2013-assessments-without-tears-a-pocket-guide-second-edition) provides useful advice to those that are likely to be interviewed by an auditor. ISO27007 and ISO27008 set out guidelines for the ISO27001 auditor on how to conduct an audit. They are valuable both to the organization’s internal audit teams as part of their training and to the management information security forum so that they understand the approach that the auditors will take and can ensure that the organization is adequately prepared for the audit. The latter provides detailed guidance on auditing Annex A controls.

The outcome of the initial audit should, if the organization has diligently followed all the recommendations contained in this manual, be a positive recommendation for certification of the ISMS to ISO27001 and the issue of a certificate setting this out. The certificate should be appropriately displayed and the organization should start preparing for its first surveillance visit, which will take place about six to twelve months later. Any minor nonconformities should be capable of being closed out by mail, and any certificate issued will be dependent on this happening within an agreed timescale.

The certificate will refer to the latest version of the SoA and auditors will check for updates at their subsequent visits. Therefore, when supplying a copy of the certificate to clients, stakeholders or other parties, the organization should be prepared to provide a copy of the most recent SoA (whether controlled or otherwise). While the SoA is a living document, updated as and when necessary, the organization should endeavour to keep such updates and alterations to a minimum.

It is possible that the issued accredited certificate mentions international and national standards from which information security controls in the SoA have been selected, such as ISO27017 and/or ISO27018.


Terminology

It is worth noting that different accredited certification bodies use different terms to describe what are, without wishing to imply a preference or endorsement of any one option, simply major and minor nonconformities. Some of the descriptors currently in use are shown in Table 27.1.

TABLE 27.1 Terms used by different accredited certification bodies for major and minor nonconformities

Major                      Minor
major nonconformity        minor nonconformity
category 1 nonconformity   category 2 nonconformity
nonconformity              issue
major nonconformity        nonconformity

Not all CBs will raise nonconformities at the Stage 1 audit; some will make ‘findings’, which should nevertheless be dealt with through your nonconformity and corrective action process like any nonconformity.

While variations in the use of terminology are obviously annoying, given that the accredited certification bodies work in the field of standardization, this inconsistency needs to be acknowledged for other reasons. With the increasing use of ISO27001-accredited certification in the supply chain, we will no doubt see these terms being used to specify reporting requirements, measure conformance and compare organizations. Obviously, unless the terminology is clearly defined for such applications, it could lead to meaningless comparisons.


3

ISO27001

Benefits of certification

There are a number of direct, practical reasons for implementing an information security policy and information security management system (ISMS) that is capable of being independently certified (or registered) as compliant with ISO/IEC 27001. An accredited certificate tells existing and potential customers that the organization has defined and put in place effective information security processes, thus helping create a trusting relationship. A certification process also helps the organization focus on continuously improving its information security processes. Of course, above all, certification, and the regular external review on which ongoing certification depends, ensures that the organization keeps its information security system up to scratch, and therefore that it continues to ensure its ability to operate.

Most information systems are not designed from the outset to be secure. Technical security measures are limited in their ability to protect an information system. Management systems and procedural controls are essential components of any really secure information system and, to be effective, need careful planning and attention to detail.

ISO27001 provides the specification for an ISMS, and in the related code of practice, ISO/IEC 27002, it draws on the knowledge of a group of experienced information security practitioners in a wide range of significant organizations across more than 50 countries to set out best practice in information security controls. An ISO27001-compliant system will provide a systematic approach to identifying and combating the entire range of potential risks to the organization’s information assets, the variety and impact of which were described in Chapter 1. It will also provide directors of UK- and US-listed companies, directors of UK government organizations covered by the government’s ‘Orange Book’, and directors in the supply chains of both public- and private-sector organizations with both a systematic way of meeting their responsibilities under the UK Corporate Governance Code, the FRC Risk Guidance and Sarbanes–Oxley, as described in Chapter 2, and the wide range of interlocking data protection and privacy legislation to which they are subject, and demonstrable evidence that they have done so to a consistent standard.

It also enables organizations outside the United Kingdom and United States to demonstrate that they are complying with their national corporate governance requirements as well as the data protection and privacy legislation in their local jurisdiction. Equally importantly, an ISO27001 certificate enables an organization to demonstrate to any of its customers that its systems are secure; and this, in the modern, global information economy, is at least as important as demonstrating compliance with local legislation. ISBS 2010 identified that 68 per cent of large UK organizations had been asked by their customers to demonstrate compliance with information security requirements. Possession of a suitably scoped ISO27001 certificate enables a supplier cost-effectively to answer the information security and governance questions in request for proposal (RFP) and pre-tender questionnaires.

Certification to ISO27001 of the organization’s ISMS is a valuable step. It makes a clear statement to customers, suppliers, partners and authorities that the organization has a secure information management system. Many countries in the world have their own central accreditation body (in the United Kingdom, it is the United Kingdom Accreditation Service: UKAS). This central accreditation body accredits the competence of certification bodies – who might be based inside or outside the country – to perform services in the areas of product and management system approval.

Organizations should use only accredited certification bodies when seeking ISO27001 certification. This makes sure that the certification process is independent, is of an appropriate quality, using competent personnel (including auditors), and ensures that any certificate awarded will be recognized internationally. A certificate is usually valid for up to three years.

The history of ISO27001 and ISO27002

BS7799, the UK standard that preceded ISO27001, was originally the outcome of a joint initiative by the then Department of Trade and Industry in the United Kingdom and leading UK private-sector businesses. The working party produced the first version of BS7799 in February 1995. This was originally simply a code of practice for IT security management. Organizations that developed ISMSs that complied with this code of practice were able to have them independently inspected but there was initially no UKAS accredited certification scheme in place, and therefore formal certification was not possible. An alternative solution, known as ‘c:cure’, was adopted to provide a framework for recognizing implementation of the standard, and was available from April 1997. The confusion around c:cure and the absence of UKAS-accredited certification resulted in uptake of certification to the standard being much slower than anticipated, and c:cure was effectively withdrawn as an option late in 2000.

BS7799 underwent a significant review in 1998. Feedback was collated and in April 1999 a revised standard was launched. The original code of practice was significantly revised and retained as Part 1 of BS7799, and a new Part 2 was added. Part 1 was retitled ‘Code of Practice for Information Security Management’ and provided guidance on best practice in information security management. As a code of practice, BS7799 Part 1 took the form of guidance and recommendations. Its foreword clearly stated that it was not to be treated as a specification. It became internationalized as ISO/IEC 17799 in December 2000.

BS7799 Part 2, titled ‘Specification for Information Security Management Systems’, formed the standard against which an organization’s security management system was to be assessed and certified. BS7799 Part 2 underwent a further review during 2002, and a number of significant changes were made. This version remained current until it was first internationalized as ISO27001 in 2005.

BS7799–2 was internationalized as ISO/IEC 27001:2005 in 2005, and ISO17799 was revised at the same time, thus ensuring that the correspondence between the controls in the two standards would be maintained. ISO17799 was, without further amendment, brought into the new ISO/IEC numbering sequence for information security management standards in 2007 and identified as ISO/IEC 27002:2005, with the change in nomenclature being described in the document as a corrigendum!

ISO27001 and ISO27002 underwent extensive revision from 2008 onwards, and new, updated versions were published in October 2013. These are the current versions, and this book focuses specifically on them.

ISO27001 ‘forms the basis for an assessment of the Information Security Management System (ISMS) of the whole, or part, of an organization. It may be used as the basis for a formal certification scheme’. It is, in other words, the specific document against which an ISMS will be assessed. It is the most important standard in the emerging ISO27000 family; it provides a specification, against which an ISMS may be assessed. Apart from ISO/IEC 27000, which is nominatively referenced from ISO27001, the other standards provide useful guidance and advice, and have no mandatory effect.

The ISO/IEC 27000 series of standards

ISO27001 is part of a much larger family, of which ISO/IEC 27000 is the root for a whole numbered series of international standards for the management of information security. Developed by a joint committee of the International Organization for Standardization (ISO) in Geneva and the International Electrotechnical Commission, these standards now provide a globally recognized framework for good information security management.

The correct designations for most of these standards include the ISO/IEC prefix, and all of them should include a suffix, which is their date of publication. Most of these standards, however, tend to be spoken of in shorthand. ISO/IEC 27001:2013, for instance, is often referred to simply as ISO27001.

Many of the standards have been previously published and are undergoing periodic revision; others are still under development. This book deals specifically with ISO27001 and ISO27002, but it will refer, where appropriate, to guidance contained in the supporting standards listed here. Organizations interested in using or applying these standards should acquire copies, which are available through www.itgovernance.co.uk/standards (archived at https://perma.cc/LHC2-ZRB5) in both hard copy and downloadable formats:

● ISO/IEC 27000 – ISMS Overview and Vocabulary;

● ISO/IEC 27001 – ISMS Requirements;

● ISO/IEC 27002 – Code of Practice for Information Security Controls;

● ISO/IEC 27003 – ISMS Guidance;

● ISO/IEC 27004 – Information Security Management – Monitoring, Measurement, Analysis and Evaluation;

● ISO/IEC 27005 – Information Security Risk Management;

● ISO/IEC 27007 – Information Security Management System Auditing;

● ISO/IEC TR 27008 – Guidelines for Auditors on Information Security Controls.


There are then standards that provide guidance on specific topics such as the integrated implementation of ISO 27001 and ISO 20000-1 (the service management system management standard), information security governance (ISO 27014) and organizational economics (ISO TR 27016).

The following are standards detailing requirements for certification bodies seeking accreditation for their ISMS certification scheme:

● ISO/IEC 17021-1 – Conformity Assessment: Requirements for bodies providing audit and certification of management systems – Part 1: Requirements;

● ISO/IEC 27006 – Requirements for bodies providing audit and certification of Information Security Management Systems.

Finally there are standards that provide sector-specific guidelines on the implementation of an ISMS. They include: inter-sector and inter-organizational communications (ISO 27010); telecommunications (ISO 27011); cloud services (ISO 27017); processors of personally identifiable information in public clouds (ISO 27018); energy utility (ISO 27019); and the health sector (ISO 27799).

A full list of current and emerging ISO27000 standards is maintained at www.itgovernance.co.uk/iso27000-family (archived at https://perma.cc/X9EL-UMEX) and you should ensure that the version you are using has been updated to reflect the 2013 standard.

Use of the standard

As a general rule, organizations implementing ISO27001 will do well to pay close attention to the wording of that specific standard itself, and to be aware of any revisions to it. Nonconformity with revisions or corrigendums will jeopardize an existing certification. ISO/IEC 27001 itself is what any ISMS will be assessed against; where there is any conflict between advice provided in this, in a supporting standard or any other guide to implementation of ISO27001 and ISO27001 itself, it is the wording in ISO27001 that should be heeded.

An external auditor will be assessing the ISMS against the published standard, not against the advice provided by this book or any third party. It is critical, therefore, that those responsible for the ISMS should be able to refer explicitly to the clauses and intent of ISO27001 and should on that basis be able to defend any implementation steps they have taken.


An appropriate first step is therefore to obtain and read ISO/IEC 27001 itself. Note that ISO27001 uses the word ‘shall’ to indicate a requirement, whereas the other standards in the family use ‘should’ to indicate good practice which is not a requirement.

The UK Accredited Certification Scheme was launched in April 1998, and there is an ISMS users’ group that enables users to exchange information on best practice and enables members to provide feedback on a regular basis to national standards bodies, and through them to the International Organization for Standardization.

ISO/IEC 27002

In 1998, when the original BS7799 was revised for the first time, prior to becoming BS7799 Part 1, references to UK legislation were removed and the text was made more general. It was also made consistent with OECD guidelines on privacy, information security and cryptography. Its best-practice controls were made capable of implementation in a variety of legal and cultural environments.

In o