Table of contents
- Introduction
- ISO 27001 is not an information security standard
- What is ISO 27001?
- What is the minimum you need to do?
- A word about Risk Management
- I don’t understand – how can I be insecure and still certify?
- I have good security already
- What technical security does ISO 27001 actually want me to do?
- The standard is pointless then?
- Clients Need
- What does having it actually tell our clients?
- What about other standards?
- Should I be worried by how hard this is?
Introduction
If you are a cyber security professional, or involved in technical security, and are looking to do ISO 27001, then this is everything you need to know. These are the facts no one else will tell you. No marketing, no fluff, no filler or padding: we will cut straight to the nitty gritty and the reality of the ISO 27001 standard. Ready?
ISO 27001 is not an information security standard
As a cyber security professional you will be tasked with securing your organisation from threats and have a deep understanding of cyber security and information security.
What may shock you is that ISO 27001 is not an information security standard.
ISO 27001 is actually an information security management standard.
A more realistic summary would be that ISO 27001 is an information security risk management standard.
If you have the expectation that this standard will tell you what security to put in place, set out some rules on what you need to do and make you more secure, then you are sadly mistaken. There are other, better, more suited standards to achieve that.
What is ISO 27001?
ISO 27001 is a very straightforward and easy to implement management system.
This is about governance, risk and compliance, and it is a layer that sits above cyber security and information security. As a result it has a specific role to fill in legal and regulatory compliance.
This standard sets out how you manage information security in your organisation. At its heart is risk management, and this is where it gets interesting and, for you, perhaps a little uncomfortable.
If you are managing information security and you are managing risk, you will get your ISO 27001 certification.
Note that at no point here have I referenced any technical requirements, technical security, cyber security or operational security.
To be clear, this is about managing information security and managing risk.
Whilst I personally would never recommend it, it is very possible to have incredibly weak cyber security with little to no information security controls and still pass the audit and get certified.
Let me restate, I would not advise it. But it is possible.
What is the minimum you need to do?
The bare minimum you need to do is implement the basic ISO 27001 clauses from the standard. I even show you how to do it and give you step-by-step guides with videos, for free, in the ISO27001:2022 Reference Guide.
In outline you are going to:
- Define some roles
- Allocate people
- Write some policies
- Do risk management
- Audit and review yourself
- Continually improve.
A word about Risk Management
Let’s take a brief look at risk management. There is no doubt that you are doing this right now if you work in the industry. The level of formality and the depth you go into will vary, but all cyber security is, to a greater or lesser degree, based on risk management.
In basic terms we work out what could go wrong and we put things in place to stop it happening.
The traditional approach is to tackle the ‘no brainers’: the things that we know and the things that we understand. This approach has its place.
Where ISO 27001 steps in is to make you think more broadly about the risks you may face, to prioritise them, and to manage them to a degree based on the level of risk they pose and the wants and needs of the business.
I don’t understand – how can I be insecure and still certify?
The answer is simple: this is about risk management. The only requirement on your actual security is that you are managing risk. Risk management is a beautiful thing because it allows you, encourages you and wants you to implement security to a level that is appropriate and proportionate to you.
You identify your risks and you implement the level of security you need.
And guess what?
If it turns out you don’t need or want to implement some security, you don’t have to. You can just accept the risk.
There is a middle ground here, for sure, but to answer the question of what is the bare minimum you can get away with and still ‘pass’, the answer is shockingly straightforward.
I have good security already
There is no doubt, and no one challenges your professional credentials. This is going to put you in very good stead when it comes to implementing controls that mitigate risks. Whilst others may accept the risk of no control, or may accept an implementation that follows the bare minimum of the guidance with what you would perceive as security weakness, you on the other hand are going to fly through these controls.
Once you have that basic information security management system in place, that is.
What technical security does ISO 27001 actually want me to do?
Once you have your management system in place, you define your scope, you identify your risks, and then you choose, from a list of information security controls, the controls that mitigate the risks you have.
The standard is pretty clear that this list of controls is the minimum you should consider and that you may well have more controls or other controls, which is also fine.
It sets out these controls in an Annex that is referred to as ISO 27001 Annex A.
This is a list of 93 controls.
It doesn’t actually tell you what to do; rather it sets out guidance for you to consider on how to go about it.
This guidance is set out in another standard called ISO 27002.
To make your life easier I have a control by control reference guide that shows you what you should do, what auditors will check and how to pass the audit. It is here if you are interested: ISO 27001 Annex A Reference Guide.
The standard is pointless then?
I can see your perspective, and it is not without its challenges. How pointless it is for you really comes down to your context. Let’s explore.
Clients Need
The main reason for having this standard is going to be client need and commercial benefit. It will be driven by marketing, sales and / or senior leadership.
The reasoning will be: if someone won’t do business with you unless you have it, then you have a choice.
Get it and do business.
Or don’t get it and let your business move on to the next client opportunity.
What does having it actually tell our clients?
When you get ISO 27001 certification, the only thing it tells your clients is that you are managing information security and managing your risks, and that this has been independently assessed as being true.
That is it.
The reality is that anyone who does what I do for a living will follow up with further questions, document requests and audits of you to assess the actual level of security you have implemented.
That is where you, your passion and the controls you have come in.
Those client questionnaires are never going to stop.
What about other standards?
Each standard exists to fill a need, and if we understand the need then we can understand the value. For technical security there are standards such as NIST, Essential 8, Cyber Essentials, PCI DSS and even the CSA STAR questionnaire. Whilst other standards are focussed more on technical security requirements, there is no right or wrong way to approach this.
Having other standards will give you a crossover that benefits you, usually on the controls. It can be argued that by following or having them, the areas where you do cross over will excel and exceed the requirements of ISO 27001.
Should I be worried by how hard this is?
No, because it is not hard. It is management, paperwork, bureaucracy and all the things most operational security professionals hate.
They scream: but it won’t make us more secure. As if this is a revelation and a reason not to do it.
And they are right. It won’t make you more secure if you don’t want it to, but it can. It really depends on how you approach it and your mindset.