Without expert knowledge, avoidable mistakes often occur when implementing ISO 27001. Four of them come up particularly often. This guide will help you avoid these mistakes and implement the right measures for a successful ISO 27001 certification.
The top 4 most failed ISO 27001 controls
Information security is no longer an afterthought; it has become the foundation for resilience, business success and growth. In addition, many companies require their business partners to provide an information security certification such as ISO/IEC 27001, which specifies the requirements for an information security management system (ISMS). Without a structured plan, implementing ISO 27001 can be a major challenge. Based on our work with clients in a variety of industries, we have collated the most commonly failed controls, along with advice on how your company can avoid the mistakes we have seen repeatedly. Before we dive in, let's take a brief look at what ISO 27001 controls are.
ISO 27001 controls overview
ISO/IEC 27001:2013, the edition this guide is based on, has ten main clauses (the mandatory ISMS requirements are in clauses 4 to 10) and an Annex A with 14 control sets that group 35 control objectives and 114 individual controls. The control sets cover areas such as cryptography, compliance, operations security and communications security. In a nutshell, Annex A can be understood as a catalogue of individual security requirements; the 2022 revision regroups it into four themes with 93 controls, but the four problem areas below exist in both editions. How you respond to these requirements when building your ISMS depends on the nature of your business: you select the controls that treat the risks you have identified and justify any you leave out in your Statement of Applicability. With that, let's look at some of the most challenging controls for businesses to meet.
Measure 1: Supplier security
The objective of this control is to protect information assets that are handled by your suppliers. You must ensure that your suppliers continuously meet an agreed level of information security. For example, the expected level could be defined in supplier agreements.
Why this control is often failed
- Not every supplier is risk-assessed: The assessment and continuous monitoring of all suppliers is often deprioritised. It can be challenging to conduct a risk assessment for every supplier who has access to your assets.
- Documentation: It is important that everything related to risk assessment is documented; this often becomes a burden and leads to a lack of documentation.
- Supplier criteria: You must define criteria that are adequate to the product or service the supplier is delivering. Such criteria for supplier collaboration are often missing or inadequate.
- Providing proof of compliance: Companies often fail to provide proof of compliance for all their suppliers. Here you are faced with another challenging task: either you audit each supplier individually, or you source sufficient evidence for their information security (meaning their own certifications, audits, reports, etc).
- Supplier checks: Usually, the purchasing department carries out supplier checks (checking pricing, quality, etc) – however, they are often not aware of ISO 27001 criteria in detail.
What you can do
- Consider enabling your purchasing department to assess the information security compliance of suppliers themselves, for example through training. Alternatively, involve someone with the necessary experience and expertise, such as an external information security officer, to support them during the procurement process.
- Always carry out risk assessments prior to acquiring new software or working with new suppliers. This will save you time and help avoid stressful situations down the line.
- Ensure that information security controls are written into the contract and SLA you have with each new supplier. Via the contract, suppliers can be obliged to report on availability, downtime, incidents, etc. Example: if a cloud provider commits to 95% availability in its contract, it should report the measured figure to you monthly so you can check whether the commitment is met and whether it is sufficient in the first place (95% over a 30-day month still allows roughly 36 hours of downtime). This gives you the evidence to renegotiate if needed, or to find a new supplier if requirements are repeatedly not met.
Measure 2: Operations security
The objective of this control is to ensure the secure and adequate operation of information processing facilities. The control therefore addresses operational procedures and responsibilities.
Why this control is often failed
- Missing details in the documentation: In our experience, organisations often do the right things but fail to document all the right operational procedures in detail, e.g., the exact details for the configuration of a firewall, a server, or other infrastructure components, thereby causing friction within their own processes.
- Lack of evidence: During the ISO 27001 audit, an auditor always wants to see evidence of what has been done. Describing the process is not enough; you need to prove it, e.g., with documentation of your main systems and IT processes, configuration baselines, and records of how administrative access and privileged credentials are granted, stored and reviewed. Do not hand the auditor the passwords themselves: the evidence is the process and its records (password manager, access reviews, approval tickets), never the secrets.
- Change management: Major changes such as introducing a new ERP system (e.g., SAP) that allows the creation of individual workflows, reports or interfaces can become an issue. For example, a self-coded report could deliver inaccurate information, and, in the worst case, an interface that has not been tested properly could cause system downtime.
- Logging and monitoring of logs: Often, organisations do not really know what to monitor or how to define the events that should trigger a notification. That results in too much logging that nobody reviews, or worse, no logging at all. Organisations frequently lack a system to check the logs, or to be notified when something happens.
What you can do
- You absolutely must make sure to have correct and detailed documentation in place. To achieve this, you can work with templates, implement a standardised process for creating and updating documents, and train key stakeholders from various departments to keep the documentation up to date, e.g. if processes change.
- Implement tooling that centralises logs and define the trigger events you need to be alerted on (e.g., Microsoft 365 can flag sign-ins from unfamiliar or geographically implausible locations). You can then react accordingly, e.g., by blocking the affected accounts, revoking their active sessions and ensuring that passwords are changed. A complementary measure is multi-factor authentication for email and other externally reachable accounts, which turns a stolen password on its own into a failed login that you can monitor.
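The following is an added example, not code from the original article: a small detection routine run over constructed sign-in audit events. It shows three trigger events worth monitoring, a login from a country not previously seen for the user, two logins from different countries closer together than plausible travel time, and a run of failed logins followed by a success. The field names, the baseline of known countries and the thresholds are assumptions; map them to your identity provider's export.

```python
"""Added example: detection rules over sign-in audit events (field names assumed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

# Constructed sample events (RFC 5737 test addresses, fictitious users), one JSON object per line.
SAMPLE_EVENTS = """\
{"ts": "2024-03-04T08:02:11Z", "user": "alice@example.com", "country": "DE", "ip": "203.0.113.10", "result": "success"}
{"ts": "2024-03-04T08:40:55Z", "user": "alice@example.com", "country": "DE", "ip": "203.0.113.10", "result": "success"}
{"ts": "2024-03-04T09:05:02Z", "user": "alice@example.com", "country": "BR", "ip": "198.51.100.7", "result": "success"}
{"ts": "2024-03-04T10:15:40Z", "user": "bob@example.com", "country": "DE", "ip": "203.0.113.22", "result": "failure"}
{"ts": "2024-03-04T10:15:47Z", "user": "bob@example.com", "country": "DE", "ip": "203.0.113.22", "result": "failure"}
{"ts": "2024-03-04T10:16:01Z", "user": "bob@example.com", "country": "DE", "ip": "203.0.113.22", "result": "success"}
{"ts": "2024-03-05T07:58:30Z", "user": "bob@example.com", "country": "NL", "ip": "192.0.2.44", "result": "success"}
"""

# Assumed baseline of countries each user normally signs in from; in practice
# derive it from the previous 30-90 days of successful logins.
BASELINE = {"alice@example.com": {"DE"}, "bob@example.com": {"DE"}}


@dataclass
class Finding:
    user: str
    rule: str
    detail: str


def parse_events(text):
    """Parse one JSON object per line and return the events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline, travel_window=timedelta(hours=2), failure_threshold=2):
    """Run the three rules over time-ordered events and return the findings.

    The baseline is copied so repeated runs do not mutate the caller's data.
    """
    seen = {user: set(countries) for user, countries in baseline.items()}
    last_success = {}   # user -> (country, timestamp) of the last successful login
    failures = {}       # user -> consecutive failed logins since the last success
    findings = []
    for ev in events:
        user, country, ts = ev["user"], ev["country"], ev["ts"]
        if ev["result"] != "success":
            failures[user] = failures.get(user, 0) + 1
            continue
        # Rule 1: a success right after a run of failures (password guessing or spraying).
        if failures.get(user, 0) >= failure_threshold:
            findings.append(Finding(user, "failures_then_success",
                                    f"{failures[user]} failed logins preceded this success from {ev['ip']}"))
        failures[user] = 0
        # Rule 2: first login ever from this country for this user.
        if country not in seen.setdefault(user, set()):
            findings.append(Finding(user, "new_country", f"first login from {country} ({ev['ip']})"))
            seen[user].add(country)
        # Rule 3: previous success from another country within the travel window.
        prev = last_success.get(user)
        if prev and prev[0] != country and ts - prev[1] <= travel_window:
            findings.append(Finding(user, "impossible_travel",
                                    f"{prev[0]} at {prev[1]:%H:%M} then {country} at {ts:%H:%M}"))
        last_success[user] = (country, ts)
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS), BASELINE):
        print(f"{f.rule:22} {f.user:20} {f.detail}")
```

Run on the sample data, the routine raises two new-country findings (alice from BR, bob from NL), one impossible-travel finding (alice, DE then BR 25 minutes apart) and one failures-then-success finding (bob). The travel window and failure threshold are the knobs that decide between "too much logging" and "no logging at all": tune them on your own history before wiring the output to an alert channel.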
Measure 3: Communication security
This objective refers to network security management. Its aim is ensuring that information processed in networks, as well as information processing facilities, is properly protected.
Why this control is often failed
- Lack of network protection: If the network is not set up securely (e.g., one flat network that carries all traffic, from office clients to production servers), an attacker who compromises any single device can reach everything, and the entire network might be affected during an attack.
- Lack of Non-Disclosure Agreements (NDAs): Typically, businesses do not set up enough NDAs. Parties such as applicants or other companies often have access to important and confidential information via sales processes, application processes, etc. This critical information is then left unprotected.
- Lack of secure communication channels for highly sensitive information: Highly sensitive information is shared frequently in organisations, and rarely via secure channels. Email is the most popular medium, but standard email is neither end-to-end encrypted nor reliably authenticated: it is stored in clear text on every server it passes through and can be read or altered by anyone who controls one of them.
What you can do
- We recommend segmenting your network into separate zones based on function, with firewall rules that allow only the traffic each zone actually needs, in order to increase your network's resilience. For example, production systems could be separated from administration and office clients. In case of an attack, the impact would be limited to one zone rather than spreading across the whole network. Segmentation only helps if the traffic between zones is actually filtered; VLANs with no rules between them give the appearance of separation but not the effect.
- Implement NDAs to all parties that have access to critical information about your business – including, but not limited to, applicants and other companies that you collaborate with. This will ensure contractual protection for your critical information.
- Ensure that you have a secure communication channel in place to process and share critical information. Secure/Multipurpose Internet Mail Extensions (S/MIME) or Pretty Good Privacy (PGP/OpenPGP) provide end-to-end email encryption, so that only the intended recipient can read the message body and attachments. Note that both leave the subject line and headers unencrypted, and both depend on managing certificates or keys for every participant; for exchanges with external parties an encrypted file-transfer platform is often easier to roll out than encrypted email.
Measure 4: Asset management
This objective aims to identify, protect, and account for information assets as well as to define ownership and acceptable use of those assets.
Why this control is often failed
- Shadow Information Technology: Particularly in start-ups, young companies and organisations with modern infrastructure (i.e., organisations working with lots of SaaS solutions), many information assets are processed by software and suppliers that nobody is aware of. For example, the Sales department uses a free online tool to convert a PDF into a Word Document. The business does not know the supplier behind the free online tool and whether critical information is being processed. This can result in a huge data leak, as there is no contract or NDA in place with these providers.
- Lack of awareness about all relevant information assets: If you are not aware of all your assets, then you cannot fully understand your risks. As a result, your risk management will be deemed insufficient. It is crucial to know which assets you are or should be protecting. Depending on the company, this can be exceedingly obvious for an auditor to spot. For example, if a software company with 2,000 employees only logs 150 laptops in their asset management, this would raise serious questions during an external audit and can lead to a failed certification.
What you can do
- It is crucial to document everything – optimally, you should have a dedicated process to make sure that all assets as well as the controls you have put in place are documented.
- There should be a responsible department or person to ensure that all assets are listed in the asset management document or catalogue. The responsible person needs to be informed by other members of the organisation to understand which information assets are being used and by whom. New software or hardware should be reported to this person so that they can keep a log, along with what information is being processed.
- In some cases, asset management should be aligned with the Data Protection Officer (DPO).
- This control affects other processes. A common example is onboarding and offboarding employees: it is important to deactivate accounts, and to revoke API keys, tokens and VPN access, as soon as someone leaves the company. Otherwise, former employees might still have access to confidential company information, and abandoned accounts that nobody watches are an attractive target for attackers.
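The following is an added example, not code from the original article, that serves both the shadow IT point and the offboarding point above. It runs two reconciliation checks over constructed data: egress proxy log destinations are compared with the approved supplier list to surface unknown SaaS tools (ranked by how much data was uploaded, the likeliest place for a leak), and enabled identity-provider accounts are compared with HR's list of active staff to find accounts belonging to leavers. The column names, the supplier list and the service-account owner mapping are assumptions; map them to your own proxy and IdP exports.

```python
"""Added example: reconciling egress logs and IdP accounts against the asset register (data constructed)."""
import csv
import io
from collections import defaultdict

# Suppliers with a contract/NDA and a completed risk assessment (assumed list, lower-case hosts).
APPROVED_SUPPLIERS = {"crm.example-vendor.com", "storage.example-cloud.com", "mail.example-provider.com"}

# Constructed proxy log: timestamp, user, destination host, bytes uploaded.
PROXY_LOG = """\
ts,user,host,bytes_out
2024-03-04T09:01:00Z,sales1@example.com,crm.example-vendor.com,1200
2024-03-04T09:03:00Z,sales1@example.com,free-pdf-convert.example.net,4820000
2024-03-04T09:10:00Z,sales2@example.com,free-pdf-convert.example.net,2100000
2024-03-04T09:12:00Z,dev1@example.com,storage.example-cloud.com,900
2024-03-04T11:30:00Z,hr1@example.com,notes-app.example.org,15000
"""

# Constructed identity-provider export and HR list of currently employed staff.
IDP_ACCOUNTS = [
    {"account": "sales1@example.com", "enabled": True, "last_login": "2024-03-04"},
    {"account": "ex-employee@example.com", "enabled": True, "last_login": "2023-11-20"},
    {"account": "contractor-old@example.com", "enabled": False, "last_login": "2023-06-01"},
    {"account": "svc-backup@example.com", "enabled": True, "last_login": "2024-03-03"},
]
HR_ACTIVE = {"sales1@example.com", "sales2@example.com", "dev1@example.com", "hr1@example.com"}
# Assumed mapping of service accounts to the person accountable for them.
SERVICE_ACCOUNT_OWNERS = {"svc-backup@example.com": "dev1@example.com"}


def shadow_saas(proxy_csv, approved):
    """Return {host: {"users": set, "bytes_out": int}} for destinations not on the approved list.

    Each entry is a candidate for the asset owner to contract, block, or document as out of scope.
    """
    unapproved = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for row in csv.DictReader(io.StringIO(proxy_csv)):
        host = row["host"].strip().lower()
        if host in approved:
            continue
        unapproved[host]["users"].add(row["user"])
        unapproved[host]["bytes_out"] += int(row["bytes_out"])
    return dict(unapproved)


def ranked_by_upload(unapproved):
    """Hosts that received the most data first."""
    return sorted(unapproved, key=lambda h: unapproved[h]["bytes_out"], reverse=True)


def orphaned_accounts(idp_accounts, hr_active, service_owners):
    """Enabled accounts whose human owner is no longer employed.

    Service accounts are checked through their named owner; a service account with no
    recorded owner is reported as well, because nobody is accountable for it.
    """
    orphans = set()
    for acct in idp_accounts:
        if not acct["enabled"]:
            continue
        name = acct["account"]
        owner = service_owners.get(name, name)
        if owner not in hr_active:
            orphans.add(name)
    return orphans


if __name__ == "__main__":
    found = shadow_saas(PROXY_LOG, APPROVED_SUPPLIERS)
    print("Unapproved destinations, most data uploaded first:")
    for host in ranked_by_upload(found):
        info = found[host]
        print(f"  {host:32} {info['bytes_out']:>10} bytes  {len(info['users'])} user(s)")
    print("Enabled accounts without an active owner:", sorted(orphaned_accounts(IDP_ACCOUNTS, HR_ACTIVE, SERVICE_ACCOUNT_OWNERS)))
```

On the sample data, the free PDF converter surfaces as the top unapproved destination (two sales users, about 6.9 MB uploaded), which is exactly the case described above, and one enabled account belonging to a former employee is reported. Feed the output to the person responsible for the asset catalogue rather than to an alert queue; the point is to keep the register complete, and the decision for each finding (contract, block, or retire) is theirs.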
How does ISO 27001 certification work?
Identifying weaknesses and starting implementation
The implementation of an Information Security Management System (ISMS) according to ISO 27001 is a multi-stage project. To ensure success, it is important to understand the organisation's current information security practices and identify the necessary improvements.
The first steps in implementing an ISMS according to ISO 27001 are:
- Understanding the ISO 27001 requirements: ISO 27001 defines the requirements for an ISMS. It is important to familiarise yourself with these requirements before starting the implementation.
- Gap analysis: A gap analysis helps to identify areas where the organisation's current information security practices do not align with the requirements of ISO 27001.
- Developing an implementation plan: An implementation plan specifies the activities that need to be carried out to meet the requirements of ISO 27001.
Establishing the ISMS
Establishing an ISMS according to ISO 27001 involves the following steps:
- Defining the scope: The scope defines which information and processes should be protected by the ISMS.
- Identifying risks: Risks to information security can arise from various sources, such as human errors, technical issues, or natural events. Risk identification helps to assess these risks and develop appropriate risk treatment measures.
- Implementing controls: Controls are measures used to mitigate risks to information security. Controls can be technical, organisational, or process-related in nature.
Protecting information assets
An organisation's information security objectives should consider the protection requirements for all relevant information assets. Information assets can include hardware, software, data, business processes, or reputation.
The following measures can help protect information assets:
- Identifying and categorising information assets: All relevant information assets should be identified and categorised according to their importance and value.
- Defining responsibilities: Responsibilities for the management and protection of information assets should be established.
- Implementing controls: Controls should be implemented to meet the protection requirements for all relevant information assets.
Completing the ISO 27001 audit
After completing the implementation of the ISMS, the organisation undergoes an external audit to verify compliance with the ISO 27001 requirements. The audit is conducted by an accredited certification body, typically in two stages: a review of the ISMS documentation (stage 1), followed by an on-site assessment of whether the controls are actually operating as documented (stage 2).
Maintaining the ISMS
After certification, it is important to regularly review and update the ISMS to ensure continuous compliance with the ISO 27001 requirements.
Changes to the organisational infrastructure and evolving security threats can create new risks. To mitigate these risks, it is important to regularly review and update the ISMS. This includes:
- Risk assessments: Regular risk assessments help to identify new risks and develop appropriate risk treatment measures.
- Internal audits: Internal audits help to verify compliance with the ISO 27001 requirements and identify areas for improvement.
- Employee training: Employee training is important to ensure that all employees are aware of and able to comply with the ISO 27001 requirements.
A certificate is valid for three years. To keep it, the organisation must pass annual surveillance audits in the intervening years and a full recertification audit before the three years end. The surveillance audits are not optional, but they are also a useful regular check of the state of information security in the company.
Implementing ISO 27001 is a complex process that should be carefully planned and executed.
The four most common mistakes occur in:
- Supplier security: Failure to review information security
- Operations security: Inadequate documentation of operational processes
- Communication security: Inadequate protection of networks
- Asset management: Lack of overview of information assets
To avoid these mistakes, companies should take the following measures:
- Supplier security: Companies should conduct a risk assessment for all suppliers who have access to their information assets.
- Operations security: Companies should document their operational procedures in detail and provide evidence of the measures taken.
- Communication security: Companies should divide their networks into different areas and use secure communication channels for particularly sensitive information.
- Asset management: Companies should create a complete overview of their information assets and update it regularly.
Measures for successful ISO 27001 certification
With a well-structured plan and complete documentation of your measures, an ISO 27001 implementation can succeed. Involve employees and management in the processes and create awareness of information security in the company. By addressing the four areas above, companies can improve their information security and reduce the risk of security incidents.
Do you have unanswered questions regarding the implementation of measures in accordance with ISO 27001? Don't hesitate to reach out to us for a free consultation.