The ISO 27001 standard is made up of a set of mandatory clauses and 133 controls. While compliance with all the clauses is required, it is not mandatory to adopt every single control.
Choosing applicable controls for your chosen scope should be carefully considered through your risk assessment, and be aligned to your overall security objectives, and contractual requirements.
In practice, you will probably find that the vast majority of the 133 controls are applicable to you, as they all address common information security threats and will therefore be applicable in most organisations.
However, if you do decide to exclude a number of controls, these exclusions can be justified through your Statement of Applicability (SOA), or have an entry within your risk assessment to demonstrate that you have formally considered the risks associated with not implementing a particular control. The external certification body will then judge whether these control exclusions are appropriate or not.
Officially, your Statement of Applicability is a public document which sits alongside your ISO 27001 certificate, and should therefore be appropriate for external viewing. You might not wish to include sensitive information that you would not want to share with a third party. Some organisations produce a ‘Summary of Controls’, with less detail than their SOA, and use this as their public-facing evidence of the extent of their implementation of the standard.
Remember that the number of controls you adopt will give any interested parties a clue as to the risk appetite of the organisation and a measure of the thoroughness of your Information Security Management System. As a guide, we advise our clients to ask for more details if a certified organisation offering its services has adopted fewer than 120 out of the 133 controls.
Over time, previously excluded controls may come into scope as your business evolves, new threats emerge, and senior management develop their understanding of the risks and release more resources for managing them.
Risk assessment is the one area of certification that causes many organisations difficulty. It can require a comprehensive technical understanding of information security threats, combined with the ability to express these in business language that decision makers can understand. Your decisions regarding information security developments, and how you interpret the results of incident reviews and audits (internal and external), are based on this process.
The flexibility within the standard to choose controls is based upon you demonstrating a rigorous risk assessment process to justify your decisions. This particularly applies to control exclusions, limitations to the scope, and any risks that you decide to accept and not develop countermeasures for.
While the ISO 27001 standard provides a framework for managing information security, it does not provide an absolute level of security. Through the risk assessment process you may choose to accept risks rather than eliminate them. It is therefore expected that you will have a number of identified risks that you only partly mitigate, and that residual risks will remain.
The importance of the risk assessment process is reflected by the fact that its required elements are all mandatory clauses within the ISO 27001 standard.
The process can commence with a brainstorming exercise identifying a number of risk scenarios and their relationship to your key information assets. This should include assessment of the impact on these information assets where security incidents could involve:
Confidentiality – ensuring that information is accessible only to those authorised
Integrity – safeguarding the accuracy and completeness of information
Availability – ensuring that authorised users have access to information
Risk assessment must be an ongoing process, subject to regular updates and management review. As your ISMS develops, it should be central to your information security planning and decision-making process.
There are a number of variables that directly affect the scale and complexity of any ISO 27001 Information Security Management System (ISMS); perhaps the most significant of these is your chosen scope.
Defining your ISMS scope should be one of the very first things you do when embarking upon an ISO 27001 project, to ensure all your information assets have been identified and the associated risks assessed. Your chosen scope can be defined by geographical location, internal department, business process or even individuals; it doesn’t necessarily need to be your entire organisation.
However, it is important to remember that in order for your ISMS to be effective, you need to ensure that the parts of the organisation certified align with the areas that could impact upon your security and will deliver you the most value. For instance, are all the people with access to your critical information included within the certification scope?
Clearly any security-savvy client will want reassurance that the way in which you handle, process, store and even dispose of their sensitive information is covered within the scope of your certification; they may even insist that security measures be defined in your contracts.
Also, don’t forget, your chosen statement of scope will appear on your certificate, so it is essential to get it right!