<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Securing Info</title>
	<atom:link href="http://www.securinginfo.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securinginfo.com</link>
	<description>Ensuring the Security of Information</description>
	<lastBuildDate>Mon, 14 Feb 2011 15:59:13 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>What is PCI DSS?</title>
		<link>http://www.securinginfo.com/pci-dss/what-is-pci-dss/</link>
		<comments>http://www.securinginfo.com/pci-dss/what-is-pci-dss/#comments</comments>
		<pubDate>Mon, 14 Feb 2011 15:59:13 +0000</pubDate>
		<dc:creator>InfoSec Guy</dc:creator>
				<category><![CDATA[PCI DSS]]></category>

		<guid isPermaLink="false">http://www.securinginfo.com/?p=17</guid>
		<description><![CDATA[PCI DSS is the Payment Card Industry Data Security Standard. The standard was developed a few years ago by the big 5 credit card schemes, Visa, Mastercard, American Express, JCB and Discover. The PCI standard is a security standard specifically designed to protect credit card information. Although during its development it roughly followed ISO27001 with [...]]]></description>
			<content:encoded><![CDATA[<p>PCI DSS is the Payment Card Industry Data Security Standard. The standard was developed a few years ago by the big 5 credit card schemes, Visa, Mastercard, American Express, JCB and Discover. The PCI standard is a security standard specifically designed to protect credit card information. Although during its development it roughly followed ISO27001 with regard to general security controls, the PCI standard differs from the ISO standard in that it gets specific about particular technologies used to protect credit card information.</p>
<p>For example, the PCI standard dictates that you must use encryption at an appropriate level to protect the PAN (Primary Account Number), the card number, usually 16 digits in length, printed across the middle of the card, both when it is in storage and when it is communicated. The ISO standard does not dictate when or where encryption should be used; what it is good for is ensuring that you have good controls in place for the management of encryption should you wish to deploy it. </p>
<p>A second example would be that the ISO standard does not determine what information you can and cannot store or communicate; it simply gives you a list of controls which will help you to do so safely and securely. The PCI standard, on the other hand, will not allow you to store certain types of credit card information, such as the contents of the magnetic stripe, the contents of the chip on a chip and PIN card, or the CVV2 security number which is printed on the signature strip of the credit card.</p>
<p>So, although the ISO27001 and PCI Data Security Standards are both based on best practice, their approaches are different.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securinginfo.com/pci-dss/what-is-pci-dss/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISO27001 Certification &#8211; Choosing Controls</title>
		<link>http://www.securinginfo.com/iso27001/iso27001-certification-choosing-controls/</link>
		<comments>http://www.securinginfo.com/iso27001/iso27001-certification-choosing-controls/#comments</comments>
		<pubDate>Mon, 14 Feb 2011 13:58:28 +0000</pubDate>
		<dc:creator>InfoSec Guy</dc:creator>
				<category><![CDATA[ISO27001]]></category>

		<guid isPermaLink="false">http://www.securinginfo.com/?p=9</guid>
		<description><![CDATA[The ISO 27001 standard is made up of a set of mandatory clauses and 133 controls.  While compliance with all the clauses is required, it is not mandatory to adopt every single control. 
Choosing applicable controls for your chosen scope should be carefully considered through your risk assessment, and be aligned to your overall [...]]]></description>
			<content:encoded><![CDATA[<p>The ISO 27001 standard is made up of a set of mandatory clauses and 133 controls.  While compliance with all the clauses is required, it is not mandatory to adopt every single control. </p>
<p>Choosing applicable controls for your chosen scope should be carefully considered through your risk assessment, and be aligned to your overall security objectives, and contractual requirements. </p>
<p>In practice, you will probably find that the vast majority of the 133 controls are applicable to you, as they are all common controls against information security threats &#8211; and will therefore be applicable in most organisations. </p>
<p>However, if you do decide to exclude a number of controls, these can be justified through your Statement of Applicability (SOA), or have an entry within your risk assessment to demonstrate that you have formally considered the risks associated with not implementing a particular control.  The external certification body will then judge whether these control exclusions are appropriate or not.</p>
<p>Officially, your Statement of Applicability is a public document which sits alongside your ISO27001 certificate, and should therefore be appropriate for external viewing.  You might not wish to include sensitive information that you would not want to share with a third party.  Some organisations produce a &#8216;Summary of Controls&#8217;, with less detail than their SOA, and use this as their public-facing evidence of the extent of their implementation of the standard.</p>
<p>Remember that the number of controls you adopt will give any interested parties a clue as to the risk appetite of the organisation and a measure of the thoroughness of your Information Security Management System.  As a guide, we advise our clients to ask for more details if a certified organisation offering its services has adopted fewer than 120 out of 133 controls.</p>
<p>Over time previously excluded controls may come into scope as your business evolves, new threats emerge, and senior management develop their understanding of the risks and release more resources for the management of these risks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securinginfo.com/iso27001/iso27001-certification-choosing-controls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISO27001 Certification &#8211; Risk Assessment</title>
		<link>http://www.securinginfo.com/iso27001/iso27001-certification-risk-assessment/</link>
		<comments>http://www.securinginfo.com/iso27001/iso27001-certification-risk-assessment/#comments</comments>
		<pubDate>Wed, 07 Jul 2010 10:00:04 +0000</pubDate>
		<dc:creator>InfoSec Guy</dc:creator>
				<category><![CDATA[ISO27001]]></category>
		<category><![CDATA[Risk Assessment]]></category>

		<guid isPermaLink="false">http://www.securinginfo.com/?p=7</guid>
<description><![CDATA[Risk assessment is the one area of certification that causes many organisations difficulty. It can require a comprehensive technical understanding of information security threats, combined with the ability to express these in a business language that can be understood by decision makers. Your decisions regarding information security developments, and how you [...]]]></description>
<content:encoded><![CDATA[<p>Risk assessment is the one area of certification that causes many organisations difficulty. It can require a comprehensive technical understanding of information security threats, combined with the ability to express these in a business language that can be understood by decision makers. Your decisions regarding information security developments, and how you interpret the results of incident reviews and audits (internal and external), are based on this process.</p>
<p>The flexibility within the standard to choose controls is based upon you demonstrating a rigorous risk assessment process to justify your decisions.  This particularly applies to control exclusions, limitations to the scope, and any risks that you decide to accept and not develop countermeasures for. </p>
<p>While the ISO 27001 standard provides a framework for managing information security, it does not provide an absolute level of security.  Through the risk assessment process you may choose to accept risks and not necessarily eliminate them.  It is therefore expected that you will have a number of identified risks that you only partly mitigate, and that residual risk will remain.</p>
<p>The importance of the risk assessment process is reflected by the fact that the required elements are all mandatory clauses within the ISO27001 standard. </p>
<p>The process can commence with a brainstorming exercise identifying a number of risk scenarios and their relationship to your key information assets.  This should include assessment of the impact on these information assets where security incidents could involve:</p>
<p><strong>Confidentiality</strong> &#8211; ensuring that information is accessible only to those authorised<br />
<strong>Integrity</strong> &#8211; safeguarding the accuracy and completeness of information<br />
<strong>Availability</strong> &#8211; ensuring that authorised users have access to information</p>
<p>Risk assessment must be an ongoing process which should be subject to regular updates and management review. As your ISMS develops, it should be central to your information security planning and decision making process.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securinginfo.com/iso27001/iso27001-certification-risk-assessment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISO27001 Certification ISMS Scope</title>
		<link>http://www.securinginfo.com/iso27001/iso27001-certification-isms-scope/</link>
		<comments>http://www.securinginfo.com/iso27001/iso27001-certification-isms-scope/#comments</comments>
		<pubDate>Wed, 07 Jul 2010 09:56:35 +0000</pubDate>
		<dc:creator>InfoSec Guy</dc:creator>
				<category><![CDATA[ISO27001]]></category>

		<guid isPermaLink="false">http://www.securinginfo.com/?p=5</guid>
<description><![CDATA[There are a number of variables that directly impact the scale and complexity of any ISO 27001 Information Security Management System (ISMS); perhaps the most significant of these is your chosen scope.
Defining your ISMS scope should be one of the very first things you do when embarking upon an ISO 27001 project to ensure all [...]]]></description>
<content:encoded><![CDATA[<p>There are a number of variables that directly impact the scale and complexity of any ISO 27001 Information Security Management System (ISMS); perhaps the most significant of these is your chosen scope.</p>
<p>Defining your ISMS scope should be one of the very first things you do when embarking upon an ISO 27001 project, to ensure all your information assets have been identified and the associated risks assessed.  Your chosen scope can be across geographical locations, internal departments, business processes or even individuals; it doesn&#8217;t necessarily need to be your entire organisation.</p>
<p>However, it is important to remember that in order for your ISMS to be effective, you need to ensure that the parts of the organisation certified align with the areas that could impact upon your security and will deliver you the most value.  For instance: are all the people with access to your critical information included within the certification scope? </p>
<p>Clearly any security-savvy client will want reassurance that the way in which you handle, process, store and even dispose of their sensitive information is covered within the scope of your certification; they may even insist that security measures be defined in your contracts.</p>
<p>Also, don&#8217;t forget, your chosen statement of scope will appear on your certificate, so it is essential to get it right!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securinginfo.com/iso27001/iso27001-certification-isms-scope/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>