Governance of Enterprise IT – Assignment

27

The ISO27001 audit

While some organizations might still debate the value of ISO27001 certifica-
tion (arguing that what matters is the implementation of an effective ISMS
rather than a badge), the market is moving against them, and a major objec-
tive of this book is to help those organizations that see the value in
certification to be successful in achieving it. The first three chapters clearly
explained all the benefits that accrue from a successful certification, and
these will not be rehearsed here; a certification audit is a practical and cost-
effective way of meeting the requirement in Control 18.2.1 for an
independent review of information security, and provides a means of demon-
strating compliance to ISO27001.

A certification audit will tend to use negative reporting (that is, it will
identify inadequacies rather than adequacies) to assess an ISMS to ensure
that its documented procedures and processes, the actual activities of the
organization and the records of implementation meet the requirements of
ISO27001 and the declared scope of the system. The outcome of the audit
will be a written audit report (usually available soon after the completion of
the audit) and a number of nonconformities and observations together with
necessary corrective actions and agreed time-frames.

Selection of auditors

Chapter 3 touched on some of the issues that should be taken into account
in selecting an ISO27001 certification body. Of course, any organization
seeking certification will want to be sure that there is a cultural fit between
itself and its supplier of certification services, and there will certainly be all
the normal issues of ensuring that there is alignment between the desires
of the buyer and the offering, including pricing and service, of the vendor.

IT GOVERNANCE366

It is completely appropriate to treat the selection of a certification body with
the same professionalism as the selection of any other supplier.

There are three key issues that need to be taken into account when
making this selection. The first is a general issue, the second is relevant to
organizations that already have one or more externally certified manage-
ment systems in place and the third applies specifically to organizations
tackling ISO27001.

The first key point is that you should only use an accredited certification
body (CB, also sometimes called a Registrar), one that is formally accredited
by a National Accreditation Body that is a signatory to the International
Accreditation Forum (IAF). These CBs deliver internationally recognized
certification services, and their certificates are recognized as valid by all
other IAF members; in other words, a UKAS-accredited certificate will be
recognized as equivalent to a locally issued certificate accredited by another
national accreditation body elsewhere in the world. There are a small
number of unaccredited certification bodies offering combined consultancy
and certification services outside the recognized international scheme; as
they operate outside of the internationally recognized framework it is
impossible to determine their competence, or extent of independence and
hence the value to put on their certificates in terms of both assurance and
credibility. Avoid them.

Secondly, it is essential that your ISMS is fully integrated into your organ-
ization; it will not work effectively if it operates outside of the management
and operation of the organization or exists outside of and parallel to any
other management systems.

Logically, this means that the framework, processes and controls of the
ISMS must, to the greatest extent possible, be integrated with, for instance,
your ISO9001 quality system; you want one document control system, one
set of processes for each part of the organization, etc. Clearly, therefore, the
certification body assessment of your management system must also be
integrated: you want only one audit, which deals with all the aspects of
your management system. It is simply too disruptive of the organization,
too costly and too destructive of good business practice to have anything
else. You should take this into account when selecting your ISO27001 certi-
fication body, and ensure that whoever you choose can and does offer an
integrated assessment service. However, the fact that a CB is accredited to
offer ISO9001 certification does not automatically mean it is accredited for
ISO27001; you will need to check with the CB. If you are currently using a
CB that is not accredited for ISO27001, you will have to consider switching
to one that is able to offer certification to both standards.

THE ISO27001 AUDIT 367

The third issue that you should take into account when selecting your
supplier of certification services is their approach to certification itself. An
ISMS is fundamentally designed to reflect the organization’s assessment of
risks in and around information security. In other words, each ISMS will be
different. It is important therefore that each external assessment of an ISMS
takes that difference into account so that the client gets an assessment that
adds value to its business (which includes positive feedback as well as non-
conformities), rather than one that is merely a mechanical comparison of
the ISMS against the requirements of ISO27001. Inquiring how a potential
provider of ISO 27001 certification ensures its auditors are appropriately
competent for your specific business is one means of helping ensure you
receive a valuable service.

Once an accredited certification body has been selected and terms agreed
(using the same basis of contracting as is applied to any other third-party
supplier), the organization can turn to the actual process of certification.
This process will be completely familiar to any organization that has already
undergone certification to ISO9000 or any other management system stand-
ard. The certification body will want to go through an initial two-stage
process. The first stage will be a Stage 1 audit, which enables the audit body
to become acquainted with the organization, to carry out a document
review, to assure themselves that the ISMS is sufficiently well developed to
be capable of withstanding a formal audit and to obtain enough informa-
tion about the organization and the intended scope of the certification
to plan their Stage 2 audit effectively. This visit is usually relatively short
and, depending on the size of the organization, may require only one or
two days to carry out. The certification body will use this visit to ensure it
has sufficient time and the appropriate competency profile in the audit team
to successfully complete the Stage 2 audit, as well as to ensure that your
organization is ready for that challenge.

Initial audit

The first formal audit, known as the initial audit, will usually take place over
two stages. The audit process involves testing the organization’s documented
processes (the ISMS) against the requirements of the standard (Stage 1, a
readiness review), to confirm that the organization has set out to comply
with the standard, and then testing actual compliance by the organization
with its ISMS (Stage 2, the implementation audit). The entire two-
stage audit will follow a pre-ordained plan, and the auditors will have

IT GOVERNANCE368

communicated with whoever is their liaison point (usually the information
security manager) about whom they will wish to interview and in what
order they will want to do it. There is no defined maximum period between
the Stage 1 and Stage 2 audits, although it is unusual for it to exceed three
months. Some negotiation is possible here, but usually over timing and
availability rather than subject matter.

Each audit will start and finish with a management meeting. The audi-
tors, just like financial ones, will need a separate room for the duration of
the audit and appropriate arrangements made for refreshments. Many
audits will involve at least two auditors, who may have different areas of
expertise. There will be a lead, or principal, auditor, who will be responsible
for the overall progress of the audit. The organization being audited should
ensure that its liaison is on hand to support the auditors throughout the
process; this might include guiding auditors around the premises, introduc-
ing them to those staff next on their list to interview, and dealing with
queries and issues arising.

At the end of each day, there will usually be a brief wrap-up meeting
at which (usually) any areas of nonconformity with either the standard or
the ISMS are identified. This part of the process will again be completely
familiar to any organization that has gone through an ISO9001 certifica-
tion. Nonconformities can be either minor or major; minor ones tend to
vary in usefulness but major ones could very easily mean that the organiza-
tion is not (at this stage) capable of successful certification. Often, upon
identification of a major nonconformity the auditors will suggest that the
audit process be suspended and started afresh once the organization has had
time enough to address this major issue. This can be expensive and time-
consuming, and have a negative effect on morale and the commitment
within the organization to achieving certification.

There are two components to carrying out successful certification audits.
The first is the level of preparedness of the organization’s ISMS and the
second is the way in which the employees of the organization are themselves
prepared for the audit.

Preparation for audit

No audit can take place until sufficient time has passed for the organization
to have in place a working internal audit and management review pro-
cess and to demonstrate compliance with clause 10, the requirement for

THE ISO27001 AUDIT 369

improvement. In other words, auditors will be looking for evidence that the
ISMS is continuing to improve, not merely that it has been implemented.
This means that a period of time will have to elapse between completion of
the implementation and commencement of audit. How long will depend on
the complexity of the organization and its ISMS, but one should assume that
there will need to be good progress with the first cycle of internal audits for
all of the key processes and arrangements. (It is for the certification body to
determine exactly what it requires in order to be convinced of the establish-
ment, effectiveness and ongoing arrangements for internal ISMS audit and
management review, aspects it is required to confirm prior to issuing a certif-
icate, and hence possibly something worth asking when selecting your
certification body.)

The level of preparedness for an audit should then be assessed by carry-
ing out a comprehensive review. The detailed work should be carried out by
the information security adviser and by the quality function, and this should
all be reviewed by the management information security forum. A compre-
hensive review could use this book, starting with Chapter 4, and question
the extent to which adequate steps have been taken to implement the vari-
ous recommendations.

The Statement of Applicability (SoA) needs particularly detailed review.
It should be possible to identify the extent to which each of the controls
identified as necessary has been implemented and, where implementation
has been only partial, to determine what steps (and how long they will take)
will be necessary to complete its implementation. In particular, all instances
in which the organization has chosen not to implement a recommended
control should be reviewed in detail to ensure that this decision was appro-
priate, and that the justification for exclusion that is included on the SoA is
sufficient. Similarly, all instances in which a control has been implemented
to a greater or lesser extent than indicated as necessary by a proper informa-
tion security risk assessment should be reviewed, and if it is not possible (too
difficult, expensive, etc) to improve the level to which the control has been
implemented, managers should formally accept the highest level of residual
risk.

Once a comprehensive review has been completed and the management
steering group is satisfied that the ISMS is complete, complies with the
standard and has been adequately implemented (and at least one cycle of
internal audits of key areas of the ISMS as identified by the risk assessment
also needs to have been completed), then the organization can safely move
on to the Stage 1 visit by its external auditors.

IT GOVERNANCE370

Preparation of staff within the organization, prior to the audit, as to what
they might expect and how to handle auditors is also a valuable step. Staff
should be taught that auditors should be treated with complete honesty, and
direct answers should always be given, even if this requires admitting to a
lack of knowledge or error. Equally, staff should be trained to answer the
question asked by the auditor and not to provide more, or less, information
than is required. Auditors will usually ask for an explanation as to how a
particular component of the ISMS works and will then want to be shown.
This is normal and is how the audit is conducted.

ISO27001 Assessments Without Tears (available from https://www.
itgovernance.co.uk/shop/product/iso27001-2013-assessments-without-
tears-a-pocket-guide-second-edition) provides useful advice to those that
are likely to be interviewed by an auditor. ISO27007 and ISO27008 set out
guidelines for the ISO27001 auditor on how to conduct an audit. They are
valuable both to the organization’s internal audit teams as part of their
training and to the management information security forum so that they
understand the approach that the auditors will take and can ensure that the
organization is adequately prepared for the audit. The latter provides
detailed guidance on auditing Annex A controls.

The outcome of the initial audit should, if the organization has diligently
followed all the recommendations contained in this manual, be a positive
recommendation for certification of the ISMS to ISO27001 and the issue of
a certificate setting this out. The certificate should be appropriately displayed
and the organization should start preparing for its first surveillance visit,
which will take place about six to twelve months later. Any minor noncon-
formities should be capable of being closed out by mail, and any certificate
issued will be dependent on this happening within an agreed timescale.

The certificate will refer to the latest version of the SoA and auditors will
check for updates at their subsequent visits. Therefore, when supplying a
copy of the certificate to clients, stakeholders or other parties, the organiza-
tion should be prepared to provide a copy of the most recent SoA (whether
controlled or otherwise). While the SoA is a living document, updated as
and when necessary, the organization should endeavour to keep such
updates and alterations to a minimum.

It is possible that the issued accredited certificate mentions international
and national standards from which information security contols in the SoA
have been selected, such as ISO27017 and/or ISO27018.

THE ISO27001 AUDIT 371

Terminology

It is worth noting that different accredited certification bodies use different
terms to describe what are, without wishing to imply a preference or
endorsement of any one option, simply major and minor nonconformities.
Some of the descriptors currently in use are shown in Table 27.1.

TABLE 27.1 Terms used by different accredited certification bodies for major and
minor nonconformities

Major Minor

major nonconformity minor nonconformity

category 1 nonconformity category 2 nonconformity

nonconformity issue

major nonconformity nonconformity

Not all CBs will raise nonconformities at the Stage 1 audit; some will make
‘findings’, which should nevertheless be dealt with through your noncon-
formity and corrective action process like any nonconformity.

While variations in use of terminology is obviously annoying, given
that the accredited certification bodies work in the field of standardization,
this inconsistency needs to be acknowledged for other reasons. With the
increasing use of ISO27001-accredited certification in the supply chain, we
will no doubt see these terms being used to specify reporting requirements,
measure conformance and compare organizations. Obviously, unless the
terminology is clearly defined for such applications, it could lead to mean-
ingless comparisons.

3

ISO27001

Benefits of certification

There are a number of direct, practical reasons for implementing an infor-
mation security policy and information security management system (ISMS)
that is capable of being independently certified (or registered) as compliant
with ISO/IEC 27001. An accredited certificate tells existing and potential
customers that the organization has defined and put in place effective infor-
mation security processes, thus helping create a trusting relationship. A
certification process also helps the organization focus on continuously
improving its information security processes. Of course, above all, certifica-
tion, and the regular external review on which ongoing certification depends,
ensures that the organization keeps its information security system up to
scratch, and therefore that it continues to ensure its ability to operate.

Most information systems are not designed from the outset to be secure.
Technical security measures are limited in their ability to protect an infor-
mation system. Management systems and procedural controls are essential
components of any really secure information system and, to be effective,
need careful planning and attention to detail.

ISO27001 provides the specification for an ISMS, and in the related code
of practice, ISO/IEC 27002, it draws on the knowledge of a group of expe-
rienced information security practitioners in a wide range of significant
organizations across more than 50 countries to set out best practice in infor-
mation security controls. An ISO27001-compliant system will provide a
systematic approach to identifying and combating the entire range of poten-
tial risks to the organization’s information assets, the variety and impact of
which were described in Chapter 1. It will also provide directors of UK- and
US-listed companies, directors of UK government organizations covered by
the government’s ‘Orange Book’, and directors in the supply chains of both

IT GOVERNANCE38

public- and private-sector organizations with both a systematic way of
meeting their responsibilities under the UK Corporate Governance Code,
the FRC Risk Guidance and Sarbanes–Oxley, as described in Chapter 2, and
the wide range of interlocking data protection and privacy legislation to
which they are subject, and demonstrable evidence that they have done so to
a consistent standard.

It also enables organizations outside the United Kingdom and United
States to demonstrate that they are complying with their national corporate
governance requirements as well as the data protection and privacy legisla-
tion in their local jurisdiction. Equally importantly, an ISO27001 certificate
enables an organization to demonstrate to any of its customers that its
systems are secure; and this, in the modern, global information economy, is
at least as important as demonstrating compliance with local legislation.
ISBS 2010 identified that 68 per cent of large UK organizations had been
asked by their customers to demonstrate compliance with information secu-
rity requirements. Possession of a suitably scoped ISO27001 certificate
enables a supplier cost-effectively to answer the information security and
governance questions in request for proposal (RFP) and pre-tender ques-
tionnaires.

Certification to ISO27001 of the organization’s ISMS is a valuable step.
It makes a clear statement to customers, suppliers, partners and authorities
that the organization has a secure information management system. Many
countries in the world have their own central accreditation body (in the
United Kingdom, it is the United Kingdom Accreditation Service: UKAS).
This central accreditation body accredits the competence of certification
bodies – who might be based inside or outside the country – to perform
services in the areas of product and management system approval.

Organizations should use only accredited certification bodies when seek-
ing ISO27001 certification. This makes sure that the certification process is
independent, is of an appropriate quality, using competent personnel (includ-
ing auditors), and ensures that any certificate awarded will be recognized
internationally. A certificate is usually valid for up to three years.

The history of ISO27001 and ISO27002

BS7799, the UK standard that preceded ISO27001, was originally the
outcome of a joint initiative by the then Department of Trade and Industry
in the United Kingdom and leading UK private-sector businesses. The working

ISO27001 39

party produced the first version of BS7799 in February 1995. This was orig-
inally simply a code of practice for IT security management. Organizations
that developed ISMSs that complied with this code of practice were able to
have them independently inspected but there was initially no UKAS accred-
ited certification scheme in place, and therefore formal certification was not
possible. An alternative solution, known as ‘c:cure’, was adopted to provide
a framework for recognizing implementation of the standard, and was avail-
able from April 1997. The confusion around c:cure and the absence of
UKAS-accredited certification resulted in uptake of certification to the
standard being much slower than anticipated, and c:cure was effectively
withdrawn as an option late in 2000.

BS7799 underwent a significant review in 1998. Feedback was collated
and in April 1999 a revised standard was launched. The original code of
practice was significantly revised and retained as Part 1 of BS7799, and a
new Part 2 was added. Part 1 was retitled ‘Code of Practice for Information
Security Management’ and provided guidance on best practice in informa-
tion security management. As a code of practice, BS7799 Part 1 took the
form of guidance and recommendations. Its foreword clearly stated that it
was not to be treated as a specification. It became internationalized as ISO/
IEC 17799 in December 2000.

BS7799 Part 2, titled ‘Specification for Information Security Management
Systems’, formed the standard against which an organization’s security
management system was to be assessed and certified. BS7799 Part 2 under-
went a further review during 2002, and a number of significant changes
were made. This version remained current until it was first internationalized
as ISO27001 in 2005

BS7799–2 was internationalized as ISO/IEC 27001:2005 in 2005, and
ISO17799 was revised at the same time, thus ensuring that the correspond-
ence between the controls in the two standards would be maintained.
ISO17799 was, without further amendment, bought into the new ISO/IEC
numbering sequence for information security management standards in
2007 and identified as ISO/IEC 27002:2005, with the change in nomencla-
ture being described in the document as a corrigendum!

ISO27001 and ISO27002 underwent extensive revision from 2008
onwards, and new, updated versions were published in October 2013. These
are the current versions, and this book focuses specifically on them.

ISO27001 ‘forms the basis for an assessment of the Information Security
Management System (ISMS) of the whole, or part, of an organization. It
may be used as the basis for a formal certification scheme’. It is, in other

IT GOVERNANCE40

words, the specific document against which an ISMS will be assessed. It is
the most important standard in the emerging ISO27000 family; it provides
a specification, against which an ISMS may be assessed. Apart from ISO/IEC
27000, which is nominatively referenced from ISO27001, the other stand-
ards provide useful guidance and advice, and have no mandatory effect.

The ISO/IEC 27000 series of standards

ISO27001 is part of a much larger family, of which ISO/IEC 27000 is the
root for a whole numbered series of international standards for the manage-
ment of information security. Developed by a joint committee of the
International Organization for Standardization (ISO) in Geneva and the
International Electrotechnical Commission, these standards now provide a
globally recognized framework for good information security management.

The correct designations for most of these standards include the ISO/IEC
prefix, and all of them should include a suffix, which is their date of publica-
tion. Most of these standards, however, tend to be spoken of in shorthand.
ISO/IEC 27001:2013, for instance, is often referred to simply as ISO27001.

Many of the standards have been previously published and are undergo-
ing periodic revision; others are still under development. This book deals
specifically with ISO27001 and ISO27002, but it will refer, where appropri-
ate, to guidance contained in the supporting standards listed here.
Organizations interested in using or applying these standards should acquire
copies, which are available through www.itgovernance.co.uk/standards
(archived at https://perma.cc/LHC2-ZRB5) in both hard copy and down-
loadable formats:

●● ISO/IEC 27000 – ISMS Overview and Vocabulary;

●● ISO/IEC 27001 – ISMS Requirements;

●● ISO/IEC 27002 – Code of Practice for Information Security Controls;

●● ISO/IEC 27003 – ISMS Guidance;

●● ISO/IEC 27004 – Information Security Management – Monitoring,
Measurement, Analysis and Evaluation;

●● ISO/IEC 27005 – Information Security Risk Management;

●● ISO/IEC 27007 – Information Security Management System Auditing;

●● ISO/IEC TR 27008 – Guidelines for Auditors on Information Security
Controls.

ISO27001 41

There are then standards that provide guidance on specific topics such as the
integrated implementation of ISO 27001 and ISO 20000-1 (the service
management system management standard), information security govern-
ance (ISO 27014) and organizational economics (ISO TR 27016).

The following are standards detailing requirements for certification
bodies seeking accreditation for their ISMS certification scheme:

●● ISO/IEC 17021-1 – Conformity Assessment: Requirements for bodies
providing audit and certification of management systems – Part 1:
Requirements;

●● ISO/IEC 27006 – Requirements for bodies providing audit and
certification of Information Security Management Systems.

Finally there are standards that provide sector-specific guidelines on the
implementation of an ISMS. They include: inter-sector and inter-organiza-
tional communications (ISO 27010); telecommunications (ISO 27011);
cloud services (ISO 27017); processors of personally identifiable informa-
tion in public clouds (ISO 27018); energy utility (ISO 27019); and the health
sector (ISO 27799).

A full list of current and emerging ISO27000 standards is maintained
at www.itgovernance.co.uk/iso27000-family (archived at https://perma.cc/
X9EL-UMEX) and you should ensure that the version you are using has
been updated to reflect the 2013 standard.

Use of the standard

As a general rule, organizations implementing ISO27001 will do well to pay
close attention to the wording of that specific standard itself, and to be
aware of any revisions to it. Nonconformity with revisions or corrigendums
will jeopardize an existing certification. ISO/IEC 27001 itself is what any
ISMS will be assessed against; where there is any conflict between advice
provided in this, in a supporting standard or any other guide to implementa-
tion of ISO27001 and ISO27001 itself, it is the wording in ISO27001 that
should be heeded.

An external auditor will be assessing the ISMS against the published
standard, not against the advice provided by this book or any third party.
It is critical, therefore, that those responsible for the ISMS should be able
to refer explicitly to the clauses and intent of ISO27001 and should on
that basis be able to defend any implementation steps they have taken.

IT GOVERNANCE42

An appropriate first step is therefore to obtain and read ISO/IEC 27001
itself. Note that ISO27001 uses the word ‘shall’ to indicate a requirement,
whereas the other standards in the family use ‘should’ to indicate good prac-
tice which is not a requirement.

The UK Accredited Certification Scheme was launched in April 1998, and
there is an ISMS users’ group that enables users to exchange information
on best practice and enables members to provide feedback on a regular basis
to national standards bodies, and through them to the International
Organization for Standardization.

ISO/IEC 27002

In 1998, when the original BS7799 was revised for the first time, prior to
becoming BS7799 Part 1, references to UK legislation were removed and the
text was made more general. It was also made consistent with OECD guide-
lines on privacy, information security and cryptography. Its best-practice
controls were made capable of implementation in a variety of legal and
cultural environments.

In other words, the ISO/IEC 27002 Code of Practice is intended to
provide a framework for international best practice in information security
controls and systems interoperability. It also provides guidance, to which an
external auditor will look, on how to implement controls within a certifiable
ISMS. It does not, as the standard is currently written, provide the basis for
an international certification scheme. The guidance that this book provides
in implementing an ISMS will therefore start with the requirements of
ISO27001, will then look to ISO27002 for guidance as to the range of
actions that could be considered in implementing selected controls, and will
look to other best practice sources for more detailed input where relevant.

It is particularly important to note that, while ISO27002 provides inter-
national best practice in information security controls, it is not necessarily
up to date for more recent changes in the information security environment.
It has been written, and rewritten, over a number of years. The speed with
which information technology has evolved, and goes on evolving, already
means that some of the specific guidance in ISO27002 may be inadequate to
deal with newly identified threats and vulnerabilities and the most current
responses to them. That does not invalidate ISO27002; it simply creates an
opportunity for the practitioner to go beyond IS27002 when necessary.

ISO27001 43

This book has a bias towards implementing an ISMS within the United
Kingdom, as this is where the authors’ direct experience was gained. It does
also draw on our combined experience, over a number of years, working
with organizations around the world on their information security manage-
ment strategies. Its lessons are directly applicable for all ISMSs that are to be
certified by an accredited certification body anywhere in the world.

This book sets out how to implement an ISMS that is capable of certifica-
tion to ISO/IEC 27001:2013. It will do so broadly within the context of the
Microsoft suite of products, as these are the products most widely used in
those parts of the world likely to be interested in certification. The imple-
mentation steps set out in this book, however, apply in all software and
hardware environments. The standard itself was specifically written to be
technology independent.

This book will refer very explicitly to ISO27001 and to ISO27002 in
order to comment on the implementation steps necessary to reflect the
recommendations of ISO27002 and to comply with the standard. However,
the reader must obtain current copies of both documents (as well as any
others that may appear to be necessary) and use them alongside this book in
order to optimize an information security project and gain the full value of
this book.

Continual improvement, Plan–Do–Check–Act,
and process approach

The 2002 version of the standard for the first time promoted the adoption
of a ‘process approach’ for the design and deployment of an ISMS. This
approach, widely known as the ‘Plan–Do–Check–Act’ (PDCA) model, is
familiar to quality and business managers everywhere. While ISO27001:2005
mandated the adoption of PDCA, it is no longer specifically required; what
is a specific requirement is the adoption of a suitable and appropriate
continual improvement process. For many organizations, this will continue
to be the PDCA model but the way is open for organizations that, for
instance, already use ITIL or COBIT to adopt instead the continual improve-
ment models from those frameworks. The vast majority of organizations are
likely to adopt PDCA, not least because it is an easily understood model
which also lends itself to application in integrated management systems
which cover (for example) quality, environment, IT service management and

IT GOVERNANCE44

business continuity. This book will assume that the PDCA model is used,
and you should therefore make sure that you thoroughly understand it.

The 2013 version of the standard has been designed for better alignment,
or integration, with related management systems (eg ISO9000) within the
organization. Other ISO standards are being brought into accordance with
a consistent high-level structure and common terminology (known as Annex
SL, because it is an annex to an ISO directive on standardization) which will
simplify management system integration significantly; the concept of a
single, integrated management system, embedded within the standard oper-
ating processes of the organization, and capable of certification to multiple
standards, is becoming much easier for the average organization to achieve.

A note on numbering

ISO27001 adopts the same standard numbering methodology for its clauses
and sub-clauses as will other management system specifications. This means
that the requirements of the standard (what you have to do if you are to
claim compliance with it) are set out in clauses 4–10, with clauses 1–3 being
introductory and the annexes being excluded from the requirements.

ISO27002 follows a different numbering sequence, with clauses 1–4
providing general guidance on the use of the standard, and clauses 5 through
18 providing guidance on individual controls. Annex A to ISO27001 is
numbered from A5 to A18, in order to match the control clauses in ISO27002.
In this book, we refer to Annex A controls by means of the ‘A’ prefix (as in
A.5.1.1.) and to those same controls in ISO27002 by means of the ISO27002
numbering (as in 5.1.1). Where we identify clauses in ISO27001, we are
specifically referring to the stated requirements of the standard.

Returning to ISO 27001, the numbering is solely for the purpose of refer-
encing. The standard itself recognizes that the order and number of clauses
does not indicate relative importance or an order of implementation.

Structured approach to implementation

Although ISO27001:2013 allows the organization to tackle its clauses in
any appropriate order, it makes sense to have a structured approach to the
establishment of an ISMS. There are six steps to this ‘Plan’ stage of a project
(using the Plan-Do-Check-Act approach that used to be, but is no longer,
prescribed in ISO 27001):

ISO27001 45

1 Create the management framework: set up your implementation project,
define the internal and external context of the organization, identify the
requirements of any interested parties and, considering these issues, define
the scope of the ISMS; select a continual improvement model and
determine your approach to documentation.

2 Obtain top management commitment to the ISMS, define an information
security policy, and allocate roles and responsibilities – including a
‘management representative’.

3 Define a systematic approach to information security risk assessment and
the risk acceptance criteria.

4 Carry out a risk assessment to identify, within the context of the policy
and ISMS scope, the important information assets of the organization
and the risks to them. This is where you assess the risks.

5 Identify and evaluate options for the treatment of these risks, selecting,
where required, the control objectives and controls to be implemented.

6 Prepare a statement of applicability and a risk treatment plan.

Once these steps have been carried out, you would begin implementation
(the ‘Do’ stage) of the system.

The implementation process will go through its own five steps:

1 Finalize the risk treatment plan and its documentation, including planned
processes and any required supporting documentation.

2 Implement the risk treatment plan and planned controls.

3 Arrange appropriate training for affected staff, as well as awareness
programmes.

4 Manage operations and resources in line with the ISMS.

5 Implement procedures that enable prompt detection of, and response to,
security incidents.

The ‘Check’ stage – which drives continual improvement activity – has,
essentially, only one step: monitoring, reviewing, testing and audit. However,
monitoring, reviewing, testing and audit is an ongoing process that has to
cover the whole system, and a certification body will want to see evidence of
an effective internal audit programme in relation to the ISMS as part of its
certification activities.

Testing and audit outcomes should be reviewed by managers, as should
the ISMS in the light of the changing risk environment, technology or other

IT GOVERNANCE46

circumstances; improvements to the ISMS should be identified, documented
(where necessary) and implemented. This is known as the ‘Act’ stage.
Thereafter, it will be subject to ongoing review, further testing and continu-
ous improvement.

A ‘mini-PDCA’ approach could also be applied to each control or
group of controls, with the ‘Check’ phase contributing to the ‘measures of
effectiveness’ that will eventually feed into the management review (see
Chapter 4).

This book takes a sequential approach to the establishment and imple-
mentation of an ISMS. In reality, once they realize the scale of the information
risks they face, many organizations will want to tackle a number of the
necessary tasks in parallel. Certainly, as many organizations will come to
ISO27001 with some information security structures already in place, an
alternative approach built around completing an initial ‘gap analysis’ which
compares the requirements of ISO27001 with the ISMS processes already in
place and then builds the ISMS project as, in effect, an information security
improvement plan designed to close those gaps, may also be a practical
approach. In taking such an approach, however, bear in mind that an effec-
tive management system is one in which the way arrangements to address
the requirements of the standard relate to and work with one another in
order to provide a repeatable and dependable system that delivers required
outcomes is more important than simply addressing individual clauses.

If component tasks of establishing the ISMS are being carried out in
parallel, or the organization already has elements of an ISMS in place and is
driving gap analysis-based improvements toward the objective of ISO27001
conformance, it will be critically important to first have a thorough under-
standing of all the requirements of ISO27001 as well as a strong project
management methodology to keep everything together.

Implementation issues

Implementation of an ISMS will have significant impacts on the way
people work. It should be seen as a business project, not an IT or informa-
tion security project. Effective leadership, top management support, change
management and internal communication are all essential components of
any successful ISO27001 system roll-out. An overview of key issues that will
contribute to a successful implementation is set out below with more specific
information and analysis in later chapters.

ISO27001 47

Clause 6.1 of the Standard requires the organization to consider any
issues identified as part of its assessment of internal and external context, as
well as the requirements of interested parties (both of which are discussed
further in Chapter 5), and assess how these might impact the project to
establish an ISMS and the bearing they may have on the longer term effec-
tiveness of the ISMS. This requirement should be addressed as part of
creating the project and management framework; the authors recommend
that the implementation project itself produces and maintains a project-level
risk log. While one of the highest-potential impacts might be assigned to the
risk associated with gaps in senior managers’ understanding and commit-
ment, there may be other project-level risks arising from the organizational
context: a currently lax security culture, for instance, creates different imple-
mentation challenges than one that is already tightly and centrally controlled.

Management system integration

Some organizations that tackle ISO27001 already have an ISO9001 certifi-
cated quality management system in place, and may also have certifications
to ISO14001, OHSAS 18001 and other standards, such as ISO20000 and
ISO22301. ISO encourages integration of quality and other management
systems. The ISMS should be integrated with the quality management and
any other management system to the greatest extent possible (not forgetting
that any management system needs to be integrated with the business if it is
to deliver on all the benefits that it can offer). The adoption of a (largely)
consistent high-level structure, common core text and terms and definitions
across new and revised ISO management system standards since October
2013 lends itself to a single management system that addresses requirements
from multiple standards. In other words, the way in which an organization
addresses context, top management commitment, internal audit, continual
improvement and documentation can be largely the same for each and every
management system standard it adopts.

In the case, therefore, where an organization already has a management
system based on this consistent approach (commonly referred to as Annex
SL after its then position in the ISO Directives for standardization – just
after Annex SK and before Annex SM), implementation of ISO27001 is
simply going to be the extension of an existing management system to
include information security management, not bringing in a whole new

IT GOVERNANCE48

management system. This is an important message that should, in this
circumstance, underpin the change management and communication plans;
the smaller the perceived mountain, the more quickly will an organization
set out to climb it.

In circumstances where the organization does not already have an exist-
ing ISO9001-certified management system and wishes for guidance on the
documentation, document control (authorization, version control, status,
etc aspects of producing management system documents) and records issues
of ISO27001, it should obtain and use the guidance in any current manual
on the implementation of ISO9001:2015. Note that the ISO27001 specifica-
tions for document control (clause 7.5) include the control of records.

The organizations that are accredited to offer certification to ISO27001
are usually listed on the websites of national accreditation bodies. Not all of
them offer a truly integrated certification service. Each organization’s
website will set out what it does, and the links on the site should be followed
to explore the offerings of each company.

Documentation

As set out above, the organization should adopt, for its ISO27001 system, at
least the same documentation principles as are required for ISO9001. A
properly managed ISMS will require documentation. Clause 7.5 of the
standard describes the minimum documentation that should be included in
the ISMS to meet the requirement that the organization maintain sufficient
records to demonstrate compliance with the requirements of the standard.
The types of documents that are typically required for an effective ISMS
include the following:

●● The information security policy, the scope of the ISMS (including the
internal and external issues, and the requirements of interested parties),
the risk assessment methodology and risk assessment results, the control
objectives, the statement of applicability (developed as described in
Chapters 5 and 6). These might, together with a description of the
Continual Improvement (PDCA) approach, and the rules for document
and record control, form the core of an ISMS manual.

●● Evidence of the actions undertaken by the organization and its
management to specify the scope of the ISMS (business architecture
diagrams. organization charts, network maps, etc) the minutes of board
and steering committee meetings, as well as any specialist reports).

ISO27001 49

●● A description of the management framework (steering committee, etc).
This could usefully be related to the organizational structure chart.

●● The risk treatment plan and the underpinning, documented procedures
(which should include responsibilities and required actions) that
implement the specified controls. A procedure describes who has to do
what, under what conditions, or by when, and how. A work instruction
is an even more detailed description of how to perform a specific task.
Procedures (there might be one for each of the implemented controls) and
work instructions might be identified in the ISMS documentation, but
would be subject to a lower level of authorization than the manual.

●● The procedures (which should include responsibilities and required
actions) that govern the management and review of the ISMS. These
should be developed in line with the guidance contained in this chapter.

The ISMS documentation should be controlled documents, available to all
staff. It can be done in paper form but is most effective either on a shared
drive, an intranet, a SharePoint server or through a document management
and policy support software tool. SharePoint is increasingly widely used and
it ensures that the current version of any procedure is immediately available
to all members of staff without inconvenience. Remember that any shared
resource will have its own challenges in terms of organization and control;
ownership of assets, archiving and data integrity are key issues. SharePoint
installations should be subject to their own specific governance arrange-
ments if they are to produce maximum benefits.

A structured numbering system should be adopted that ensures ease of
navigation of any manual or related documentation and ensures that initial
document issue is controlled, that replacement pages and changes are
tracked and that the manual is complete. Staff should obviously be trained
in how to use the ISMS; this is usually best done as part of the staff induc-
tion process.

Clearly, there will be a number of security system documents that them-
selves need to be subject to security measures. These will include documents
such as the risk assessment, the risk treatment plan and any non-public
versions of the statement of applicability, which contain important insights
into how security is managed and which should therefore be classified and
restricted in accordance with the type of information classification system
described in Chapter 9. Access should be limited to people with specified
ISMS roles, such as the information security adviser.

IT GOVERNANCE50

ISO27001 clearly recognizes that there is no such thing as a ‘one size fits
all’ approach. Instead, it recommends that the ISMS documentation be scaled
to reflect the complexity of the organization and its security requirements.

The ISO27001 ISMS Documentation Toolkit (www.itgovernancepublishing.
co.uk/product/iso27001-2013-isms-standalone-documentation-toolkit
(archived at https://perma.cc/JGK5-DPVY)) was created specifically to
accompany this book. It contains a comprehensive set of ISMS documents
that are designed for adaptation to meet the specific requirements of any
individual organization.

Leadership

Leadership, like all key business initiatives, has to be provided from the top.
The whole of clause 5 of the standard deals with leadership and sets out a
number of ways in which top management must evidence their commitment
to information security in the organization.

This is very much a clause that looks for ‘Tone from the Top’. Ideally, the
CEO should be the driving force behind the programme, and its achieve-
ment should be a clearly stated goal of the current business plan. The CEO
needs to understand completely the strategic issues around IT governance
and information security and the value to the company of successful certifi-
cation. The CEO has to be able to articulate them and to deal with objections
and issues arising. Above all, he or she has to be sufficiently in command of
this part of the business development to be able to keep the overall plan on
track against its strategic goals. The chairperson and board should give as
much attention to monitoring progress against the ISO27001 implementa-
tion plan as they do to monitoring all the other key business goals. If the
CEO, chairperson and board are not behind this project, there is little point
in proceeding; certification will not happen without clear evidence of such a
commitment. This principle, of leadership from the top, is of course essential
to all major change projects.

No certification body will certify an ISMS without getting firm evidence
of the commitment of senior managers. If this commitment is not clearly
demonstrated, the ISMS simply will not be adequate and the risks to the
organization will not have been properly recognized or fully addressed, and
the strategic business goals are unlikely to have been considered.

ISO27001 51

Change management

There have been many books written about change management programmes
and initiatives. Many such programmes fail to deliver the benefits that have
been used to justify the expense of commencing and seeing them through.
Successful implementation of an ISMS does not require a detailed change
management programme, particularly not one devised and driven by
consultants. What it does require is complete clarity among senior manag-
ers, those charged with driving the project forward and those whose work
practices will be affected as to why the change is necessary, about what the
end result must look like and why this result is essential.

The design and implementation of the ISMS should be driven by a project
team that is drawn from those parts of the organization most likely to be
affected by its implementation as well as a very small number of functional
experts, including HR or personnel experts. The balance is important: a
properly functioning ISMS depends on everyone in the business understand-
ing its processes and applying its controls, and if the project team is made up
of a preponderance of non-technical people, it is more likely to produce
something that everyone in the business understands. The team certainly
should include at least one experienced project manager, who will be respon-
sible for tracking and reporting progress against the planned objectives.
The project team or sponsor should report directly to the CEO (or equiva-
lent management authority that has responsibility for the entire scope of the
ISMS) and have the appropriate delegated authority to implement the
board-approved plan. Clause 5.1.c requires the provision of adequate
resources to establish the ISMS, and this is the first step to doing so.

There needs to be an outline timetable and top-level identification of
responsibilities and the critical path to completion. This should be prepared
by the project team and, once it has been critically tested by the CEO and
top managers, approved by the board. This plan should fit onto two sides of
A4 and should provide sufficient scope for those who will have to imple-
ment it to find appropriate solutions to the many operational challenges that
there will be.

A key preliminary step in any successful change programme is to identify
and isolate, or convert, potential opposition. Where an ISMS roll-out is
concerned, there is sometimes internal resistance from the IT department.
There are a number of possible reasons for this, including the desire of the
head of IT not to lose control of IT security, the IT department’s desire to
maintain its mystique and the fear that its existing controls might be found

IT GOVERNANCE52

to be inadequate. This is not surprising. ISO27001 does require the organi-
zation’s board and senior management to take control of its ISMS and the
whole organization to get behind and understand key aspects of security
policy. The resistance of the IT department must be expected and overcome
at the outset. There are circumstances where this can lead to a change in IT
staff, either forced or unforced, and the organization should expect this and
prepare appropriate contingency plans.

Training will be an important facilitator of the change programme.
ISO27001 requires that those who have key roles within the ISMS are
appropriately competent (clause 7.2) and this might cover ISMS implemen-
tation (for the person/people determined as having responsibility for
ensuring the ISMS meets the requirements of ISO 27001, as per clause 5.3
a) and audit competence, as well as initial training for the project team in
the principles of ISO27001, the methodology of change and project manage-
ment and the principles of internal communication. Staff throughout the
business will need specific training in those aspects of security policy that
will affect their day-to-day work. The IT manager and IT staff will all need
competency in information security, and if this needs to be enhanced by
training, this should be delivered by an organization that recognizes and
understands the technical aspects of ISO27001 training.

Communication

Underlying any successful change management programme, and especially
necessary for the successful roll-out of an ISMS, is a well-designed and effec-
tively implemented internal communications plan. Compliance with clause
7.4 (which deals with communication) suggests that key components of this
plan might include the following:

●● Top-down communication of the vision – why the ISMS is necessary,
what the legal responsibilities are, what the business will look like when
the programme is complete and what benefits it will bring to everyone in
the organization.

●● Regular cascade briefings to all staff on progress against implementation
objectives. These briefings should quickly become part of the existing
organizational briefing cycle, so that ISO27001 progress becomes part of
the normal business process – ‘just another thing that we’re doing’.

●● A mechanism for ensuring that key constituencies and individuals within
the business are consulted and involved in the development of key

ISO27001 53

components of the system. This ensures that they buy in to the outcome
and to its implementation.

●● A mechanism for ensuring regular and immediate feedback from people
in the organization or in affected third-party organizations so that their
direct experience of the initial system as it is implemented is used in the
evolution of the final version.

●● These face-to-face communications should be underpinned with an
effective information sharing system. Most usually, this will be part of the
corporate intranet, on which regular progress reports as well as detailed
information on specific aspects of the ISMS are posted. E-mail alerts can
tell staff to access the intranet for new information whenever it is posted
and the site could encourage feedback by means of a ‘write to the CEO’
function. Organizational Facebook and Twitter accounts could also be
pressed into service as part of the project.

Reviews

Clause 9.1 of the standard requires the effectiveness and performance of the
management system, as well as effectiveness of relevant controls to be meas-
ured and monitored and for management to carry out periodic reviews of
the effectiveness of the ISMS. This will be discussed in some detail in
Chapter 6. The records of the management body (to be discussed in Chapter
4) that is responsible for implementing the ISMS should document that
these reviews were carried out on particular dates, what the results of the
reviews were and what actions, if any, were required as a result.

Continual improvement and metrics

Clause 10.2 of the standard requires the organization ‘to continually
improve the suitability, adequacy and effectiveness’ of the ISMS. The correc-
tive action requirements of clause 10.1 are met by an effective ISMS audit
programme (Chapter 27), competent review and management of non-
conformities (which often, for the ISMS, involves the information security
manager), the incident response procedures (Chapter 24) and related docu-
mentation. Prevention, as a specific process, has been removed from the
standard, as the ISMS itself is now seen as the preventive tool that manage-
ment deploys in order to prevent compromises of information security.

IT GOVERNANCE54

The combination of effective monitoring, measuring, and corrective
action processes, together with a formal review process and strong internal
audit structure, within the context of an ISMS developed in line with the
recommendations of this book, will enable an organization to start demon-
strating its approach to continual improvement. A long-term approach to
continual improvement must include measuring the effectiveness of the
ISMS and of the processes and controls that have been adopted. ISO27001
requires effectiveness measurements (also see Chapter 6 and ISO/IEC 27004)
to be undertaken and results from them included in the input to the manage-
ment review meeting. Clearly, information security as an organizational
function needs to be measured against performance targets in just the same
way as are other parts of the organization. In order to develop a useful set
of metrics, an organization will have to identify what to measure, how to
measure it and when to measure it.

Some of the areas that should be considered for measurement include the
effectiveness and value adding capability of the incident handling process,
the effectiveness and cost savings provided by staff training, the improve-
ment in efficiency generated by access controls and external contracts, and
the extent to which the current scope is meaningful and relevant in the
changing business environment.