Last Updated on January 13, 2024
Organizations that are pursuing ISO 27001 certification often think that the standard is all about the controls. When you’ve implemented and documented all 114 controls in ISO 27001’s Annex A, you’re good to go for your certification audit, right?
But wait a tick… Unlike many other cybersecurity standards, ISO 27001 doesn’t focus on controls. That is, it doesn’t prescribe a “one-size-fits-all” control set to implement. In fact, it doesn’t even certify your controls per se. So, how do you know what controls you should implement to get ISO 27001 certified?
To address these kinds of common misunderstandings and help SMBs course-correct on their ISO 27001 preparation journeys, Pivot Point Security CISO and Managing Partner, John Verry, recorded a “free consultation” podcast based on his hands-on experiences with clients.
How ISO 27001 really works
In conversations with ISO 27001 clients, John often hears, “We’ve implemented all 114 of the Annex A controls, so we’re ready to get ISO certified.”
“But ISO 27001 is not really about the controls,” John clarifies. “The certification is not on ISO 27002, which are the actual controls that are listed in Annex A of ISO 27001. The certification is on clauses 4 through 10 [of the standard]. So really, what we’re talking about is the management system. It’s the process by which you understand what you’re protecting.”
Emphasis on the information security management system
John explains: “You understand risk. You have repeatable, consistent mechanisms to recognize that changes in the environment create changes in risk, and then your information security management system [ISMS] responds to that. Your controls are updated based on those risks, and you’re setting objectives each year for what you’re trying to do, plus you’re demonstrating continuous improvement. And you’ve got processes in place: security metrics, internal audit, external audit, right? Which are all used to validate the effectiveness of the ISMS.”
“Those controls are only looked at in what we call stage two of your audit, after we’ve confirmed in stage one that all of the management system stuff in clauses 4 through 10 is properly implemented and operating effectively,” John stresses.
Sampling controls
One of the major differences between ISO 27001 and more prescriptive cybersecurity frameworks like SOC 2 and CMMC is this ISMS construct. An ISO 27001 audit focuses mainly on the management system because, if the management system works well, you can trust that the controls that the ISMS specifies and validates are functioning effectively.
Yes, your ISO 27001 external audits will include sampling your controls. But unlike SOC 2, for instance, which doesn’t have a management system to rely on, it’s not typical for auditors to “bang the hell out of the controls,” as John puts it.
What’s Next?
Want to get to ISO 27001 by the shortest and smoothest route possible? Then you’ll love this “consultation-in-a-podcast” with ISO 27001 thought leader John Verry: EP#62 – John Verry – What People Get Wrong About ISO 27001 Compliance – Pivot Point Security
Looking for some more meaningful information around managing your ISO 27001 Process? Check out this related podcast: EP#59 – John Verry – Governing Cybersecurity: A Process for Becoming Provably Secure & Compliant – Pivot Point Security