August 26, 2021

Just because ISO 27001 suggests a control doesn’t mean you have to have it – in fact, you could be hurting yourself if you do, by wasting money and having more trouble in an audit than you would otherwise.

Your controls depend on your risk — not ISO suggestions.

That’s just one of the many misunderstandings people have about the ISO 27001 standard.

In this solo episode, host John Verry, CISO & Managing Partner at Pivot Point Security, goes in depth on the most common misperceptions around ISO 27001 compliance.

Some notable examples:

  • Why your controls need to be in accordance with your risk
  • Why you don’t need to go crazy documenting absolutely everything
  • Why you shouldn’t overcommit on controls

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the tool is about 99% accurate, you may find some small discrepancies between the written content and the native audio file.

Narrator (Intro/Outro) (00:06):

You’re listening to the Virtual CISO Podcast. A frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry (00:25):

Hey there, and welcome to yet another episode of the Virtual CISO Podcast with you, as always, John Verry. And not with me is Jeremy or Andrea or a guest, so what gives? The idea for this particular episode comes from client requests, where I’ve been asked a number of times to put a presentation together with regards to what are the top X mistakes that we see people make when they’re trying to achieve ISO 27001 certification. So of course, being an old David Letterman fan, I tried to get it to be a top 10. I thought about doing that fun countdown backwards, but that didn’t work. I really wanted to make sure that the thought process followed more logically if I went a different direction with it. So with no further ado, let’s get to those top 10 mistakes you do not want to make if you are prepping for ISO 27001 certification. The most common question I get when I jump on a phone with a client to talk about prepping for ISO 27001 certification is, “You’re going to start with a gap assessment, correct?”

John Verry (01:28):

And I say we can, but that’s really not the optimal way to do it. And a gap assessment makes a lot of sense when you think about it, and I understand why you would think that’s the right way to go about it. Gap assessment gives you a ton of information, where are we versus where we want to get to? How big is that gap? How long will it take me to close it? How much money might I need? It kind of sets the stage for the whole project. The reason with ISO that a gap assessment isn’t the best way to start is because of the nature of ISO 27001. ISO 27001 is not prescriptive, so it doesn’t tell you the specifics about the implementation of a control. Each control is implemented in accordance with your risk appetite and appropriate to your context or scope.

John Verry (02:11):

And that’s why ISO starts with context and starts with understanding risk, right? That’s what the clauses say. So that first clause, clause four, is context or scope. And what that’s about is what is it we’re protecting, and why are we protecting it, and what are we protecting it against? So what is the information that we’re trying to protect? Who are we protecting it for? What are their expectations? Who are those stakeholders, right? What are the external and internal issues that influence that? What are the threats that I need to be concerned about? Those threats might be different if you’ve got a nation state adversary versus you don’t. What are the laws and regulations that govern the operation of that particular type of data? Do you have client contractual obligations? Where is the data being kept? Is the data in one HQ location? Is it scattered across the globe?

John Verry (02:56):

Do you have cloud locations where it’s being stored? Data centers? AWS? Do you have software service applications where you’re keeping the data? Who’s got access to the data? People on your team? People external to your organization? All of that is what we need to understand to properly understand risk, and understanding risk also allows us to optimally define the set of controls that would be necessary to mitigate that risk. And then once we know what those controls should look like, then we can do a gap assessment. Hopefully that makes sense. So again, scoping. The first two or three of these are around scope, and scope is the single most important element of ISO 27001. I like to say, you want to make sure that you’ve got the ladder against the right wall before you start climbing it. And a lot of times, again, one of the mistakes people make in thinking about scope is, “Whoa! Well, I know I’m allowed to scope ISO 27001, right? I’m allowed to define what it is that I’m protecting. We’re going to just protect our email system and our SharePoint system.”

John Verry (03:59):

And then I’ll ask somebody, “Okay, well, what information is it? Why are you doing this?” “Well, our clients want us to get ISO 27001 certified.” Are the only two places that you’re keeping the data for your clients SharePoint and email? “No, no, no. It’s in plenty of other places.” Then are you really giving the client the assurance that they’re seeking? And then the answer is, “Well, obviously no.” If the client sees email and SharePoint and they know that the data is on your consultant’s laptop, you’re going to have an unhappy client. They’re not going to accept that certificate, right? They’re not going to accept your scope. I always like to say that you should really let information define your scope.

John Verry (04:37):

And that’s really the way something like the payment card industry data security standard works. That’s really the way something like HIPAA works. It’s really the way that something like CMMC works. In fact, it’s the way all information security frameworks and programs should work, right? If a system stores, processes, or transmits information, right, that is in scope, something that we’re trying to protect, then that would be what you should include within your ISO 27001 scope, right? Because you want to protect information through its full life cycle. And again, that information is going to be touched by people, it’s going to be touched by systems, and it’s going to be touched by processes. We talked about the gap assessment, the concept that ISO is not prescriptive. And I always joke with people that the… They always ask, “Well, ISO will tell me…” Or “How many characters do I have to make my passwords in order to pass an ISO 27001 certification audit?” Or “How long do I have to keep logs in order to pass an ISO 27001 certification audit?”

John Verry (05:35):

And there is no answer to that. The answer to any question that somebody asks you on ISO 27001, virtually any answer, is it’s what the risk assessment and scope told me. So if you ask me how many characters long should a password be? Well, that is going to depend on your risk. Who are we being protected against? Right? Who are the threat agents that you’re worried about? Where is your data being kept? Which systems? Different systems probably have a different requirement for passwords based on the quantity and the criticality of the data that they protect. And that’s what ISO says. ISO says, implement your controls… And remember, controls are mechanisms that reduce risk. So you should implement controls in accordance with your risk. And of course, risk is defined by your context.

John Verry (06:24):

Another misconception is that, “Well, ISO 27001 is about information technology and information security, and we’ll let the IT guys handle getting us prepped for it.” You really need to understand that ISO 27001 is about, again, the full life cycle of information. And really, what it does is it covers information through its full life cycle. We have to know the people that are handling that data… Remember, people, process, systems, right? So as an example, human resource management is important. Are the people that you’re hiring properly vetted and background screened? Are the people that you’re hiring appropriately qualified? Are the people that you’re hiring appropriately trained with regards to good security practices? Are they trained on your specific requirements for information security? Do you have good physical security? Because if you don’t have good physical security, Nick will walk into your office. It doesn’t matter if you’ve got good digital security, if you will.

John Verry (07:14):

And then again, legal and compliance. Does your organization understand the laws and obligations, right? Laws, regulations, client contractual obligations that they’re subject to. We did some work recently for a law firm and we asked to see some contracts, and they said, “Oh, almost everything is done through our standard agreements.” But we did find some that were not standard agreements. And in there they specifically cited that if you’re going to do work with us, all of our work needs to be done on an isolated network on dedicated systems. So we said, “Hey, are you guys doing this?” And the answer was, “No. We didn’t realize that.” So that is why you can’t have just IT and IS handle it, right? You should involve a good cross-section of the organization, right? A lot of people need to be involved.

John Verry (07:57):

An analog to that is senior management tends to think, “Hey, that’s IT/IS and we really don’t need to be involved.” ISO 27001 makes it very, very clear that an ISMS, the information security management system that you’re certifying, needs to be governed. And it needs to be governed by “top management.” Now, ISO doesn’t define top management, but clearly the IT guy is not top management. And that’s usually the person that’s leading this particular project. So typically we’ve got someone that’s higher up the food chain, minimally up to whoever’s overall responsible for information security. Usually someone that’s sitting in the CFO, COO seats, because it’s a business issue, right? Information security, especially these days, right? Some of the largest information security risk is no longer just InfoSec risk, it’s a business risk.

John Verry (08:50):

And you need to be assured, as management, that that risk is understood, that that risk is being effectively managed on an ongoing basis, and that you’re validating that. And that’s what ISO says. If you are seeking 27001 certification and you are “top management,” you will be playing a role in ISO 27001. Another question we get is, “How long is this going to take?” And “We really need to do it as soon as we can, because we have a contract we’re about to lose.” Or “We have a contract we can’t win.” Or “We can’t bid on this particular project unless we’re ISO 27001 certified.” And the answer to how fast can you get ISO 27001 certified is, probably you could get ISO 27001 certified in three or four months. I wouldn’t advise you to do it; it’s not going to be a good implementation.

John Verry (09:40):

It might get certified, but it’s not going to maintain certification, and believe it or not, it may actually negatively impact your overall security posture. And it’s going to cost you a lot of money to fix it after the fact. So getting ISO 27001 certified in most organizations should take… Six months is a pretty quick timeframe. And I would say 10, 11 months is typical, and anything longer than that is a little on the slower side. But if you’ve got an organization where there’s a lot of people involved, a large organization with some complexity, it’s not unusual for the project to take a year or so. But the reason I say moving too fast is actually counterproductive is that there are elements of an ISO 27001 management system that are hierarchical and interdependent. So as an example, data classification: we can’t classify data until we understand what data there is. And data classification takes place by asset owners.

John Verry (10:36):

And so until you have the concept of asset ownership, data custodians, you can’t actually have data classification. And until you have asset management, you don’t have the idea of asset custodians. Those are three distinct controls that we’re configuring and setting up. If we do them in parallel, as you might imagine, you’re going to have things not work quite properly. It’s a common thing, we’ll jump on the phone and someone will say, “Hey, we just need you to come in and do an internal audit,” and I’ll say, “Oh, so you’re ready for ISO 27001?” “Yep.” Okay. What have you done? “Well, we went out and bought a policy set and we’ve got every control documented.” And my answer is always, “What about your ISMS? What about your scope statement? What about your risk assessment, statement of applicability, security metrics? What are your control objectives?”

John Verry (11:24):

Because ISO is really not about documentation. People have this misconception that, “I need to document everything.” You don’t need to document nearly as much as you think you need to document, because an auditor can come in and he can find that there are certain controls that are observable, right? You didn’t need to document them because the systems or processes you follow actually enforce those controls. So as an example, in our environment we no longer have a separate document that’s our employee offboarding and onboarding procedures. And why is that? Because we actually control that through our help desk ticketing system. So when the auditor comes in and says, “Hey, have you hired any new people this year?” We say, “Yeah, we hired six new people this year.” They say, “Great. Where can we find evidence of that process being followed?” “Hey, here’s the help desk tickets that actually align with that.”

John Verry (12:10):

We manage a lot of our ISMS that way. So, according to our ISMS, we have to have an ISMSC, an information security management system committee, meeting ideally quarterly, but no less than three times per year. And when they ask for that evidence, they’re going to find that in our Wrike project management system. Passwords. Most people have a password policy, but if the only systems that people have access to is through Microsoft Office 365, really all I need to do is go to your Active Directory and look at the right screenshot, and I know what your password policy is. So be aware, documentation is good and you will definitely need a fair amount of documentation to get 27001 certified, but ISO 27001 is not about documenting everything. Another challenge we have is that folks get very focused on getting to 27001. And I always like to take a step back and say, “Okay, let’s talk about what you’re trying to achieve today. And let’s try to think about where you might be going in the future.”

John Verry (13:12):

And the reason that’s important is that if you are choosing to get ISO 27001 certified, that means that you are… Usually it means you’re processing someone else’s data, and you’re being asked for a strong form of attestation. And it’s highly likely that you’re going to be asked for one or more other forms of attestation. So as an example, if you are processing medical claims, well then HIPAA comes into play and maybe you’re signing business associate agreements. And as we’re proceeding towards ISO 27001, by overlaying HIPAA on top of that, and then, either through the internal audit process or through the certification audit process, actually auditing and validating the HIPAA controls and being able to provide an additional layer of attestation there, we’re able to do double duty, right? We’re killing two birds with one stone. You’re saving a little bit of money.

John Verry (14:06):

The second thing is that as we think forward, it’s important that we make good decisions now in order to capitalize on that effort and not cause us to lose any ground in the future. So, as an example, if you’re dealing with personal information and CCPA and APAC and GDPR apply, you might want to look at ISO 27701. There’s a value to doing 27701 at the same time you do 27001, right? Your net savings are going to be a lot higher if we do it that way. Not that you can’t add 27701 later, but you might save $30,000 this year. And if you were already thinking about dealing with that next year, beginning with that end in mind is going to be valuable.

John Verry (14:49):

The last way I think it’s really important to not be focused too much on the near term is to understand where you might be going in terms of additional attestations moving forward, because that’s going to help shape who your ISO 27001 registrar is, what we call the body that’s going to come in and do the audit at the end of the process. If you are somebody who might need CMMC certification, or you might have to proceed towards FedRAMP, or you might want to go towards SOC 2 in the future, you’re going to want to make sure that you pick a registrar that is able to do whichever of those that you’re going to require, right? So the registrar, if you want to go to SOC 2, needs to also be a CPA firm. If you want to go towards CMMC, you want a registrar that’s also a C3PAO.

John Verry (15:35):

If you need to go towards FedRAMP, you’re going to need a registrar that’s also a 3PAO. In the payment card industry data security standard, maybe you need a QSA plus registrar. So it’s important to kind of understand where we’re going: what does one year, two years, three years look like for us? That way, as we’re building the information security management system, and we’re creating our partnerships with the people that we’re going to need to achieve them and certify them, we make sure that we’re accounting for the future. Another thing which is, again, a focus for folks is I’ll jump on the phone and, on the flip side of that documentation comment, or really a similar side to it, instead of “Hey, we’ve got all the documentation done, we’re ready,” it’s “We’ve implemented all 114 of the Annex A controls, we’re ready to get ISO certified.”

John Verry (16:20):

ISO is not really about the controls. ISO 27001, the actual certification, is not on 27002, which are the actual controls that are listed in Annex A of ISO 27001. Actually, the certification is on clauses four through 10. So really, what we’re talking about is it’s the management system. It’s the process by which you understand what you’re protecting. You understand risk. You have repeatable, consistent mechanisms to recognize that changes in the environment create changes in risk, and that our information security management system responds to that, right? Our controls are updated based on those risks, we’re setting objectives each year for what we’re trying to do, we’re demonstrating continuous improvement. And we’ve got processes in place, security metrics, internal audit, external audit, right? Which are all used to validate the effectiveness of the audit. Those controls are only looked at in what we call stage two of your audit, after we’ve confirmed in stage one that all of the management system stuff, clauses four through 10, is properly implemented and operating effectively.

John Verry (17:32):

And one kind of interesting thing about ISO 27001, and one of the ways it’s different than, let’s say, SOC 2, is because we have the management system. The audit focuses on the management system, because if the management system works well, we can trust the output. We can trust that the controls that it specifies and validates should be there. And then what we just do is logically do a little bit of a sampling each year of those controls. SOC 2 doesn’t have that management system to rely on. So what it does is it “bangs the hell out of the controls,” right? It looks at each control in depth. Don’t over-commit and under-deliver, and I hope some of you get the GOAT reference, I think LeBron James. And what I mean by this is that, again, clients will jump on the line, they’ll say, “Okay. Hey, we updated our password policy and now our password policy accounts for these 14 things.”

John Verry (18:27):

And I’ll say, “What did your password policy account for before this?” And they were like, “Well, we only had four of the 14 attributes that ISO mentioned that you might want to use.” And I would say, “Well, were you successful? Did you ever have password breaches? Were you ever…” “No, no. We didn’t have any problems, but the standard says that, so we want to make sure we conform with it.” No. The standard doesn’t say we need all 14. In fact, you would be far better off documenting what you do. Right? And then only adding those things which are absolutely necessary to get there. Because what happens, and I see this all the time, is they were doing these four things within this one control, ISO mentioned eight other things, so they added those eight other things, and they did four of them.

John Verry (19:11):

So now they’ve done eight out of the 12. They really didn’t need to do those second four, which means that they’re spending money for nothing, right? It’s very inefficient. And then on top of that, because they didn’t do the last four, they’ve got nonconformities on their audit, because the auditor’s responsibility is to say, “Well, I thought the fact that you added these 12 things to this control means they were all necessary to mitigate risks to an acceptable level. So if you didn’t do these four, we have a problem.” So A, don’t over-commit on controls. Most organizations are doing 80, 90% of the stuff right already. If I asked you if you have multi-factor authentication on Office 365, and you say yes, and I asked you why, you’d say, “Well, the risk of not having it, it’s too high.”

John Verry (19:55):

Guess what? That’s ISO, right? Understand risk and then implement controls proportional to risk. You implemented your authentication controls in a way that reflected the risk associated with somebody getting into your Office 365 accounts. So document what you do. Start there, and then only gap assess from there forward and determine whether or not you need to do any more than that. In many instances, you don’t need to do much more than that. The second thing is that ISO is about continuous improvement. And each year your auditor is going to ask you to demonstrate continuous improvement. So starting at the minimum of where you need to be and then moving forward each year also provides that. So, that was fast. Appreciate everyone’s time and have a good day. Let’s all be safe out there.

Narrator (Intro/Outro) (20:45):

You’ve been listening to the Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.