5 Common Fallacies Associated with ISO 27001 Certification

Implementing an information security management system (ISMS) and obtaining ISO 27001 certification, the International Standard for Information Security Management, offers several compelling benefits. The primary reason is that customers, clients, and stakeholders often seek the reassurance provided by an ISO 27001 certificate.

While embarking on an ISMS project and pursuing ISO 27001 certification may seem overwhelming at first glance, there are common misconceptions about the requirements and steps involved in achieving certification. This blog aims to address these misconceptions and debunk five prevalent fallacies associated with the ISO 27001 certification process.

1 – “My organisation is too large or too complex”

While undertaking an ISO 27001 project may appear overwhelmingly large or complex, it is possible to start with a smaller scope for the information security management system (ISMS). By initially limiting the scope, including the number of information assets, users, and associated risks, the ISMS certification project becomes more manageable.

Starting with a smaller scope allows for a smoother certification process, and the ISMS can later be expanded to encompass more areas of the organization. The initial certification audit, consisting of two stages, can be challenging. However, when extending the scope, usually only one stage is required. Moreover, as you have already gone through the certification audit process once, managing the extension audit is typically easier.

By starting small and gradually expanding the ISMS's scope, organizations can effectively manage the certification process, mitigate challenges, and ensure a smoother transition towards ISO 27001 certification.

2 – “I have to resolve all of my security issues first”

Obtaining certification to ISO 27001 does not imply achieving flawless security; rather, it signifies that an organization has established processes to effectively manage security risks. It is important to acknowledge that there will always be inherent risks that need to be accepted. By adopting a risk-based approach and developing comprehensive plans to address and mitigate those risks in a suitable and effective manner, organizations can successfully attain certification to the ISO 27001 Standard.

The key focus is on implementing robust risk management practices and ensuring that adequate measures are in place to address identified risks. ISO 27001 certification demonstrates that an organization has implemented a systematic and structured approach to information security, aligning its processes and practices with internationally recognized standards. It signifies the organization's commitment to managing security risks, continuously improving its security posture, and safeguarding sensitive information.

3 – “There are too many controls to implement”

Annex A of ISO 27001 includes a list of 114 information security controls (which will be reduced to 93 in the updated standard) that can be utilized to manage and mitigate risks to an acceptable level. However, it is not mandatory to implement all 114 controls. The organization should selectively choose controls based on their specific needs and requirements, aiming to reduce risks to an acceptable level and comply with applicable laws, regulations, and contracts.

Regarding laws, there are limited UK laws that mandate specific control requirements. For instance, the Data Protection Act 2018 requires the implementation of "appropriate" measures or controls to protect personal data. It is also prudent to consider relevant EU legislation, such as the General Data Protection Regulation (GDPR).

In terms of regulations, most regulated firms in the UK are obligated to manage various risks, including information security risks. However, there are generally few regulations that specify particular control types.

When it comes to contracts, organizations must implement any specific controls stipulated in the contract, regardless of ISO 27001 requirements.

It is worth noting that following a thorough risk assessment, the selected controls to mitigate identified risks and documented in the risk treatment plan do not necessarily have to be fully implemented prior to the certification audit. The important aspect is demonstrating a comprehensive understanding of the risks and having a well-defined plan to address them effectively.

4 – “It’s too expensive”

Having a robust information security capability is an essential aspect of conducting business, and ISO 27001 certification can often act as a business enabler and a differentiating factor in the market. Considering that the scope of the information security management system (ISMS) does not necessarily need to cover the entire organization and that only necessary controls are selected and planned, it is beneficial to reassess the actual costs involved.

Many of the processes involved in an ISMS may already exist within the organization, and with some initial external assistance, the activities related to managing the ISMS can generally be handled by existing personnel.

While there are costs associated with technical information security controls, it is important to note that cost-effective measures such as policies, training, and awareness programs can effectively reduce risks, sometimes even surpassing the benefits of additional software or hardware investments.

The implementation of the ISMS and the selected controls are typically the most substantial expenses, but these are necessary steps to manage risk regardless of pursuing certification. The actual certification process itself is relatively less expensive, involving payment for the certification body's time to assess the organization and provide a report on conformance, along with the issuance of a certificate.

In summary, the costs associated with an ISMS and ISO 27001 certification should be viewed in the context of managing risk and can often be accommodated within existing resources. The certification process itself is a relatively minor expense compared to the overall benefits it can bring.

5 – “It involves too much documentation”

ISO 27001 specifies only 10 essential process elements that must be documented, and these requirements are logical and reasonable. The specific method of documentation, whether written documents, process maps, or other formats, is at the organization's discretion. Additionally, regardless of whether an ISMS is in place or not, documenting other information security processes or activities can always be beneficial. It is up to the organization to decide which processes to document as policies, procedures, or records, based on what provides clarity and assistance.

The 114 controls listed in Annex A of ISO 27001 are theoretically optional. Each organization must determine whether to include or exclude each control and provide a rationale for their decision. For the controls that are included, certain supporting documentation is required, with some explicitly stating the need for a policy statement, while others allow for more flexibility. The following key areas suggest the need for supporting documentation:

A5: Policies for information security: A set of defined policies for information security should be approved by management, published, and communicated to employees and relevant external parties. Examples of policy topics include mobile devices and teleworking, information classification and handling, acceptable use of assets, access control, cryptographic controls, physical and environmental security, clear desk and clear screen, information transfer, protection from malware, backups, management of technical vulnerabilities, restrictions on software installation and use, communications security, supplier relationships, privacy, and protection of personally identifiable information.

During the implementation of an ISMS, organizations may identify additional areas that could benefit from having a policy. For example, the controls in A7, as part of ISO 27001 requirements, relate to HR security, encompassing screening, onboarding, disciplinary actions, and termination activities. Each of these elements could be addressed in standalone policies or consolidated into a comprehensive "HR policy." Regardless of the chosen method to capture the relevant information, it's important to note that any documentation supporting the ISMS, regardless of its format, must be controlled in accordance with the mandatory documentation requirements specified in the ISO 27001 Standard.