Classical myths about ISO 27001

Again and again. Despite how long ISO 27001, the so-called "gold standard of information security", has actually existed, the same misunderstandings keep coming up. What are the most common ones?

Myth 1: An ISO 27001 certificate proves 100% security

I consider this one the most dangerous because it creates a false sense of security. Let me state it plainly up front: compliance with ISO 27001 or any other standard does not mean bulletproof security. Companies still get hacked and breached despite ISO 27001, SOC 2, PCI DSS (add your favourite standard) compliance.

ISO 27001 certification mainly proves (if properly implemented and audited) that you have successfully established a management system (the security programme/framework in the organisation), that you are proactively managing security risks, and that you are implementing controls to reduce those risks to an "acceptable" level.

In the end, if you properly evaluate the risks and then accept most of them, you can still be compliant with the standard, but that does not mean you are secure.

Secondly, at least in my experience, not all certification bodies and auditors are equal in experience, knowledge and the time they spend going into the details of the controls, so the security level actually verified may differ.

Myth 2: The organisation needs to implement every listed control

I sometimes hear false statements such as "Without this control you cannot get certified. It is required by ISO. You need to implement all the controls... especially this one, for which I happen to offer a product" (followed by a URL to the product page).

In practice you do not need to implement everything. That is exactly why there is such a thing as the "Statement of Applicability", or "SoA" for short.

In the SoA you define which controls you consider relevant, based on your evaluation of risks and legal requirements. You may also mark controls as "not applicable" simply because you did not identify any relevant risk or legal requirement that calls for that particular control. The key thing is to document the evaluation and the justification for every excluded control.

Sure, try justifying that you do not need access controls because there are no risks. But that is not the case for every listed control.

Myth 3: ISO 27001 implementation is a paper exercise

Just no. And if you are doing it this way, you are doing it wrong. Sure, the standard is documentation-oriented and you will definitely need to develop at least basic policies and procedures. But in the end you need to put them into practice and into daily operations.

That applies to your own security as well as to certification. A lot of professionals in this area tend to become so-called "paper tigers". Keep the documentation at the minimum level that is practical for the organisation (which may differ) and focus more energy on the practical implementation of the controls. This will raise the maturity of the implemented controls in practice and, in the end, also increase the chances of a successful certification.

Myth 4: One month is a reasonable period for implementation

Maybe if you are already perfect. Otherwise, the standard implementation timeline in my experience is around one year, and that is when most of the technical controls are already in place. Sometimes we work with a two to three year perspective, especially if you are not just running for a quick certification but also want to implement it practically and faithfully in your environment. Is there a quicker way? Sure, I believe there are a lot of companies that can support you in that, but "instant certifications" are not my area of interest.

Myth 5: The ISO 27001 requirements are too high to reach

For some people, ISO 27001 compliance/certification is the highest possible level of protection. I do not think so. I believe it is "basic hygiene" in most cases. Compliance with this standard is not something you should regard as unachievable, but rather as the basics to start with. Sure, for some organisations it takes time to actually implement it in their complex and/or immature environment. But that does not mean the controls are set too high or are somehow unrealistic and unreachable for most companies.

Myth 6: ISO 27001 is a compliance checklist

It can be. It is certainly the easy way to "audit" it. But I prefer to think of it as a holistic framework that does not just list the controls but also gives you basic guidance if you want to build a security programme from scratch using a proven, structured and standardised approach.

Myth 7: I can fully outsource ISO 27001 implementation and operation

"I will hire you and you will do all the ISO stuff for me." A classic quote I still hear sometimes. Sure, it may be highly beneficial to hire a team that has already successfully run the implementation in several other organisations, but they will not cover 100% of it. At some level you still need to engage your leadership, who will communicate and support the implementation across the organisation; your IT operations teams, who actually need to follow their processes and keep the controls operating; your legal department, to update contracts and NDAs; and IT governance, HR, facilities, IT security, communications, and so on.

Myth 8: It is everything and nothing

"It is useless, it is not real security", or on the other side, "we need 100 percent focus on ISO, it will solve all our issues, put everything else on hold". I do not understand why we still need to think about everything in binary good/bad terms. Think of ISO 27001 as a tool. Is it perfect? Nope. But what is? On the other hand, there are some solid benefits to actually using it (if used properly). In short: think of it in context, evaluate the benefits and costs of implementing this particular framework, and decide how to use it for the purposes of your organisation. It is not a security silver bullet, but it is not necessarily a useless paper exercise either.

Myth 9: I am already ISO 27001 certified, so I do not need to pay attention to it anymore

This statement is bad for two reasons:

  • practical security: do you really want to tell me that being secure (maybe) at one point in history is good enough in today's constantly changing environment? I do not think so.
  • certification: the certificate does not come with open-ended validity. It expires. The standard recertification cycle is three years, and in each year in between you undergo a so-called "surveillance audit". So you still need to keep caring about it.

And what myths have you come across? Please let me know.

Stephan H. Wenderlich

IT security: down-to-earth and with passion

10 months ago

Absolutely correct. Companies that fall into the pitfalls you mention are usually victims of scammers, who invest large amounts of money in their false marketing. How can it be legal to "guarantee 100% audit success in 3 months (or 6)"? Even serious vulnerability management and monitoring (ISO 27k1:2022!!!) can consume a year. Some companies are overwhelmed by maintaining asset management. Some devs cannot tell which libraries they need (not want) for their products (again, ISO 27k1:2022!!!). IMHO, it smells like corruption. Which honest third-party auditor recommends certification by those "policy by templates" ISMS systems?


More articles by Petr Simsa

  • Meditations on cyber risk management