How to define criteria for processes in ISO27001:2022 (Clause 8.1)

This article gives some thoughts on how to approach the new requirement in ISO27001:2022 to establish criteria for processes. The overall requirement is:

“The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by:

— establishing criteria for the processes;

— implementing control of the processes in accordance with the criteria.”

My highlighting in bold shows the change from the previous version of ISO27001.

This is actually pretty vague as it does not say which processes (although it implies all of them) and does not say what sort of criteria you should define. However, a reasonable interpretation is that it is the criteria related to the successful operation of the processes.

What we mean by processes is all the things you do to operate and run your Information Security Management System (ISMS). This is all of clauses 4 to 10 (e.g. updating the risk assessment) and all the controls that are processes (e.g. change management, information security awareness, email filtering). Note that some controls are not processes. For example the following are not processes - a security guard, a firewall, a locked filing cabinet.

In other words, what is it that needs to be in place for these processes to operate effectively? It is likely that you are doing this already. After all, you would not think about putting in (say) web filtering without thinking about what is needed for it to work properly. What this new requirement in ISO27001 asks is that you do this in a more formal way. What ISO27001 is also clear about is that this does not mean that you need lots of extra documentation about these criteria. What clause 8.1 also says is this:

“Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.”

Note that a “criteria” might be considered the same as a “critical success factor” or “success criteria”, but it depends on your definitions and usage of these terms. However, if it helps, I can’t see any reason why you can’t, at least to some extent, substitute the word “criteria” with “critical success factor” or “success criteria”.

One possible way of thinking about a criterion is that it is a "control" that you put in place to help ensure that your process meets its objective. If you apply this approach to the processes for your controls (i.e. your controls) then the criterion becomes a "control" over your control. This sounds a bit odd and recursive but can be an easy way of thinking about it.

This should also be applied to those processes that are important to the operation of the ISMS but are “external” to the scope of the ISMS, that is, processes that are “outsourced” or undertaken by another part of the company not in the direct scope of the ISMS.

This requirement is in the other management system standards (e.g. ISO9001, ISO22301) and I know that it is not always fully considered in these. However, you will need to make decisions about:

1) How much and how far you go with this to help you manage your information security risks, and

2) What will your certification auditor be happy with?

At the risk of stating the obvious, when you have defined these criteria you then need to implement approaches to ensure that the processes operate to that criteria.

You also need to make sure that your approach to the criteria is monitored using your performance management approach (Clauses 9.1 and 9.2) – for example your internal audit(s) will need to look at the criteria.

Note that you could just completely ignore this new requirement on the basis that your certification auditor may well not ask about it. But I don’t recommend that you do this.

How might these criteria be documented?

A very small organisation would not need or be expected to have much documentation on this but a much larger one might. Even if you don’t have documentation on these criteria, it is reasonable for you to be able to answer the questions:

- “Have you established criteria for the processes?”

- “What are the criteria for the processes?”

- “Are the processes implemented in accordance with the criteria?”

These criteria could be documented in the policies/procedures, etc. that describe the process. For controls, if appropriate, this could be documented in the control description. It might also be that this could be related to objectives (clause 6.2) or whatever performance management (clause 9.1) approach you have in place. I have suggested a possible approach later in this article.

Some possible criteria

Criteria could include:

Inputs to the process.

What are valid inputs to the process? Are there any time constraints on getting these inputs? For example, a criterion for the change management process might be that all change requests must be complete and submitted to the change advisory board at least 24 hours before the meeting.

Outputs from the process

What criteria are there for the outputs from the process? Are there any time constraints? These might be defined as quality requirements and/or acceptance requirements. For example, a criterion for a phishing exercise process might be that it is only considered to have been a success if less than 20% of people clicked on the link within 3 days.

Incidents and non-conformities

We might say that a criterion for the success of a process is how many incidents or non-conformities are reported against the process. A criterion for the ISMS might be that there are no more than 5 information security incidents or 10 non-conformities in the year.

Tolerance/quality/performance

When operating the process, how exact, precise and effective does it need to be? For example, a criterion for the anti-virus process might be that it is only considered to be working effectively if 95% of all workstations have up to date anti-virus definitions. As another example, a criterion for the annual information security training might be that 85% of all staff must complete the training within 2 weeks. I partly covered this approach in the section “Defining tolerance levels/criteria for controls” in this article https://www.dhirubhai.net/pulse/when-using-iso27001-controls-do-need-100-effective-chris-hall/

Post-delivery quality/performance checking

Another way of looking at quality/performance criteria is that the output of the process is “checked” on some basis. This might be very important for a process that you know is difficult to control or manage, perhaps a manual process or a process that depends on people. A common example of this is information security awareness and training, where a criterion might be created that is based on the results of checking awareness at regular intervals – e.g. with quizzes or phishing exercises. Another example might be that the criterion for system development and release processes is that a successful pen test is run against all new releases.

Resource to operate the process

What is needed from a resource perspective for the process to operate? For example, a criterion for the ISMS to operate effectively is that there is an ISMS manager.

Competence

What level of competence is needed to operate the process? This is partly covered by the competence requirement of clause 7.2 but also applies at a process level. For example, a criterion for the system development and release processes could be that all system developers must be familiar with the OWASP Top 10.

Training

What training is needed for the process to operate effectively? A criterion for the DevOps process could be that all users of the process must have completed the Azure DevOps training.

Documentation

What documentation (e.g. policies/procedures) is needed for the process to operate effectively? For example, a criterion for the incident management process is that it is documented.

Record keeping

What records should be kept to ensure the proper operation of the process? For example, a criterion for the visitors process might be keeping visitor records for 6 months. As another example, a criterion for the change management process might be that all change records are kept for 2 years.

Customer satisfaction

Is there some level of customer satisfaction that might be considered important to the operation of the process? For example, a criterion for the user change process could be related to the level of customer feedback once the change has gone live.

A possible approach to doing all of this

There are many possible approaches to this.

As I have said, these criteria do not all need to be documented, but where you are going to document them I suggest that a good start is to simply list in a table the “main” processes and, for each one, add some commentary on the criteria. In practice this would be a list of all the main ISO27001 clauses plus a list of all the controls listed in the Statement of Applicability that are processes, as applicable. It might be that the commentary on the criteria is simply a reference to the documentation on the process, as it contains the criteria – e.g. policy/process documentation. I suggest that the first time you do this you just do it for the controls that are processes and leave the clauses until later.

An Example

As an example, suppose you have a control “Anti Virus”. What is needed for the implementation and operation of this control to be successful? There are lots of possibilities, including such things as:

- Anti Virus is installed on all company workstations.

- Anti Virus cannot be switched off by the user of the workstation.

- Anti Virus definitions are kept up to date on all workstations as long as those workstations connect to the corporate network.

- Etc.
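Criteria like these are only useful if you can show that the control is operating to them, which is where the clause 8.1 “documented information” and the tolerance levels from the “Tolerance/quality/performance” section come together. The following is an added example, not code from this article or from BTRP: it encodes the three Anti Virus criteria above, plus the 95% definitions-up-to-date tolerance, as checks over a constructed workstation inventory and produces one evidence line per criterion. The record fields, the dates, the 3-day maximum definition age and the 14-day “recently connected” window are all assumptions made for the example. Note how the third criterion's scope (“as long as those workstations connect to the corporate network”) is handled: a laptop that has been offline for weeks is excluded from the count rather than recorded as a failure.

```python
"""Checking process criteria against evidence records.

Added example, not from the article or from BTRP. It encodes the three
"Anti Virus" criteria listed above, plus the 95% definitions-up-to-date
tolerance from the "Tolerance/quality/performance" section, as checks over
a constructed workstation inventory. The record fields, the dates, the
3-day maximum definition age and the 14-day "recently connected" window
are all assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Workstation:
    name: str
    av_installed: bool
    user_can_disable_av: bool
    definitions_date: Optional[date]      # None: no AV or no record
    last_network_contact: Optional[date]  # None: never seen on the network


# Constructed sample inventory (not real data); reporting date is 2024-03-01.
AS_OF = date(2024, 3, 1)
INVENTORY: List[Workstation] = [
    Workstation("ws-01", True, False, date(2024, 2, 29), date(2024, 3, 1)),
    Workstation("ws-02", True, False, date(2024, 2, 20), date(2024, 2, 28)),  # stale definitions
    Workstation("ws-03", False, False, None, date(2024, 3, 1)),               # no AV at all
    Workstation("ws-04", True, True, date(2024, 3, 1), date(2024, 3, 1)),     # user can disable AV
    Workstation("ws-05", True, False, date(2024, 1, 10), date(2024, 1, 15)),  # laptop, offline since January
    Workstation("ws-06", True, False, date(2024, 3, 1), date(2024, 3, 1)),
    Workstation("ws-07", True, False, date(2024, 2, 27), date(2024, 2, 28)),
    Workstation("ws-08", True, False, None, date(2024, 3, 1)),                # AV present, no definition record
]


def connected_recently(ws: Workstation, as_of: date, grace_days: int) -> bool:
    """The definitions criterion applies "as long as those workstations connect to
    the corporate network", so a machine unseen for longer than the grace window
    is out of scope for that criterion rather than a failure of it."""
    return ws.last_network_contact is not None and (as_of - ws.last_network_contact).days <= grace_days


def definitions_current(ws: Workstation, as_of: date, max_age_days: int) -> bool:
    """Missing AV or a missing definition record counts as out of date."""
    return (ws.av_installed and ws.definitions_date is not None
            and (as_of - ws.definitions_date).days <= max_age_days)


def evaluate(inventory, as_of, max_age_days=3, grace_days=14, tolerance=0.95) -> Dict:
    """Judge the three criteria. The first two are absolute ("all company
    workstations"); the third is judged against a tolerance level, as the
    article's 95% example does, over the in-scope workstations only."""
    not_installed = [ws.name for ws in inventory if not ws.av_installed]
    user_can_disable = [ws.name for ws in inventory if ws.av_installed and ws.user_can_disable_av]
    in_scope = [ws for ws in inventory if connected_recently(ws, as_of, grace_days)]
    out_of_scope = [ws.name for ws in inventory if not connected_recently(ws, as_of, grace_days)]
    stale = [ws.name for ws in in_scope if not definitions_current(ws, as_of, max_age_days)]
    current = len(in_scope) - len(stale)
    ratio = current / len(in_scope) if in_scope else 1.0
    definitions = {
        "in_scope": len(in_scope), "current": current, "ratio": ratio,
        "meets_tolerance": ratio >= tolerance, "stale": stale, "out_of_scope": out_of_scope,
    }
    return {
        "installed_everywhere": not not_installed, "not_installed": not_installed,
        "tamper_protected_everywhere": not user_can_disable, "user_can_disable": user_can_disable,
        "definitions": definitions,
        "overall": not not_installed and not user_can_disable and definitions["meets_tolerance"],
    }


def report_lines(result: Dict) -> List[str]:
    """Documented information for clause 8.1: one line per criterion, each
    carrying the evidence behind its verdict so an auditor can follow it."""
    def verdict(ok: bool) -> str:
        return "PASS" if ok else "FAIL"
    d = result["definitions"]
    return [
        f"[{verdict(result['installed_everywhere'])}] AV installed on all workstations; "
        f"missing on: {', '.join(result['not_installed']) or 'none'}",
        f"[{verdict(result['tamper_protected_everywhere'])}] AV cannot be disabled by the user; "
        f"user-disableable on: {', '.join(result['user_can_disable']) or 'none'}",
        f"[{verdict(d['meets_tolerance'])}] definitions current on {d['current']}/{d['in_scope']} "
        f"in-scope workstations ({d['ratio']:.0%}); stale: {', '.join(d['stale']) or 'none'}; "
        f"out of scope (not recently connected): {', '.join(d['out_of_scope']) or 'none'}",
    ]


if __name__ == "__main__":
    for line in report_lines(evaluate(INVENTORY, AS_OF)):
        print(line)
```

Run against the constructed inventory, the first two criteria fail on one workstation each and the third fails because only 4 of the 7 in-scope workstations are current (57%, against the 95% tolerance); ws-05 is reported as out of scope rather than stale. The three report lines are the kind of record that lets you answer “are the processes implemented in accordance with the criteria?” with evidence rather than an assurance.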

Summary

In practice you are probably already doing “criteria” for processes and if asked “what is needed to ensure that process X operates OK” you will almost certainly be able to answer even if you have to think about it for a bit. What this new requirement in ISO27001 requires you to do is to do your “thinking about it” in advance and be a bit more formal about all of this. Probably not a bad idea really.

Chris

www.btrp.co.uk

This was a truly required document. Thanks

Koenraad Béroudiaux

What’s at stake? What does ‘secure (enough)’ look like?

9 months

"For example the following are not processes - a security guard, a firewall, a locked filing cabinet." Ok, but there are processes to determine what the guard should do, in normal conditions and when they find something abnormal. Same for a firewall: it is an automated process that sometimes needs change. A locked filing cabinet is of no use unless someone opens it (and closes it after use) for some particular reason...

Pim Lagrand

Adviseur informatiebeveiliging (ISO27001/27701/9001, NEN7510, SOC1, SOC2)

1 year

Excellent article, thanks Chris Hall. Processes and their interactions are also mentioned in clause 4.4. Are those the same processes as in this clause?


Very nice to see this para..."What we mean by processes is all the things you do to operate and run your Information Security Management System (ISMS). This is all the 4 to 10 clauses (e.g. update the risk assessment) and all the controls (e.g. change management, information security awareness, email filtering)." There are some companies out there that are led by would-be security people that do not care about specific processes. Somehow people seem to forget that the processes in an ISMS are operations. It does not matter if it is a cyber defense process with Vuln Mgt or forensics or risk management...these are all ISMS operations.

Raghavendra Gururaj

Consultant & Trainer - Information Security, Data Protection & Privacy

1 year

Thank you very much for sharing. Very much appreciate your efforts.
