The (wrong) Annex A approach to doing ISO27001
[Updated 5th Oct 2024 to add a section for certification auditors]
I have already covered this in various ways in other LinkedIn articles but here goes with a bit more about it..
ISO27001 supports a wide range of different approaches to its implementation. This article looks at one of the more popular approaches. In some respects it is a bit odd because this approach, whilst very popular goes against the basic principles of ISO27001 and an ISMS built using this approach does not conform to the requirements of ISO27001. However, lots of organisations use this approach and lots of certification auditors and certification bodies “collude” in pretending that it is a valid approach. It isn’t.
Do you use this approach? Read on.
The process
The basic principle of this approach is to use Annex A as the core of the implementation. The information security risk assessment plays no or a negligible part in this.
The process used is the following.
Look down the list of controls in Annex A and decide if you think any of them apply to your organisation. The way you do this is by saying “Do we do this thing and if so then all the Annex A controls related to that will be deemed as applying to use”. For example, if you have some offices then you say that all the physical security controls (14 of them) apply. If you do systems development then all the systems development controls (8.25 to 8.34) apply. And so on. There are also some controls that you will almost certainly need using this process – for example the incident management ones (5.24 to 5.29), access control ones (5.15 to 5.18), and supplier controls (5.19 to 5.22), etc.
The idea is that you are very likely to end up with most of the Annex A controls being applicable and you have to justify any that you don’t think apply to you but the only real justification for excluding an Annex A control is because you don’t do the associated activity. As an example, if you don’t have any offices then you can exclude the physical security controls. If you don’t do any systems development you can exclude all the system development ones. If you don’t encrypt anything than you don’t need a cryptography policy, etc.
Out of this you end up with a list of Annex A controls that apply to you and perhaps a very small number that don’t and that you have a strong individual justification for excluding the ones that you have said don’t apply.
This all then gets documented in the Statement of Applicability. Controls determined. Job done!
You still have to do all the ISO27001 clauses 4 to 10 including creating the risk assessment. However, if you use the above process the risk assessment serves no useful purpose and is just done to “tick the box” and keep the auditors happy.
What is wrong with this?
The above process is completely wrong for lots of reasons, including:
1) There is no mention of risk.
2) It does not conform to the requirements of ISO27001 which states very clearly and explicitly that you must use a formal information security risk assessment to determine your controls. The above process does not do this.
3) The approach leads to you doing controls just because they are in Annex A rather than them being relevant and necessary for your organisation.
4) The approach means that is it easy to miss potentially important controls just because they are not in Annex A. For example, business continuity planning, cyber insurance, third party library management as well as potentially industry specific ones – e.g. for SCADA or IOT.
The big implication of this is that you can very easily and are very likely to end up with a list of controls that are not necessarily the best ones for your organisation.
What ISO27001 actually requires you to do is undertake a formal information security risk assessment and then determine the necessary controls needed to help manage the identified risks. These controls can be from Annex A but may not necessarily be all the ones related to the topic. As an example, if you have offices then you decide which of the 14 Annex A physical control you assess as necessary to manage the risks. It may be all of them but it might not be. Depending on the risks there might also be some other controls not in Annex A that relate to your offices that you also judge to be necessary. And so on.
Note that I actually think that above process is not necessarily a bad process as such for some companies and circumstances. But it does not conform to the requirements of ISO27001.
领英推荐
What should a certification auditor do if they see that the above process has been used?
If a certification auditor sees that an organisation has used the above process they should raise a major non conformity. The simplest non nonconformity could be based on something like this:
Requirements: "6.1.3 a) select appropriate information security risk treatment options, taking account of the risk assessment results"; and "6.1.3 b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;" have not been met.
The controls have not been determined as the ones necessary to implement the information security risk treatment option(s) chosen. They have been determined independently of the risk assessment results.
The evidence for this is:
[and/or]
[and/or]
There may also be other possible non conformities relating to the risk assessment. For example, the documented risk assessment process may not state the controls are to be determined from the risk assessment results. if so that is a non conformity against 6.1.3 a). Perhaps the risk assessment process does state that controls are determined from the risk assessment results but as indicated above there is no evidence that was done. And so on.
Summary
There is massive collusion in the ISO27001 world that treats the above process as a valid interpretation of ISO27001. It isn’t!
It is actually worse than that because:
1) some software that supports ISO27001 insists on the above process.
2) some ISO27001 training courses only cover the above process.
3) some ISO27001 consultants only understand the above process.
Even worse, much worse is that some certification auditors, some certification bodies and even some accreditation bodies actually insist that anyone doing ISO27001 must use the above process. Specifically they completely ignore the role of the risk assessment in determining controls.
Quite shocking really especially when ISO27001 is clear about this (but could be clearer!) as is all the supporting guidance documents – e.g. ISO27003, ISO27005 and ISO27007.
Chris Hall
#iso27001 #annexA #chrishalliso27001
Information Security | Smart metering compliance | Utility Warehouse My opinions are my own and no one else's.
1 个月Always said that a good ISMS starts from the risk register, and my foundation is in ISO27001. I do think the standard needs rewriting to support this though - and was a bit disappointed that 2022 does not!
Solving Cyber
1 个月Ah but risk assessment involves judgement and if you make judgement calls you could be wrong and then you have an issue or finding and it’s bad for career!
Starting with the punchline spoils the joke.
Making sense of governing Information Security, Cybersecurity, Artificial Intelligence, Data Protection, Business Continuity, IT Service, and Quality Management.
1 个月Interesting views Chris, as always. I don't disagree with your thoughts at all. However, it is unlikely that the issue would affect achieving a certification. If such blatent detachment between the risk assessment and the SOA exists, this should be picked up at stage 1. If it isn't, the CB/auditor needs to be pilloried. Secondly, no consultant of any worth should ever allow such a mis-sequenced approach to be *discovered* by an auditor! If they do, they deserve to be pilloried. I have seen and dealt with this on both sides of the fence numerous times and it is always down to a lack of experience, or the misplaced trust in a templated approach, or the company already has established security controls that are demonstrably mature and effective, and implemented long before any risk assessment. The former are easily corrected, either through the corrective action for a major nonconformity at stage 1 (i.e. before the certification decision), or a 'consultant' remediating the issue, likely with a rework of one of their well-thumbed templates! In the latter it is very likely that a risk assessment is created retrospectively and would be no less effective in a certification audit. Generally, either way, the outcome is the same. M.
Security Sales Executive | Transform Global Organizations securely and efficiently | Verizon Business
1 个月Thank you for sharing your thoughts on this. I am not regularly dealing with the ISO 27001 process so I wasn’t aware that the risk assessment part is that easy to be circumvented within the formal ISO certification process. The approach sounds to me a bit like cherry-picking leading to a self-constructed world but not something that satisfies the needs of a realistic and transparent certification. Risky as customers or suppliers rely on this certification.