ISO 27001:2013 – It doesn’t have to be difficult

We’ve been working in and around ISO27001 quite a bit lately. Several new clients are working toward implementation, and it’s always interesting to see how differently organisations interpret and implement the standard. This has coincided with our own annual audit for both 27001 and 9001 (both passed, one observation for improvement, which is always welcome). Talking to the various clients, consultants and auditors involved, it seems that the same common mistakes are made time and again:

1. Rushed certification attempts

All ISO management systems are, well, systems. If you haven’t got at least six months of real-world experience (and hence data) existing in accordance with the standard(s), you’re going to be skating on thin ice. I understand the desire to demonstrate to the world that you comply, but you are not demonstrating a pile of documents, you’re demonstrating that you live them, and they are inextricably integrated within your organisation.

2. The year two lull

Receiving your certification is the start of your journey with the standard, not the end. Many organisations seem to take their foot off of the gas after initial certification, and this is something your annual audits will identify. You don’t return to normality after certification, you have created a new normal.

3. That’s not how it’s normally implemented

I don’t care. How you implement the standard is entirely your business. The auditor will be measuring your MS against the standard, and that’s all. There are no points for style. I’ve been on more than a few audits in which the auditor’s face lights up with glee and proclaims that they’ve never seen a particular part of the standard implemented in that way before. It’s not a bad thing.

4. Penetration testing isn’t vulnerability management

It’s part of vulnerability management, but so is the triage, rectification and confirmation of findings (subject to risk appetite). If you simply throw your penetration test report at the auditor and claim compliance with A.12.6.1, expect to be asked for the rectification plan.

5. Don’t over implement

ISO27001:2013 really isn’t a difficult standard to implement. This can, strangely, catch people out. They look for the hidden gotchas, and they struggle to believe that there aren’t any. Simple is best. I remember hearing the story of an organisation who failed their 27001 audit because the only person in the global organisation that could drive the hugely complex risk assessment software had missed their flight. This, ironically, wasn’t in the risk assessment……..