Top 10 Mistakes in Implementing ISO/IEC 27001:2022

Nico Snyman discusses common mistakes in implementing ISO/IEC 27001.


Introduction

As an External Auditor, conducting Certification Audits on various standards for the Certification Bodies (CB), I have seen and experienced a lot of mistakes in implementing ISO/IEC 27001.

Some standards are fairly easy to audit, but then you encounter the super strong standards, such as ISO/IEC 27001:2022, Information Security Management System (ISMS). And believe me, if this is a standard that is difficult to audit because of its complexity and volume, you must understand the effort taken by the Auditee/Client to implement it.

And this is where the road map gets a little distorted. My career has spanned over 42 years, from operational level when I was young to the top echelons of government and corporate entities. And every time I had to make sure that the managers, senior managers and executives reporting to me did not get lost in the detail and the operational requirements and make mistakes in implementing ISO/IEC 27001.

This is exactly what I am encountering when I am auditing ISO/IEC 27001:2022.

The article below will give you a short insight into the broad challenges and mistakes in implementing ISO/IEC 27001. I am not providing solutions in this article; those will follow in another article.

Top 10 Mistakes in Implementing ISO/IEC 27001:2022

Always remember, you are seeking ISO/IEC 27001:2022 certification. Nothing else. But you need to be cognisant that every ISO standard implementation is part of the Integrated Management System (IMS2) methodology, which is defined as:

  • An integrated management system (IMS) is a management system which integrates all the organization’s systems and processes into one complete framework.

The sections below address each of these 10 mistakes:

Mistake #1 - No or very limited Context analysis, Internal and External context (Clause 4.1)

Understanding the context in which the business is going to operate is extremely important. This is part of every strategic management process. This analysis is a requirement in terms of Clause 4.1, which stipulates that a company shall conduct an External and Internal Context analysis. It then refers, in a Note, to Clause 5.4.1 of ISO 31000:2018. And right there is where the biggest mistake, which will be a golden thread throughout the ISO/IEC 27001:2022 system, takes effect.

ISO 31000 is an integral part of the ISMS; everywhere you see the word risk, it refers back to ISO 31000. The word "risk" is used 39 times and the word "risks" 18 times. We are receiving haphazard and weak attempts as evidence of External and Internal Analysis.

This is your business, and you need to know who your competitors are and what the ecosystem is in which you need to succeed. You will see that in every Clause there is a reference back to the work you have done in Clauses 4.1 and 4.2; thus a poor product here infects and affects your total system. And this is one of the mistakes in implementing ISO/IEC 27001.

Mistake #2 - Scope (Clause 4.3)

A Scope document is a critical document. This must be a separate document, as your scope can change, increase, etc. This is how you ringfence your ISMS. And the scope document is reviewed every year in the audit, as this is the guide for the auditor to follow, and it keeps his questions and your exposure limited.

Another one of the mistakes in implementing ISO/IEC 27001.

Mistake #3 - ISMS Manual/Plan (Clause 4.4)

This is detrimental to the ISMS. Every department has a plan: a Safety Plan, an Operational Plan, a Maintenance Plan, a Human Resource Plan, etc. Don't be fooled by the shortness of the paragraph. This 3-sentence paragraph packs a huge punch.

The ISMS Manual/Plan integrates the ISMS and explains to everyone, in one document, what you are planning and how you intend to get there. This is a real ISMS breaker and one of the mistakes in implementing ISO/IEC 27001.

Mistake #4 - Risk Management (Clause 6)

This is a huge challenge. It seems as if the implementation has been handed over to operational people to design, implement and execute. The immediate Major Non-Conformance (MaNC) is that the ISMS is not aligned with the strategic objectives of the company (See Clause 5.1 (a)).

We have been presented, in this strategic Clause, with super low-level operational work, such as threat assessments, etc. This is not a strategic Risk Assessment. And then the Auditee does not even know what the ISO 31000 definition of risk is.

It is sometimes shocking to see people look at you, the Auditor, as this guy from outer space, while they sit in front of you like a deer caught in a car's headlights. And then, the interconnection with Clauses 4.1 and 4.2 must be explicit.

Yes, any person must be able to see it, read it, understand it and draw the connections between these two clauses, without an elaborate attempt to explain something that is not there. And as a result of the lack of pure ISO 31000 Risk Management knowledge, Clauses 6.1.2 and 6.1.3 just exacerbate the whole process.

This is a systems killer. And we have not even got to the meat on the bone; this is just the system. Another of the mistakes in implementing ISO/IEC 27001.

Mistake #5 - Statement of Applicability (Clause 6.1.3 (e))

Another of the common mistakes in implementing ISO/IEC 27001 is that the products provided to serve as evidence are sometimes shocking.

I can see there is an attempt, but again, as mentioned above, it seems as if the ISMS has been handed over to a junior person, and everything this person delivers is a huge success in terms of the person's capabilities and knowledge base.

The Clause is clear: sit, read, and read again, ponder what is asked, and then start with the development. The Statement of Applicability is nothing else than a Gap Analysis of where you are and where you want to be, with the Scope as your guidance.

Mistake #6 - ISMS Objectives (Clause 6.2)

I have seen this so many times. CIOs provide the Objectives for the ISMS; no problem, it is there. But take a step back. Clause 5.1 (a) asks for the ISMS Objectives to be aligned with, or in support of, the Strategic Objectives (SO) of the company.

When asked to demonstrate the alignment from the SO, and the integration of the ISMS Objectives into the SO, the evidence is very limited. It was not even considered that the ISMS shall/must be derived from the Strategic Objectives and that the ISMS shall/must drive the company's business forward to success. This is another of the common mistakes in implementing ISO/IEC 27001.

Mistake #7 - Documentation (Clause 7.5)

The organisation's ISMS documentation is another of the mistakes in implementing ISO/IEC 27001.

The biggest frustration and challenge that any auditor encounters is the Auditee struggling to obtain his own evidence, meaning documented proof. Usually, the documents are in one folder, all over 200 of them.

And for them to find the specific document or evidence requested is a treasure hunt of note. And the time is ticking by for the audit to be completed successfully within the timeframes allocated.

Mistake #8 - Continuous Improvement (Clause 10.1)

This is usually a trick question, and as the auditor I ask the following question, verbatim: Please provide and explain the Continuous Improvement Strategy for the ISMS. And right there the waffling begins.

Everyone is trying to convince the auditor of the work that was done, but no one has a strategy for 3-5 years going forward. Not one piece of documented evidence could be presented to prove and commit everyone to the same strategy.

This is what Continuous Improvement is: not crisis management and not operational rhetoric, but a solid and demonstrable plan of action for doing business in the future, and how you "future proof" your ISMS. Another of the common mistakes in implementing ISO/IEC 27001.

Mistake #9 - Annexure A: Controls

This Annexure is the single biggest downfall of every ISO/IEC 27001:2022 Certification process I have audited. And I mean the ISO/IEC 27001:2022 Certification. It needs to be recognised that Annexure A is ISO/IEC 27002; it is a different standard, which has been documented as a different standard with a purpose.

The focus is so big on the 94 controls that the Auditee is missing the elephant in the room: ISO/IEC 27001:2022, against which they want to be certified.

When I started this article, I explained the difference between Strategic vision and work and Operational outlook and work. Please see the difference. Operations has an outlook, and it cannot have a vision if it is not aligned with the Company vision.

And this is where everyone trips. Annexure A can be explained, and documents can be found, but please, these are operational controls. And in this process of ISO/IEC 27001:2022, the ISMS is haphazardly implemented. This is one of the mistakes in implementing ISO/IEC 27001 that will kill your ISMS.

Mistake #10 - Integration of Standards

The last big one of the mistakes in implementing ISO/IEC 27001, and possibly one that is critical for the whole ISO environment, is that no one reads the Bibliography of the standard they are working with, and specifically in the case of ISO/IEC 27001:2022.

The last page is a critical page of the standard as it provides you with the Competency requirements to be measured against in terms of ISO/IEC 27001:2022 and this includes:

  • ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls
  • ISO/IEC 27003, Information technology — Security techniques — Information security management systems — Guidance
  • ISO/IEC 27004, Information technology — Security techniques — Information security management
  • ISO/IEC 27005, Information security, cybersecurity and privacy protection — Guidance on managing information security risks
  • ISO 31000:2018, Risk management — Guidelines

Questions:

Do you have these standards? Did you go through these standards? Did you obtain training in these standards? And is this included in your Skills Development Plans and the Continuous Improvement Strategic Plan for the People investment?

Conclusion

ISO/IEC 27001:2022 is the foundation of the Digital Transformation of companies and the certification is proof of the fact that the Auditee met the minimum requirements of the Standard.

As I went along writing this article, example upon example flashed in front of my eyes regarding every paragraph and clause in the ISO/IEC 27001:2022 Standard. As a purist ISO expert, I must honour the primary standard before looking at an annexure, which is the operational part of Clause 8.

And this is where the paradigm shift of the auditee is happening. As stipulated in the article, some are dumbstruck, others are really sitting like deer in oncoming lights, frozen. And you cannot blame your consultants if you run into these mistakes in implementing ISO/IEC 27001.

You are the risk owner, you are the ISMS owner; you need to account for it, not the auditors.

Various articles will follow. And please refer to the other articles written regarding the 10th biggest mistake. This will improve your knowledge base and improve the ecosystem of your company.
