Common myths, misunderstandings and misconceptions of the ISO 27001 standard
Internal audits
What the standard does NOT say: the standard does not define the scope of your internal audit. Nor does it state that a third-party provider or someone external to your organisation must perform the audit.
What the standard DOES say: that an internal audit must be performed by someone independent of those implementing the Information Security Management System (ISMS). This can be someone internal to your organisation, as long as they understand the ISO 27001 standard.
The general rule is ‘don’t mark your own homework’. If you want the best value from an internal audit, use someone who understands the standard.
Statement of Applicability and Annex A Controls
What the standard does NOT say: the standard does not say that you can only use Annex A as the control framework for your ISMS.
What the standard DOES say: the standard states that Annex A is a non-exhaustive list of Information Security Controls and that additional controls outside of this list may be required to mitigate risks the organisation has identified.
A good example of this is an organisation that identifies a key risk as financial loss resulting from being hacked, or from data being destroyed, extorted or stolen. Looking down the list of Annex A controls in the standard, you may not find an adequate control for that risk (such as buying Cyber Liability Insurance) within the standard itself.
Procedures for document control
What the standard does NOT say: the standard does not say you need to have a formally documented policy/procedure for the production or maintenance of documents within your ISMS.
What the standard DOES say: that the organisation ensures its policies have clear version control and ownership, use uniform formats, are subject to review, are protected against loss of confidentiality or integrity, and are centrally stored. However, all of this can be implemented and evidenced without a formally documented policy stating it.
Climate Change
What the standard does NOT say: the standard does not stipulate or mandate that you need to create a climate change plan or implement a formally documented policy suite in relation to climate change.
What the standard DOES say: as part of Clause 4.1, when determining the internal and external issues that may pertain to an organisation, it must now take climate change into consideration to determine whether or not it is a relevant issue.
To consider something is far different from formally documenting something. Should your organisation identify specific internal or external issues relating to climate change, this would then need to feed through to the scope of your Information Security Management System and subsequent Information Security activities.
Clause 4.2 also notes that an organisation’s interested parties (parent company, stakeholders, investors, cloud service providers, to name a few) may also have requirements related to climate change. For example, if you have a parent company that stipulates that all organisations under it must have a climate action plan, then that is something you would need to do to meet the needs and requirements of an interested party.
Official wording and changes to Clause 4.1 and 4.2
ISO 27001 auditors
What everyone thinks: that ISO 27001 auditors are terrifying interrogators trying to catch you out, work against you, and do anything possible to avoid certifying you.
What working with AssuranceLab is like: our auditors cut through the copious amounts of confusing language within the ISO standards. Our auditors work with you to ensure you understand what the standard expects and what we expect to see. Our auditors are pragmatic and want to see you get certified!
We help over 400 technology companies in over 20 countries to build and strengthen trust with their stakeholders and unlock new commercial opportunities founded on that trust. Learn more about AssuranceLab.