Demystifying ISO 27001:2013
Please feel free to download the slides here.
For organisations that have an existing certified ISO management system the addition of ISO 27001 (Information Security) can seem a daunting task. Whilst most of the management system elements are similar as they follow the same Annex SL structure, the information security controls are a whole new language.
The video looks at:
- The differences between ISO 27001 and other ISO management system standards
- Demystifying security risk assessment and treatment
- Security control selection
- Outsourced security
- Supply chain security
- Free security services
If you have any questions or would like to speak to a member of the team about getting a quote for certification or booking training please get in touch with us here.
-------------------------------------------------------------------------------------------------------------------------
VIDEO TRANSCRIPT
Demystifying ISO 27001
00:04 - Good afternoon ladies and gentlemen and welcome to today's webinar demystifying ISO 27001.
00:11 - I'm Tim Pinnell and I'm your host for the next 45 minutes, but before I get into the meat of the subject a bit about NQA for those of you who have not previously attended one of our webinars.
00:24 - NQA is a world-leading certification body with global operations. We're number one for aerospace certification in the US, we're top three in the UK for 9001, 14001, 45001, and 27001, number one in the Chinese automotive certification sector.
00:42 - We specialize in management system certification for quality, aerospace and automotive quality, environmental and energy, health and safety, information resilience which includes information security privacy and business continuity, food safety risk management and medical devices.
01:05 - We offer a range of training for all our specialisms including virtual learning, webinars such as this, in-house training on your premises restrictions permitting of course, and we can provide training at various public nationwide locations.
Your Presenter
01:22 - And a bit about me, I head up NQA's information assurance business unit where I specialize in information security, privacy and business continuity and this is the result from a long career in security compliance and governance and with a track record of running multiple information security management systems. So I have sat on the other side of the table from the
01:44 - auditor and I know what it's like to be audited. If you have any questions please type them into the chat box as soon as you think of them and then I can hopefully answer them during the Q&A at the end.
01:55 - As ever with all NQA webinars you'll receive a recording of the webinar from our marketing team.
Agenda For Webinar
02:05 - Now many organizations have realized the benefits of being certified to a management system standard such as ISO 9001, but for whatever reason wanting to either extend or certify to ISO 27001 for information security. But information security can seem a daunting task with a variety
02:26 - of disciplines and often seemingly unfathomable terms for the uninitiated, particularly for those organizations that don't have in-house expertise and they may have heard anecdotally that 27001 has some significant differences not found in other standards. Well it does.
02:45 - So, this webinar is intended to demystify and clarify the differences. In particular I'm going to compare and contrast ISO 9001 and 27001 which are the most commonly paired standards when 27001 is involved. Then I'll take you through the heavy lift elements of 27001, that's the risk assessment
03:08 - and the risk treatment, which are reasonably straightforward but require some understanding of information security which is why I'd always encourage the use of an experienced consultant to guide your 27001 journey. I've carried out some analysis of where organizations go wrong in their risk assessment and treatment, resulting in non-conformities during the audit.
03:30 - And then I want to finish on a hot topic during the pandemic which is the use of managed service providers in a 27001 context and how you really should be holding them to account.
NQA Annex SL Comparison Tool
03:46 - You can download this Annex SL comparison tool from NQA's website. It lists all those standards on a sub clause by sub clause basis to show the similarities and the differences.
03:58 - It's particularly useful if you're considering an integrated management system.
04:02 - The text surrounded in an orange box is where the text in the standard is to all intents and purposes the same. That said where there are differences such as clause 4.4 on screen there the requirements are still very similar and Annex SL is simply a standardization of the management system clauses, whilst also allowing for the subject matter differences.
04:27 - Differences such as clause 8 where in 9001 most of the heavy lifting is carried out. Where it's all about the processes to produce quality products for customers.
04:38 - Whereas in 27001 there is very little to be said in section eight, 27001 doesn't care about customers for example and over the next few slides I'll do a detailed clause by clause comparison of 9001 and 27001.
Clause Comparison Between ISO 9001 and ISO 27001
04:57 - Whereas in 27001 the heavy lifting takes place in clause 6, in particular 6.1.2 information security risk assessment and 6.1.3 information security risk treatment. 6.1.3 also introduces the statement of applicability which is unique to 27001. The statement of applicability or SOA is a list of 114 security controls in 14 groups, A.5 to A.18, that are defined in Annex A of 27001.
05:31 - I'll show later how we use Annex A to create the statement of applicability.
05:37 - The important point to note here is that the 114 security controls are considered to be information security industry best practice. So an organization implementing them is placing itself in a strong position to defend its information assets.
Clause 4
05:56 - So, clause 4 and the context of the organization in both standards is almost identical, except for 4.4 where I've highlighted the words and its processes. So although we conduct process-based audits, 27001 is not a process standard as such, but actually I'll audit the security controls operating on processes in order to do that the process is audited.
Clause 5
06:23 - In clause 5 the big difference is 5.1.2 customer focus, which as I said is not a consideration at all for 27001, in all other respects they are the same where, for example in 9001 5.2.1 and 5.2.2 are rolled up into 5.2 in 27001.
Clause 6
06:46 - Now all Annex SL standards have 6.1, actions to address risks and opportunities, but it's in 6.1.2 and 6.1.3 where you'll spend your time in 27001 as we'll see later. Although all the standards are risk-based it's explicit in 27001 and very important to get it right again as we'll see later.
07:09 - 6.2 are the same but 27001 doesn't have a 6.3, instead there's an annex a security control for change management but that is for managing changes to security controls not to the management system.
Clause 7
07:26 - To 9001 support is a very important clause and here we can see the focus on making stuff, not just the management system but people, infrastructure, environment, monitoring, and knowledge are really important to 9001.
07:41 - Whereas 27001 only says the organization shall determine and provide the resources necessary for the establishment, implementation, maintenance and continual improvement of the ISMS.
07:55 - Nonetheless it's still a clause which will be audited and for which evidence must be provided. And I've included the rest of clause 7 here just to show that they are identical.
Clause 8
08:08 - Now clause 8, remember how the meat of 9001 was in clause 8, all 27001 requires is that the organization conducts the risk assessment and risk treatment specified in clause 6.
08:21 - Clause 8 is not audited as such although if a risk assessment has not been conducted or the risk treatment plan not implemented then non-conformities can be raised against clause 8.
Clause 9
08:36 - In clause 9 the only real difference between the two standards is measuring customer satisfaction, which 27001 doesn't care about. Of course in an integrated management system there are good economies of scale and efficiencies to be had in the internal audit program, where if you're auditing a 9001 process you can audit the security controls it uses as well.
Clause 10
09:00 - And finally, clause 10 where there is no difference. Again, in an integrated management system you can use the same corrective action process for example.
6.1.2 Information Security Risk Assessment
09:12 - Okay that's the compare and contrast done, let's look at the risk assessment as required by the standard. I've audited countless variations on this and typically as management systems mature the risk assessment
09:25 - and the risk treatment becomes more mature and sophisticated. I recommend as does the standard that you obtain a copy of ISO 31000 which is the ISO's guidance for performing risk assessments.
09:40 - I've broken out each step as required by the standard into four parts, the first is where you define the risk assessment process and the particular criteria for accepting risks, criteria for when risk assessment should be carried out which ensure that risk assessments are repeatable and consistent, that is if you perform the same risk assessment again you or someone else would come up with similar results.
10:06 - There's no getting away from the fact that risk assessments are very subjective, I've seen all sorts of tools and methods in spreadsheets and apps but ultimately they rely on informed opinion.
10:17 - Typically, with a lack of data to support those opinions. So, anything you can do to make them consistent that is the risk assessments regardless of who performs them is really important.
10:29 - Part two is where you think of what kind of risks could hurt the organization, but these are security risks to your information and they're based on the tenets of confidentiality, integrity and availability, the CIA of information security, and each risk must have an owner. An unowned risk is uncontrolled and a failing of the management system and the organization.
10:54 - Now part three is the really subjective part, first of all you estimate the impact of something going wrong, which is not too hard, in that you may have some experience of the costs of fixing problems and keeping customers happy. But then you have to guesstimate the likelihood of something bad
11:11 - happening, which is where many people struggle as we'll see. Once you have the impact and likelihood you can plug the numbers into a simple formula or matrix to calculate the overall risk level for each risk. In part four you take your risks and compare them with your criteria to decide which are the most scary and need something done to help your CEO sleep at night.
11:36 - So here's part one where we define criteria. In this case I've said I'll accept any risk that scores less than six or is rated as moderate and we'll see what that looks like in a minute, but I'll treat, that is mitigate, any risk that is six or rated high or above or causes a revenue loss
11:56 - of more than 20 percent or could harm the company's reputation or causes harm to my employees, whether it be their privacy rights for example or even physical harm.
12:08 - Finally, if the business is doing something that attracts an extreme rating I've decided that whatever I'm doing is too risky so I'm going to stop doing it, I will terminate it. I could also add another category of transfer, such as deciding to insure against a risk rather than mitigating it.
12:26 - I then define criteria for when I'm going to perform assessments in general those are when an event triggers the need, but note that I've also decided to conduct a risk assessment every year which is just good practice and then I've defined criteria
12:42 - for impact and likelihood, note how that as well as terms and levels I've also provided a qualitative description and quantitative values to help guide thinking which is really important for the repeatability, but of course you would define criteria that works for you.
13:01 - So now we have to identify the information security risks and here I've invented seven risks for my fictional organization, note how I've listed in the second column the information asset but that some of them the website database and laptops down at the bottom are actually information bearing assets so it's good practice to assess risks to those as well.
13:24 - And then I list each risk by whether it's a confidentiality, integrity or availability risk followed by the risk description. Me and my fictional learned colleagues in this fictional organization have described each risk as cause and effect.
13:41 - All too often I see risk descriptions that are not fully formed and as such can't be considered a risk, often the auditee has to describe to me what the risk is, which by the very nature of the thing means it's not a repeatable process. So, you can see for risk one that the cause is a phishing attack that led to a data breach and the impact was an ICO fine and reputational damage.
14:05 - There's an important point here in this example not all personal data breaches cause a negative impact it might be such a low level that is handled as BAU.
14:15 - Therefore when you're in a room full of wise folk conjuring up potential risks to the organization, you should only concentrate on the risks that really matter. I've seen some risk assessments with hundreds of rows in a spreadsheet which just becomes harder to manage. Risk two is another risk
14:32 - to customer data only this time it's an availability risk, but I could also have multiple confidentiality risks to customer data and so on and so on. Note the laptop theft risk in this case I've assumed that the laptops are encrypted so I'm not worried about the data falling into the wrong
14:50 - hands just that for a short time the owner can't do anything until they get back into the office which is why I've called it an availability risk. And finally every risk is assigned an owner for audit purposes it's good practice to obtain acknowledgements from those owners.
15:10 - Now this is where we take the impact and likelihood criteria to each risk and then calculate an overall risk rating using the new table in the middle.
15:21 - For risk one I've assessed that the impact would be over 10 million and that it could happen every six months which results in a very high-risk rating. Whilst the impact is easier to work out we're attempting to predict the future when we assess likelihood, now I don't know about you but
15:38 - I don't have access to Carol Kirkwood's Met Office supercomputers in order to make predictions about future information security events, so it's always going to be best efforts. I recommend you don't go for the easy middle ground of it might or it might not happen, that doesn't really help business decision making, so stick your neck out and go for the ends of the scale.
15:59 - This is best achieved by discussion with a bunch of people who know the business, its operating environment and ideally including someone with information security experience.
16:13 - And now I prioritize the risks which are the ones that I worry about the most. And these are prioritized and you can see here that risk 1 followed by risk 4 and so on are my selected order risks 6 and 7 are low enough to be way down the pecking order.
6.1.3 Information Security Risk Treatment
16:30 - Now that I've analyzed the risks I've got to do something about them, or do I? Let's have a look 6.1.3 is broken down into these steps which is where we will involve those industry best practice controls in Annex A to produce the statement of applicability. We start by determining what
16:52 - our options are and then what security controls we need to introduce to bring the risks down to acceptable levels. We then compile a statement of applicability and create a risk treatment plan which we must have approved and having done that we go back and calculate the residual risk.
17:13 - Note the new leftmost column titled treatment, I've listed below the criteria for accepting risks. Risk 1 must be treated because it's rated very high, whereas risk 2 I can accept without doing anything more about it because it's only rated moderate.
17:31 - Now that doesn't mean I will ignore it, it will require monitoring, but that's easy to do because it exists in a management system in the plan-do-check-act cycle. And so here we can see that according to my criteria, I'm going to treat risks one, three, four and five and accept risks two, six and seven.
17:54 - Now I have to determine the necessary controls and this is where I figure out what I need to do to bring the risks down to acceptable levels. In this case I'm just going to use risk 1 as the worked example. It's the result of a phishing attack so I want to improve the training for all
18:10 - staff on how to recognize a phishing email and then I want to give them a button in Outlook that will quarantine the suspect email and safely forward it to IT to deal with, in addition I want to procure a phishing detection tool for my email gateway and then in case phishing malware breaches my defenses I want to make sure my antivirus software will detect it.
18:33 - But for a belt and braces approach I want security alerts on the event logs for when suspicious activity is detected and I don't want access permissions to be abused by the malware so I'll perform a review on every user's information access and then because I allow users to access information from their mobile phones I'll implement a remote mobile device management tool.
19:02 - Now I compare all of my selected controls with those in Annex A to verify that none have been missed in order to compile a statement of applicability.
19:13 - So controls one and two for risk one are for phishing training, here is a screenshot of Annex A controls A.7.2.1 and A.7.2.2 which meet the need of controls one and two, so I'm going to include A.7.2.1 and A.7.2.2 in my statement of applicability and for the phish reporting button in Outlook I can select A.16.1.2 because it's about reporting a suspected security event, so I include that in my statement of applicability.
19:48 - The automated tool is a control against malware so I select A.12.2.1, I've also selected A.12.6.2 because another control against malware is to use Active Directory policies to prevent the installation of unapproved software.
20:08 - Having the conversation with my antivirus provider to determine if their software can detect phishing attack payloads is part of monitoring and reviewing the services of suppliers.
20:18 - So I add A.15.2.1 to the statement of applicability. 12.4 is about logging and monitoring which nicely supports the aspiration for my automated event alerting and log analysis tool. So I've selected all the controls from A.12.4 for the statement of applicability.
20:41 - Section A.9 in Annex A is all about access control, there are many controls I could have selected from A.9 but I've picked those which I think are the most relevant, in particular the review of access rights A.9.2.5.
20:57 - And finally for the mobile device management control I've selected A.6.2 mobile device policy, but I've also again selected A.7.2.2 for training because mobile users will need specific training, and I do the same for all the other controls I determined necessary for all the other risks.
21:21 - So now we have to produce a statement of applicability and having compared the controls my statement of applicability is starting to take shape.
21:29 - Note that the statement of applicability must list all of the 114 Annex A controls, you should state whether or not a control is included or excluded and provide a justification. In this example I've just listed a few controls to demonstrate the kinds of justification you might consider using.
21:49 - With A.5.1.1 I didn't map it to a control but I've included it anyway because security policies are a general security requirement regardless and in fact are the first control against all risks.
22:03 - With A.6.2.1 you'll recall it was mapped to one of the controls for risk one, for A.7.2.2 I've mapped it to risk 1 and some other risks but also as with all Annex SL standards there are requirements for communications and awareness. For A.12.2.1 I've included it in
22:24 - order to treat risks one and two but notice the implementation status of partial, the standard requires you to state whether or not the control is implemented and in this case I'm saying not yet but it's part of a plan, it's part of my risk treatment plan your auditor will like that.
22:41 - A.14.2.1 is a commonly excluded control, many organizations don't do software development and simply that is the justification for excluding it.
22:52 - And let's jump to 18.1.4 at the bottom again I've not mapped it to a risk treatment control but because I do business in the UK I've listed it as the legislation that I need to comply with.
23:06 - As a reminder you need to do this for all 114 Annex A controls when you're compiling the statement of applicability and this is usually done in a spreadsheet or a word document.
23:20 - You then have to formulate a risk treatment plan on screen is just an example every organization has its own way of project management and managing plans and so on, but the point is the standard requires you to have risk treatment plans and here you can see I've listed the risk treatments for
23:36 - risk one, the auditor will want to see your risk treatment plan or plans however you choose to do it and the auditor will want to see that you're monitoring progress and performance against each risk treatment plan.
23:50 - And finally for risk treatment each risk owner must have approved the plans to treat their risks, emails will suffice as evidence, then you calculate residual risk the three rightmost columns are a recalculation of the risk as if the controls had been fully
24:05 - implemented notice for risk one that despite all those controls the impact hasn't changed that's because a big breach is a big breach but I have brought the likelihood down and therefore the risk level, but it's still rated high so according to my criteria I should continue to treat it.
24:23 - Instead I ask the risk owner to approve it; if they don't, I have to find more ways to mitigate the controls.
24:31 - The other risks I have brought down to acceptable levels and also note I haven't run a residual risk calculation for risk 2, 6 and 7 because I didn't need to treat them in the first place.
Common Pitfalls – Causes of Non-Conformities
24:45 - And that's it for the most significant elements of 27001 hopefully I persuaded you to give it a go, I hope therefore that the next bit is also equally useful to you this is when things go wrong.
Common Cause of Minor NCs in 6.1.2 and 6.1.3
24:59 - I conducted an analysis of all the clause 6.1.2 and 6.1.3 non-conformities recorded in NQA's database, what you see is the result of that analysis which can be broadly broken down into a lack of conformant documentation or not following the standard or defined processes.
25:21 - Of these there's a few I want to call out which from experience cause difficulties for clients and sometimes consultants as well. Firstly the RA/RT/SOA linkage broken, that's the risk assessment, risk treatment, statement of applicability linkage is broken. Hopefully you'll have seen that there's
25:40 - a flow from identifying risks through to treating those risks to selecting Annex A controls for the statement of applicability. Sometimes we just can't see that linkage or flow or the client can't explain it, if we can't see it as auditors then it suggests that the process hasn't been followed and there's something wrong in the overall risk process.
26:04 - Another one I want to talk about is where the statement of applicability content has not been justified. Now I can understand how they can be missed off an odd one or two because 114 is a lot to wade through, but otherwise there is no excuse for missing justifications and the standard
26:20 - doesn't allow any leeway. And then finally, I want to call out missing risks, my fellow auditors and I have been at this for many years and we've all got a background in information security.
26:32 - We know what to expect we know what the typical risks are and if they are obviously missing we will call them out as non-conformities.
6.1.1 Actions to Address ISMS Risks and Opportunities
26:42 - I started the brief by going straight to 6.1.2 and 6.1.3 but in order to clarify some misunderstandings I must also discuss 6.1.1. I've audited many organizations who have conducted the risk assessment under 6.1.2 and claimed it covers 6.1.1.
26:59 - They're not the same risk assessment, 6.1.1 is about risks to the management system and that's common across all the Annex SL standards, whereas 6.1.2 is about risks to information. You don't need to conduct a full risk assessment for 6.1.1 but you do need to have plans to treat the risks and there on the slide you can see I provided some example risks and opportunities to the ISMS.
6.2 Information Security Objectives
27:27 - Clients often get information security objectives wrong as well, the standard's requirements are quite specific. So, I've listed the typical causes of non-conformities from which again I want to call a couple out. Objectives not being derived from the security policy and not taking into account the risk assessment and treatment
27:48 - means they are objectives that have been conjured up from somewhere else. The whole point of the management system is that it's all joined up and pulling in the same direction.
27:57 - And then sometimes the objectives are words only, they're slideware only with no plans in place or forms of measurement. Of course SMART is always a good idea and therefore it is often a suggestion that the objectives are not relevant or pertinent to the management system.
Outsourced Security and Managed Service Providers
28:16 - I promised I'd talk about the use of managed service providers. Increasingly during the lockdown I've seen organizations outsourcing large swathes if not all their IT to external providers. This usually means that the external providers are also operating many of the organization's
28:31 - security controls, but how good are they, how do the organizations know if the security controls are performing as they should do. Clause 9.1 is quite specific, it's quite explicit the organization shall determine what needs to be monitored and measured including information
28:50 - security processes and controls. It doesn't allow you to outsource and forget, if you're not doing the monitoring of your security controls then who is? Demand relevant and timely reporting on your security controls, seek assurance that they're applying critical patches in short order, that
29:06 - your firewalls and antivirus are repulsing attacks and so on and so forth. Now this may mean that you need to revisit the contract with your managed service provider because it's something that some of them don't do as standard but I'm pleased to report they are slowly waking up to it.
What We Covered
29:25 - Now today I've covered the similarities and differences between 9001 and 27001 and then concentrated on the major difference the information security risk assessment and treatment and then followed it up with some advice on how to avoid common pitfalls.
29:40 - I hope you found it useful and interesting and that you're persuaded to implement ISO 27001 in addition to your existing management system. Now it's time for Q&A.
Q&A
29:57 - So just bear with me and I'll have your questions up. Oh plenty of questions already thanks very much.
30:06 - First question, is it advisable to refer to ISO 22301 when assessing A.17 of ISO 27001? Well A.17 yes is information security aspects of business continuity. Certainly if you are certified to ISO 22301 or have implemented some form of 22301 compliant business continuity set of measures that are appropriate to the scope of your 27001 certification then absolutely refer to them, you've probably done the best thing you can do but they must be relevant to it.
30:44 - The next question said there is a six year time gap between the two standards. I don't quite understand the question I'm not sure if referring to 22301 and 27001, if you can clarify that question that would be great thank you very much. Then I have
31:02 - from Gandhi, which risk assessment approach is better, asset based or process based? Neither is better or worse than each other and you could certainly do them in conjunction with each other, both of them will bring out different aspects of risk, they'll bring out a different way of looking at potential impacts to your organization, so I would certainly recommend both approaches.
31:32 - From Sandley has the determination of the risk level at the guest stage taken into account the existing controls, that's a good point because as you saw when we do the residual risk treatment, a residual risk calculation, that's following the risk treatment plan the answer is
31:52 - when you're doing it at the first stage then yes you take into account the existing controls absolutely, I have seen some organizations that perform the risk assessment if they were to assume nothing was in place and I don't see the value in that because everything is exposed and everything is vulnerable. So yes perform the risk assessment based on your existing set of controls.
32:13 - If you find as a consequence that your existing set of controls aren't sufficient then your risk treatment plan should bring the risks down to an acceptable level which you calculate in the residual risk calculation stage. During audit for certification can a control be not fully
32:31 - implemented that's from Georgios. Absolutely it can, if it's not fully implemented but from an auditor's point of view what I want to see is that you are doing something about that control, either some top management has decided to accept the consequences of the control not being fully
32:47 - implemented, we've got plans in place to fully implement them fully implement the control and you're working towards it. A partially implemented control left hanging is not a good place to be, it won't help your organization at all, Claire I assume you're not on the on the
33:04 - call anymore, I got called to an urgent meeting will there be a recording? Absolutely there will be, every attendee will be sent a recording of this webinar. Alan has said is penetration testing always necessary? No it's not, it really does depend on your risk profile,
33:23 - your risk appetite, the kind of industry you're in, the extent to which you have an internet facing, an internet presence or information assets that are accessed over the internet. If you take Cyber Essentials for example there's two levels to that but ostensibly there's
33:41 - an element of vulnerability assessment only. So no penetration testing is not always necessary but I would say they're a very good thing to have if you if you can afford them.
33:54 - Suraj, I'm not sure your question please ensure risk deviation and treatments. If you can clarify that question in the question and answer box that would be great thanks very much.
34:05 - Falter, you've asked how to planning. Again sorry I'm not sure what question you're asking there.
34:15 - Rick Belton, how does 27001 compare with 45001 and 14001 in terms of compliance obligations? I assume you mean there in terms of compliance obligations by applicable legislation? If that's the case there is some fairly specific legislation
34:36 - that would set the context of the organization from an information security point of view such as the Data Protection Act, the Computer Misuse Act and so on and so forth, but with most of these standards when you're defining the context of the organization there's often a much broader
34:52 - list than that goes beyond the subject matter, but the point is they're Annex SL standards so they have a broadly similar requirement in terms of compliance obligations.
35:05 - So Mithila you've tried the clarification yes the time gap referred to the two standards, I'm not sure what you mean by, I'm sorry this is not the ideal environment for clarification but I'm not sure what you mean by the time gap referred to the two
35:19 - standards, which time gap you're referring to yeah. I finally clarified your question how to make planning of internal audit requirements approach or process approach. Well the requirements are in the standard however you will be operating a set of processes in your organization. So first of all
35:40 - from an auditor's point of view I would expect you to meet the requirements of the standard, but you could cover off those requirements by operating a process approach and particularly if you have attached 27001 to 9001 you're operating in a process environment anyway with a start, a set of transformation processes and a bunch of outputs.
36:04 - That's a very good way of conducting internal audits as long as you make sure you've covered off the requirements within the standard and as I referred to earlier you can audit the security controls that operate on the processes that you have, bear in mind that the process approach might not cover all of your security controls so but essentially both work together.
36:30 - So you've just talked about, it's about risk deviation and treatments and you clarified that I think by saying as they're categorized into major minor critical and how different they are from 9001 and 27001. Again I'm sorry I'm struggling to understand what you mean there.
36:53 - In terms of the audit standards there's no difference in major and minor non-conformities they're the same whether it's 9001 or 27001.
37:03 - And in terms of risk if you mean major and minor risks or critical risks, well I'm sorry I'm trying to guess at what your what your question is here but actually 9001 doesn't really talk about it in the same manner perhaps you can drop me an email
37:21 - and we can answer your question more properly. You told us that the flow is RA, RTP, SOA, can we reverse the flow, i.e. can we perform the statement of applicability first by interviewing department heads or relevant key personnel to get a picture of the existing implementation at their company?
37:38 - Typically when you've got a group of wise folk together performing the risk assessment they know the organization, they're able to bring that information into the discussion and so yes you could work backwards but this is meant to be a risk-driven approach, so it may well
37:55 - be that you start with the risks and you start with the SOA and you meet in the middle with your risk treatment plan. So you can identify a bunch of risks and then someone else can say yes we have logging and monitoring in place and that can help inform your risk treatment plan
38:10 - and whether or not you need additional logging and monitoring for example. Ryan has asked what is the most controls you have ever seen excluded and they passed the audit? I like that question.
38:23 - Four I think is the most I've ever seen excluded, bear in mind that the Annex A controls are industry best practice so there are very few occasions where you don't include those controls.
38:40 - I would also recommend that people get hold of a copy of ISO 27002 which is information security guidance it offers guidance for all of the Annex A controls it's a really useful document.
38:55 - Okay Vivek, does A.17 require business continuity planning or will it suffice if information security aspects during a crisis are met outside the dedicated business continuity plan? Well I'll tell you what I'll do, I'll get a copy of the standard and have a quick look through it.
39:13 - It does talk about the requirement for information security aspects of business continuity and it says the organization shall determine its requirements for information security and the continuity of information security management in adverse situations.
39:29 - So typically you'd have a business continuity plan but it's up to you to determine how you're going to do it and it then expects you to establish and document and maintain processes for information security continuity and then it goes on to expect you to rehearse and practice those measures. Again business continuity planning is probably the best way of doing it,
39:52 - but you don't have to, but you do have to comply with A.17 however you choose to do it.
39:57 - Do we need to audit all controls annually? You need to audit all controls within the certification cycle. What we're looking for when we're doing the audit is that the organization is operating that continual improvement cycle.
40:15 - And when I come in and do the audit I will do a sample of the controls over three years so you could do the same and I presume here you're talking about the Annex A controls not the management system requirements. The question is really for the organization what do you need to check, monitor and measure to make sure that your security controls are performing correctly.
40:37 - So that works with clause 9.1 as well. If your view of the, so this is from Julie, if your view of the impact of a risk differs from that of your assessor as long as you provide an explanation will this suffice will they make recommendations for improvements? Yes and possibly yes if,
40:59 - I've seen it, where an organization has assessed a risk and I have seen an element of that risk which I believe is not correct or they've missed out and I can discuss that with the organization as long as the organization has got a fully formed argument for why it is, what it is.
41:14 - It's the organization's risk, it's not mine. If I think they're way off the mark I could certainly recommend some improvements to them and if it's completely off the mark it might even be a non-conformity but that's not what's going to be the case. But yeah as long as the organization is able to correctly justify why or what not it's their risk then that will suffice.
41:38 - Will the session be uploaded anywhere for catch-up viewing? Edward you'll be sent a copy of this.
41:43 - Can a risk owner be a department or a number of people? Ideally not a department, you can assign it to a role rather than a named individual because of course individuals move in and out of roles, but if the role owns it.
42:00 - The standard talks about ownership, the important thing in the standard is that you demonstrate that ownership is there and it's active, it's a living thing, it's not just a box ticking exercise. Hannah Mantha your question how to integrate cyber security in ISMS.
42:21 - I don't fully get the question but cyber security, information security, IT security the sort of descriptions for by and large the same thing particularly where organizations are conducting business or internet connected which is particularly about cyber security.
42:39 - The point is that ISO 27001 embraces all aspects of information security regardless of where they sit. I should also add there are bolt-on standards for cloud security such as ISO 27017 which further embrace the cyber security concept.
42:59 - Scepter sorry just lost your question just going back up. If the company have existing risk matrix risk assessment treatment based on 31000, 9001 and other science, should we make another base basis due to 27001? No if it's based on 31000
43:18 - you're in a really good place, the important thing is that the risk treatment has that statement of applicability in it and if you can demonstrate in an audit that you've got a fully formal functioning risk assessment process then no, well done and you should be congratulated for doing it, please don't have a second go at it because it'll just make it more difficult.
43:39 - Anthony you recommended ISO 31000, would you recommend ISO 27005 instead or in addition? 31000 is it I thought it had been I thought 31000 replaced 27005 anyway. Stephen thanks very much nice feedback there.
44:04 - Yeah it's assumed that questions make a statement I completely uh get where you're coming from you and I seems to have shared experiences there, so I'm glad that it helps.
44:13 - Ryan, what are the challenges associated with a remote based organization from a physical security expert perspective, will the audience take a sensible approach with regards to section 11?
44:23 - Ryan the lockdown has meant that we are conducting remote audits and of course information security is great because it's online and you can do loads of screen sharing and conduct almost the entire audit remotely. So what we've been doing for
44:37 - physical security is somebody has been logging on to a Teams call from their mobile phone and walked around the location, I've been grabbing screenshots and asking them questions and done it like that so it's been a virtual physical security tour of the premises. Now that's not ideal
44:56 - we can't guarantee we're getting everything so going forward post pandemic most audited organizations are moving to what we call a blended or a hybrid approach whereby most of the auditing certainly
45:07 - from a 27001 point of view will be done remotely but for certain aspects such as physical security we will go on site and actually that works quite well from a travel point of view.
45:21 - Anthony you say would you recommend 27003 yes absolutely the entire 27000 series are excellent.
45:30 - Next one who ideally are interviewed in order for you or us as consultants to execute the risk assessment process, I know it all depends on the scope of the certification but who are they ideally and generally? That's a really good question for a previous organization I worked
45:46 - with when I was performing the risk assessment I gathered a whole bunch of people in, so I had people from, I think it was the head of the IT department, I had the customer service department there, I had a solicitor there, I had two bean counters there, you need the bean counters
46:03 - there, you can talk about impact, I had a privacy expert in there. The more people you can bring in and who are correctly briefed on what you're trying to do bring in that organizational and contextual knowledge and really will help you in the first place assess the impacts,
46:22 - work out what the typical impacts are going to be, the operational financial reputational and so on and so forth. And I said assessing likelihood is much more difficult, but if you've got say the security guy there and the IT guy there they've got a reasonable feeling for when things go wrong from an information security point of view, taking the security guys.
46:43 - So that helps build that common understanding of what the likelihood of things going wrong are.
46:52 - Harriet, would you recommend seeking compliance with 27001, 27018 for a service based security project well I would because I'm in NQA and we're a certification company and we do offer those standards. First of all there are
47:05 - unaccredited standards so you would get 27001 certification but 27017 will be bolted on to that. 27017 is really good if you're a cloud user or a cloud service provider you may wanna be both. 27018 is about privacy
47:25 - in the cloud you could use that. On the other hand you could bolt on 27701 which is a privacy information management system as well but certainly very good standards.
47:40 - How to, Hannah Mantha, how to integrate PIMS in ISMS process? That is the subject of a separate briefing and webinar more than go through in this subject but that's something we can certainly we certainly have discussed in a previous webinar. What if the premises are people's
48:01 - houses, the organization's fully remote? Yes Ryan I have come across this particularly new startups have got everything in Microsoft Azure and they work in their kitchen table across three or four houses. Yeah I'm not going to go in and audit their houses because all they've
48:17 - got is broadband and a laptop but we don't audit those, so it begs the question of them what do we do about the physical security audit. Well that's down then to the risk assessment and the extent to which the organization decides whether or not there are physical security controls in scope.
48:32 - How much of FAIR risk assessment methodology can be used during risk assessments in an organization where all risk impact criteria don't have financial values associated to them?
48:42 - That's a good question, well yes you can use the FAIR risk assessment methodology, what you have to determine is whether or not it's an appropriate methodology for you.
48:51 - Most or many risk assessments in an information security context affect the bottom line, it's not the same with health and safety for example, so FAIR may not be the most appropriate or maybe you can fine-tune or adjust it or combine it with another methodology.
49:10 - Okay that's the last question it's now 10 to 3 we've earned our overrun by five minutes but they were great questions so thanks very much for asking them. I'll close the webinar now so again thanks very much for joining and I hope you found it useful and as a reminder again you will be receiving a copy of this recording from our marketing department thanks very much.