The Biggest Shortcomings of ISO 27001

Monday, March 28, 2011

Dejan Kosutic


If you've been reading my blog, you probably think I'm convinced ISO 27001 is the most perfect document ever written.

Actually, that's not true: in my work with clients and in teaching the subject, the same weaknesses of the standard tend to emerge again and again. Here they are, together with my suggestions on how to resolve them:

Ambiguous terms

Some of the requirements in the standard are rather unclear:

  • Clause 4.3.1 c) requires that ISMS documentation include "procedures and controls in support of the ISMS" - does that mean a document must be written for each control that is applied (there are 133 controls in Annex A)? In my view, that is not necessary - I usually advise my clients to write only the policies and procedures that are needed from an operational point of view and for decreasing the risks. All other controls can be briefly described in the Statement of Applicability, since it must include a description of all the controls that are implemented.
  • (Un)documented policies and procedures - in many controls from Annex A, policies and procedures are mentioned without the word "documented". In effect, this means that such policies and procedures do not have to be written down, but this is not clear to 95% of the readers of the standard.
  • External parties / third parties - these terms are used interchangeably, which may cause confusion. It would be much better if a single term were used.

Organization of the standard

Some of the requirements in the standard are either scattered or unnecessarily duplicated:

  • Some controls are simply in the wrong place - for instance, A.11.7 Mobile computing and teleworking sits in section A.11 Access control. Although mobile computing does require attention to access control, section A.11 is not the most natural place to define issues related to mobile computing and teleworking.
  • Issues related to external parties are scattered around the standard - in A.6.2 External parties, A.8 Human resources security and A.10.2 Third party service delivery management. With the advance of cloud computing and other types of outsourcing, it is advisable to gather all those rules in one document, or one set of documents, dealing with third parties.
  • Employee awareness and training is required both in clause 5.2.2 of the main part of the standard and in control A.8.2.2. Not only is this duplication unnecessary, but it also causes additional confusion - theoretically, any control from Annex A can be excluded, so you may end up excluding a requirement that actually cannot be excluded because it is required by the main part of the standard. The same thing happens with Internal audit (clause 6 of the main part of the standard) and control A.6.1.8 Independent review of information security.
  • Some of the controls from Annex A can be applied very broadly and can include other controls - for example, control A.7.1.3 Acceptable use of assets is so general that it can cover A.7.2.2 (Handling classified information), A.8.3.2 (Return of assets upon termination of employment), A.9.2.1 (Equipment protection), A.10.7.1 (Management of removable media), A.10.7.2 (Disposal of media), A.10.7.3 (Information handling procedures) etc. I usually advise my clients to make one document that covers all those controls.

Problems or not?

Here are a few issues that are usually raised as problematic; however, I disagree with them:

  • The standard is too vague and does not go into enough detail - if it went into more detail about the technology to be used, it would soon be outdated; if it went into more detail about methods and/or organizational solutions, it would not be applicable to all sizes and types of organizations. A large bank has to be organized quite differently from a small marketing agency, yet both should be able to implement ISO 27001.
  • The standard allows too much flexibility - by this the critics mean the concept of risk assessment, under which certain security controls can be excluded if there are no related risks. So they ask: "How could it be possible to exclude backup or anti-virus protection?" Actually, with the progress of technologies like cloud computing, this kind of protection might not be the responsibility of the organization implementing ISO 27001. (However, in such a case the risks of outsourcing would be rather high, so other kinds of security controls would be necessary.)

Now what?

This standard will certainly need to change - the current version, ISO/IEC 27001:2005, is now six years old, and hopefully the next revision (expected in 2012 or 2013) will address most of the issues above.

Although these shortcomings can often cause confusion, I think that the positive sides of the standard outweigh the negative ones by a large measure. And yes, I really am convinced this standard is by far the best framework for information security management.

Cross posted from ISO 27001 & BS 25999 blog - 

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.