ISO 27001 – The Good and the Bad (Part I)

By cyberphob1a

Recently I’ve had the chance to attend an ISO/IEC 27001:2005 certification audit and see first-hand what it’s like to fulfil all the requirements of the standard.

Mostly, the audit was a good and interesting experience. However, it showed me some problems I have with the standard. Don’t get me wrong – I am a strong advocate of Information Security Management Systems (ISMS) and of ISO 27001 in particular. I think the active management of security, and the provision of processes to reach a security level that is adequate for one’s business, is great and at least as necessary as regular penetration tests and technical security measures. However, some parts of the standard might pose problems in real-world scenarios.

My fear is that these problems cause companies to

  • undertake security efforts that are not necessary and therefore diminish the real value of the standard
  • reduce security to the pure fulfilment of the formal requirements of the standard

The latter point was raised by the way the audit was conducted and seems to be a general problem with standards. Let me explain: the task of the auditor is to find issues in the implementation of the audited standard and – if one is found – raise a nonconformity. However, as you know, ISO 27001:2005 consists of two main parts: the requirements for the ISMS itself (the normative clauses), and Annex A, which lists the control objectives and controls taken from ISO 27002:2005 (formerly ISO 17799:2005). The actual security measures are defined in the latter. The ISMS requirements demand that the company perform a risk assessment and select the applicable controls from this list, documenting the selection in a Statement of Applicability. The implication is that the company can implement – or omit – any control it wants to (yes, omissions have to be justified in the Statement of Applicability, but management can accept any residual risk it wants to). Beyond checking that the controls the company did select are implemented as declared, the only thing an auditor can truly examine is therefore the first part, the formal ISMS requirements. And these are rather formal and might not always make sense.

I will describe the requirements that are troubling me in particular in part II of this posting.

[Update: Part II of "ISO 27001 - The Good and the Bad" is online now]

Image of Keys by kk+


One Response to “ISO 27001 – The Good and the Bad (Part I)”

  1. ISO/IEC 27001:2009 and ISO/IEC 27002:2009 « Cyberphobia Says:

    [...] still did not get around writing the third part of my ISO 27001 – The Good and the Bad Series (see Part I and Part II), but the topic was going to be this exact clause of the standard. It’s great [...]
