In my last post about ISMS (Part I of ISO 27001 – The Good and the Bad) I wrote about why it may be dangerous to reduce the ISO 27001 standard to just its formal requirements. This time I’d like to specifically name a couple of sections I don’t 100% agree with.
The first section is 4.2.1-d: Identification of Risks. This is one of the key requirements of the standard. It’s the requirement that made the standard such a success. I don’t have a problem with the requirement itself – quite the contrary. The need to do a risk assessment means that most companies concern themselves with risks to information security for the first time. What I do not like is the phrasing of the requirement: “Identify the risks”. “The risks” is a rather broad term. It can be everything and nothing at the same time.
However, what I think is really bad is the approach that has to be taken to analyse the risks. The sub-requirements demand (among other things) that you identify the threats and the vulnerabilities that might be exploited by those threats. While knowing the threats is of course important, the requirement to identify vulnerabilities is IMHO problematic for two reasons. The first one is that there are many, many vulnerabilities for practically every threat to any asset. Just think about how many vulnerabilities might cause data to be stolen from a laptop.
IT assets are especially tricky because, apart from there being reams of vulnerabilities, the second problem hits: chances are high that you either forget or simply don’t know the vulnerabilities. Maybe this is because I come from penetration testing, but how the heck are you supposed to know all the vulnerabilities in Windows? And I’m not even talking about the vulnerabilities that have not been discovered yet.
In my opinion it is more important to know your threats and find out how to counter them. Knowing the vulnerabilities can help in some cases, but what I want to know is: did the people who wrote the standard ever do this themselves? Identifying all assets and threats in a medium-sized company is more than enough work. Having to take stock of all vulnerabilities as well is simply infeasible in practice.
The impact of the requirement is rather damaging: since it’s almost impossible to find all vulnerabilities, companies either put endless amounts of time into the risk analysis (which is just not the intent of the standard as I understand it), or the inventory of vulnerabilities is incomplete and therefore totally useless, or the auditor has to certify an ISMS that does not completely fulfil the standard. In most cases it’s one of the latter two.
Since this post is already rather long, I’ll write a third part (and probably also a fourth, since I have some more ideas about what to write) continuing this ISO 27001 rant.
Picture of high-security gate by slimmer_jimmer
Tags: 27001, Certification, Information Security, ISMS, ISO 27001, ISO27001, Rant, Security, Standards
January 20, 2008 at 11:31 am |
[...] not get around writing the third part of my ISO 27001 – The Good and the Bad Series (see Part I and Part II), but the topic was going to be this exact clause of the standard. It’s great that they want [...]
February 4, 2008 at 9:27 am |
Hi All
I am presently practicing ISO 27001. It would be of great help if somebody could help me in listing the documents which need to be prepared for implementing each and every control objective,
or even a list to refer to for ways to implement each of the controls.
Thanks in Advance