{"id":4736,"date":"2011-03-21T22:45:58","date_gmt":"2011-03-21T22:45:58","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/011\/03\/21\/the-biggest-shortcomings-of-iso-27001\/"},"modified":"2024-12-21T16:22:55","modified_gmt":"2024-12-21T16:22:55","slug":"the-biggest-shortcomings-of-iso-27001","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2011\/03\/21\/the-biggest-shortcomings-of-iso-27001\/","title":{"rendered":"The biggest shortcomings of ISO 27001"},"content":{"rendered":"<p>If you\u2019ve been reading my blog, you probably think I\u2019m convinced <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a> is the most perfect document ever written. Actually, that\u2019s not true \u2013 when working with my clients and teaching on the subject, I usually see the same weaknesses of this standard emerge. Here they are, together with my suggestions on how to resolve them:<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Ambiguous terms<\/h2>\n<p>Some of the requirements in the standard are rather unclear:<\/p>\n<ul>\n<li>Clause 4.3.1 c) requires that <a href=\"\/27001academy\/iso-27001-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISMS documentation<\/a> must include\u2026 \u201c<strong>procedures and controls in support of the ISMS<\/strong>\u201d \u2013 does that mean that a document must be written for each of the controls that are applied (there are 133 controls in Annex A)? In my view, that is not necessary \u2013 I usually advise my clients to write only the policies and procedures that are needed from an operational point of view or for reducing the risks identified in the risk assessment. 
All other controls can be briefly described in the Statement of Applicability, which must in any case describe every control that is implemented.<\/li>\n<li><strong>(Un)documented policies and procedures<\/strong> \u2013 in many controls from Annex A, policies and procedures are mentioned without the word \u201cdocumented\u201d. In effect, this means that such policies and procedures do not have to be written down, but this is not obvious to most readers of the standard.<\/li>\n<li><strong>External parties \/ third parties<\/strong> \u2013 these terms are used interchangeably, which may cause confusion. It would be much better if a single term were used.<\/li>\n<\/ul>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Organization of the standard<\/h2>\n<p>Some of the requirements in the standard are either scattered or unnecessarily duplicated:<\/p>\n<ul>\n<li>Some controls are simply <strong>located in the wrong place<\/strong> \u2013 for instance, A.11.7 Mobile computing and teleworking is located in section A.11 Access control. Although access control is certainly part of mobile computing, section A.11 is not the most natural place to define the rules for mobile computing and teleworking.<\/li>\n<li><strong>Issues related to external parties<\/strong> are scattered around the standard \u2013 in A.6.2 External parties, A.8 Human resources security and A.10.2 Third party service delivery management. With the advance of cloud computing and other types of outsourcing, it is advisable to gather all those rules into one document, or one set of documents, dealing with third parties.<\/li>\n<li><strong>Employee awareness and training<\/strong> is required both in clause 5.2.2 of the main part of the standard and in control A.8.2.2. 
Not only is this duplication unnecessary, but it also causes additional confusion \u2013 in theory, any control from Annex A can be excluded (with a justification in the Statement of Applicability), so you may end up excluding a requirement that cannot actually be excluded because it is required by the main part of the standard. The same thing happens with Internal audit (clause 6 of the main part of the standard) and control A.6.1.8 Independent review of information security.<\/li>\n<li>Some of the controls from Annex A can be <strong>applied very broadly and can subsume other controls<\/strong> \u2013 for example, control A.7.1.3 Acceptable use of assets is so general that it can cover A.7.2.2 (Information labeling and handling), A.8.3.2 (Return of assets upon termination of employment), A.9.2.1 (Equipment protection), A.10.7.1 (Management of removable media), A.10.7.2 (Disposal of media), A.10.7.3 (Information handling procedures), etc. I usually advise my clients to write one document that covers all of those controls.<\/li>\n<\/ul>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Problems or not?<\/h2>\n<p>Here are a few issues that are often raised as problems of the standard; I disagree with them:<\/p>\n<ul>\n<li><strong>The standard is too vague and does not go into enough detail<\/strong> \u2013 if it went into more detail about the technology to be used, it would soon be outdated; if it went into more detail about methods or organizational solutions, it would not be applicable to all sizes and types of organizations \u2013 a large bank has to be organized quite differently from a small marketing agency, yet both should be able to implement ISO 27001.<\/li>\n<li><strong>The standard allows too much flexibility<\/strong> \u2013 by this the critics mean the concept of risk assessment, under which certain security controls can be excluded if there are no related risks. 
So they ask: \u201cHow could it be possible to exclude backup or anti-virus protection?\u201d Actually, with the spread of technologies like cloud computing, this kind of protection might not be the responsibility of the organization implementing ISO 27001 at all. (However, in such a case the risks of outsourcing would be rather high, so other kinds of security controls, e.g., those for managing external parties, would be necessary.)<\/li>\n<\/ul>\n<h2 style=\"padding-top: 5px; padding-bottom: 10px;\">Now what?<\/h2>\n<p>This standard will certainly need to change \u2013 the current version, ISO\/IEC 27001:2005, is now six years old, and hopefully the next revision (expected in 2012 or 2013) will address most of the above issues.<\/p>\n<p>Although these shortcomings can often cause confusion, I think the positive sides of the standard far outweigh the negative ones. And yes, I really am convinced this standard is by far the best framework for information security management.<\/p>\n<p><span class=\"notion-enable-hover\" data-token-index=\"0\"><em>To get the templates for all mandatory documents and the most common non-mandatory documents, along with a wizard that helps you fill out those templates,<\/em>\u00a0<\/span><a class=\"notion-link-token notion-focusable-token notion-enable-hover\" tabindex=\"0\" href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\" data-token-index=\"1\"><span class=\"link-annotation-unknown-block-id-1092142182\">sign up for a free trial<\/span><\/a>\u00a0<em><span class=\"notion-enable-hover\" data-token-index=\"3\">of Conformio, the leading ISO 27001 compliance software.<\/span><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you\u2019ve been reading my blog, you probably think I\u2019m convinced ISO 27001 is the most perfect document ever written. 
Actually, that\u2019s not true \u2013 when working with my clients and teaching on the subject, I usually see the same weaknesses of this standard emerge. Here they are, together with my suggestions on how to resolve them: Ambiguous terms &#8230;<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,1501],"class_list":["post-4736","post","type-post","status-publish","format-standard","hentry","category-blog","tag-iso-27001","tag-shortcomings"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4736","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4736"}],"version-history":[{"count":1,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4736\/revisions"}],"predecessor-version":[{"id":103341,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4736\/revisions\/103341"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}