The Biggest Shortcomings of ISO 27001

If you’ve been reading my blog, you probably think I’m convinced ISO 27001 is the most perfect document ever written. Actually, that’s not true – working with my clients and teaching on the subject, usually the same weaknesses of this standard emerge. Here they are, together with my suggestions how to resolve them:

Ambiguous terms

Some of the requirements in the standard are rather unclear:

  • Clause 4.3.1 c) requires that ISMS documentation must include… “procedures and controls in support of the ISMS” – does that mean that a document must be written for each of the controls that are applied (there are 133 controls in Annex A)? In my view, that is not necessary – I usually advise my clients to write only the policies and procedures that are necessary from the operational point of view and for decreasing the risks. All other controls can be briefly described in the Statement of Applicability since it must include the description of all controls that are implemented.
  • (Un)documented policies and procedures – in many controls from Annex A, policies and procedures are mentioned without the word “documented”. In effect, this means that such policies and procedures do not have to be written down, but this is not clear to 95% of the readers of the standard.
  • External parties / third parties – these terms are used interchangeably, which may cause confusion. It would be much better if one term was used.

Organization of the standard

Some of the requirements in the standard are either scattered, or unnecessary duplicated:

  • Some controls are simply located in a wrong place – for instance, A.11.7 Mobile computing and teleworking is located in section A.11 Access control. Although when dealing with mobile computing one has to take care of access control, section A.11 is not the most natural place to define issues related to mobile computing and teleworking.
  • Issues related to external parties are scattered around the standard – in A.6.2 External parties, A.8 Human resources security and A.10.2 Third party service delivery management. With the advance of cloud computing and other types of outsourcing, it is advisable to gather all those rules in one document or one set of documents which would deal with third parties.
  • Employee awareness and training is required both in clause 5.2.2 of the main part of the standard, and in control A.8.2.2. Not only is this duplication unnecessary, but it also causes additional confusion – theoretically, each control from Annex A could be excluded, so you may end up excluding a requirement that is actually not possible to exclude because it is required by the main part of the standard. The same thing happens with Internal audit (clause 6 of the main part of the standard) and control A.6.1.8 Independent review of information security.
  • Some of the controls from Annex A can be applied really broadly, and they can include other controls – for example, control A.7.1.3 Acceptable use of assets is so general so that it can cover for example A.7.2.2 (Handling classified information), A.8.3.2 (Return of assets upon termination of employment), A.9.2.1 (Equipment protection), A.10.7.1 (Management of removable media), A.10.7.2 (Disposal of media), A.10.7.3 (Information handling procedures) etc. I usually advise my clients to make one document that would cover all those controls.

Problems or not?

Here are a few issues that are usually brought to attention as problematic, however I disagree with them:

  • The standard is too vague, it does not go into enough detail – if it did go into more detail about the technology that is to be used, it would soon be outdated; if it did go into more detail about the methods and/or organizational solutions, it wouldn’t be applicable to all sizes and types of organizations – a large bank has to be organized quite differently than a small marketing agency, however both should be able to implement ISO 27001.
  • The standard allows too much flexibility – by this the critics mean the concept of risk assessment where certain security controls can be excluded if there are no related risks. So they ask – “How would it be possible to exclude backup or anti-virus protection?” Actually, with the progress of technologies like cloud computing, this kind of protection might not be the responsibility of the organization implementing ISO 27001. (However, in such case the risks of outsourcing would be rather high so other kind of security controls would be necessary.)

Now what?

This standard will certainly need to change – the current version of ISO/IEC 27001:2005 is now six years old, and hopefully the next revision (expected in 2012 or 2013) will address most of the above issues.

Although these shortcomings can often cause confusion, I think that positive sides of the standard outweigh the negative ones in large measure. And yes, I really am convinced this standard is by far the best framework for information security management.

Leave a Reply