Cart Before The Horse - ISO 27001 versus Critical Controls
ISO 27001 provides a process framework that can help organisations to reduce risk, optimise security operations and create a holistic program, upon which a culture of information security can be built. Consequently, ISO 27001 has become a popular way for companies to communicate to their stakeholders that their approach to information security is based upon a best practice structured approach recognised across the globe.
However, prior to attaining such a valuable certification, a company must first consider its current information security posture and whether it is ready to embark upon an exercise that will necessitate both a financial investment and an investment in time and resources. The ongoing maintenance of the accreditation will, in fact, typically require significantly more effort than the initial gaining of the certificate.
Why is this so important?
The ISO 27001 standard instils a process to drive constant improvement in how organisations manage their information security processes. Information security is not just the responsibility of the InfoSec team: an organisation's security posture is affected by the actions of employees in IT operations, business operations and third-party suppliers. This means that information security must be embedded within a company from the management team downwards. Without management buy-in and ongoing support, it is questionable whether the accreditation can be achieved.
How to start?
ISO 27001 defines seven mandatory clauses:
1. The context of the organisation
6. Performance Evaluation
Each clause contains a number of requirements. For example, clause 1 references the organisation's information security management framework, policies and procedures. During the implementation process, questions about data, awareness, and how a risk is defined and maintained need to be answered. It is therefore important that effective controls are already defined and in place before commencing the ISO 27001 accreditation process.
With this in mind, a good place to start is to assess the controls you already have in place against well-regarded control frameworks. The CIS Critical Controls and Cyber Essentials are both good candidates. Each provides a set of concrete defensive actions that address today's most pervasive and dangerous attacks. The controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners.
Starting here will help you close vulnerabilities and reduce the risk of attack. These frameworks are recognised as industry best practice, and as such can be used to demonstrate to business stakeholders, customers and regulators that your organisation is taking a rigorous approach to information security.
Once you are confident that the right controls are in place, then focus on ISO 27001.