ISO 27001 Common Mistakes

David Watson, one of the earliest exponents of the ISO 27001 standard and one of the best-known figures in the industry, highlights some of the most common errors and mistakes in Information Security Management Systems that he has encountered over recent years:

  1. There is frequently a lack of traceability of the controls in the Statement of Applicability (SoA) to the Risk Assessment and Treatment Process (and back to the SoA);

  2. Risk Assessments often just look at technical risks and forget that the organization is a business with business risks;

  3. The SoA is often ill defined and difficult to use. Typically this is one of the main documents that the CB Auditor will work with during the audit and it has to be clear, link to all the appropriate places or documents, and be understandable;

  4. Lack of management commitment is a serious problem. Only too often do I hear that the barest minimum of staff have been put on the project, and these are not ring-fenced, so the project suffers resource leakage;

(Read the complete newsletter here.)

Points 1 and 4 mentioned by David are the mistakes I see repeated most frequently among my clients. I fail to understand why most people treat information security as a compliance requirement rather than as a business issue.

Not committing enough resources to information security results in a disaster sooner or later, and it is a major reason why Information Security Management Systems fail to achieve an organization's information security goals.

A lack of traceability between the controls in the Statement of Applicability (SoA) and the Risk Assessment and Treatment Process may leave the information security team unable to correlate business, information and technical risks, and it significantly weakens the commitment to information security at all levels of the organization.

It is difficult for any business to achieve an efficient and effective Information Security Management System unless information security is treated as a business issue and information security responsibilities are included in the key responsibility areas of general management, business operations, support functions and service providers.
