The Pitfalls of ISO/IEC 27001 and ISO/IEC 27002 Standards Implementation
5th Oct 2016
The ISO/IEC 27000 series is a growing set of International Standards for Information Security Management Systems, formulated and approved by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Information security is held in high regard by organizations, small or large, throughout the world. The overall success of an organization can be attributed in part to how well it secures the data it holds, ranging from information about its operations and activities to information about its members and the individuals involved in technical or operational functions.
ISO/IEC 27001 International Standard: Functions and Setbacks
The two most recently introduced standards in the series (published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)) are ISO/IEC 27001 and ISO/IEC 27002. The ISO/IEC 27001 requirements were published last October (2005). This International Standard for Information Security Management provides specific security protocols, as dictated by specific management controls. These management controls are essentially the 'requirements' that specify how an organization's operations are to be managed as far as information security is concerned; they also enable the organization to audit and certify compliance with the standard itself.
To ensure total information security, ISO/IEC 27001 is normally used in conjunction with the ISO/IEC 27002 standard. While ISO/IEC 27001 mandates specific requirements that must be met by the organization's management team, ISO/IEC 27002 is needed to guide those who implement the information security controls, by providing them with recommendations for an efficient information security setup. A potential pitfall of ISO/IEC 27001 is that it may provide assurance that the information security of a certified area is fully operational and doing its job efficiently, yet still say nothing about the status of the organization's information security as a whole. An ISO/IEC 27001 certificate ensures that the area that met the requirements has secure information protection; that security, however, may not reach other areas within the organization's management system.
To further stress how these requirements could become a burden to an organization's Information Security Management System, let us examine a scenario. Organizations are composed of departments, each with its own specific function(s). If one department (let's say the Finance department of the company) acquires ISO/IEC 27001 information security certification, the people who actually implemented the standard will have to establish the requirements and define the scope. Anything located outside the scope of the information security standard is treated as an outside branch or a different organization altogether. Other departments would then have to qualify and conform to the requirements laid out in order to access the certified department's information system. The purpose of information security is the preservation of confidentiality, integrity, and availability; only those within the scope can access the organization's information, and anything or anyone outside the scope is generally regarded as an external company or an unauthorized person. So even if an organization holds an ISO/IEC 27001 certification, this does not mean that all of its other departments are equally secured. A narrower scope moves closer toward total information security within that scope, but narrowing it too much will inhibit the workflow of the organization.
Alternative solution for ISO/IEC 27001 Implementation
A much better solution would be to forego a narrowed scope altogether and institute total security of the organization's information. Allowance agreements with all other departments would widen the scope of the organization's system: the requirements would dictate that only some information is accessible to those 'external links', and only when the information requested falls within the context of the requesting department's function(s).
ISO/IEC 27002 International Standard: Functions and Setbacks
The ISO/IEC 27002 standard provides a list of security controls needed to ensure the best information security management available, together with additional information and implementation advice on best practices for achieving the desired objectives. Those responsible for an organization's management system are directly responsible for its initiation, implementation and maintenance. Information Security Management Systems use ISO/IEC 27002, which revolves around the C-I-A triad: the preservation of the confidentiality, integrity and availability of an organization's information.
The ISO/IEC 27002 standard contains twelve main sections in which the information security controls (and their specific objectives) are provided and explicitly defined. The ISMS security controls are regarded as the pre-eminent authority on these matters, and they guide the system toward successful implementation of its objectives. However, unlike ISO/IEC 27001, 27002 does not prescribe a specific set of controls. The list of possible security controls is endless, so it would be difficult or impossible to provide all of them as part of a general-purpose standard. ISO/IEC 27002 only suggests a security control for each situation; it is in the hands of the organization's management team to create its own customized set of controls. Thus 27002 may cover some of the requirements of 27001, but it still lacks the all-encompassing management system elements. To ensure that an organization has the best possible Information Security Management System, it must adhere to both ISO/IEC 27001 and ISO/IEC 27002.
Some of the earlier problems observed in the use of ISO/IEC 27002 relate to:
- Personnel security (of the organization's employees)
- An organization's security (in dealing with third parties or contractors)
- System development and maintenance
Personal (employee) information may not be continuously updated, and the contracts to which employees were bound may not be checked regularly either, so some members who should no longer have authority to access the organization's information database may still be able to do so because the system was not updated. A regular system check-up and maintenance routine is needed to keep the information security system up to date. To achieve this, IT personnel will need to be given the additional responsibility of checking the system (and sometimes there are no IT personnel available to take on this burden). And of course it is possible that an organization's security is not updated at all. If reports are released detailing that no maintenance or improvements were made after the regular check-up, an organization may not take notice until a drastic information theft or hacking incident has occurred. This particular problem is still being studied, and there is no clear-cut solution as of yet.
Want to know more about the ISO/IEC 27002 standard and want to prepare for a formal certification exam? Register for the ISO/IEC 27002 Foundation Class.