There is no questioning the advantages of choosing an information security standard as the framework for an information security management system (ISMS). There are also many commercial benefits to be gained from taking the next step and certifying it against a standard such as ISO27001 (2013).
A requirement of such a certification is that the organisation internally measures compliance against its own ISMS. However, is this always approached in the right way? Do organisations risk misinterpreting the objectives of the ISMS and misshaping their operational processes, with the result that the ISMS hinders rather than supports their business objectives?
Internal Audit Function
In the past year we have seen examples of organisations using their internal audit function to measure their compliance against their information security standards and policies. In some instances the resulting amendments to simple processes and controls have over-complicated them. The most striking recent example was a set of additional physical security controls added on top of already robust logical access controls. The result was that the simple task of obtaining a system's configuration, a process which usually takes minutes, required a whole series of change requests and planning; the task then took many weeks rather than the minutes it should. What the organisation in question also overlooked was that the impact of this over-complicated process on its business continuity and disaster recovery planning had never been assessed. Such an organisation risks breaching its operational service level agreements unless senior management treats obtaining the configuration as an exceptions process, and that in turn introduces significant risk of abuse along with a lack of auditability and accountability. The organisation explained that internal audit had recommended the additional controls and that they were implemented without testing their operational impact. Sadly, this is not the only such example that we have seen in the past 12 months.
Organisations should consider, as part of their information security awareness and training, having security professionals (possibly independent ones, to ensure impartiality) educate the business and the internal audit department. The aim is a comprehensive understanding of information security risk management, and a sense of proportionality, so that security supports rather than hinders business objectives.