Hannah Suarez, SSCP, takes us through the experience of implementing the substantially revised ISO 27001:2022 and upgrading from the 2013 version of the framework.

It’s been more than a year since the ISO 27001:2022 standards were released, replacing the 2013 version and including new and updated texts related to Cloud Security, Digital Trust and Cybersecurity Leadership. For startups and SMEs, these updates pose challenges around retrofitting their existing workforce to tackle the new standards – be it upgrading or implementing an ISMS (Information Security Management System). For organizations beholden to regulatory rules, the focus on third-party and supply chain assessments will enable them to focus on securing business growth via the ISO 27001 certification process.

I’m writing this article fresh from finishing an ISO 27001:2022 implementation for a startup. I implemented their ISMS according to the previous standard, and now I want to share with the ISC2 community what it’s like to upgrade.

Non-Negotiable Clauses for Cybersecurity Leadership

While I can modify or customize the scope accordingly – following risk management analysis or strategic objectives – Clauses 4-10 are non-negotiable and mandatory, and are required for a company to be ISO 27001 compliant:

  • Clause 4: Context of the Organization
  • Clause 5: Leadership
  • Clause 6: Planning
  • Clause 7: Support
  • Clause 8: Operation
  • Clause 9: Performance Evaluation
  • Clause 10: Improvement

I have observed that startups tend not to prioritize these clauses, instead making a beeline towards accepting all controls and guidelines – without risk assessment. This is problematic because, in the end, failing these clauses can mean the end of a successful implementation. Let’s look at how these clauses are relevant for startups and SMEs.

Cybersecurity Leadership and ISO 27001:2022

Executive Management Responsibilities

Before I agree to implementing and adopting the ISO 27001 standards, I check: “How involved is executive management?”

When I’ve seen a lack of buy-in and support from executive management, I’ve seen it result in unhappiness throughout the entire implementation process. I’ve seen executives inherit an ISMS without the motivation to maintain it, let alone upgrade to the 2022 version. Fortunately, this requirement is non-trivial and it forces the ISO 27001 Lead to address the problem in the very first instance. A failure of executive management to buy in, or to recognize its responsibilities, signals a potential root cause for failure to meet information security objectives overall.

Clause 4.4 requires planning for existing organizational processes and how they interact with the ISMS. This is further strengthened by clause 8.1, which sets the criteria for implementing these processes. When I work with startups where the CMM (Capability Maturity Model) is in its infancy, I expect major adjustments to processes, or even to document processes for the first time. I know that this work is a culture change for the organization – which requires explicit support from executive management.

Information Security Objectives Are Misaligned

The next problem I address is any misalignment between information security objectives and the overall strategic business objectives. In some ways, I’m educating executive management, so they understand the role and responsibilities of the CISO (or equivalent) and how it relates to the overall strategic and business objectives. In the ISO 27001:2022 standards, information security objectives are one of the main clauses.

Other reasons for misalignment that I’ve observed, and had to correct, include:

  • Management and other interested parties are uncertain or ill-informed of their roles in the ISMS. To address this, I communicate the roles as per the new clause 5.3 of the 2022 standard
  • A lack of support from all personnel and a lack of participation from interested parties. I’m supported in addressing this by clause 4.2.c, which states that interested party requirements must be addressed through the ISMS; and I’m further empowered via clause 9.3.2.c, under which the input of interested parties must also be part of the Management Review
  • A lack of communication of the IS (Information Security) objectives and those of the ISMS. In startups, I actually find it easier to communicate because of the flat hierarchy

Information Security is Treated Only Within the IT Domain

This is an issue that I’ve seen regularly. In fact, I’ve had to change actual titles to reflect the reality that information security does not equal IT security – a common misperception that I’ve noticed particularly in startups and SMEs. Information comes in many forms, both intangible and tangible: written words, code, images, intellectual property, physical property, conversations and more. Restricting the ISMS to IT and tech only will render it unsuccessful.

The Improper Application of the Standards

Many startups and SMEs may already be considering, or have already adopted, a Compliance-as-a-Service SaaS solution. The problem is that they blindly follow the templates, where the ISO 27001 standards are applied in full scope. When the Statement of Applicability is done without a risk assessment to determine the final scope, they struggle to implement controls in a way that is appropriate to the organization.

For example, I’ve worked with a remote-only startup with no requirements for a physical office. I had to spend months communicating that this startup had no physical office requirement. There was some push-back, but I was later approved to conduct the audit remotely.

This is when I need to escalate any risks to executive management. First, I train them in risk assessment and risk management. Second, I work closely with executive management on using their current organizational culture to build a security culture that improves domains such as Cloud Security and Digital Trust.

Consequences For Lack of Cybersecurity Leadership

Failure to meet the mandatory clauses signals a lack of cybersecurity leadership within any startup or SME. However, CISOs (or their equivalent) in startups and SMEs do not necessarily face the same regulatory consequences that apply to larger companies – for example, the SEC regulation on the reporting to shareholders of cybersecurity breaches with material impact. Clearly, though, this does not mean the consequences of an incident or a breach for an SME or startup will be inconsequential.

One of the common issues I run into working in startups and SMEs is the lack of resources and the potential reliance on a few major partners. The consequences that I highlight as part of risk management are that there are unacceptable threats to the business, in the form of losing a major partner or two, or of being decimated by the financial impact of post-incident or post-breach contractual and regulatory requirements.

Cloud Security and ISO 27001:2022

The latest standards introduced new controls relating to cloud security. Digital transformation now relies on cloud computing, which offers great flexibility through factors like variable pricing and the ability to scale where necessary.

For startups and SMEs, I see the following in the 2022 standards as relevant:

  • A.5.21 - Managing information security in the information and communication technology (ICT) supply-chain
  • A.5.23 - Information security for use of cloud services

There is neither enough space nor the time to explore cloud security in depth here. In fact, this one new control (A.5.23) could easily encompass more controls related to cloud security. Don’t fool yourself with this one addition though: take a complete risk-based approach when it comes to implementing and assessing IS in cloud services. Depending on the use case, I have also made the decision to conduct a DPIA (Data Protection Impact Assessment) or some sort of cloud data protection assessment in relation to the cloud service.

Digital Trust and ISO 27001:2022

Definitions of “Digital trust” vary. For this purpose, I placed the definition within the area of personal data protection, which ties in with the need to develop trust and accountability for new companies. From the perspective of both a customer and a business partner, exchanging personal data – in the knowledge that a company can be trusted in terms of handling personal data – is good for business.

The following new controls relate to the treatment of sensitive personal data:

  • A.5.34 - Privacy and protection of personally identifiable information (PII)
  • A.8.11 - Data masking
  • A.8.12 - Data leakage prevention

The addition of these new controls reflects the current state of requirements to protect personal data. This aligns with the growing reliance on cloud services and various “as-a-service” platforms that now interface with personal data. It also reflects what I see as a core part of the operational requirements of startups and SMEs.

Of course, there is a percentage that are running on-premise. But the option to simply spin up an instance in the cloud, to scale up or down depending on the use case, or to take advantage of “traditional” SaaS offerings (from customer information management to cloud service providers for business data) will continue to be a positive for many startups and SMEs.

Conclusion

This article is no more than an introduction to the comprehensive ISO 27001:2022 standards, based on my experiences. CISOs and other leaders with information security responsibilities in startups and SMEs can either meet the standards, or align with them. The trend of moving data from on-premise to the cloud is accelerating, and the new controls related to Cloud Security and Digital Trust help the standards align with current realities for startups and SMEs.


Hannah Suarez, SSCP, has almost a decade of experience in IT and information security, with a current focus on cloud security, ISO 27001 and third-party security in the telecommunications, software, marketing and airline industries. Hannah has also held technical roles, with responsibility for analyzing and implementing security standards.