ISO 27001 - Non-Conformities in Clause 7
24 February 2021
In this blog I look at the non-conformities typically found in Clause 7 - Support.
The findings are consistent whenever they arise and usually have the same root causes, for which I'll provide examples.
Clause 7.2 CompetenceThis clause can be summarised as: work out what competencies your organisation needs for information security performance, make sure your people have said competencies, and keep evidence of their competence.
It's important to note that doesn't mean you need information security experts - paragraph a. states: 'determine the necessary competence of person(s) doing work under its [ISMS] control that affects its information security performance'.
This means that the people within scope must be competent at their jobs where there is an information security aspect to it. For example, people in the IT department must know the implications of their activities on information security, whereas a call centre agent must be appropriately trained to validate the identity of customers.
It also means that Clause 7.3 Awareness is closely related, because everyone in scope has an information security role to play, through knowledge of the information security policies and procedures.
In order to comply the organisation must decide what the required competencies are, some of which are simply that staff know and follow the security policies. Although the standard doesn't require the required competencies to be documented, it is good practise to do so.
A common finding is that the organisation has not determined the required competencies. This is typically because it has not been done at all and/or it has been conflated with the listing of the existing competencies of the staff.
Again, work out what competencies you need and then if you have them, as per paragraph b.
Paragraph d. mandates that there should be documented evidence of competence and this is also a place for repeated non-conformities.
Incomplete or inadequate training records, CVs not up to date, professional qualification certificates missing, induction training not carried out are typical examples. Our auditors find these non-conformities when looking for documented sources and when interviewing staff.
It's important to note that experience is just as important as qualifications and training, although harder to document - CVs, annual performance reviews and other job-related records such as mentoring can all serve as objective evidence.
Clause 7.3 AwarenessAlmost all the organisations we audit define some form of awareness programme or regular communications to ensure staff are aware of the information security policy, their role in the ISMS and the implications of non-conformance. This often builds on the security elements of new joiners' induction programmes.
And almost all of the non-conformities arise during staff interviews. We ask client staff those three questions: their knowledge of the security policy, their role in the ISMS and the importance of it, and sometimes the staff just don't know. Sometimes they don't know where to find the policy and sometimes they just can't recall it.
This isn't a case of auditor's luck in finding non-conformities, instead it suggests that the awareness activities are not effective, which in itself presents a security risk to the organisation.
Clause 7.5 Documented InformationWe find that organisations frequently struggle to follow their own policies for creating and updating documented information. In part this is due to the volumes of data processed and the pace at which business is conducted. Paragraph 7.5.2 lays out the mandatory requirements for creating and updating documented information and then Paragraph 7.5.3 talks about the security controls for it.
Typical non-conformities include incorrect or missing classification labels, inconsistent naming, versioning or dating conventions, out of date references to superceded documents, missing documents and incomplete documents. In some cases the asset and risk registers are found to be out of date, or that they have been updated but the date and version numbers have not.
A lack of information retention policy or the IRP not being followed e.g. we've found old documents left on file servers or emails going back many years, are also causes of non-conformities.
In my next blog I'll look at Clause 9 - Performance Evaluation. I won't be looking at Clause 8 because that requires organisations to have implemented the activities of Clause 6.