An Analysis of the Non-Conformities in ISO 27001
We've published an excellent Implementation Guide, but we can't tell you how to implement and maintain your ISMS. What we can tell you is where things typically go wrong during audits, and how those gaps often result in non-conformities.
In this series of blogs I'll go through every ISO 27001 clause and discuss the typical non-conformities found by our auditors. There are some common factors underpinning most non-conformities, and some of them can be avoided by paying close attention to the standard's requirements. Here are two as an example:
1. Missing mandatory documentation
There are 17 clauses and 10 Annex A controls where it is a requirement to retain documented information or to document something. The auditor will expect to see evidence of these, and their absence will almost certainly result in a non-conformity. In addition, there are some controls that don't mandate documentation but where the intent is the same, such as the cryptographic policy, clear desk policy, event logs, and data transfer policies. A common non-compliance is A.12.1.1, which requires operating procedures to be documented.
2. Failure to follow own procedures
Sometimes even a gold-plated ISMS is let down when the auditor visits the shop floor. Process operators reveal that either they're not following a defined information security procedure or they don't know that it exists. It could be sending sensitive emails insecurely, allowing people to tailgate, not reviewing system logs - there are many examples. One of the causes of this may be that the organization has not effectively communicated or integrated the ISMS into the organization - the auditor will try to find out why, in order to determine where the management system has failed. Some people don't follow procedures because they don't have the resources needed to follow them properly. Again, the auditor will pick up on this, because it is a top management leadership requirement to ensure the resources are available.
Clause 4, Context of the Organization
Almost half the non-conformities (NCs) raised against Clause 4 by NQA were because the ISMS didn't adequately define the external and internal issues affecting the organization's purpose. Why do you need to list the issues? Well, unless you know the issues affecting your organization you won't be able to integrate risk management into your operations - you can't manage risk if you don't understand your organization and its context.
Risk management can be difficult if your organization lacks security knowledge, which I'll be discussing in a future blog. But by knowing the issues that can affect you, you're laying the groundwork for managing your risks. Listing the issues is required by Clause 4.1 and is part of determining the scope of the ISMS, so inadequacy here also affects the scope definition required in Clause 4.3.
What are "issues"? External issues are the environment in which the organization operates. They're determined by what the organization does and by how that environment affects its objectives. For example, a web retailer's external issues will be very different from a school's. Whilst internal issues also affect the organization's objectives, they're self-imposed, such as the culture and structure. ISO 31000:2018 contains useful guidance and examples you could consider.
Scope is the next most common NC, where it's either missing entirely from the ISMS or is incomplete. Clause 4.3 exactly defines what is required, but note the dependencies on Clauses 4.1 and 4.2. Scope is important because it defines the boundaries of the ISMS. Sometimes it becomes apparent during an audit, as the auditor becomes familiar with the organization, that something is missing from the scope. Or perhaps the risk assessment lists information assets that are outside the scope, or omits assets that are clearly in scope.
Understanding the needs and expectations of interested parties, from Clause 4.2, often catches people out. The standard wants you to explicitly consider interested parties' information security requirements. It then helpfully notes that their requirements could be legal, regulatory or contractual, which essentially tells you what is required.
Our experienced auditors have frequently spotted that some essential legislation is missing - there are many statutes that have an information security implication, even if it's not obvious at first glance. Note also that during the Stage 2 audit the auditor will look at Annex A.18, which explicitly requires all relevant legal, regulatory and contractual requirements to be documented.
How do our auditors review your ISMS against Clause 4? As you'd expect, they're well versed in current affairs and applicable legislation, they've listened to you and your top management describe the organization, they're experienced security professionals, and they have likely audited other similar organizations. They will know what to expect, both generally and as required by the standard. The standard sets out the minimum documentation requirements, so anything missing will usually result in a non-conformity.
In my next blog I'll be looking at the typical reasons why non-conformities arise in Clause 5.
Authored by: Tim Pinnell, NQA Information Security Assurance Manager