4 minute read 16 Oct 2020

What challenges arise when managing an ISO 27001 certification program

By Jatin Sehgal

EY Global ISO Leader and EY CertifyPoint Managing Director

ISO management systems guru and subject matter professional for ISO implementation, training and certifications. Go-getter and entrepreneurial. Growth hacker, well-traveled and sport lover.


The resulting trends from more than 200 information security certification audits are discussed to identify what’s going well, and not so well.

In brief
  • Areas that are going well include leadership and commitment to improve information security, and information security in supplier relationships.
  • Risk management, identity and access management, and asset management are the top three areas that are not going so well.
  • Among the top recommendations for organizations are ensuring their risk-evaluation method is fit for purpose and defining KPIs for the management system.

Across 2018 and 2019, EY CertifyPoint performed more than 200 information security audits for more than 65 clients of various sizes from a range of industries. Analysis of the key findings and strengths raised during the certification audits, together with data on the certification scopes and how they changed over the years, has provided insights into industry trends and the typical challenges and pitfalls of operating an information security management system (ISMS).

The analysis covered audits performed against one or more of the following ISO standards:

  • ISO/IEC 27001:2013, which provides requirements for an ISMS.
  • ISO/IEC 27017:2015, which provides additional information security requirements for cloud service providers and cloud service customers.
  • ISO/IEC 27018:2014, which provides additional privacy requirements for cloud service providers.

Trends in certification scope changes:

From 2018–2019, 48% of organizations increased the number of locations within the scope of their ISMS. Sixty-seven percent of organizations increased the number of full-time employees within the scope of their ISMS.

  • Location increase: 36%. Average percentage increase for locations in scope of ISMS certifications from 2018 to 2019.
  • Headcount increase: 23%. Average percentage increase for employees in scope of ISMS certifications from 2018 to 2019.

As the organizations grow in size and complexity, managing the scope of the information security systems and integrating existing processes and systems into the new areas becomes more challenging. These areas could be new products, services, locations, people, departments, functions, innovations, tools or even entities or companies.

What is going well?

The analysis of results identified that the top two areas of strength for ISMSs were:

1. Top management’s involvement and commitment to improve information security and cybersecurity

Across organizations, top management has consistently shown involvement in and commitment to the management of information security and cybersecurity, for example by aligning information security and cybersecurity activities with business objectives or by embedding information security processes within organizational processes. This is consistently true across large, medium and small organizations.

Top management’s involvement: 3% of organizations audited were issued with findings and improvement areas relating to leadership and top management topics in 2018 and 2019.

2. Information security in supplier relationships

The management of information security in supplier relationships was a consistent strength across organizations. For example, information security requirements for suppliers are defined, documented and addressed within the relevant supplier agreements.

Supplier relationships: 6% of organizations audited were issued with findings and improvement areas relating to information security management in supplier relationships in 2018 and 2019.

What is not going well?

Within the management and information security control topics, the three biggest challenges were:

1. Risk management

The assessment and treatment of information security risks were key challenges across organizations. This included activities such as the development of an organizational information security risk management methodology, the identification and assessment of information security risks, and the resulting treatment of these risks.

Risk management: 35% of organizations audited were issued with findings and improvement areas relating to risk management topics in 2018 and 2019.

2. Performance evaluation

Another area of challenge for organizations was performance evaluation. This includes performance monitoring, ISMS internal audit and management reviews. Performance evaluation is important to an effective ISMS, as it allows the organization to identify areas of strength and potential improvement for the ISMS, thus enabling the continual advancement and evolution of the ISMS.

Performance evaluation: 26% of organizations audited were issued with findings and improvement areas relating to performance evaluation topics in 2018 and 2019.

3. Identity and access management

In terms of information security controls, the biggest challenge for organizations was access control. Effective access control is vital to strong information security, as it prevents the unauthorized use of or access to information assets. Within this topic, findings were categorized into four subdomains:

  • Business requirements: high-level controls such as an access control policy
  • User access management: user-focused controls such as reviews of access rights
  • User responsibilities: users’ own responsibilities for access control
  • System and applications: system- and application-level access controls

Access management: 16% of organizations audited were issued with information security control findings and improvement areas relating to access management topics in 2018 and 2019.

Overall, the top three recommendations for organizations to help overcome the challenges identified in the audits are:

1. Ensure the risk-evaluation method in the risk management methodology is suitable for the purpose of the organization. The methodology may be quantitative or qualitative in nature. Its main purpose should be to ensure that top management can clearly see the significant risks in the organization so that appropriate measures can be taken.

2. Define key performance indicators not only to measure the performance of the information security controls but also the management system performance. Cover all areas of the ISMS in terms of the information security controls and objectives as part of the monitoring of controls. Perform the internal audit on the entire scope of certification (or organization). Regularly discuss the results of the monitoring activities and the audits with top management and obtain feedback from the management to steer the program in the right direction.

3. For better identity and access management, follow the principles of (as applicable):

  • Centralizing your approach
  • Zero trust identity security
  • Least privilege
  • Automation of provisioning
  • Checking and rechecking
  • Multifactor authentication
  • Cracking down on orphaned accounts
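One way to put the "checking and rechecking", least privilege, multifactor authentication and orphaned-account principles above into practice is a periodic access review that cross-references the identity provider's account export with the HR roster and each role's entitlement baseline. The following Python is an added, hypothetical example written for this page, not code from the article or from EY CertifyPoint; every employee id, user, role and entitlement in it is constructed.

```python
from datetime import date

# Constructed sample data: employee id -> (role, still employed?)
HR_ROSTER = {
    "e100": ("developer", True),
    "e101": ("finance", True),
    "e102": ("developer", False),  # left the company; account should be gone
}
# Least-privilege baseline: the entitlements each role legitimately needs
ROLE_BASELINE = {
    "developer": {"git-read", "git-write", "ci-run"},
    "finance": {"erp-read", "erp-post"},
}
PRIVILEGED = {"erp-post", "prod-admin"}  # entitlements that must have MFA

# Constructed account export from the identity provider
ACCOUNTS = [
    {"user": "alice", "owner": "e100", "ent": {"git-read", "git-write", "ci-run"}, "mfa": True, "last_login": date(2020, 10, 1)},
    {"user": "bob", "owner": "e101", "ent": {"erp-read", "erp-post", "prod-admin"}, "mfa": False, "last_login": date(2020, 9, 15)},
    {"user": "carol", "owner": "e102", "ent": {"git-read"}, "mfa": True, "last_login": date(2020, 9, 30)},
    {"user": "dave", "owner": "e101", "ent": {"erp-read"}, "mfa": True, "last_login": date(2020, 5, 1)},
    {"user": "svc-build", "owner": "e999", "ent": {"ci-run"}, "mfa": False, "last_login": date(2020, 10, 10)},
]

def review(accounts, roster, baseline, privileged, today, stale_days=90):
    """Return (user, finding) pairs for accounts that breach the principles."""
    findings = []
    for a in accounts:
        emp = roster.get(a["owner"])
        if emp is None or not emp[1]:
            # Orphaned: no current employee owns it; disable before anything else
            findings.append((a["user"], "orphaned"))
            continue
        role, _ = emp
        excess = a["ent"] - baseline.get(role, set())
        if excess:  # more than the role's least-privilege baseline
            findings.append((a["user"], "excess:" + ",".join(sorted(excess))))
        if a["ent"] & privileged and not a["mfa"]:
            findings.append((a["user"], "privileged-without-mfa"))
        if (today - a["last_login"]).days > stale_days:
            # Unused accounts are re-checked and removed rather than left open
            findings.append((a["user"], "stale"))
    return findings

def review_sample(today=date(2020, 10, 16)):
    return review(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, PRIVILEGED, today)

if __name__ == "__main__":
    for user, finding in review_sample():
        print(f"{user}: {finding}")
```

Each finding maps back to one of the listed principles, and the review itself is the evidence an auditor would expect for the "reviews of access rights" subdomain.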

Summary

The article discussed insights that EY CertifyPoint has seen during ISO/IEC 27001:2013, ISO/IEC 27017:2015 and ISO/IEC 27018:2014 audits, performed between 2018 and 2019. Some of the areas that are going well are leadership and commitment to improve information security and information security in supplier relationships, while risk management, identity and access management, and asset management are some of the areas that are not going well.
