Implementing ISMS Controls Is Only First Step

Control maturity and effectiveness measurement of implemented ISMS controls are often the  overlooked keys to success.

Your company has decided to pursue the ISO/IEC 27001:2013 certification and now the business of meeting the requirements are underway. The strategy has been created and projected over a period of time probably between six months to a year. The management team has taken the first steps to establish the scope of the ISMS, drafted the ISMS policy and started designing the Risk Management Strategy.

Annex A – ISO/IEC 27002

Now it’s time to become very familiar with the ISO27001 Standards’ requirements and recommended security controls in Annex A. Remember that you aren’t obligated to use the controls provided in Annex A, also known as ISO 27002 — a more complete listing of each control with best practice implementation guidelines — but these proven security controls are an excellent choice for a successful ISMS. The best way to begin the familiarization process is to perform a Gap analysis by reading through each clause in ISO 27001 and analyzing whether the requirement is already implemented in your organization or not. You may also want to determine if your plans for a future implementation meet the specific requirements of ISO 27001. Since the Gap is mandatory in ISO 27001 when building your Statement of Applicability (clause 6.1.3), but only Annex A (ISO 27002), the security controls, is required to determine their applicability and implementation status.

A properly done Gap analysis in the early stages of the process can be considered a Readiness Assessment that will determine how much work will be required to meet the ISO 27001 requirements. The Gap may also help to determine the resources and stakeholders involved/responsible for the implementation work, monitoring and reviewing of the necessary controls. Another important reminder is that the Gap needs to accompany the Risk Assessment, since the mitigation of the identified risks is executed through control implementation. Performing the Gap prior to the Risk Assessment could be a very good exercise for anyone unfamiliar with the ISO 27001 Standard and controls, but if you’re more knowledgeable about the Standard, then perhaps the Gap can be performed after your risk assessment. Another positive benefit of performing the Gap Analysis on the controls in the early stages of the process is identifying the numerous required documents and records (20 mandatory plus 18 commonly used) that need to be updated or created throughout the process. The documents are the policies, procedures, records and reports that validate the work in strategy.

We are the creators of Risk Management Studio, an intelligent application for risk management and business continuity, and our framework establishes that the Gap Analysis, Risk Assessment, Control Assessment, and Risk Treatment all be interconnected. We believe this streamlines your risk management strategy and eliminates excess steps and tasks, as well as combining your efforts for higher efficiencies. You can perform your Gap analysis on the Standards you’ve deployed in RM Studio and then further analyze the implemented controls in the Control Maturity and Effectiveness Assessment.

Why would you want to analyze how mature and effective your implemented controls are when the ISO 27001 only requires that the Gap analysis of the controls be performed in order to create the SoA?

Control Maturity and Effectiveness

Because simply deeming a control as implemented in your organization only looks good on a piece of paper or screen. The need to take your strategy to a higher level has never been more apparent in business today. Everyday there is news of a major hack or security breach and it’s not just the big companies that make the headlines, as more and more SMEs are targeted daily.

The ISO 27001 Standard does actually require continual improvement year over year (clause 10.2). Implementing controls is only the beginning of the process and every organization must continuously make adjustments over time to maintain or improve the implemented controls in order to successfully achieve a risk management strategy that exists to impact the survival of the entity.

A maturity model is the best way to audit and evaluate the implemented controls. Maturity models are a part of many common control frameworks (COBIT, COSO, etc.) and represented through levels. In RM Studio we represent the maturity levels as: Initial, Repeatable, Defined, Managed and Optimized. The levels are primarily establishing desired knowledge and competence of staff, effective processes and procedures, and monitoring and measuring of compliance. Moving up the levels is done over periods of time and the higher levels requiring the most amounts of time and resources invested to achieve. A clear understanding of maturity modeling of implemented controls provides accurate data to the decision makers for potentially improving business processes, as well as resource investments desired to attain the highest levels of control implementation maturity or simply, effective enterprise risk management.

Another aspect of the Control Assessment is the determination of the effectiveness of each implemented control. Even though you may be attaining the desired levels of maturity in your implementation, you may be missing the effectiveness of your efforts. Analyzing the effectiveness of each implemented control similar to the maturity in terms of levels provides a better understanding of why you are implementing a control. When reviewing the effectiveness of controls, you may determine that the cost of implementing a control or the resulting loss if not implemented can be greater than the value of the asset the control is protecting.

Residual Risk

A key aspect to the Integrated Risk Management Framework built into RM Studio is the combining of the Gap Analysis and Control Assessment with the Risk Assessment to formulate the Risk Treatment. We use a risk scoring technique to determine the highest risks threatening the organization and the Control Assessment levels are applied to the risks for determining the Residual Risk. This strategy eliminates the reduction of all residual risk to minimal levels by simply deeming the corresponding controls as implemented and therefor mitigating all risk.

We know that you can never eliminate risk, but you can do everything in your power to mitigate as many possibilities of risk. Measuring said risk is vital to the organization’s decision makers and brand builders. If the leadership is making decisions based on faulty data received by you, then that can have a drastic effect on the organization and more succinctly, you.