Common Challenges in ISO 27001 Implementation
Scoping the ISMS
For most organizations, the adoption of ISO 27001, the standard for implementing an Information Security Management System (hereafter referred to as the ISMS), is driven by the need to standardize, to comply with regulation, to gain a competitive advantage, and so on. In other cases it is driven by clients who demand evidence of a secure and controlled environment before they will engage. Either way, implementing the standard is immensely beneficial to the implementing organization.
As a consulting firm that supports its partners in achieving this and other certifications (around data privacy, enterprise risk and business continuity), we have found that there are decisions organizations struggle to make that strongly influence the success of the management system they implement. One such decision is scoping the ISMS.
What is ISMS Scoping?
Scoping is a requirement of ISO 27001:2013, clause 4.3: Determining the scope of the information security management system. In scoping the ISMS, an organization determines the boundaries and applicability of the management system in terms of physical locations and sites, systems, people, processes and information assets, and records the result as documented information. To get there, the organization must first establish its operating context: the external and internal issues relevant to its operations (clause 4.1) and the interested parties together with their needs and expectations (clause 4.2). The scope must also account for the interfaces and dependencies between activities inside the scope and those performed by other parts of the organization or by third parties. This sets the stage for what matters to the organization from a strategic perspective.
When assessing the organization's context to determine the scope, a common approach is to start from the products that give the organization its competitive edge. For a bank, this might be its mobile money wallet, internet banking platform or core banking system. For a manufacturing firm, it could be the Enterprise Resource Planning system that manages all operations in the supply chain. Identifying such a system is a reliable way to inform the management system's scope.
Another approach is to identify a service that is of strategic focus for the organization. This could be credit management services for a financial institution, lab services for a medical research firm or a Software-as-a-Service offering for an eCommerce business.
Whichever way scoping is approached, it is imperative that the organization identifies the interdependencies with other stakeholders, since these determine how easily standardization can be achieved on the chosen scope.
Challenges in ISMS Scoping and recommendations for getting past them
From my experience, the initial ISMS scope chosen shapes the organization's culture for better or for worse. A poorly scoped ISMS frustrates the implementing team, confuses the stakeholders involved, and leaves staff fatigued by endless back and forth in control reviews, risk assessments and decision making. The most common challenges to effective ISMS scoping include:
Size of the scope:
For most organizations, certifying all processes and systems looks like an obvious big win. However, a large scope carries risk: controls may have broken down significantly in some areas, or processes may not be standardized consistently across the organization. Where a large scope is selected, there are many stakeholders and therefore many interdependencies that must be addressed as part of implementing the management system. These interfaces include suppliers, customers, the media and so on. It is also important to note that departments that are not within the scope of the ISMS should be treated as dependencies that are "external" to the scope but internal to the organization, with the interfaces to them documented and controlled accordingly.
In this case, we recommend making continual improvement the focus. Starting small from a scoping perspective and extending the scope at subsequent surveillance audits allows the organization's processes to mature alongside the management system and lets information security become ingrained in the culture.
On the flip side, a scope that is too narrow is a problem because it has too few interfaces with the outside world. If, for example, the scope covers a single department with its own processes, information flows and systems and few interdependencies with the rest of the organization, auditing it makes little sense.
A narrow scope introduces unnecessary overhead, and hence inefficient use of organizational resources.
Information Systems prioritized in the scope
When settling on a scope, it is important to choose a system that has strategic significance to the organization. This could be the service with the largest customer base or the biggest revenue earner. It is critical to think this through to avoid settling on an information system that will soon be obsolete.
Another critical consideration is the underlying infrastructure on which the selected system is hosted. A major breakdown in the security configuration of the system, or of the infrastructure it sits on, could lead to a major non-conformity and an unsuccessful certification. A good example is a Human Resource system consumed from a third-party cloud provider as a service. In such a case, you cannot directly verify the controls implemented on that system, critical as it is, and must rely on what the provider is willing to evidence.
Significant reliance on third parties
Where there is significant reliance on third parties, as with the Human Resource system above, the auditability of the scope becomes considerably harder. In such a SaaS model, controls such as patch management, backup and restoration, encryption, incident management and ensuring uptime and availability are the vendor's responsibility. The certification audit cannot audit the vendor directly, but evidence of the effectiveness of these controls must still be assessed. In practice this means the audit examines how the organization manages the supplier: the security requirements written into the contract and service-level agreements, the vendor's own certifications or assurance reports, and the organization's monitoring of the service it receives.
Other things to consider, of course, include the resources available for the implementation project and time constraints.
Settling on a scope for certification is critical: it sets the morale for subsequent scope expansions, sets the right tone and culture, and ensures effective use of resources. I must mention that all ISO standards are concerned with continual improvement, not perfection. Therefore, you should not shy away from starting small, as you can increase the scope of certification at subsequent surveillance and recertification audits.
Similarly, a large scope is manageable with the right resources, time and support from management. At the core of it all, ensure that the chosen scope speaks to what the organization holds critical to its operations, be it from a brand, competitive advantage, effectiveness or market leadership perspective.
From our experience, an effective way of getting stakeholders' buy-in to the scope is to organize workshops in which all relevant stakeholders take part in the discussion. These stakeholders usually understand what is of strategic significance and are best placed to propose a candidate scope that the ISMS implementation team can then refine. This aligns all stakeholders from the outset and minimizes resistance when the scope goes to management for approval.
Of utmost importance is getting management's buy-in to the scope and its applicability. This opens the door to the resources required to implement an effective management system.
Once the scope is approved, it should be communicated adequately to all involved stakeholders. Providing a justification for the chosen scope also helps to bring along the stakeholders who were perhaps not involved in the initial discussions.