The role of CISO in the implementation of ISO 27001

by Anastasios Arampatzis


The evolution of the digital world and the growing dependence of businesses on networks and information technology led the industry, back in 2005, to consolidate its information security management best practices into a single concise standard, ISO 27001. Since then, the Standard has been revised once, in 2013, which is the current version.

Today, new risks have emerged. Sophisticated cyber-attacks punch holes in network defences and penetrate the information security fabric we all depend on. ISO 27001:2013 is about to be updated, and with it the way companies think about the need for a CISO, or for a vCISO service.

The ISO 27001 in brief

“ISO 27001 is the leading international Standard focused on information security that was developed to help organizations, of any size or any industry, to protect their information systematically and cost-effectively, through the adoption of an Information Security Management System”, states Advisera.

ISO 27001 is an international Standard, developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Being part of the 27000 family, a series of Standards created to harden the information security of organizations and companies, the 27001 Standard provides a framework to help any business protect the confidentiality, integrity, and availability of their sensitive and valuable information through the adoption of an Information Security Management System (ISMS).

An ISMS is a set of rules documented as policies, procedures, and established processes. Because its purpose is to protect information, it deals mainly with identifying risks, defining and implementing controls, and continuously measuring and improving them. The Standard defines the minimum set of documented information that must be in place. It is split into two parts: the main body consists of 11 clauses (0 to 10), of which clauses 4 to 10 contain the auditable requirements; Annex A lists 114 controls, grouped into 14 domains with their control objectives.

What is new in ISO 27002:2022?

ISO 27002 is the implementation guidance for the controls listed in Annex A of ISO 27001. The new version, released in February 2022, has undergone important changes, which give a glimpse of what to expect from the updated ISO 27001:2022, expected to be published later in 2022.

Judging by the changes in ISO 27002, we can safely say that the main body of the Standard will remain unchanged, while the controls listed in Annex A will be updated. The number of controls decreases from 114 to 93, mainly through merging, to simplify their categorization, and they are grouped into only 4 sections instead of the current 14. These new sections are:

  • People (8 controls)
  • Organizational (37 controls)
  • Technological (34 controls)
  • Physical (14 controls)

None of the old controls is dropped outright; instead, many of them are merged into a single control. Eleven new controls are introduced, namely (with their ISO 27002:2022 control numbers):

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

Until the new ISO 27001 is published, a company's Statement of Applicability (SoA) will still refer to the current Annex A of ISO 27001:2013, and certification audits are conducted against it. The controls of ISO 27002:2022 are an alternative control set, which has to be compared to the existing Annex A; the correspondence tables in Annex B of ISO 27002:2022, which map every 2022 control to the 2013 controls it replaces or merges, are the practical starting point for that comparison.

Finally, a transition period, expected to be two years, will give certified organizations time to revise their management system to conform to the new version of the Standard; existing certificates normally remain valid until the transition period ends.

The role of CISO in driving compliance with ISO 27001

Clause 5.3 of the Standard requires top management to ensure that the responsibilities and authorities for the roles relevant to the ISMS are assigned and communicated, whatever the organization's size or industry. This clause gives the CISO the room and the framework for action: a role responsible for establishing the right security practices and for enabling a framework in which business operations can scale with their risks managed.

The Standard itself does not mandate the existence of a CISO; it does, however, require that the business' information security activities be coordinated and managed. ISO 27001 focuses on two key aspects of the ISMS: responsibility and accountability. To meet these requirements, a company has to identify the relevant roles (for example, who owns the risk assessment, who approves the Statement of Applicability, who reviews access rights, and who reports to top management), make sure each role is clearly assigned and documented, and leave no gaps. The requirement is high-level, and thus quite easy to document.

Small businesses that do not have a CISO can distribute the responsibilities among several individuals, who together make up the ISMS organization. Even for a small business it is essential to be clear about who is accountable for what.

Establishing a dedicated CISO position facilitates the implementation of the Standard and signals to customers that information security is taken seriously. For that reason, even smaller companies that cannot afford the payroll of a CISO tend to outsource their information security leadership to virtual CISO (vCISO) service providers.

The benefits of a vCISO

An in-house CISO position is expensive, especially for small organizations. Taking that into consideration, along with factors such as efficacy and performance, it is easy to see why virtual CISOs offered as a service have become so handy. A vCISO carries the normal CISO responsibilities, but delivers them in a subscription-based format.

There are quite a few benefits to partnering with a managed services provider and getting a vCISO subscription. Briefly, these are:

  • Insights from the industry and relevant comparisons with peers
  • Expertise, as vCISOs deal with numerous businesses and situations
  • Experience with diverse workflows, people, and setups
  • Lower cost than a full-time salary
  • A holistic view that puts situations into their industry context
  • External validation that allows a company to see the big picture

How we can help you

ADACOM can help you with the implementation of the ISO 27001 Standard. Whatever your size or industry, our expert team provides a wide range of consulting and vCISO services, ensuring that you remain ISO 27001 compliant and that someone is accountable for your ISMS. Do not hesitate to contact us with any question you may have.