Implementing ISO 27001:2022 for Startups and SMEs, From Entertainment to Airlines

Hannah Suarez, SSCP, takes us through the experience of implementing the substantially revised ISO 27001:2022 and upgrading from the 2013 version of the framework.


It’s been more than a year since the ISO 27001:2022 standards were released, replacing the 2013 version and including new and updated texts related to Cloud Security, Digital Trust and Cybersecurity Leadership. For startups and SMEs, these updates pose challenges around retrofitting their existing workforce to tackle the new standards – be it upgrading or implementing an ISMS (Information Security Management System). For organizations beholden to regulatory rules, the focus on third party and supply chain assessments will enable them to focus on securing business growth via the ISO 27001 certification process.


I’m writing this article fresh from finishing an ISO 27001:2022 implementation for a startup. I implemented their ISMS according to the previous standard, and now I want to share with the ISC2 community what it’s like to upgrade.


Non-Negotiable Clauses for Cybersecurity Leadership


While I can modify or customize the scope accordingly – following risk management analysis or strategic objectives – Clauses 4-10 are non-negotiable and mandatory, and are required for a company to be ISO 27001 compliant:

  • Clause 4: Context of the Organization
  • Clause 5: Leadership
  • Clause 6: Planning
  • Clause 7: Support
  • Clause 8: Operation
  • Clause 9: Performance Evaluation
  • Clause 10: Improvement

I have observed that startups tend not to prioritize these clauses, instead making a beeline towards accepting all controls and guidelines – without risk assessment. This is problematic because, in the end, failing these clauses can be the end-game for successful implementation. Let’s look at how these clauses are relevant for startups and SMEs.


Cybersecurity Leadership and ISO 27001:2022


Executive Management Responsibilities


Before I agree to implementing and adopting the ISO 27001 standards, I check: “How involved is executive management?”


When I’ve seen a lack of buy-in and support from executive management, I’ve seen it result in unhappiness throughout the entire implementation process. I’ve seen executives inherit an ISMS without the motivation to maintain it, let alone upgrade to the 2022 version. Fortunately, this requirement is non-trivial and it forces the ISO 27001 Lead to address the problem in the very first instance. A failure of executive management to buy in, or to recognize its responsibilities, signals a potential root cause for failure to meet information security objectives overall.


Clause 4.4 requires planning for existing organizational processes and how they interact with the ISMS. This is further strengthened by clause 8.1, which sets out the criteria for implementing these processes. When I work with startups where the CMM (Capability Maturity Model) is in its infancy, I expect major adjustments to processes, or even to document processes for the first time. I know that this work is a culture change for the organization – which requires explicit support from executive management.


Information Security Objectives Are Misaligned


The next problem I address is any misalignment between information security objectives and the overall strategic business objectives. In some ways, I’m educating executive management, so they understand the role and responsibilities of the CISO (or equivalent) and how it relates to the overall strategic and business objectives. In the ISO 27001:2022 standards, information security objectives are one of the main clauses.


Other reasons for misalignment that I’ve observed, and had to correct, include:

  • Management and other interested parties are uncertain or ill-informed of their roles in the ISMS. To address this, I communicate the roles as per the new clause 5.3 of the 2022 standard
  • A lack of support from all personnel and a lack of participation from interested parties. I’m supported in addressing this by clause 4.2.c, which states that interested party requirements must be addressed through the ISMS; and I’m further empowered via clause 9.3.2.c, under which the input of interested parties must also be part of the Management Review
  • A lack of communication of the IS (Information Security) objectives and those of the ISMS. In startups, I actually find it easier to communicate because of the flat hierarchy

Information Security is Treated Only Within the IT Domain


This is an issue that I’ve seen regularly. In fact, I’ve had to change actual titles to reflect the reality that information security does not equal IT security – a common misperception that I’ve noticed particularly in startups and SMEs. Information comes in many forms, both intangible and tangible: written words, code, images, intellectual property, physical property, conversations and more. Restricting the ISMS to IT and tech only will render it unsuccessful.


The Improper Application of the Standards


Many startups and SMEs may be already considering or have already adopted a Compliance-as-a-Service SaaS solution. The problem is that they blindly follow the templates, where the ISO 27001 standards are applied in full scope. When the Statement of Applicability is done without risk assessment to determine the final scope, they face the problem of implementing controls in a way that is proper to the organization.


For example, I’ve worked with a remote-only startup with no requirements for a physical office. I had to spend months communicating that this startup had no physical office requirement. There was some push-back, but I was later approved to conduct the audit remotely.


This is when I need to escalate any risks with executive management. First, I train them in risk assessment and risk management. Second, I work closely with executive management on using their current organizational culture to build a security culture that improves domains such as Cloud Security and Digital Trust.


Consequences For Lack of Cybersecurity Leadership


Failure to meet the mandatory clauses signals a lack of cybersecurity leadership within any startup or SME. However, CISOs (or their equivalent) in startups and SMEs do not necessarily face the same regulatory consequences that apply to larger companies – for example, the SEC regulation on the reporting to shareholders of cybersecurity breaches with material impact. Clearly, though, this does not mean the consequences of an incident or a breach for an SME or startup will be inconsequential.


One of the common issues I run into working in startups and SMEs is the lack of resources and the potential reliance on a few major partners. The consequences that I highlight as part of risk management are that there are unacceptable threats to the business in the form of losing a major partner or two, or of being decimated by the financial impact of post-incident or post-breach contractual and regulatory requirements.


Cloud Security and ISO 27001:2022


The latest standards introduced new controls relating to cloud security. Digital transformation now relies on cloud computing, which offers great flexibility through factors like variable pricing and the ability to scale where necessary.


For startups and SMEs, I see the following in the 2022 standards as relevant:

  • A.5.21 – Managing information security in the information and communication technology (ICT) supply-chain
  • A.5.23 – Information security for use of cloud services

There is neither enough space nor the time to explore cloud security in depth here. In fact, possibly this one new clause (A.5.23) can easily encompass more controls related to cloud security. Don’t fool yourself with this one addition though: take a complete risk-based approach when it comes to implementing and assessing IS in cloud services. Depending on the use case, I have also made the decision to conduct a DPIA (Data Protection Impact Assessment) or some sort of cloud data protection assessment in relation to the cloud service.


Digital Trust and ISO 27001:2022


The definition of what is “Digital trust” differs. For this purpose, I placed the definition within the area of personal data protection, which ties in with the need to develop trust and accountability for new companies. From the perspective of both a customer and a business partner, exchanging personal data – in the knowledge that a company can be trusted in terms of handling personal data – is good for business.


The following new controls relate to the treatment of personal sensitive data:

  • A.5.34 – Privacy and protection of personal identifiable information (PII)
  • A.8.11 – Data masking
  • A.8.12 – Data leakage prevention

The addition of these new controls reflects the current state of requirements to protect personal data. This aligns with the growing trend of, and reliance on, cloud services and (various “as-a-service”) platforms that now interface with personal data. It’s also reflective of what I detect is part of the main core of the operational requirements of startups and SMEs.


Of course, a percentage are running on-premise. But the option to simply spin up an instance on the cloud; to scale up or down depending on use cases; or to take advantage of “traditional” SaaS offerings (from customer information management to cloud service providers for business data) will continue to be a positive for many startups and SMEs.


Conclusion


This article is no more than an introduction to the comprehensive ISO 27001:2022 standards, based on my experiences. CISOs and other leaders with information security responsibilities in startups and SMEs can either meet the standards, or align with them. The trend of moving data from on-premise to the cloud is accelerating, and the new controls related to Cloud Security and Digital Trust help the standards align with current realities for startups and SMEs.


Hannah Suarez, SSCP, has almost a decade of experience in IT and information security with a current focus on cloud security, ISO 27001 and third-party security in the telecommunications, software, marketing and airline industries. Hannah has also held technical roles, with responsibility for analyzing and implementing security standards.
