Michael Precious, Manager and Certified ISO 27001:2022 Lead Auditor

Are you confused by the 22,000+ variations of the letters and numbers of the International Organisation for Standardisation (ISO) Standards? Let’s break this down for you!

Putting the Information Security (IS) in ISO

At AssuranceLab, we currently focus on the following information security-related ISO Standards:

• ISO 27001: Information Security Management System
• ISO 27017: Information Security Controls based on ISO 27001 for Cloud Services
• ISO 27018: Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds acting as PII Processors
• ISO 27701: Privacy Information Management System (PIMS)
• ISO 42001: AI Management System

Why an ISO Suburb?

Traditionally, ISO standards are hard to digest. We have found the best way to break them down is to consider each standard as its own house that you can extend, subdivide or build next to!

Some of the standards listed above, are stand-alone homes while others are extensions of existing homes.

Let’s take a look around each house!

ISO 27001

General overview:

• Considered one of the most recognised Information Security Standards globally.
• Consists of criteria (main requirements) and a list of common information security controls (annex A) that exist to guide your organisation in implementing an Information Security Management System (ISMS) and mitigate common information security risks.

Compliance:

• Implement all of the main requirements
• Determine which of the Annex A controls are required for your organisation based on your identified risks
• Don’t set it and forget it, rinse and repeat! Your ISMS is now a living breathing household, you worked hard to build and maintain it so make sure you reap the benefits!

What if my house has an existing framework (e.g. SOC 2), can I still build an ISMS?

• You sure can, AND you can use some of the existing framework!
• The ISO 27001 criteria is more rigid than you may have experienced with SOC 2, however with a little refurbishment it will all work beautifully!
• The Annex A controls and typical SOC 2 controls are like Scandinavian design and minimalism, a match made in heaven!

Does my house need ISO 27017 & ISO 27018? What happens if I add them?

General Overview:

• An additional set of Annex A controls pertaining to cloud service providers and/or cloud service providers who hold PII.
• Add the applicable ISO 27017 controls to your existing ISO 27001 Annex A controls and you’re done – just like that your ISO 27001 House has a granny flat!
• Add the applicable ISO 27018 controls to your existing ISO 27001 Annex A controls and you’re done – just like that your ISO 27001 House has a Granny flat!

ISO 27701: Privacy information Management System

General overview:

• While it is an extension of ISO 27001, ISO 27701 does have its own set of criteria to guide an organisation in building and maintaining a Privacy Information Management System (PIMS).

Compliance:

• Implement all of the main requirements
• Determine which of the Annex A controls are required for your organisation based on your identified risks
• Don’t set it and forget it, rinse and repeat! Your PIMS is now a living breathing household, you worked hard to build and maintain it so make sure you reap the benefits!

Does my PIMS have to be a standalone home or can it be part of my ISMS?

• Consider it a duplex, there will be some adjoining walls (both sets of criteria have the same structure and flow, however one is focused on Information Security and one is focused on Privacy information – ensuring your processes cover both clearly is vital. The last thing you want to do is combine them and then one falls down the wayside as a result)

PIMS, GDPR, HIPAA…A lot of letters, can any of them be mashed together?

• In essence, privacy controls are privacy controls. If you were to do a multi-standard audit with AssuranceLab you would find that across the SOC 2 Privacy Trust Service Criteria, HIPAA, GDPR, CCPA and ISO 27701, there will be plenty of overlap in controls and the expectations within policies, procedures and activities.

ISO 42001: AI Management System

General overview:

• The new kid on the block. The architects looked at your brick houses or your concrete houses and decided to bring along a 3D printer and just print out a brand new AI-generated house
• Criteria and controls designed to create a management system for the use of AI systems.

Compliance:

• Implement all of the main requirements
• Determine which of the Annex A controls are required for your organisation based on your identified risks
• Don’t set it and forget it, rinse and repeat! Your AI management system is now a living breathing household, you worked hard to build and maintain it so make sure you reap the benefits!

Does my AI Management System have to be a standalone home or can it be part of my ISMS?

• Consider it a duplex, there will be some adjoining walls (both sets of criteria have the same structure and flow, however, one is focused on Information Security and one is focused on the use of AI – ensuring your processes cover both is vital. The last thing you want to do is combine them and then one falls down the wayside as a result)

So….how do these audits actually work?

Like any new build getting started can often be confusing. That is why we are here to help navigate your journey. If you’re ready to start building your ISO dream home, get in contact with us today.

Disclaimer: AssuranceLab performs the role of an independent auditor across hundreds of client environments. We do not perform technical roles or assessments and this content is not intended to be comprehensive on those technical or detailed aspects of cybersecurity. You should perform further research and seek professional advice as appropriate before acting on any of the information contained here.