
Providing assurance through ISO 27001 Certification

5. In search of the white Cloud

5.1 Providing assurance through ISO 27001 Certification

This analysis focused on the implementation of ISO 27001 combined with the recommendations of ISO 27002. The results clearly show that having obtained an ISO 27001 certificate does not ... The outcome of the analysis conducted on the controls of ISO 27002 is summarised below; a detailed explanation is provided in Appendix A.

Summary of the analysis carried out on the controls of ISO 27002

Risks that can be mitigated

r.24 - Effects of subpoena laws;

r.25 - Licensing risks;

© Robert Farrugia SRN 070440991 61

5.1.1 Rationale

To better understand how the author reached this negative conclusion, one must go back to the dynamics and characteristics of how ISO 27001 certification is achieved. As explained in section 3.3.1 – ‘ISO 27001/2’, an organisation is certified only against the management system that is defined within ISO 27001. ISO 27002 is just a code of practice. This means that even though an organisation is certified to ISO 27001, this does not mean that all recommendations within ISO 27002 have been implemented. However, for the purpose of this analysis the author decided to consider all the controls within ISO 27002.

ISO 27001 is a risk-based approach and thus very flexible. This means that it is up to the CSP's management to decide which risk levels to accept and which controls to implement to reduce any unacceptable risks. This characteristic is intended to allow the organisation to set the level of acceptable risk in line with its business objectives and risk appetite. However, this may also mean that if the CSP's management considers ISO 27001 certification only as a marketing tool, then that CSP may target being compliant, or even get certified, without having adequately addressed its security requirements. This can result either because the CSP's management selects a high risk acceptance level or because a poor selection of controls is made. An ISO 27001 certificate gives assurance that the organisation's management system is managed as required by the standard. However, it does not certify that the organisation has adequately secured all its assets. When an organisation is certified, a document is made available for public scrutiny. This document describes the scope of the ISMS and also provides a high-level description of the controls that have been implemented.

However, the information within may not be sufficient to understand whether all the relevant risks have been mitigated.

Annex A of ISO 27001 links this standard to the control objectives found in ISO 27002. As specified in the standard, the list is not an exhaustive one. The clauses and statements within the code of practice (ISO 27002) are very generic and sometimes described at a high level. When analysing each individual risk it was not always clear whether a risk was mitigated by implementing such controls.

The result may vary according to the interpretation of the controls. Listed below are some examples of such situations encountered during this analysis:

• When analysing the risk of a customer being dependent on one CSP (r.15), one can easily argue that this risk can be mitigated by the CSP through clauses found within ISO 27002. This can be done by considering such a risk under clause 6.2, which states that customers' security requirements should be considered. Another ISO 27002 domain which may mitigate this risk could be the business continuity domain. On the other hand, when one looks closer at these clauses one notices that they are too generic. In addition, when customers look at the ISO 27001 badge they are not aware of whether such risks have been considered and whether adequate controls have been implemented.

• The risk described in r.18 relates to the customers' inability to achieve compliance with international standards whilst being on the Cloud. Without any doubt, ISO 27001 does not limit the organisation as to which controls to implement, as long as these achieve the desired level of security. Thus, together with ISO 27001, the organisation can design its policies, standards and procedures to be compliant with other standards such as PCI DSS. This will enable customers to achieve or retain their PCI DSS certification. Once such controls have been added to the CSP's management system, ISO 27002 implies compliance with such policies, standards and procedures. However, being ISO 27001 certified does not mean that the controls are designed to be in line with other standards such as PCI DSS. Thus, even though a CSP may have achieved ISO 27001 certification, it does not mean that it has mitigated the risk for customers of not being able to achieve a specific international security certification.

• The risk described in r.24, which relates to the effects of subpoena law requirements, also produces such a dilemma. The effects of subpoena law requirements can be reduced by a dynamic IT infrastructure that is mirrored across different regions of the world, so that the confiscation of IT resources in one jurisdiction would not affect the operation of the entire Cloud. One can argue that such a risk can be mitigated through the implementation of the business continuity controls in ISO 27002. On the other hand, compliance with ISO 27002 does not mean that this infrastructure has been implemented, since such a requirement is not specifically addressed by this standard. Thus, once again, even though a CSP may have achieved ISO 27001 certification, it does not mean that it has mitigated the risk of the effects of subpoena law requirements.

In conclusion, what emerges from this analysis is that ISO 27001 / 27002 provides a good basis for creating a secure cloud computing environment. This is true only if one assumes that the CSP's management is committed to information security. Such commitment would mean that the risks directly related to the Cloud are included within the risk assessment. This would result in adequately chosen mitigating controls, which may also include controls not specified within ISO 27002.

However, the issue is to identify a mechanism that can provide assurance to customers that the Cloud is adequately mitigating all the risks that have been identified. From the analysis, it is clear that the controls within ISO 27002 are not enough. In the case of ISO 27001 certification, one must look into the details of how the ISMS has been implemented. A customer has to understand the scope of the CSP's management system, the risks included within the risk assessment and how such risks are being contained. Such information would aid the customer in understanding whether Cloud-specific risks have been included. Unfortunately, not all of this information is made public. Taking into consideration all the deficiencies mentioned within this section, the end result is that an ISO 27001 certificate does not mean that the Cloud has been adequately secured.
