Organizations are quite familiar with the devastating consequences of cyber threats. CISOs and top management of these firms are tasked with protecting their clients’ business from increasingly sophisticated attacks, while at the same time enabling growth and innovation with new value-added cloud services. There are difficulties, as well as opportunities, when looking at how to approach developing solid information security controls.
We are all doing our best with human and capital resource constraints. Any effort we take to strengthen information security controls is a form of Cybersecurity Improvement.
In this article, we'll reveal a strategic and tested, step-by-step approach to Cybersecurity Improvement, designed specifically to address the unique challenges faced by organizations. Discover how adopting this proven methodology will not only fortify your organization's defenses but also provide a competitive edge in the ever-evolving cyber threat environment.
First, what exactly is an ISMS? It is an organization’s "management playbook” for information security. By focusing on an organization’s people, processes, technology, and physical infrastructure, an ISMS brings a robust, management framework. Furthermore, it is leadership’s tool for risk mitigation, security preparedness, and continual operational improvement.
So, with that in mind, let's dive a little deeper into our step-by-step Cybersecurity Improvement Process.
Cybersecurity Improvement Step 1: Initiate - Initiate the ISMS Project, Determine your Scope and Get Management Buy-In
This step is all about understanding the context of your organization and determining the initial scope of your Information Security Management System.
Determining the scope is entirely up to you at this point. Are you going to want an auditor to look only at internal, non-customer-facing processes, such as engineering and marketing? Or, do you want to include all processes, including those interacting with your client, such as field services and sales? It’s entirely up to you and your interested parties/stakeholders how you want to proceed.
For more information on defining your ISMS Scope, check out our article here: ISMS Scope Confusion in ISO 27001: Don’t Get Lost - Information Security Management Systems Scope (arora-solutions.com)
Possibly the most important task of all at this step is to get management buy-in for this project. They should understand why this kind of project is invaluable to the organization and what it could mean for potential future business prospects and impacts on client/customer interactions.
Many times, projects like these fail to start because the initial investment is perceived as high, and the short-term payoff is low. In the long-term, however, good cybersecurity is cheaper than a breach. The cost of non-compliance and poor security can also be more detrimental to client trust.
Cybersecurity Improvement Step 2: Select - Select the appropriate Security and Compliance Framework(s)
Now, when selecting a framework the organization’s context, legal, regulatory and contractual requirements should be considered. Also, marketing and differentiating factors, needs of stakeholders, and company goals may drive the decision to choose a different security or privacy framework.
Frameworks like HITRUST, SOC2, NIST Cybersecurity Framework, CMMC (NIST SP 800-171), NIST SP 800-53, ISO 27701, etc. are evolving and becoming more commonplace. However, given that most of these frameworks are based on ISO 27001, this guide will focus more on aligning your team’s security to that framework. We feel that ISO 27001 is the most recognized internationally, offers the most independence and flexibility, and is the best balance of cost and effort.
ISO 27001 is also a great starting point, as it scales with your organization’s growth and ever-changing requirements.
When adding on additional frameworks, security controls cross-mapping is much easier these days through compliance automation. See Cybersecurity Improvement Bonus Step 9: Automate below for a sneak peek.
Cybersecurity Improvement Step 3: Risk Assess (your risks and security controls) - Risk Assess your organization's security risks and controls
The risk assessment is completed internally within your organization prior to internal or external audits. There is no cookie-cutter method on how to approach this step, but we recommend using the framework established in ISO 27005, initially, and the MITRE ATT&CK® Framework when the ISMS is more functional.
As required by ISO 27001 Clause 6.1.3, you will need to draft the Statement of Applicability (SoA) document, which states the Annex A controls your organization determines to be necessary for mitigating security risks. It also states which controls are to be excluded. Finally, justification as to why the control is or is not included needs to be clearly addressed in the SoA.
At a more granular security control level, there are two ways a risk assessment can be executed: Event-based, or Asset-based. Event-based looks at specific scenarios that could occur and assesses the risk of these possible threats as shown in the MITRE ATT&CK® Framework. Asset-based risk assessment looks at an individual list of assets and determines the associated risks.
While a viable option, we wouldn’t recommend doing an event-based assessment simply because it requires a large amount of industry-wide knowledge to complete and is a major investment from a monetary and capacity standpoint. It's quicker and more cost-effective to start small using asset-based risk assessment and reference ISO 27001 and ISO 27005.
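The following is an added example (not code from the article or from ARORA Solutions) of the asset-based approach described above: each asset/threat pair is scored on a likelihood x impact matrix, a treatment is decided against a risk appetite, and the result feeds a Statement of Applicability with a justification per control. The asset list, scores, appetite threshold and the mapping of controls to risks are constructed for illustration; the control identifiers follow the ISO/IEC 27002:2022 numbering, but which controls apply to which risk is an assumption of the example, not guidance from the standard.

```python
"""Asset-based risk assessment and Statement of Applicability builder.

Added example, not from the article or ARORA Solutions. The risk appetite,
the asset/threat list and the control-to-risk mapping are all constructed.
"""
from dataclasses import dataclass, field

# Constructed risk appetite: a likelihood x impact score above this must be treated.
RISK_APPETITE = 6


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                               # 1 (rare) .. 5 (almost certain)
    impact: int                                   # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # Annex A ids mapped to this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    """Reject ratings outside the 1..5 scale so bad input cannot hide a high risk."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")


def treatment(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Decide the treatment recorded in the risk register.

    Within appetite -> 'accept' (with justification); above appetite with a
    mapped control -> 'mitigate'; above appetite with no control -> 'escalate',
    because an untreated, unmapped risk needs a management decision.
    """
    validate(risk)
    if risk.score <= appetite:
        return "accept"
    return "mitigate" if risk.controls else "escalate"


def risk_register(risks: list) -> list:
    """Risk register rows, highest score first, as an auditor expects to see them."""
    rows = [
        {"asset": r.asset, "threat": r.threat, "score": r.score,
         "treatment": treatment(r), "controls": list(r.controls)}
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def statement_of_applicability(risks: list, catalogue: dict) -> dict:
    """Mark each catalogue control included or excluded, with a justification.

    A control is included when at least one risk above appetite maps to it.
    A real SoA also includes controls demanded by law or contract regardless
    of risk score; that input is left out here to keep the example focused.
    """
    soa = {}
    for control_id, title in catalogue.items():
        mitigating_for = [r.asset for r in risks
                          if control_id in r.controls and treatment(r) == "mitigate"]
        if mitigating_for:
            soa[control_id] = {"title": title, "status": "included",
                               "justification": "Treats risks on: " + ", ".join(mitigating_for)}
        else:
            soa[control_id] = {"title": title, "status": "excluded",
                               "justification": "No risk above appetite maps to this control"}
    return soa


# Constructed sample input.
SAMPLE_RISKS = [
    Risk("Customer database", "Ransomware encrypts production data", 3, 5, ["A.8.7", "A.8.13"]),
    Risk("Laptop fleet", "Device lost with unencrypted data", 4, 3, ["A.8.24"]),
    Risk("Public website", "Defacement via unpatched CMS", 2, 2, ["A.8.8"]),
    Risk("Legacy file share", "Unauthorised internal access", 3, 4, []),
]

# Constructed control catalogue (ISO/IEC 27002:2022 numbering, illustrative subset).
SAMPLE_CATALOGUE = {
    "A.8.7": "Protection against malware",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
}

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(f"{row['score']:>2}  {row['treatment']:<8} {row['asset']}: {row['threat']}")
    for cid, entry in statement_of_applicability(SAMPLE_RISKS, SAMPLE_CATALOGUE).items():
        print(f"{cid:<7} {entry['status']:<8} {entry['justification']}")
```

Note the "escalate" outcome: a risk above appetite with no mapped control is exactly the kind of finding that belongs in the Risk Register with a treatment plan (or a documented acceptance), as Step 5 below describes.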
Cybersecurity Improvement Step 4: Implement (your controls) - Implement the selected framework and associated security controls
From the previous step, now you can go ahead and implement your controls in accordance with ISO 27001 Annex A using the implementation guidance in ISO/IEC 27002:2022(en), Information security, cybersecurity and privacy protection — Information security controls. It’s also vital to revisit the scope to make sure whatever you are implementing is correctly aligned with the organizational priorities.
We define Implementation of an ISMS in five layers:
High-level Policies and Plan: This layer includes the essential documents which drive the Information Security Management System.
ISMS Plan: This internal document includes reference to ISO 27001 Clauses 4-10. It can include the ISMS Scope as well as information on how each clause will be addressed by the organization. It defines how you will plan, implement, operate, monitor and continually improve the ISMS.
ISMS Scope: Sometimes, this document is included in the ISMS Plan, and it includes the scope, locations, people, infrastructure, systems, interfaces and dependent processes.
Information Security Policy: Developed for a wider audience, including employees, stakeholders, suppliers and third parties. This policy establishes high level policy, principles, and objectives for information security within the organization.
Topic-specific Policies and Procedures: As defined in ISO 27002, topic-specific policies and procedures are “intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management”.
Examples: Acceptable Use, Access Control, Asset Management, Backup, Incident Response, Management of Technical Vulnerabilities, Secure Development, Cryptography and Key Management, Information Classification and Handling, Networking Security, etc.
Documented Evidence Creation: “Artifacts”, or evidence, are required to audit the ISMS. Generating evidence can be in any form, as long as it is traceable, controlled, and reproducible. It should follow the Monitoring Schedule below.
Examples: Risk assessments, Risk treatment plans, Management Review, audit reports, access reviews, tickets, business continuity tests, forms, logs, other reports, meeting minutes, presentations, training records, are all forms of evidence.
Monitoring Framework: A combined set of processes to ensure all evidence is available, metrics are being reported, and processes are being reviewed on a periodic basis.
Monitoring Metrics: These are forms of evidence which can be tracked over time to produce comparable and reproducible results in the form of KPIs (Key Performance Indicators). Metrics are required in Clause 9 Performance Evaluation.
Examples: Number of security incidents, percentage of individuals with security awareness training completed, on-time completion rate, % SLA controls met, average backup restore time, etc.
Monitoring Schedule: The schedule would include the item to monitor, description, frequency of monitoring, and evidence location.
Functional Processes and Security Controls: Includes Organizational (Governance), Technological, People and Physical Controls. These are defined in Annex A of ISO 27001 and guidance provided in ISO 27002. They include all other required aspects for the organization considered in-scope and applicable in the Statement of Applicability for the organization.
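As an added example of the Monitoring Framework layer (not code from the article or from ARORA Solutions), the script below encodes a Monitoring Schedule in the form described above (item, description, frequency, evidence location), checks an evidence log for items whose latest evidence is missing or older than their monitoring frequency, and computes a few of the example KPIs from raw evidence. The schedule rows, evidence dates, training records, restore-test timings and the tolerance window per frequency are all constructed for illustration.

```python
"""Monitoring schedule freshness check and KPI calculation.

Added example, not from the article or ARORA Solutions. The schedule,
evidence log, training records, restore timings and frequency tolerances
are constructed. Stale or missing evidence is reported as a finding, which
is what an internal auditor would raise under Clause 9.
"""
from datetime import date, timedelta
from statistics import mean

# Days allowed between two pieces of evidence for each frequency (constructed tolerances).
FREQUENCY_DAYS = {"weekly": 7, "monthly": 31, "quarterly": 92, "annual": 366}

# Constructed monitoring schedule: item, description, frequency, evidence location.
SCHEDULE = [
    {"item": "access-review", "description": "Privileged access review",
     "frequency": "quarterly", "evidence": "shared-drive://isms/access-reviews/"},
    {"item": "backup-restore-test", "description": "Restore a production backup and time it",
     "frequency": "monthly", "evidence": "ticketing://ops/restore-tests"},
    {"item": "awareness-training", "description": "Security awareness training completion",
     "frequency": "annual", "evidence": "lms://reports/security-awareness"},
    {"item": "vuln-scan", "description": "Authenticated vulnerability scan of in-scope hosts",
     "frequency": "weekly", "evidence": "scanner://reports/weekly"},
]

# Constructed evidence log: (schedule item, date the evidence was produced).
EVIDENCE = [
    ("access-review", date(2024, 1, 15)),
    ("access-review", date(2024, 4, 12)),
    ("backup-restore-test", date(2024, 5, 3)),
    ("awareness-training", date(2023, 3, 1)),
    ("vuln-scan", date(2024, 5, 20)),
]

# Constructed KPI inputs: (person, training completed) and restore durations in minutes.
TRAINING = [("alice", True), ("bob", True), ("carol", False), ("dave", True), ("erin", True)]
RESTORE_TESTS_MINUTES = [45, 60, 120, 30]


def latest_evidence(evidence, item):
    """Most recent evidence date for a schedule item, or None if nothing was ever recorded."""
    dates = [d for i, d in evidence if i == item]
    return max(dates) if dates else None


def overdue_items(schedule, evidence, today):
    """Schedule items whose evidence is missing or older than the frequency window.

    Each finding is (item, reason) so it can go straight into the
    non-conformity process or the next management review.
    """
    findings = []
    for row in schedule:
        window = timedelta(days=FREQUENCY_DAYS[row["frequency"]])
        last = latest_evidence(evidence, row["item"])
        if last is None:
            findings.append((row["item"], f"no evidence at {row['evidence']}"))
        elif today - last > window:
            findings.append((row["item"],
                             f"last evidence {last.isoformat()}, expected {row['frequency']}"))
    return findings


def kpis(training, restore_minutes, rto_minutes):
    """KPIs from raw evidence: % staff trained, mean restore time, % restores within RTO.

    Empty inputs yield 0.0 / None rather than a division error, so a missing
    evidence set shows up as a visibly bad number instead of a crash.
    """
    trained_pct = (100.0 * sum(1 for _, done in training if done) / len(training)
                   if training else 0.0)
    mean_restore = mean(restore_minutes) if restore_minutes else None
    within_rto_pct = (100.0 * sum(1 for m in restore_minutes if m <= rto_minutes) / len(restore_minutes)
                      if restore_minutes else 0.0)
    return {"training_completion_pct": trained_pct,
            "mean_restore_minutes": mean_restore,
            "restore_within_rto_pct": within_rto_pct}


if __name__ == "__main__":
    for item, reason in overdue_items(SCHEDULE, EVIDENCE, date(2024, 6, 1)):
        print(f"OVERDUE {item}: {reason}")
    print(kpis(TRAINING, RESTORE_TESTS_MINUTES, rto_minutes=90))
```

Run against the constructed data as of 2024-06-01, the annual training evidence (last produced 2023-03-01) and the weekly scan (last produced 2024-05-20) are reported as overdue; the same check run on a schedule is the reproducible evidence of "monitoring the monitoring" that Step 7 relies on.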
There’s no need to fret if everything isn’t fully compliant at this point. Step 5 helps address gaps in implementation prior to external auditing, or Certification.
Cybersecurity Improvement Step 5: Readiness Assess / Internal Audit - Readiness Assess your security controls to ensure compliance
Once you feel like your internal controls are in a good spot, now it’s time to have someone “check your work” with an internal readiness assessment, also known as an internal audit. However, don’t be scared of the word “audit”.
This step is intended to add value and bring you closer to compliance with ISO 27001.
In order to know where we are going, we need to figure out where we are. The purpose of this step is to make sure that your organization meets the minimum acceptable requirements specified in ISO 27001. There will be room for continual improvement, and you can’t fail here.
Under frameworks like ISO 27001 and HITRUST, this internal audit is required on an annual basis. Either an external organization, like ARORA Solutions, or an internal department with complete independence from security processes is allowed to conduct this readiness assessment or internal audit.
With this step, there can be some confusion internally about why it is necessary. First, it is a requirement under ISO 27001 Clause 9.2.2 Internal Audit Program. Second, you could think of a readiness assessment as a “dry run” prior to the Stage 1 and Stage 2 Certification audits.
The readiness assessment goes through a similar process to the one an external auditor would, but rather than taking a simple “are they compliant or not” approach, the readiness assessment takes it a step further: gaps are identified, and detailed implementation recommendations help you close them. Once all major gaps are remediated, an organization is ready for Cybersecurity Improvement Step 6: Certify.
It is our recommendation that organizations risk assess these findings, especially if there is a huge cost to making security control improvements. You don’t need to do everything to achieve compliance!
You should include major issues in the Risk Register, even if you don’t remediate them. If you have a risk treatment plan associated with the risk, it should help appease the external auditor. You can even accept the risk (with adequate justification) and still be compliant without fully treating it.
From a cost perspective, Internal Audits, which provide informative and value-added results for Management, run in the range of $10,000 (small enterprise) to $20,000 (medium to large enterprise). This is often an unexpected cost of ISO 27001 Certification, but it is essential for success. Annually, there would be a reduction in cost, as the internal auditor understands the organization’s processes.
Disclaimer: Costs depend on the organization’s size and complexity.
Cybersecurity Improvement Step 6: Certify - Certify Your ISMS with an external auditing body
Now that the “dry run” has happened and the readiness assessment has determined your organization’s full security posture, it’s time for Certification. Under ISO 27001, at this step, a Certification body will come in and perform their own assessment of the organization to see if it matches up to the framework.
It is best to select a Certification body with a major accreditation like UKAS or ANAB who have ISO 27001 within their Scope of Accreditation and who your Internal Auditor is familiar with. Having communication and familiarity with the Certification body can increase chances of success and improve your comfort in the process.
Furthermore, ISO requires an independent accredited conformity assessment body to make the final judgement on Certification. This body cannot offer consultation or advisory support, such as implementation or internal readiness assessments. Any consultants need to be a completely separate organization from the Certification Body and would not be conducting the Certification audit.
On the flip side, some frameworks operate a little differently. Unlike ISO 27001, SOC2 can have the same organization that is doing the consultation also provide the attestation report under AICPA. ISO does not work like this and requires complete independence and impartiality, as specified in ISO/IEC 17021-1:2015 - Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements.
Tip: Make sure your Certification body is not also doing either consultation or internal auditing for you, as this can be a conflict of interest under ISO 17021.
STAGE 1: At Stage 1, the Certification body will assess if governance, policies, procedures and processes are in place. Here, they will assess the “existence” of basic controls required in ISO 27001. A Stage 1 audit report is a simple recommendation by the auditor to move on to Stage 2.
The time requirement here is short (a 1-2 day audit), and it shouldn’t take more than a few weeks to reach a decision.
STAGE 2: At Stage 2, the Certification body will go even deeper to assess the “effectiveness” of the controls, as well as do a deeper dive into the Annex A security controls.
The time requirement here is dependent upon ISO 27006. This standard includes a table which specifies the number of auditor days that should be dedicated to Stage 1 and Stage 2 audits, for both Surveillance (annual) and Initial (first-time) audits. More information can be found here: ISO/IEC 27006:2015 - Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems.
At the conclusion of Stage 2, the Certification body will reach a “Certification Decision” based upon the Stage 2 audit report. The decision will be whether to Certify or not.
If the company is Certified, the subsequent two years will require a Surveillance audit. At the third year, recertification will be required, similar to the initial Stage 1 and Stage 2 audit process.
From a cost perspective, ISO 27001 Certification can be anywhere from $15,000 (small enterprise, startup) to $25,000+ USD (medium to large). On an annual basis, there would be a 25% to 30% reduction for the Surveillance audit and Certification fees.
Disclaimer: Costs depend on the organization’s number of locations and full time employee count, as well as the Certification body’s standard fees.
Cybersecurity Improvement Step 7: Monitor and Maintain - Monitor and Maintain your information security processes and controls
Must feel pretty good to finally get certified, right?
Now, your ISMS is running effectively. Once you know all the technologies, processes, and people are in their proper place and functioning as they should, like a well-oiled machine, steps must be taken to make sure consistent evidence is available and continually produced. Within this step, we are ensuring that the Monitoring Framework, detailed in Cybersecurity Improvement Step 4: Implement, is being utilized and that it is producing the appropriate and auditable evidence.
This step matters because you can only manage what you measure, and consistent measurement is what keeps you in compliance with ISO 27001.
Keep up the good work by monitoring, maintaining and continually assessing the health of the ISMS.
Cybersecurity Improvement Step 8: Continual Improvement - Continually Improve the ISMS over time
We love to be optimistic about achieving Certification. However, we know that processes are hard to maintain consistently, and we do have process breakdowns. If your processes, policies, and people aren’t evolving with the cybersecurity threat landscape, it is likely that you are subject to security vulnerabilities and weaknesses.
Just because your organization was considered compliant today doesn’t mean it will stay that way tomorrow. People leave and the nature of our work changes.
The Continual Improvement step ensures that any issues brought by any employees, suppliers, users, engineers, managers, and security professionals are appropriately addressed. We find that most organizations do not have a way to Continually Improve.
The steps here include establishing a Non-conformity and Corrective Action Process within your Information Security Policies or ISMS Plan. This process should produce evidence of issue identification, root cause analysis, corrective action, preventive action, timeline for completion, responsibility, and learnings from the finding. Audit findings are usually managed within this process, as well as through Risk Assessment.
Bonus Step 9: Automate - Automate compliance with an industry-proven compliance automation platform
As ARORA evaluates more companies in numerous sectors, we are finding that managing an ISMS is exceedingly difficult on a day-to-day basis. We believe automation is the answer…
More and more MSPs and tech companies not only encourage automation but rely on it every day. Automating regular tasks not only frees up your team to focus on what is really important, but it drives efficiency across the organization. When we talk about automation in the compliance space, we’re talking about Compliance Automation Platforms, as described in our article here.
We highly recommend utilizing a Compliance Automation Platform in conjunction with your existing GRC processes. This can be integrated into the Cybersecurity Improvement process defined in our 9 Steps process above.
We wish you good luck on your compliance journey! Let us know how we may support you by contacting ARORA Solutions here. Our team of experts focuses on readiness, internal audit and implementation for ISO 27001, HITRUST and other information security, AI and privacy standards.