Author of the Month: Bridget Kenyon – IT Governance Blog


ISO 27001 Controls – A guide to implementing and auditing

Bridget Kenyon is the CISO (chief information security officer) for SSCL. She’s also been on the ISO editing team for ISMS (information security management system) standards since 2006, and has served as lead editor for ISO/IEC 27001:2022 and ISO/IEC 27014:2020.  

Bridget is also a member of the UK Advisory Council for (ISC)2, and a Fellow of the Chartered Institute of Information Security. 

She’s also been a PCI DSS QSA (Payment Card Industry Data Security Standard Qualified Security Assessor), been head of information security for UCL, and held operational and consultancy roles in both industry and academia. 

Bridget will always have a foot in both the technical and strategy camps. She enjoys helping people find solutions to thorny problems, and strongly believes that cyber and information security are fundamental to resilient business operations, not ‘nice to haves’. 

Following the success of the first edition, Bridget updated ISO 27001 Controls – A guide to implementing and auditing to reflect the 2022 updates to ISO 27001 and ISO 27002, making her our author of the month for June! 

We sat down for a chat. 


What inspired you to write ISO 27001 Controls?

Actually, I inherited the book. Years ago, a colleague realised that, although guidance [ISO 27003] existed for the main clauses in ISO 27001 [Clauses 4–10], the controls in Annex A lacked equivalent guidance. 

Sure, you could go to ISO 27002 for implementation guidance, but it wasn’t practical. These types of standards need to be international – but the more generic something gets, the less useful it becomes. 

My colleague wanted to come at it from the UK perspective. But he also wanted to go beyond simply helping people implement the control: 

  • When they test the control internally, how can they [internally] audit that control? 
  • How should they expect an [external] auditor to audit that control? 
  • For auditors, if they follow the auditing guidance and discover a problem with a control, and the auditee goes ‘OK, well, what should I have done?’, the auditor can offer implementation guidance. 

That’s how the book came about – to address all the above. In fact, it was part of a pair: 

  1. An advice and guidance book. 
  2. A workbook, with sections for the user to fill in for each control. 

My colleague had been working with a co-author on both books, but she wasn’t able to continue, so he approached me to assist. 

We agreed we’d each take one of the books, with mine being the advice and guidance book. We each updated our book for the 2013 edition of ISO/IEC 27001, and both got our book published. 

Then, the BSI [British Standards Institution, which published the original books] stopped publishing physical documents, and gave me the copyright to the advice and guidance book. 

I approached ITGP and asked if they’d be interested in publishing an updated version of the book. That ultimately became the first edition of ISO 27001 Controls, though you could also think of it as the third edition to the book that started all those years ago. 


What changes did you make from the last edition to this version? 

I’ve updated it to match the 2022 version of ISO 27001, which has substantial differences from the previous edition, particularly in the Annex A controls. 

The Annex A controls have been completely rewritten and tidied, bringing the number down from 114 to 93. 

But even though there are fewer controls, you haven’t lost any of the things you need to do. Rather than having five keys in five drawers, you’ve now got all five keys in one drawer. But that doesn’t reduce the number of keys you’ve got. 

I reviewed every single clause and rewrote the book to match the new controls. With all the new and merged controls, I had to add some entirely new clauses, and combine advice in others. So, in essence, this was a complete rewrite. 


Do you consider the changes to the Annex A controls a good thing? 

Yes. Every time we revise a standard – especially ISO 27002 – it’s an incremental improvement. 

ISO 27002:2022 is the second edition I helped edit. I believe the 2022 Standard introduced two key improvements: 

  1. Consolidating some duplicate items. 
  2. Adding attributes to the controls, which feel a bit like hashtags. 

The attributes are meant to address issues like how to ‘slice’ the controls if you added them all to a database. What would your tables contain? What would your headings be? 

The attributes, intended for electronic use, help ‘batch’ the controls by their purpose. For example: 

  • Is the control intended to prevent something from happening? 
  • Is the control intended to detect something happening? 
  • Is it intended to respond to something happening? 

Once you’ve batched them, you can easily answer questions like these. You can also easily match them up against other frameworks, like the NIST CSF [Cybersecurity Framework]. 

You can do many different things with the attributes. This ‘metadata’ helps you understand what the control is intended to achieve and how it interrelates with the other controls. I’ve included examples in the latest edition of my book of how you might use the attributes [in Chapter 4]. 

And that’s another thing I changed in this edition of the book. I added that new chapter, partly because it adds value, and partly to make sure the chapter numbers line up with the control numbers. In the first edition, the numbers didn’t align, which is messier to read and cross-reference. 


Do you feel that ISO 27002:2022 takes a more holistic approach? 

No, not in any way, shape or form. 

ISO 27002 is a random assortment of security measures that may or may not be relevant to you. I had a colleague who used to refer to ISO 27002 as a ‘supermarket’. Would you buy everything, assuming money was no object? Of course not. 

Equally, you wouldn’t look at ISO 27002 and implement all its controls. The Standard simply provides a selection of security measures that may come in handy. It’s not telling you to implement them all. 

You may also need to look outside the Standard to find security measures not covered in ISO 27002 but that are appropriate to your environment. 

The point of ISO 27001 certification* is being able to demonstrate that you’re suitably secure. That a trusted third party has come to that conclusion. 

[*Organisations can only certify against ISO 27001, not ISO 27002.] 


Many view the Annex A controls as a checklist. Does this misconception stem from the fact that the SoA [Statement of Applicability] must map the organisation’s controls against those in Annex A? 

Basically, yeah. The SoA used to be unique to ISO 27001. Now, one of the AI [artificial intelligence] standards uses it too. 

The SoA was created [for BS 7799-2:2002, the predecessor to ISO 27001:2005] because information security was a relatively new topic then. If we simply told organisations to document the security controls they intend to apply, they could easily miss an entire category, completely by accident. 

You might miss, for example, access control to the building. Physically walking into a building is a way you can steal information, which people tend to forget when focusing on information security. 

So, we created the SoA to make sure people didn’t accidentally miss entire categories of security measures. Not every category applies to every organisation, but you might not have thought about things you do need. The SoA was designed to address that. 

But when people saw the SoA, they immediately thought it was a checklist, which it never was. We’ve since wrestled, trying various techniques, to dial people back from this ‘completist’ approach. 


Why is the ‘checklist’ approach problematic? 

Again, you don’t buy everything in the supermarket. You also mustn’t blindly apply the entire ISO 27002 control set. 

I’ve seen this happen. An organisation asked me for help because they were having trouble with their ISO 27001 project, struggling to gain any traction. 

They showed me a spreadsheet with every single Annex A control. I asked them how they picked their controls. They responded: ‘We picked the controls we were supposed to, according to Annex A.’ 

So, I said: ‘OK, what are your implementation problems?’ They replied: ‘We just can’t get the budget, and no one will take us seriously.’ 

Well, that’s because that spreadsheet lacked any relationship with the business. The organisation was treating it as an alien thing; not something to embed in its operations. It was a box-ticking exercise. 


Earlier, you said you tried ‘various techniques’ to get people out of this faulty mindset. What did those include? 

We’ve reworded the part in ISO 27001 that references the SoA [Clause 6.1.3.d] several times. The problem is that we can’t use many of the phrases we’d like to have used, because ISO 27001 is a normative standard. 

In other words, it’s a standard in which every single statement must include the word ‘shall’. It can’t contain guidance – the Standard must be a set of criteria against which you can audit. 

We’re trying to find the best way to phrase the requirement, which is to look at each Annex A control and consider whether it’s relevant. If so, but it’s currently missing from your control set, you need to go back to your risk assessment and work out: 

  1. To which risk[s] it pertains; and 
  2. Why you missed it first time. 

You then add it into the risk assessment as appropriate and continue as normal. 

You may also need to review the requirements of interested parties, and see if those account for that control. 


Coming back to your book, what is its top take-away? 

It doesn’t really have a ‘top take-away’ as such. This is a reference guide – it’s not something you read from cover to cover for some life-changing revelation. Although, if you read the book and do have one, please let me know – I’d be fascinated to hear all about it! 

The book is intended to help people who have a question like: ‘What do I do about authentication information?’ 

It provides a nice little introduction for each control – a bit of background that answers the question: ‘Why bother with this control in the first place?’ 

I then cover some best practices – or perhaps I should say good practices – on how to implement the control, along with some caveats and warnings and, where appropriate, some interesting anecdotes. 

Those are based around my experiences – occasions where I’ve watched something go horribly sideways, and were, in hindsight, funny enough to be worth including. 

The auditing guidance follows straight after the implementation guidance for each control, describing what auditors should do. We’ve tried to be creative in working out how you can test a control – this can really be challenging at times. 

It can be difficult to determine whether a control is effective, and not all auditing guidance is suitable for including in an international standard. Sometimes, you need to share a story that puts people off doing something. That’s another thing the book does. 


What do you like the most about the book? 

It’s all the anecdotes that bring the book to life. They help things stick in people’s heads. 

I’ve included many personal experiences, or experiences from someone I know – appropriately redacted, of course – that highlight the practical realities of these controls. All the ‘dos and don’ts’ based on first- or second-hand experience. 


And finally, do you have any advice for aspiring authors? 

Make sure you budget enough time to go through everything at least three times. For technical books like this one, you need to be quite rigorous and structured. 

In fact, given the size of my manuscript, I guarantee it still contains at least one error – a typo, if nothing else. So, if anyone finds it, please let me know, and I’ll correct it. 

But you want to publish with as few errors as possible, obviously. So, take the time to review everything, and leave at least a week between reviews. That helps you look at things with fresh eyes. 

Third-party review is also vital. Send your copy to someone else – preferably to at least two reviewers. It’s often easier for someone else to review your work than it is for you to review your own. 


All our books are available in physical, eBook and ePub formats.  

Find out more about Bridget’s book here. We’re also offering a 15% discount throughout June! Just use ‘Kenyon15’ at the checkout. 


