ISMS implementation & SME security guidance
- Gary Hinson

ISO/IEC JTC 1/SC 27/WG 1 has two interesting new projects on the cards ...
ISMS implementation
First comes a proposal to develop ISMS implementation guidance, essentially rejuvenating the original ISO/IEC 27003.
When the standard's 2010 first edition was revised in 2017, the committee decided to reduce the implementation guidance, instead focusing on explaining the Information Security Management System requirements in ISO/IEC 27001.
At the time (and subsequently, to be honest - it remains of concern today), it was evident that some conformity assessors (certification auditors) were misinterpreting the actual ISMS requirements and inventing others - in particular, mistakenly insisting that various security controls from Annex A were expected, required or even demanded by the standard [not so!].
This created confusion in the market, skewing well-meaning but misguided ISMS guidance towards an inappropriate focus on the security controls rather than risk and security management practices - emphasising the 'IS' over the 'MS' elements of 'ISMS'. On top of that, some commercial suppliers were keen to state or imply in their marketing that:
27001 implementation is all about the security controls.
There are about 100 controls in Annex A.
The controls mention documentation and other requirements.
Certification auditors therefore expect or demand clients to have implemented the ~100 controls by default and will refuse to certify organisations that fail to offer the docs and other supporting evidence mentioned in Annex A.
This is all very complicated and onerous. ~100 controls = loads of tech!
The suppliers have easy answers in the form of their ISMS toolkits, support systems and services. Simply purchase and get certified.
The current 2017 edition and forthcoming revision of 27003 both focus on the requirements from 27001. For each main body 27001 clause (not Annex A!), 27003 provides:
A succinct restatement of the formal requirement that must be satisfied by every certifiable ISMS;
An explanation of the requirement - expanding on the formalities with a few paragraphs of additional description and context;
Guidance - roughly half to one page on the things that should or indeed could be done (optional but generally considered good practice in this area); and
Other info - dangly bits on the bottom.
Elaborating on the succinct SC 27 proposal, the new standard might usefully offer guidance on:
Gaining senior management's understanding, engagement and support, both for the ISMS implementation project and for the long-term operation and maintenance of the ISMS. This would involve clarifying management's expectations for the ISMS including its governance e.g. the business case laying out clear business objectives and key parameters for the ISMS such as reporting lines, resourcing, timescales, metrics, priorities and assurance/oversight (including certification by the way: it is discretionary).
The ISMS implementation project i.e. project governance, project plan, project team etc. This is just a relatively short phase in the anticipated ISMS lifecycle.
The ISMS itself: practical ways to satisfy the formal requirements of ISO/IEC 27001 - presumably a more pragmatic or extensive version of the guidance in 27003?
Although there is an opportunity to extend the guidance into the main operational phase of the ISMS lifecycle, the proposal only covers those three points above, and not in as much detail. It emphasises ISMS implementation. I have reinterpreted and expanded on the proposal's wording, and anyway it is just a proposal at this point: SC27 will be invited to comment and revise it before the standard's development gets the go-ahead (if indeed it does).
ISMS guidance for SMEs
Quoting directly from the proposal to SC27:
A large part of the global economy relies on Small and Medium Enterprises (SMEs). As information and communication technologies gain momentum in organizations, SMEs are also victims of cyberattacks and possible new regulations, generating a need for protection and methods. A guidance is needed that is based on the good practices and security controls of the ISO/IEC 27002 standard but adapted to the context of SMEs. Such context is made of a small organization, no dedicated staff on cybersecurity, a quest of simplicity to handle evidence. The goal is therefore to make the proposed document accessible to non-experts, easy to read and to understand to implement in an SME context the measures it proposes. Likewise, it takes into consideration the financial size and/or limited human resources of most small and medium organizations.
So, the proposal is to support and encourage SMEs to protect themselves by adopting (appropriate) good practice infosec controls from 27002, offering straightforward advice. The proposal also notes other sources of security guidance:
I'm disappointed that the ISO27k Forum's Adaptive SME security guideline from the ISO27k Toolkit didn't merit a mention (including the resources used in its preparation - see the comparison table) but, hey, if you agree, we can address that through our national standards bodies.
Bottom line: I'm excited at the potential of both proposals, if a little pessimistic about the scope and quality of the standards and the time they will take, if approved.
