ISO 27001: Auditing “Themes” in the 2022 Revision

The CSA Security Update podcast is hosted by John DiMaria, Director of Operations Excellence at CSA. The podcast explores the CSA STAR program, cloud security best practices, and associated technologies. In this blog series, we edit key podcast episodes into shorter Q&As.

Today’s post features David Forman, Founder of Mastermind Assurance. David and John delve into “auditing themes," as introduced in the ISO/IEC 27001:2022 revision. This reorganization of domains marks a significant shift in how we think about and implement information security management. Understand the rationale behind this change and how it helps ensure a robust and comprehensive security audit.

Listen to the full podcast episode here.

John DiMaria: Hello everyone and welcome to another episode of the CSA Security Update. Today I have on David Foreman. He's a seasoned cybersecurity expert with over a couple decades of experience. He's successfully enhanced the security posture of numerous organizations, and now he is a certifying body as well. David, welcome to the show. Maybe start by giving us a little background about yourself and Mastermind Assurance.

David Forman: Yeah, sure. Almost my entire career, I've been working with ISO standards. I started my career at Ernst and Young and did a lot of work for EY CertifyPoint, their accredited certification body arm. After EY, I moved over to Coalfire, and I ran what was known as the Global Assurance Practice there. And then more recently, I launched Mastermind Assurance, also a certification body. So I guess this is certification body number three.

ISO Auditing Themes

JD: Let's talk about the 27001:2022 revision. What was the motivation for the shift from domain-based auditing to theme-based auditing?

DF: So I used to be part of what's known as the US Technical Advisor Group, US TAG. It’s more or less the ISO member for the United States. I remember as far back as 2019, we were getting feedback from accreditation bodies and certification bodies. They were saying the ISO 27001:2013 revision was good, was comprehensive, but from the standpoint of how it was organized, they were saying it didn't flow.

Essentially, when you got into risk-based conversations, audit trails, etc., you found yourself interrupting the conversation pretty often if you went in order. I think that's where this originated from, just the fact of making these audits more of a conversation, more of a natural walkthrough. Obviously there was also some tailoring with the 27001:2013 to 2022 revision in terms of making it more applicable to current hosting and architectures.

Overall, I think the reorganization 1) allows for more flexibility by an auditor on how to actually approach the audit program for a given annual audit, but also 2) allows for you to follow those risk-based controls themes, however you want to view it more naturally, without breaking the standard.

JD: How do the key themes introduced in the 2022 version differ from the previous domain structure?

DF: So in the 2013 revision, there were 14 domains. Those include human resources, cryptography, supply relationships, general compliance, legal, those kinds of topics. And now in the new revision, they've been reorganized into four categories, or what we're calling “themes.” So those are very broad topics, but they have way more controls for any given family than you would've seen previously.

Applying ISO Audits to CSA STAR

JD: I'm looking at STAR certification and there may be some practical benefits of auditing by themes compared to the traditional domain approach. What would be the changes, if any, in terms of aligning those security practices with organizational goals?

DF: One of the first requests we got when 27001:2022 came out was obviously mapping to CSA’s CCM. I remember roughly 135 controls from the CCM were mappable to 27001:2022. And then there were roughly 50 odd controls that had a partial gap, and only two controls that had a full gap. So long story short, the CCM maps very well with 27001:2022. And I think that's getting at the crux of what you're talking about here.

The CCM, to a lot of first time readers, is a scary document. It's 197 controls. And I'll tell you, if you come from my background or you look at these other more rigid frameworks, it starts taking on a NIST 853 or even a HITRUST CSF flavor. And you think, “oh my gosh, there aren’t just requirements for each of these domains, but there are specific attributes within each requirement as well.” So it creates sub-requirements.

Both the CCM and 27001 share the same very closely-knit parent relationship in terms of how you are supposed to apply the controls, based on who you are as an organization and the scope of the management system. I think a lot of implementers over-rotate sometimes on what the true intent of some of these control requirements talk about. Ultimately I think it creates a more intimidating experience than is needed.

JD: Jim Reavis, our CEO at CSA, actually wrote a blog recently about that, in terms of how people need a better understanding of the CCM versus some of these other standards. The reality is, once you've mapped controls to your 27001 statement applicability, you find that you're actually embellishing upon your controls if needed, not adding new controls.

Audit Strategies & Tips

JD: There might be some challenges organizations face when they're adopting the theme-based auditing model. What strategies could be employed to overcome these challenges during the transition?

DF: So if you are in a surveillance right now for your existing 27001:2013 certificate, you have until October 31, 2025 to transition to 27001:2022. But if you're going through initial certification or recertification, that deadline has since passed.

To your question though, I'll make a bold statement here. If you have an auditor that is going control by control, they're likely approaching the audit program incorrectly. It's definitely not following the flavor of a risk-based audit program.

If I look at an audit plan and I see Customer One has 10 activities that make up the audit plan for a given Stage 2 audit, those 10 activities should not look the same as the ones for Customer Two. Behind Stage 1 audits is a kind of “developing of your audit universe,” your own program specific to the risk, the technologies employed, the people, the age of the organization, the type of data it runs into, the type of customers it works with, the industries it works within.

I find a lot of fault when I see these audit plans that just say, “All right, we're going to look at audit and assurance. We're going to look at governance, risk management, and compliance.” Just literally restating the domains and not actually getting down to, “Okay, we want to first get a demo of your tool. And then we want to audit certain risks we see as a result of what your tool does plus the type of customers you work with.” That's actually a risk-based audit.

You should think about creating flow with your audit, covering these themes, using that as your guiding light in order to direct your interviews. But then from those interviews, you decide specific audit trails or areas you want to dive deeper into. That's good auditing.

AI & The Future of Auditing

JD: Let's take out your crystal ball here for a second. What do you think the future holds for certifications? Is AI going to start playing a bigger role in carrying out these audits?

DF: The short answer is absolutely yes, and we're all in denial if we think otherwise. When I think about AI, the idea of automation comes up first. And I'll be honest - compliance automation - we've seen a rise of that since about 2019. Most auditors try to either fully adopt or fully hate the rise of this new sector.

But in all reality, where I think they're really good is awareness. Whenever somebody is talking about compliance, that's good for the industry as a whole. And I think SOC 2 reporting, ISO 27001 specifically, has come into the household, so to speak. And whenever it comes into the household to people outside of our industry or non-technical personnel, eventually it finds its way into the boardroom. So I think there's good there.

But getting into the AI component of it, I do think you're going to see automated reviews of electronic evidence. If you look across the space right now, there's variability across certification bodies in terms of whether or not they collect offline evidence. There are pros and cons of doing it from a business perspective. There's not a hard requirement in any of the normative standards for certification bodies to actually collect evidence beyond some specific work products.

JD: So I guess the question is, should people be concerned about the fact that as we get better and use AI, as we are able to do more intense testing and things, should there be a concern that, now all of a sudden what I was compliant with yesterday, now I'm not compliant. Is it just because you have the ability to test it now?

DF: What you're getting at is basically, is technology going to create more findings on my audit report and more work in order to keep the same conformity status that I've maintained for prior years? And I'll say ultimately, that won't be driven by the auditor or the audit technology. It'll be driven by the rest of the market.

One of the biggest critiques you get from 27001 is just the level of specificity. It is a risk-based framework, but it just says, for example, do you have secure authentication mechanisms? Well, what does that mean? Is a user ID and password where the password is eight characters in length acceptable? That comes down to the auditor, understanding the risk of the environment, talking with the auditees, and understanding exactly what the system is.

JD: I really appreciate you taking the time to do this and sharing your expertise. If people want to get a hold of you, what's the best way to do that?

DF: Yeah, you can visit us on the web, ping us, and find us on LinkedIn. You can also find me personally, David Forman. I'd love to connect and hear your feedback on this episode.

JD: And you can always go to CSA’s website for more information on this, STAR CCM, and everything we've talked about. If you have any problems connecting with David, you can always ping us at [email protected] and we'll get you hooked up with David and his team.