Senior Management ends up delegating the project to the Information Technology (IT) area when in reality it should be a transversal project for the entire organization. The selection of the controls is a step, it is only a clause of the standard. ISO27001:2013.
I have been asked on several occasions if it is possible to apply the standard only in the area of Information Technology and the answer is that the standard was not written thinking only of the IT area.
The standard exists to teach us to Implement a Management System that will incorporate the necessary mechanisms to mitigate the risks associated with the confidentiality, integrity and availability of the organization's information.
Information that flows within the organization's own processes, including the value processes that are the ones that interact with customers and some interested parties and the support processes that by their nature allow the value processes to fulfill their purpose within the organization. organization. We can shield the IT area, but we neglect the processes that really interact with the client, which is where the information is really captured. The IT area within an organization is the equivalent of the nervous system of the human body, it is an area of vital importance, a lot of information flows through it.
Let us not forget that the information can be represented in different media, one of them is the electronic medium, the information can be in written media, it can be in corporate videos within the intranet, on paper, in the minds of the collaborators, etc. .
At a very macro level, to implement an Information Security Management System, I suggest having the following concepts clear: (one step does not necessarily include the other, it is just an idea to understand it in a simple way).
· Establish the Information Security Management System
· Manage Information Security Risks (Identification, assessment, treatment)
· Select Information Security Controls.
Although in the end several information security controls are implemented, it is useless to only implement them if we do not take into account that what the ISO27001 standard seeks is to create an Information Security Management System with a focus on processes that best fits the organization.
The standard has an Annex in which we find 114 controls that can be selected at the time of Risk Management.
An ISMS must be planned, implemented, measured/verified and constantly improved, regardless of the process approach selected.
To do this, policies must be implemented that are deployed in the organization through procedures and their respective records at different stages. Useful documented information must be left to validate compliance with each stage.
For example, it is a good practice to carry out internal ISMS audits (Clause 9.1 ISO 27001:2013) where the different findings and action plans generated are documented as records. If we go to the controls in Annex A, we will not find any control related to Internal Audits. You know why? Because doing Internal Audits is part of the Management System, not simply part of the Information Security controls, we could think that said procedure is a macro control of the ISMS.
An extremely important step when implementing an ISMS is the analysis of information security risks and it is a good practice to leave a documented procedure where it is clearly indicated how it is done, so that said procedure can be reused as many times as necessary.
In a very simple way of explaining so that it is understood, at a macro level and without going into technicalities or details, the steps are as follows: (it is not an implementation guide, nor is it a translation of the steps of the standard, for detailed reference please read ISO/IEC 27001:2013 and ISO/IEC 27005:2018 and where appropriate reference is made to the clause of the standard so that you can understand more in detail)
 As part of the process, risk criteria must first be created where part of what will be indicated will be the general levels of risk accepted by the organization, normally a numerical scale related to High, Medium, Low is defined. (ISO/IEC 27001:2013 6.1.2)
 Then, the risk assets with sensitive information must be inventoried, the risk levels to which said assets are exposed must be evaluated/calculated (one by one or grouped in similar groups), information security controls must be taken into account current that the organization has. The result is compared against the criteria given in  and if they are on the scale of acceptable risks, a way must be found to reduce said risk, continuing in the next step.
 To reduce the current level of risk, options for risk treatment must be selected (here the controls of Annex A and additional controls from other sources that the organization considers appropriate) (ISO/IEC 27001:2013 6.1.3)
 After selecting these risk treatment options we must recalculate the level of risk and compare against the parameters defined in  and the previous results of , if the level of risk is still above the acceptable parameters, they can be selected. /create more controls by returning to  and the process is repeated until the risk levels accepted by the organization are reached. Normally, risk 0 is not reached, there will always be a certain level of risk exposed, which is called residual risk.
 Based on Annex A, with all the controls selected in , the excluded ones and the new ones, if any, a report called Statement of Applicability (SOA) must be created where the reason is justified for each control. whether it is implemented or not. (ISO/IEC27001:2013 6.1.3.d)
 A plan must be generated to implement those indicated in the SOA, which we will call the Information Security Risk Treatment Plan, said plan will include the necessary budget for the implementation, the execution of said plan must be monitored. (ISO/IEC27001:2013 6.1.3.e)
 SApproval for the Implementation of the Risk Treatment Plan and acceptance of the residual risks related to Information Security must be obtained from the owners of the risks. (ISO/IEC 27001:2013 6.1.3.f)
Throughout my experience on the family of ISO 27000 standards in different Latin American countries, and after implementing Information Security Management Systems (ISMS) in different sectors, I have been able to observe that a typical mistake when talking about security of information is to think that it is solved with more hardware or with more software.
If you start here you will be making the typical mistake that I have seen on many occasions, where they start with the controls. The selection of controls is only one step that is part of the Information Security Risk Management, I suggest you start with the Information Security Management System.
Por: Elder A. Guerra V.
CEO ES Consulting
INLAC Registered Expert ISO/IEC JTC 1/SC27/WG1Information security, cybersecurity and privacy protection