COVID complicates ISO 27001 audits, creating risk for some UK companies

ISO management system certifications earned by UK companies could be at risk of lapsing due to certification bodies auditors not being able to conduct in-person re-certification audits during the coronavirus pandemic, according to InfoSaaS.

The ISO 27001 standard aims to help organisations create a management system to control information security risks. With around 114 controls in 14 groups and 35 control categories, achieving certification can be a significant undertaking, taking many months and thousands of pounds to implement. Furthermore, the loss of ISO certification could put companies in breach of contract with partners.

ISO certifications also require regular audits to ensure continual adherence to their requirements. These are often done through in-person audits and assessments, but the COVID-19 pandemic has meant many missed audits. Under normal conditions, UKAS guidelines allow a maximum six months overrun for recertification audits and that if recertification assessments cannot be performed in that time the certificate should be suspended.

COVID makes ISO audits more difficult

InfoSaaS predicts an average of 2,500 UK certifications per month could be at risk of lapsing due to the break in audit activities, potentially leaving companies and their clients at risk. “ISO standards are living certifications,” says Peter Rossi, co-founder of InfoSaaS, “you have to be re-audited to prove that you’re still adhering to it and that’s typically a very face-to-face process. Now people are coming back to work but delivering these audits face to face is still proving challenging, so they’re having to look at ways of moving to remote audits.”

Remote audits are possible if the certification body is willing to perform them. Meetings will need to be done via video tools and documents shared over email or a file-sharing service for inspection. The UKAS FAQs page on remote ISO assessment says that parts of audits and assessment that would normally require in-person observation will either need to be done via online communication channels, sending pre-recorded video to the auditor, or have to be viewed in person at a later date.

A spokesperson for UKAS says that the UKAS Policy on Accreditation and Conformity Assessment During the COVID-19 Outbreak (TPS 73) published in April 2020 states that given the unprecedented nature of the coronavirus outbreak, it is anticipated that six months may not provide sufficient opportunities for certification bodies to conclude recertification audits.

UKAS policy for this outbreak, according to the spokesperson, is that the decision on recertification must be made within three months of the lifting of restrictions (e.g., travel) that prevent on-site audits from taking place. The certificate should be withdrawn if this timeframe exceeds 12 months and a new initial audit will be required.

Rossi acknowledges that remote audits are happening but warns that auditors might be less likely to pick up on potential issues. “You’ve got the risk of auditors not being able to come in and do proper face-to-face audience where they could potentially catch companies out.”

Jon Hull, managing director of JR Consultants, says that his company has completed all remote re-certification on ISO 27001 for customers who wished to go ahead with their assessment, and that the majority of all companies have been able to maintain their certification by either changing their audit date but still falling within the six months allowed by UKAS. “We have found that there are little or no complications for staff working remotely to complete an assessment remotely. There is no reason for any company not to be able to gain their accreditation.”

Scott Nicholson, director at Bridewell Consulting, adds that there is less personal interaction and relationship building during remote audits, which allows the auditor to observe the behavioral and cultural side of the business. “The only real deficit in the process is the physical security aspect and being able to visually demonstrate a secure culture,” he says. “To mitigate this, organisations should focus on the policies, processes and training and awareness they produce.”

“Organisations need to place a large emphasis on planning the audit when being delivered remotely. Traditionally, the auditor may decide who they speak with and drive the audit, but in a remote context it is important that organisations understand the areas being assessed, the individual within their company that covers the audit area and that they are all made available for the assessment.”

UK certification body BSI tells CSO that although it has been unable to complete some initial assessments, 30% of its certificates were successfully renewed during the pandemic, with 4% of current of its ISO 27001 certificates being issued for the first time during the pandemic.

The certification body also says it has worked closely with clients whose audits were impacted by the pandemic, and in a very small number of cases has extended the validity of the client’s certificate without conducting audit activity. Such decisions were made on a case-by-case basis where sites were closed with no staff present or staff were furloughed, and the past performance of the client provided enough confidence to auditors that the risk of non-compliance was considered low.

COVID might hurt compliance efforts

For companies that do engage in remote audits, there is a risk that some of the changes brought around to ensure the business continued to operate remotely during lockdown could impact compliance efforts.

“You’ve had this lockdown period where CIOs, CISOs, and compliance management teams who have normally been looking after the audits for these businesses were potentially furloughed or not working effectively,” says Rossi. “All the usual activities or the routine activities that would have been being handled, such as backup reporting and log reporting and security incident reporting and risk assessments, may not have been being carried out on a daily basis.”

Rossi adds that the transition to remote work would have created a lot of work for the internal compliance teams, especially around assessing remote collaboration tools, identifying potential shadow IT, and remote device management. “CISOs need to start looking at it now. Understand what tools are in place, who’s using them, who’s responsible for them, get them risk assessed.”

CISOs and their companies should also reassure clients where data security and certification such as ISO 27001 are an important part of the agreement that they are continuing to take security seriously, Rossi advises.

JR Consultants’ Hull says with regards to ISO27001 certification, remote working has highlighted the need for:

• Revised policies and procedures that minimize security risks for remote work
• Greater availability of remote working equipment for all support staff
• Migration from paper-based processes, secure remote access to documents, and the adoption of electronic signatures and secure document scanning apps

ISO certificates lapses could be costly and risky

Aside from the time and cost of achieving ISO 270001 recertification after a lapse, failing to maintain the same standards potentially leaves companies vulnerabile if risks around new tools and processes are not properly assessed and controlled. “One of the main risks to losing ISO27001 certification is no longer being compliant with contractual requirements,” says Bridewell’s Nicholson. “Many of our clients have contractual obligations to be ISO27001 certified, as this provides assurance that there is a security management system in place that is independently assessed against an international framework. Losing ISO27001 certification could result in a breach of contract and attract negative attention from clients.”

There might also be additional risks to third parties and competitive advantage if agreements and business deals involve ISO certification as a prerequisite of doing business. “Contracts that are in place between buyer and supplier could require those certifications to be up to date, which could cause potential problems,” adds Rossi. “The risk then actually goes to the client and you have the risk that your data may not be as securely held as you might have hoped.”

While Rossi thinks certification bodies will be lenient on businesses with regard to timing, it is still up to the organisations to ensure they have caught up with their ISO obligations to avoid unwanted surprises during future audits, remote or otherwise. “Ultimately if they couldn’t get an auditor available to do the audit and the company didn’t have the people available, then this is a problem out of their control and they shouldn’t be punished for it,” he says. “Conversely, the company itself still needs to do all the things that it needs to do to maintain that certification, and if things have changed there’s a lot of work that they’re going to need to do to wrap their head around it.”