Recently, I found myself in an ISO 27001 audit, championing our work and advocating for my client, when the auditor raised a concern about supplier management. They flagged a non-conformity around preferred suppliers, which struck me as entirely irrelevant. My immediate thought was that the auditor had accidentally veered into ISO 9001 territory (Quality Management).
While ISO 27001 does require supplier oversight, evaluation, and review, the expectations are not identical to those of ISO 9001. I decided to push back and asked the auditor to point out exactly where in the 27001 standard this was a mandatory requirement.
While I strive not to antagonise auditors—as they are simply doing their job—it’s worth noting that not all auditors are equally experienced in ISO 27001. Some may jump between different standards and confuse the requirements. Others might lack a deep understanding of technical cybersecurity aspects. This can lead to situations where they apply incorrect or irrelevant requirements, which is why being well-versed in the standards is so crucial.
A Reddit Query Highlights the Same Issue
Just yesterday, I encountered a similar story on Reddit.
Someone reached out with questions about scope and mandatory requirements. Their auditor was being unreasonably critical about regulatory and contractual obligations that, according to the person, were not in scope. If something is explicitly out of scope, an auditor has no authority to demand compliance.
For example:
If I declare, “All my government contracts are in scope for 27001” and “All my B2B contracts are out of scope,” then that is final. The auditor cannot dictate otherwise.
This scope statement is often reflected on the certificate itself for clarity.
Auditors can challenge gaps within the defined scope, but they cannot arbitrarily extend it. It’s imperative to push back when necessary, but only with evidence, whether from your Statement of Applicability, your documented scope, or the standards themselves.
The Distinction Between ISO 27001 and ISO 27002
This brings me to a critical distinction: the one between ISO 27001 and ISO 27002.
ISO 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It defines mandatory requirements that an organisation must meet to achieve certification.
ISO 27002, on the other hand, serves as a supplementary guide, offering advice and best practices for implementing the Annex A controls in ISO 27001. However, it’s important to remember that ISO 27002 is explicitly labelled as “ADVICE AND GUIDANCE.” It is not mandatory.
In fact, the introduction to ISO 27002 clearly states that its guidance might not suit all organisations and should be tailored to fit their specific needs. This flexibility ensures that organisations can adopt controls that align with their context and risks rather than blindly following a prescriptive checklist.
Why Mastery of the Standards Matters
Knowing the nuances of both ISO 27001 and ISO 27002 enables you to:
Push Back with Confidence - When auditors overreach or misinterpret requirements, you can rely on your in-depth understanding of the standards to present a clear, evidence-based argument.
Tailor Your ISMS Effectively - Understanding that ISO 27002 is guidance allows you to implement controls in a way that best fits your organisation’s context, rather than feeling forced into an unsuitable one-size-fits-all approach.
Set Clear Boundaries - A well-defined scope is your shield against scope creep during audits. Auditors cannot argue against a clearly documented and justified scope.
Ensure Compliance Without Overcommitment - By distinguishing between mandatory requirements and guidance, you avoid overburdening your organisation with unnecessary controls.
In conclusion, auditors aren’t infallible, and it’s your responsibility to know the standards inside and out. This knowledge not only ensures compliance but also empowers you to challenge misconceptions and maintain control over your ISMS implementation.