The ISO 27001 standard[1] is a specification for managing an information security program in an organization. The International Organization for Standardization (ISO) developed and maintains this standard. Worldwide, ISO 27001 has become the most popular standard for managing information security programs, and many organizations have received a certification that their information security management system complies with the standard.
When companies obtain an ISO 27001 audit, they usually envision working with auditors to complete the project using operational, management, information security, and internal audit teams within the organization. What they may find surprising is that the ISO 27001 framework contains a number of legal topics, and the input of the legal team is vital as well. Some organizations may consult legal counsel about these topics, but I believe most organizations try to address these topics without legal help or use “off the shelf” documentation offered as samples from their auditors.
Writing documentation without the help of legal counsel creates risk for the organization. In the event of a security breach, for instance, government or plaintiff’s lawyers will ask for, and be entitled to examine, the “off the shelf” policies and procedures adopted by the company. If the policies and procedures were never implemented properly, these lawyers would point to the lack of adoption as evidence of knowing failure to implement security practices properly. If the policies and procedures are inconsistent with actual security practice, the inconsistency will make the company look lax in its security practices.