The controls themselves are not hard to understand. Writing policies describing these controls is also not that hard. But: changing the way an organization is working, in terms of habits, documentation, information management, how we collaborate - that can be really, really hard. So even if the requirements in ISO 27001 and the controls guidance in ISO 27002 look straightforward from a technical point of view, it is not easy to change the way of working for a whole organization! It requires leadership, it requires resources, and enough competent people with internal social capital to help support and drive the change. This is why an ISO 27001 journey is usually not just smooth sailing.
Blue Team
Blue Teamers are the first (and sometimes last) line of defense in the ongoing cyber war. This place is to chat out detection strategies, complain about SIEMs, compare SOAR playbooks, or post mean memes about the Red Team.
No specific hurdles, other than to keep applying attention to detail and using the ample guidance in the ISO PDFs.
From what I can see, especially after the 2022 update, there's no hidden magic or complexity.
TL;DR: Yes, ISO 2700{1,2} are a low barrier of entry but a common set of controls that should be able to be applied anywhere.
The biggest hurdle to deploying any framework is updating the cycle of controls and keeping them aligned both with management and with the parties implementing them. There is as much non-infosec work as there is actual implementation of the controls.
- Policy Statement: Management guideline / statement to be followed
- Process: The flow to follow in order to meet that policy statement
- Procedure: The steps to follow in order to enable the process
- Standard: The measurement of the compliance with the policy statement
Each one of the (Annex A) 14 domains has specific controls within the ISMS (27001) that each need the above implementation steps in a big ol' spreadsheet. Then the technical controls within ISO 27002 need to be applied, documented, and supporting evidence gathered as well.
For implementing ISO 27002 I'd highly recommend looking at Common Criteria or the CIS controls that map 27002 to CIS.
Looks good! I'll check it out!
Yea, ISO27000 stuff is basic, but it's still a long list to all check off. I was also initially surprised how high-level it all is.
Personally, the toughest thing for me was justifying changes to the organisation and making sure any suggested changes are realistic for the maturity you're dealing with. This may mean some recommendations aren't best practice, but you can start moving the organisation in that direction, or even lay out a roadmap to make big changes more manageable and gradual.
As much as I would love to make hard and fast changes, this just isn't feasible in most organisations (especially government).