Module 4: Compliance & Integration

Integration with ISO 27001


ISO 27019 extends ISO 27002, which is used within ISO 27001 ISMS frameworks. Energy companies can integrate OT security into their existing ISMS or build a separate but coordinated system.

Relationship Between Standards

ISO 27001: Management system framework (requirements standard)

  • Provides ISMS structure and requirements
  • Certification standard
  • Applies to any organization

ISO 27002: Information security controls (guidance standard)

  • Catalog of security controls
  • Implementation guidance
  • Referenced by ISO 27001 Annex A

ISO 27019: Energy sector guidance extending ISO 27002 for OT

  • Sector-specific control guidance
  • OT/ICS focus
  • NOT a standalone certification standard

ISO 27019 is NOT a certification standard - it provides sector-specific guidance for implementing ISO 27001 in energy utilities.

Integration Approaches

Single Integrated ISMS

One ISMS covering both IT and OT:

  • Advantages: Single management system, unified policies, one certification, less duplication
  • Challenges: Different operational requirements may compromise OT needs
  • Best For: Smaller organizations, companies with modern OT infrastructure

Separate but Coordinated ISMS

Separate ISMS for IT and OT:

  • Advantages: OT-specific procedures, clearer ownership, fits operational culture
  • Challenges: Duplication of effort, coordination overhead, potentially separate audits
  • Best For: Large organizations, companies with extensive legacy OT

Hybrid Approach (Recommended)

Core ISMS with OT-specific annexes:

  • Advantages: Single framework with OT appendices, flexible implementation, one certification
  • Challenges: Requires careful scope definition
  • Best For: Most energy companies

Extending ISO 27001 Clauses for OT

Clause 4: Context of the Organization

IT Focus: Business stakeholders, IT systems, enterprise architecture

OT Extension:

  • Operations stakeholders (plant operators, control engineers)
  • Process control systems and field devices
  • Purdue model architecture
  • Safety system requirements and constraints
  • Regulatory requirements (NERC CIP, NIS2, etc.)

Clause 5: Leadership

IT Focus: CISO and IT security team leadership

OT Extension:

  • Operations management involvement and commitment
  • Safety team coordination
  • OT security team or leader
  • Board understanding of OT risks

Clause 6: Planning

IT Focus: IT risk assessment, business continuity

OT Extension:

  • OT risk assessment considering availability and safety
  • Consequence-driven analysis (safety, equipment, environmental)
  • Integration with safety risk processes
  • Operational constraints in planning

Clause 7: Support

IT Focus: IT security training and resources

OT Extension:

  • OT-specific security training for operations staff
  • Operations team security awareness
  • Vendor and contractor management
  • Specialized OT security tools

Clause 8: Operation

IT Focus: Implementation of IT security controls

OT Extension:

  • ISO 27019 OT-specific controls
  • Compensating controls for legacy systems
  • Integration with operational procedures
  • Coordination with safety procedures

Clause 9: Performance Evaluation

IT Focus: IT security metrics (incidents, vulnerabilities)

OT Extension:

  • OT-specific metrics (availability focus)
  • Safety integration monitoring
  • Operational impact metrics
  • Control effectiveness for OT

Clause 10: Improvement

IT Focus: IT incident lessons learned, audit findings

OT Extension:

  • OT incident analysis and lessons
  • Coordination with safety incident processes
  • Continuous improvement balancing security and operations

Annex A Control Extensions

ISO 27019 extends many Annex A controls with OT-specific guidance:

A.9 Access Control

  • Additional guidance on physical/logical convergence
  • Shared OT account management
  • Emergency "break glass" access
  • Vendor access controls

A.12 Operations Security

  • Extensive OT guidance on patching and change management
  • Malware protection adapted for OT
  • Backup and recovery for control systems

A.13 Communications Security

  • Network segmentation and zoning
  • OT protocol security
  • Unidirectional gateways and data diodes

A.17 Business Continuity

  • OT-specific continuity considerations
  • Safety system requirements in disasters
  • Manual operations procedures

Organizational Structure

Governance Model

  • Board/executive oversight of both IT and OT security
  • CISO with responsibility for IT security
  • OT Security Lead (may report to CISO or Operations Director)
  • IT/OT Security Coordination Committee
  • Integration with safety governance

Roles and Responsibilities

IT Security Team: Enterprise IT, office systems, business applications, IT networks

OT Security Team: Control systems, field devices, process networks, OT protocols

Shared Responsibility: Network boundaries, DMZ, remote access, vendor management

Policy Framework

  • Enterprise Information Security Policy (high-level, covers all)
  • IT Security Policy (IT-specific procedures)
  • OT/Control System Security Policy (OT-specific procedures)
  • Supporting standards and procedures for each domain

Risk Management Integration

Unified Risk Register

Single risk register covering both IT and OT with clear categorization:

  • IT risks (business systems, data breaches)
  • OT risks (control systems, safety, operations)
  • IT/OT boundary risks (integration points, DMZ)
  • Risk ownership clearly assigned

Risk Treatment Coordination

Ensure IT security measures don't negatively impact OT:

  • Review IT changes for potential OT impact
  • Test IT security tools before OT deployment
  • Coordinate patch and maintenance schedules
  • Share threat intelligence between IT and OT teams

Documentation Integration

Shared Documentation

  • Information Security Policy (enterprise-wide)
  • Risk assessment methodology
  • Incident response framework (with IT and OT procedures)
  • Disaster recovery approach
  • Training requirements

Separate Documentation

  • Technical procedures (IT-specific vs. OT-specific)
  • System inventories and network diagrams
  • Detailed control implementations
  • Vendor management procedures

Audit Integration

Combined Audits

Single ISO 27001 audit covering both IT and OT:

  • Advantages: More efficient, single certification, unified view
  • Requirements: Auditors need OT/ICS expertise
  • Considerations: May need specialized auditor

Separate Audits

Separate IT and OT audit activities:

  • Advantages: Specialized auditors, less disruption to operations, clearer scopes
  • Challenges: More time consuming, potential for inconsistency
  • When Used: Very large organizations, highly specialized OT

Next Lesson: Mapping ISO 27019 controls to NERC CIP requirements.
