Actions were taken (the patch directive was emailed, scans were run), but their outcomes were never verified. Security controls were assumed to be operational even when they were blind. ISO 27001 maturity is evidence-driven: "show me control effectiveness".
ISO 27001 Control Mapping Table
| Control Area | Control Intent | What Failed | Risk Created | Remediation |
|---|---|---|---|---|
| A.5/A.6 Policies + Responsibilities | Define enforceable policies and accountable roles | Patch directive had no accountable owner, tracking, or escalation | Critical risk stayed open, unnoticed | RACI + SLA + auto-escalation + closure evidence requirement |
| A.8 Asset Management | Maintain inventory and ensure assets are controlled | Internet-facing ACIS not reliably governed in vuln/asset scope | Unknown exposure surface | Authoritative inventory (CMDB), internet-facing catalog, enforced scanning/patch scope |
| A.12.6.1 Technical Vulnerability Mgmt | Identify, remediate, and verify vulnerabilities | Known CVE with patch stayed open for 78 days | Remote code execution on web tier | Critical CVE workflow: detect → ticket → patch → verify → attest; KPI: SLA compliance + aging |
| A.12.1.2 Change Management | Control and validate changes | No validated confirmation of patch deployment | False sense of remediation | Change validation gate: patch proof + runtime verification; evidence stored |
| A.12.4 Logging & Monitoring | Record events and detect anomalies | Monitoring blind spot: tool blind for 19 months due to an expired certificate | Attack persistence + undetected exfiltration | Control-health monitoring (cert expiry, pipeline checks), anomaly detection for outbound flows |
| A.13.1.3 Network Segregation | Separate networks and restrict movement | Web portal could reach 51 internal databases; minimal segmentation | Lateral movement + broad data access | Tier segregation, allow-listing, service identity controls |
| A.9 Access Control | Least privilege and need-to-know access | Over-permissive data access paths from web tier | Mass exposure once perimeter breached | Privilege review, network ACLs, service-to-service authN/Z |
| A.10 Cryptographic Controls | Protect sensitive data with encryption | PII (SSNs) stored unencrypted at rest | High-impact breach outcomes | Encrypt high-sensitivity fields at rest + key management and rotation |
| A.16 Incident Management | Consistent incident handling and response | 40-day delay to public disclosure; unclear decision authority | Legal and regulatory exposure | Incident severity model + legal decision matrix + timeboxed disclosure workflow + tested playbooks |
| A.18 Compliance | Identify and meet legal obligations | Notification obligations not operationalised; readiness not tested | Delayed reporting; enforcement risk | Obligations register + notification matrix + tabletop exercises + evidence of execution |
| A.15 Supplier Relationships | Manage third-party risk including components | Open-source component risk not embedded in operational monitoring | Critical CVEs not governed | Component inventory (SBOM mindset) + vulnerability feed monitoring + response SLAs |
ISO 27001 does not "stop hacks". It prevents governance drift. Equifax failed because controls were not owned, not verified, and not escalated when broken. If you cannot prove effectiveness with evidence, you do not have a control — you have a belief.
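As an added illustration of the evidence-driven checks behind the A.12.6.1 and A.12.4 rows (not code from the original article), the script below turns two of the failure modes in the table into automated findings: a critical CVE ticket aging past its SLA or marked "patched" with no verification evidence, and a monitoring sensor whose inspection certificate has expired and is therefore blind. The 14-day SLA, the ticket and sensor records, and the CVE ids are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed SLA for critical CVEs; the article does not fix a number.
CRITICAL_SLA_DAYS = 14

@dataclass
class VulnTicket:
    ticket_id: str
    cve: str          # placeholder ids below, not real CVEs
    opened: date
    status: str       # "open" | "patched" | "verified"
    evidence: str = ""  # e.g. a scan id proving the fix actually landed

@dataclass
class Sensor:
    name: str
    cert_expires: date  # inspection cert on the monitoring appliance

def vuln_findings(tickets, today):
    """SLA aging plus closure-on-belief: 'patched' without evidence is not closed."""
    out = []
    for t in tickets:
        age = (today - t.opened).days
        if t.status != "verified" and age > CRITICAL_SLA_DAYS:
            out.append(f"{t.ticket_id} {t.cve}: {age}d open, SLA {CRITICAL_SLA_DAYS}d breached")
        if t.status == "patched" and not t.evidence:
            out.append(f"{t.ticket_id} {t.cve}: marked patched with no verification evidence")
    return out

def sensor_findings(sensors, today, warn_days=30):
    """Control-health check: an expired inspection cert means the sensor is blind."""
    out = []
    for s in sensors:
        left = (s.cert_expires - today).days
        if left < 0:
            out.append(f"{s.name}: cert expired {-left}d ago, sensor blind")
        elif left <= warn_days:
            out.append(f"{s.name}: cert expires in {left}d, renew now")
    return out

# Constructed sample records mirroring the failure modes in the table.
TODAY = date(2024, 6, 1)
TICKETS = [
    VulnTicket("VULN-1", "CVE-0000-0001", TODAY - timedelta(days=78), "open"),
    VulnTicket("VULN-2", "CVE-0000-0002", TODAY - timedelta(days=3), "patched"),
    VulnTicket("VULN-3", "CVE-0000-0003", TODAY - timedelta(days=40), "verified", "scan-4711"),
]
SENSORS = [Sensor("tls-inspect-01", TODAY - timedelta(days=19 * 30)),
           Sensor("tls-inspect-02", TODAY + timedelta(days=200))]
```

Running `vuln_findings(TICKETS, TODAY)` and `sensor_findings(SENSORS, TODAY)` yields the attestation lines an auditor would expect to see stored as closure evidence rather than asserted by email.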
