ISO 27001 is the first of a family of international standards called ISO/IEC 27000, which provide specifications for the management of information security. Closely related to ISO 27001 is the ISO 27002 Code of Best Practice, which provides guidance on international best practice in information security management from around the world. ISO 27001 and ISO 27002 together provide a framework to manage risks across all the information security subject areas that may affect a business, from external threats (hackers, viruses, etc.) to internal threats (employees, fraud, etc.). Organizations with an international presence, and subsidiaries of European and American companies located in a foreign country, should be interested in obtaining ISO 27001 certification to demonstrate a solid posture with regard to information security.
Benefits of Certification
An ISO 27001 certification is valid for three years and provides an organization with the following benefits:
- Demonstrate that effective security controls are in place, helping to create trusting business relationships.
- Improve security controls through a continuous and methodical approach.
- Provide directors of U.S.- and U.K.-listed companies (public and private sectors) with evidence of meeting the requirements of the Combined Code, the Turnbull Guidance, Sarbanes-Oxley and other legislation.
- Enable organizations outside the U.S. and U.K. to demonstrate compliance with national and international data privacy and data protection legislation.
Compliance with ISO 27001 will require employees to embrace the new security controls introduced by the standard, and this organizational change can also affect company culture. Active involvement of top management and the board of directors in the project implementation can add unanticipated layers to the process. The ISO 27001 compliance project may be seen as solely an initiative of the IT department rather than one of importance to the entire organization; it can be seen as just additional workload, and its benefits may be overlooked. Additional and proper communication at all levels of the organization about the project's requirements, benefits, etc. will be needed. Finally, the work and technical expertise needed may be beyond in-house resources.
Management Support
To gain management support, management will have to clearly understand the risks affecting the organization and how ISO 27001 will address them. Moreover, the ISO 27001 compliance project and the resulting ISMS will have to be aligned with the business model and strategy. Therefore, the direct involvement and commitment of senior management and the CEO to the project becomes essential to success.
Planning Ahead
Planning is a key factor in the ISMS project success. The recommended approach would be PDCA: Plan, Do, Check, Act.
Plan: Define the scope of the ISMS, the policies, and the approach to the risk assessment; then perform the risk assessment and evaluate remediation options.
Do: Formulate the remediation plan, gather related documentation, and determine the planned controls. Provide training and awareness programs to educate staff. Implement procedures to detect and respond to security incidents.
Check: Monitor, review, test and audit the controls on an ongoing basis.
Act: Review and address issues identified by tests and audits.
Communication
Compliance with ISO 27001 includes as a key component top-down communication of the information security vision to everyone in the organization. Proper communication will also facilitate the process of developing and enforcing the information security policy, the main component of the ISMS.
Risk Assessment
Risk assessment is at the heart of the ISMS. The risk assessment identifies the threats, the vulnerabilities, the impact of those vulnerabilities, and the controls already in place. The organization will need to determine the criteria for accepting risks and identify the levels of risk it will accept. If an organization does not have a formal risk management function, it will have to remediate as soon as possible by delegating this responsibility to an external consulting firm.
Control Selection
As part of the risk assessment, the organization will have to design, deploy, test and monitor controls to address the identified risks. Controls include technological, physical and personnel controls. An efficient methodology for control selection is to first classify and prioritize the risks; then, starting from the risks with the highest priority, choose controls that are proportional to the related risk. As part of the control selection, an organization will complete the Statement of Applicability (SoA), the second most important document of the ISMS. The SoA is a list of the controls described in Annex A of ISO 27001 along with a statement as to whether or not each control applies to the organization. If a control is applicable, the SoA describes how it is applied and identifies the related policies and procedures. If a control is not applicable, the SoA provides the reasons why.
Documentation
Documentation is another fundamental component of the ISMS. The minimum documentation required includes:
- ISMS policy manual: the information security policy, the scope statement for the ISMS, the risk assessment, the control objectives and the SoA.
- Evidence of the actions undertaken by management.
- A description of the management framework.
- The remediation action plan with documented procedures.
- The procedures used to manage the ISMS.
The level of detail is proportional to the complexity and size of the organization. However, ISO 27001 identifies four levels of documentation:
- The corporate policy driving the ISMS.
- The Statement of Applicability and other policies.
- Procedures describing who is responsible for doing what, and how.
- Operations/work instructions that detail how each identified task will be performed.
Testing
Testing and auditing should be performed on an ongoing basis. An organization does not need to test and audit every aspect of the ISMS at the same frequency, but it should at least ensure that mission-critical aspects are tested more often.
Conclusions
Organizations desiring to comply with ISO 27001 should anticipate obstacles along the way. However, those obstacles can be overcome as long as the ISMS is integrated into the organization and can count on top management support. With an ISO 27001 certification, an organization will be able to add value to the business and enhance its reputation by laying the foundations for strong management of its information security.