
ISO 27001: Road to Compliance

ISO 27001 is the core, certifiable standard of the ISO/IEC 27000 family of international standards, which specify how information security is to be managed. Closely related to ISO 27001 is the ISO 27002 code of practice, which gathers internationally recognized good practice in information security management. Together, ISO 27001 and ISO 27002 provide a framework for managing risk in every information security subject area that may affect a business, from external threats (hackers, viruses, etc.) to internal threats (employees, fraud, etc.). Organizations with an international presence, and subsidiaries of European and American companies located abroad, should consider obtaining ISO 27001 certification to demonstrate a solid information security posture.

Benefits of Certification
An ISO 27001 certificate is valid for three years, subject to periodic surveillance audits by the certification body, and provides an organization with the following benefits:
- Demonstrates that effective security controls are in place, helping to build trusted business relationships.
- Improves security controls through a continuous and methodical approach.
- Provides directors of U.S.- and U.K.-listed companies (public and private sectors) with evidence of meeting the requirements of the Combined Code, the Turnbull Guidance, Sarbanes-Oxley and other legislation.
- Enables organizations outside the U.S. and U.K. to demonstrate compliance with national and international data privacy and data protection legislation.

The Road to Certification


ISO 27001 states the requirements that are mandatory for compliance, whereas ISO 27002 provides guidance on how to implement and improve controls and is not itself required for compliance. Nevertheless, organizations should go beyond the bare requirements of ISO 27001 and embrace the guidelines of ISO 27002.

Challenges You May Face


Without proper planning, the following obstacles could create roadblocks for an effective ISO implementation:

2009 Enterprise Risk Management, Inc. All rights reserved.

- Compliance with ISO 27001 will require employees to embrace new security controls introduced by the standard. This organizational change could also affect company culture.
- Active involvement of top management and the board of directors in the project implementation could add unanticipated layers to the process.
- The ISO 27001 compliance project may be seen solely as an IT department initiative rather than one of importance to the entire organization.
- The project may be seen as just additional workload, and its benefits may be overlooked.
- Additional, proper communication at all levels of the organization about the project's requirements, benefits, etc. will be needed.
- The work and technical expertise needed may be beyond in-house resources.

Getting the Job Done

Initial Approach
The design and implementation of an ISMS is more a management task than a technological one. To succeed, the project must be adequately resourced, and the project leader will need to:
- Communicate to all levels of the organization why information security is important for the company and the benefits of being ISO 27001 certified.
- Know how the project is going to be structured and its key elements and requirements.
- Know how and where to find the necessary help.

Management Support
To gain management support, management must clearly understand the risks affecting the organization and how ISO 27001 will address them. Moreover, the ISO 27001 compliance project and the resulting ISMS must be aligned with the business model and strategy. The direct involvement and commitment of senior management and the CEO therefore become essential to success.

Scope the Project


ISO 27001 requires the organization to define the scope and boundaries of the ISMS. The scope typically depends on the characteristics of the business, the organization, its locations, assets and technology. Organizations should also consider business, legal and regulatory requirements, and contractual security obligations. Management will have to decide what is inside and outside the scope by defining logical and/or physical boundaries, and record the justification for anything excluded.

Planning Ahead
Planning is a key factor in the success of the ISMS project. The recommended approach is the PDCA cycle: Plan, Do, Check, Act.


- Plan: Define the scope of the ISMS, the policies and the approach to the risk assessment; perform the risk assessment and evaluate remediation options.
- Do: Formulate the remediation plan, gather related documentation and determine the planned controls. Provide training and awareness programs to educate staff. Implement procedures to detect and respond to security incidents.
- Check: Monitor, review, test and audit the controls on an ongoing basis.
- Act: Review and address the issues identified by tests and audits.

Communication
A key component of ISO 27001 compliance is top-down communication of the information security vision to everyone in the organization. Proper communication will also facilitate the development and enforcement of the information security policy, the main component of the ISMS.

Risk Assessment
Risk assessment is at the heart of the ISMS. The risk assessment identifies the threats, the vulnerabilities they could exploit, the impact of their exploitation and the controls already in place. The organization will need to define its criteria for accepting risk and identify the levels of risk it will accept. An organization that does not have a formal risk management function should establish one promptly, either by building it in-house or by engaging an external consulting firm, because the rest of the ISMS (control selection, the Statement of Applicability and the remediation plan) is derived from the risk assessment.

Control Selection
Following the risk assessment, the organization will have to select, deploy, test and monitor controls that treat the identified risks. Controls include technological, physical and personnel controls. An efficient methodology for control selection is to first classify and prioritize the risks; then, starting from the highest-priority risks, choose controls proportional to the related risk. As part of control selection, the organization completes the Statement of Applicability (SoA), the second most important document of the ISMS. The SoA lists the controls of Annex A of ISO 27001 (133 controls in the 2005 edition) along with a statement of whether or not each control applies to the organization. For an applicable control, the SoA describes how the control is applied and identifies the related policies and procedures. For a control that is not applicable, the SoA gives the reasons why.

Documentation
Documentation is another fundamental component of the ISMS. The minimum documentation required includes:
- ISMS policy manual: the information security policy, the scope statement for the ISMS, the risk assessment, the control objectives and the SoA.
- Evidence of the actions undertaken by management.
- Description of the management framework.
- The remediation action plan with documented procedures.
- The procedures used to manage the ISMS.


The level of detail is proportional to the complexity and size of the organization. In any case, ISO 27001 identifies four levels of documentation:
- The corporate policy driving the ISMS.
- The Statement of Applicability and other policies.
- Procedures describing who is responsible for doing what, and how.
- Operations/work instructions that detail how each identified task will be performed.

Testing
Testing and auditing should be performed on an ongoing basis, and ISO 27001 requires internal ISMS audits at planned intervals. An organization does not need to test and audit every aspect of the ISMS at the same frequency, but it should ensure that the aspects that are mission-critical are tested more often.

Conclusions
Organizations that want to comply with ISO 27001 should anticipate obstacles along the way. However, those obstacles can be overcome as long as the ISMS is integrated into the organization and can count on top management support. With an ISO 27001 certification, an organization adds value to the business and enhances its reputation by laying the foundations for strong management of its information security.



ERM wants to hear from YOU.


With this edition of our newsletter, we're rolling out a new format and new features. Tell us what you think! What features or topics would you like to see covered in future issues? Who else should receive this newsletter? Your feedback is welcome and encouraged. Please send your comments to editor@emrisk.com.

Enterprise Risk Management: At a Glance


ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future.

Services
- IT Security
- Regulatory Compliance
- IT Audit
- Computer Forensics
- Risk Management
- Attestation

Some of our Clients


- ABN-AMRO Private Banking
- Bacardi-Martini, Inc.
- Bancafe International
- Banco Industrial de Venezuela
- Banco ITAU
- Bank United
- Caja Madrid Bank
- Carnival Cruise Lines, LLC
- CitiBank
- Coconut Grove Bank
- Commerce Bank
- E-data Financial
- Florida International University
- Florida Power & Light Company
- Heico Aerospace
- Helm Bank
- Knight Ridder
- Nova Southeastern University
- Rinker Materials
- Rudy, Exelrod & Zieff, LLP
- Seabourn Cruise Line
- TecniCard, Inc.
- The International Bank of Miami
- TransAtlantic Bank
- U.S. Century Bank

Certifications
- Certified Public Accountant (CPA)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Information Technology Professional (CITP)
- GIAC Security Essentials Certification (GSEC)
- GIAC Systems and Network Auditor (GSNA)
- Qualified Security Assessor (QSA)
- Approved Scanning Vendor (ASV)

For more information, visit www.emrisk.com


E-mail: info@emrisk.com
Phone: 305-447-6750
800 Douglas Road, North Tower, Suite 835
Coral Gables, FL 33134
