Written by Steve Giachardi
There are many benefits to your organisation aligning or certifying to business standards: documenting that you have strong governance in place, ensuring that you are adopting best practice, and demonstrating that you take security seriously, to name a few. In this article we will discuss the benefits of aligning and certifying to ISO/IEC 27001.
Deriving from the Greek word Iso, meaning equal, ISO/IEC 27001 is now widely recognised as the de facto standard for information security, controlled by the governing body, the International Organisation for Standardisation.
There are 31,910 organisations globally that are ISO/IEC 27001 certified, with 2,444 in the UK and 9,111 in America alone. So, why are so many organisations choosing to certify to ISO/IEC 27001?
Good governance, best practice, strong controls, and maturing as an organisation are all important and admirable objectives, but perhaps the greatest benefit is in fact a commercial one. Information and cyber security are common boardroom topics that often filter down into what organisations demand from their suppliers. This is particularly true of, though not limited to, financial services, pharmaceuticals and any industry that is highly regulated or that has valuable assets to protect, such as customer data or intellectual property.
Demonstrating that you take information security seriously, as a potential new supplier, can ultimately mean the difference between winning or losing your next tender process.
ISO/IEC 27001 Overview
This article discusses ISO/IEC 27001, its purpose and its benefits, addressing the specification and its requirements, the ISMS (information security management system) specification and requirements, and issues with an ISMS.
ISO/IEC 27001:2013 is an information security standard that was published on the 25th September 2013. It supersedes ISO/IEC 27001:2005 and is published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is a specification for, and is recognised as the best practice framework for, an ISMS. Organisations meeting the standard may gain an official certification, issued by an independent and accredited certification body on successful completion of a formal audit process. Organisations that align to ISO/IEC 27001 meet a recognised information security standard, which makes them more likely to win business, especially with enterprise customers.
International information security standards
ISO/IEC 27001:2013 specifies 114 controls in 14 groups:
- A.5 - Information security policies
- A.6 - How information security is organised
- A.7 - Human resources security - controls that are applied before, during, or after employment
- A.8 - Asset management
- A.9 - Access controls and managing user access
- A.10 - Cryptographic technology
- A.11 - Physical security of the organisation's sites and equipment
- A.12 - Operational security
- A.13 - Secure communications and data transfer
- A.14 - Secure acquisition, development, and support of information systems
- A.15 - Security for suppliers and third parties
- A.16 - Incident management
- A.17 - Business continuity/disaster recovery (to the extent that it affects information security)
- A.18 - Compliance - with internal requirements, such as policies, and with external requirements, such as laws.
ISMS Requirements
The official title of the standard is "Information technology — Security techniques — Information security management systems — Requirements".
ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:
1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organisational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action
Annex A: List of controls and their objectives.
This structure mirrors the structure of other new management standards such as ISO 22301 (business continuity management); this helps organisations that aim to comply with multiple standards to improve their IT from different perspectives.
Information Security Management System
An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The idiom arose primarily out of BS 7799.
The governing principle behind an ISMS is that an organisation should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organisation and external environment. ISO/IEC 27001:2013 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:
- The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
- The Do phase involves implementing and operating the controls.
- The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
- In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.
ISO/IEC 27001:2013 is a risk-based information security standard, which means that organisations need to have a risk management process in place. The risk management process fits into the PDCA model given above.
Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework, Risk IT, dedicated to information security.
The development of an ISMS framework based on ISO/IEC 27001:2013 entails the following six steps:
- Definition of security policy
- Definition of ISMS scope
- Risk assessment (as part of risk management)
- Risk management
- Selection of appropriate controls
- Statement of applicability
ISMS Requirements
To be effective, the ISMS must:
- have the continuous, unshakeable and visible support and commitment of the organisation's top management
- be managed centrally, based on a common strategy and policy across the entire organisation
- be an integral part of the overall management of the organisation, related to and reflecting the organisation's approach to risk management, the control objectives and controls, and the degree of assurance required
- have security objectives and activities based on business objectives and requirements, and led by business management
- undertake only necessary tasks and avoid over-control and waste of valuable resources
- fully comply with the organisation's philosophy and mindset by providing a system that, instead of preventing people from doing what they are employed to do, will enable them to do it in control and demonstrate their fulfilled accountabilities
- be based on continuous training and awareness of staff, and avoid the use of disciplinary measures and "police" or "military" practices
- be a never-ending process
Dynamic Issues in ISMS
There are three main problems which lead to uncertainty in information security management systems (ISMS):
- Dynamically changing security requirements of an organisation
Rapid technological development raises new security concerns for organisations. Existing security measures and requirements become obsolete as new vulnerabilities arise with developments in technology. To overcome this issue, the ISMS should organise and manage dynamically changing requirements and keep the system up to date.
- Externalities caused by a security system
An externality is an economic concept for the effects borne by a party that is not directly involved in a transaction. Externalities can be positive or negative. The ISMS deployed in an organisation may also cause externalities for other interacting systems. Externalities caused by the ISMS are uncertain and cannot be predetermined before the ISMS is deployed. The internalisation of externalities caused by the ISMS is needed in order to benefit both the internalising organisation and its interacting partners, by protecting them from vulnerable ISMS behaviours.
- Obsolete evaluation of security concerns
The evaluations of security concerns used in an ISMS become obsolete as technology progresses and new threats and vulnerabilities arise. Continuous security evaluation of organisational products, services, methods and technology is essential to maintain an effective ISMS. Previously evaluated security concerns need to be re-evaluated. A continuous security evaluation mechanism for the ISMS within the organisation is a critical need in achieving information security objectives. The re-evaluation process is tied to the dynamic security requirement management process discussed above.
Summary
Is ISO/IEC 27001 accreditation for everyone? Perhaps not. But if your business is serious about reducing risk, and is looking for an effective way to assess the risks in your business (Plan), implement controls to measure that risk (Do), use these to benchmark ongoing performance (Check), and continuously review the ISMS as the business changes over time (Act), then yes, absolutely.
An ISO journey may seem like a big undertaking but, for most, the benefits far outweigh the initial investment, and the journey to accreditation can be surprisingly short. Rarely is there a better opportunity to drive cultural change in a business, and one that leads not only to a mature information security posture but also to your business's next big competitive advantage.