ISO 27001: Making Information Security Management Work for You
By Jim Saropoulos, Exolytic, Inc.
Organizations have been searching for an objective benchmark to measure the security of potential business partners and to distinguish the security of their own services. ISO 27001 has emerged as the standard of choice.
A brief look at – ISO 27001 and ISO 27002 – Information Technology, Security Techniques, and Information Security Management Systems Requirements.
ISO 27001 is formally entitled, "Information Security Management – Specification with Guidance for Use." Its purpose is to serve as the foundation for third party audits. Not surprising, it is process-oriented.
The standard contains an Introduction and seven sections describing the following:
Introduction – the standard uses a process approach
- Scope – it specifies generic ISMS requirements suitable for organizations of any type, size or nature
- Normative references – only ISO/IEC 27002:2005 is considered absolutely essential to the use of ISO 27001.
- Terms and definitions – a brief, formalized glossary, soon to be superseded by ISO/IEC 27000.
- Information security management system – the 'guts' of the standard, based on the Plan-Do-Check-Act cycle where:
Plan = define requirements, asses risks, decide which controls are applicable;
Do = implement and operate the ISMS;
Check = monitor and review the ISMS; and
Act = maintain and continuously improve the ISMS. Also specifies certain specific documents that are required and must be controlled, and states that records must be generated and controlled to prove the operation of the ISMS, e.g. certification audit purposes.
- Management responsibility – management must demonstrate their commitment to the ISMS, principally by allocating adequate resources to implement and operate it.
- Internal ISMS audits – the organization must conduct periodic internal audits to ensure the ISMS incorporates adequate controls which operate effectively.
- Management review of the ISMS – management must review the suitability, adequacy, and effectiveness of the ISMS at least once a year, assessing opportunities for improvement and the need for changes.
- ISMS improvements – the organization must continually improve the ISMS by assessing and, where necessary, making changes to ensure its suitability and effectiveness, addressing nonconformance (noncompliance) and, where possible, preventing recurrent issues.
ISO 27002 defines an overarching security framework consisting of 133 specific controls organized around 39 control objectives. This balanced framework serves as the basis for both measuring an organization's effectiveness in addressing risk and structuring an organization's overall security program.
ISO/EIC 27002 suggests literally hundreds of best-practice information security control measures that organizations should consider to satisfy the stated control objectives. Like ISO/IEC 27001, ISO 27002 does not mandate specific controls but leaves it to the users to select and implement controls that suit them, using a risk-assessment process to identify the most appropriate controls for their specific requirements. They are also free to select controls not listed in the standard, just as long as their control objectives are satisfied.
Broad Use of the Standards
History has shown that far more organizations used ISO 17799 as a framework for conducting comprehensive security assessments to improve the security and controls of their IT infrastructure rather than for the specific purpose of certification. It is important to recognize that the ISO standards have significant value beyond certification.
Compliance vs. Certification
The decision to certify or comply is more than one of cost. The ISO 27001 and 27002 standards serve different purposes. ISO 27001 assesses whether an organization follows a coarse-grained set of processes that are integral to maintaining the security of an enterprise. Certification assumes that if these processes are in place then effective security automatically follows. In contrast, 27002 describes a comprehensive set of concrete and fine-grained practices with which an enterprise can be compared.
Just as with ISO 9000, the marketplace is not homogenous. Certain vertical markets such as aerospace or certain supply chains may latch on to the ISO 27001 certification as a required fact of life.
Where Most Organizations Fall Short
After conducting numerous ISO 27002 assessments, it is clear that many organizations fall short in the same areas and those deficiencies can cause a cascade of non-compliance of other required controls. For example, few organizations have an up to date inventory of their information assets. When information asset catalogs exist, they frequently do not contain information about data wonder, business risk, and information sensitivity. Without this information, it is impossible to develop meaningful information handling policies and procedures.
IT departments have traditionally operated on the heroic actions of individual employees, people that know exactly how the environment is put together and do whatever it takes to keep the systems running. While seemingly efficient, the problem with that model is that the organization suffers if that key person is suddenly out of the picture for some reason. Few organizations have formally documented operating procedures that enable critical functions to be performed consistently by multiple people.
Perhaps most importantly, the standard recognizes that security must be a corporate commitment, not the responsibility of a specialty group within IT. This requires the creation of a cross-functional security management team. Few organizations currently have such a security management team in place. On the other hand, the ones that do are making remarkable progress.
The ISO 27001 and ISO 27002 standards have gained attention for being a practical mechanism for both assessing and asserting good security practices. ISO 27002, in particular, helps companies build comprehensive and cost-effective enterprise security programs, ensuring that security resources are applied wisely and efforts are focused on act ivies that reduce real business risk. Investment in ISO 27002 compliance promises a high return because the requirements are largely a superset of other major regulations.
If you are interested in receiving ISO Certification, please contact Mike Prior, MassMEP Business Development Manager at 508-831-7020 or email@example.com