Information Security and ISO27001
Whether we are talking about a bank, a telecommunication company, a government office or even a small shop, information is the most important asset organizations have. Yet very few organizations approach information security the right way and thus continuously expose themselves to unacceptable risks.
Most organizations associate information security with specific products, solutions or technologies, as if the acquisition of hardware and software could magically take care of all the security risks the organization is exposed to. However, real information security is achieved through well documented and managed security processes, involving competent members of staff with clear roles and responsibilities, and through the appropriate use of a wide range of security controls.
For instance, it makes no sense to have a network firewall if there is no clear, documented change management process to control its configuration, no regular review of the firewall logs and rules, no competent firewall administrator, no backup of the firewall configuration, no firewall testing, and so on.
When it comes to achieving information security, the only standard which can really help organizations today is ISO27001. Originally introduced in 2005 and based on the British standard BS7799-2, ISO27001 underwent a new revision just over a year ago, in 2013, and that is the version currently in use.
ISO27001 helps an organization by clearly defining the set of processes, responsibilities and controls required for the management of information security risk and the achievement of the organization's information security objectives. This set of processes, responsibilities and security controls is also called an Information Security Management System (ISMS). With regard to the security controls, ISO27001 identifies a list of 114 best practice security controls, which an organization can consider to mitigate information security risks. None of these 114 controls is mandatory and, in ISO27001, they are in fact placed in an appendix called Annex A. However, since they are best practice, it is very unlikely that any organization can justify excluding more than a handful of them (usually one or two at most). From 10,000 feet, the ISO27001 requirements may read as follows:
- Set the organization's information security objectives;
- Assess and treat the risks to ensure the achievement of those objectives;
- Ensure members of staff have the right level of competence and clear roles and information security responsibilities;
- Monitor and review security controls, processes, performance and the achievement of information security objectives;
- Ensure continuous improvement by learning from security events and applying both proactive and reactive measures;
- Allocate resources to ensure all the above can be done over and over again.
Key Facts about ISO27001
It is important to highlight some key facts about ISO27001 that most organizations are unaware of. Being aware of these facts can help organizations save a lot of time and, most importantly, can fast-track the improvement of an organization's security posture.
- While they may all be commonly referred to as ISO standards, NOT ALL ISO documents are requirements documents. Specifically, NOT ALL ISO standards in the 27000 series contain requirements to be met. The only document organizations need to comply with is ISO27001, while most of the others are guideline documents written with the intent of helping organizations meet the requirements of ISO27001 (see the section at the end of this article);
- Implementing all the controls in Annex A, however well, DOES NOT mean complying with the requirements of ISO27001, and hence it provides little confidence in the ability of an organization to manage its information security risks and achieve its information security objectives;
- The value of an ISO27001 certification is directly proportional to the reputation of the chosen certification body, much like the value of a degree relates to the reputation of the university issuing it. That being said, no single certification body is the best, so shopping around to see what the various certification bodies have to offer is a good idea;
- ISO27001 IS NOT about having a bunch of information security policies and procedures, and any consultancy company claiming it is should be avoided, as any ISO27001 certification achieved on that basis would be worthless;
- ISO27001 compliance and certification cannot be delegated to an external consultant. Using a sports analogy, it doesn't matter how good your personal coach is: he/she will not be able to train and run the race for you. It is your body, your legs and your muscles. Similarly, no matter how good the consultancy company you use is, it can never take charge of the organization and make changes on your behalf. Good consultancy will only help you achieve your goal faster and with better results;
- Competence in ISO27001, whether of a consultant or an auditor, can be measured by the ability to explain any of the requirements of the standard in plain English. Suggesting that something must be done just because ISO27001 says so is a clear indication that you should begin looking elsewhere for your consultant or auditor. ISO27001 is a best practice standard, not a religious book one must accept on faith!
ISO27001 Series Quick Reference
While ISO27001 is the ONLY standard organizations have to comply with, it is good to bear in mind the following other key standards and how they relate to ISO27001.
- ISO27002 – A guideline document helping an organization interpret and implement each of the proposed 114 security controls. None of the proposed guidelines is a requirement, and organizations are free to implement each control as they see fit, also referring to guidelines from other sources;
- ISO27003 – This is THE ONLY document to really provide organizations with practical guidelines for meeting the requirements of ISO27001, the second best thing to attending an ISO27001 implementation course from a reputable provider;
- ISO27004 – This document provides a number of useful metrics for the measurement of the best practice security controls;
- ISO27005 – This document provides guidelines on developing an information security risk management methodology.