FAQs

November 3rd, 2011

What is the best way to approach an ISO 27001 project?

Great question! Too many organizations get this wrong. With the wrong approach you will set back your ISO registration by a year or more, misunderstand the whole point and cause substantial amounts of extra work.

Unfortunately there are many consultants out there who don’t understand this either, and they are the ones providing the misdirection.

ISO 27001 is a management system standard. Its goal is to enhance information security, but the way it does so is by building a management system that ensures success. It is NOT about information security controls and protecting information. Well, obviously it is about these things, but only in outcome terms – not in terms of process.

Too many organizations pass the ISO 27001 project to the information security or IT organizations, or seek a consultant with expertise in information security. Typically these sources will focus on the technical and security aspects of information security and spend a lot of time and money reviewing your security status, conducting tests and designing solutions. While this is definitely part of the program, it is NOT what ISO 27001 is about and it won’t get you registered. Further, this is the most expensive part of information security and takes the most time. Delays and cost are a turn-off to top management.

The whole philosophy behind ISO 27001 is that you establish processes within your organization so that you understand your information security situation and what that means in risk terms, that you communicate it clearly to those ultimately responsible, and that you take only the actions that you want to. That is it. It is not about physical security, network scanners or patching processes. If any of these are good ideas in your organization, the management system will identify them, quantify what that means and allow those responsible to work out the risk/return decision.

Addressing the controls can often take years, and you don’t need to have done that to get ISO 27001 registered. If you start from the management system direction you can be ISO registered in a few months and have ever-improving information security from then on.

The consultants best placed to do this are those with more ISO experience than security experience. If your consultant is pressing for too much security, then you probably have a long wait and a lot more effort to go before you get ISO registered.

Cavendish Scott has been consulting, auditing and training in ISO management system standards since 1985. Our expertise is in processes and management systems and in the careful and precise interpretation of standards and regulatory requirements into organizational processes and management systems. We guarantee successful ISO registration when we take on projects.

November 23rd, 2009

How do we Become ISO 27001 Certified?

Currently, most organizations decide to become ISO 27001 certified because of customer or market pressure, or because they deal with “important” customers and want to prove they are capable of handling information. Increasingly there are requirements in RFQs, when dealing with government contracts and when meeting legislation, e.g. HIPAA. These types of requirements are not going to go away and are likely to become more and more important. ISO 27001 certification answers these questions without any effort.

ISO 27001 is a management system standard for controlling information security that requires defined and documented procedures and processes that “assure” the management of information.

When working on ISO 27001, many organizations overlook the management system part and focus on strengthening information security. This is a mistake. The truth is that ISO 27001 does not require any particular security technique or performance of information security. Theoretically you could have very poor information security and still be ISO 27001 certified.

Management should be keen to do ISO 27001 because it gives them an objective understanding of the information security perspective without committing to spending indeterminate amounts of money on security.

Information Security Personnel should be keen to do ISO 27001 because it spreads the awareness of the importance of information security and clearly assigns ultimate responsibility to organization management.

You become certified following a successful audit by an accredited certification body. In order to satisfy the audit you must write procedures and define processes that describe your approach to conducting an information security risk assessment. There are other standards that provide information on how to do a risk assessment, but unless you are going to invest in a computer-based risk assessment tool, Excel provides an excellent mechanism. Microsoft also has a free risk assessment tool that could be used, but the emphasis here is on “keep it simple”.

The risk assessment process needs to be comprehensive and includes criteria for risk calculation and a re-assessment cycle once any corrective actions have been taken.

A few other processes need to be in place too, including a formal process for dealing with security incidents that occur (or nearly occur), a process to review and generate a statement of applicability (defining which security controls are applicable and explaining them), contingency planning and a process for having information security contacts and knowledge of relevant legislation.

Additionally you need all of the supporting processes and procedures in place to make sure the management system remains effective including document control, record control, management review, objective setting, training, internal audit and corrective and preventive action.

All of these processes and procedures operate in a comprehensive and congruent management system that ensures awareness, responsibility and control over information security.

Although focusing on the security controls is a mistake (both from a certification and management perspective), it cannot be ignored. There are about 173 information security control requirements identified in ISO 27001 (and expanded in ISO 27002) from managing the physical access controls to HR issues (e.g. employment contracts) to software development controls to technical network and operating controls to legal and contingency planning. These requirements must be reviewed and conscious decisions made about how they are to be applied (or not). All of these reviews and decisions need to be recorded and traceable.

No individual control (or group of controls) is mandatory so long as management accepts responsibility for the residual risks that exist. In practice the system of information security controls needs to be “appropriate”, or it is likely that a certification body auditor will be uncomfortable recommending certification. Once everything is working, a certification assessment needs to be completed.
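As an added illustration (not from this page and not Cavendish Scott’s material), here is a minimal "keep it simple" risk register in Python that ties together the pieces described above: a scoring criterion, the re-assessment cycle after a corrective action, management acceptance of residual risk, and a statement-of-applicability record in which every control has a recorded decision. The 1–5 scales, the acceptance threshold and the sample asset, threat and control names are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed scoring criteria (constructed, not from the page): both scales run
# 1-5, risk = likelihood x impact, and scores at or below this are acceptable.
ACCEPTABLE_RISK = 6

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    history: list = field(default_factory=list)  # every assessment and decision, in order

    def score(self) -> int:
        return self.likelihood * self.impact

def assess(risk: Risk) -> int:
    """Score the risk and record the result so the assessment is traceable."""
    score = risk.score()
    risk.history.append(("assessed", score))
    return score

def reassess_after_action(risk: Risk, action: str, likelihood: int, impact: int) -> int:
    """Re-assessment cycle: record the corrective action, then re-score."""
    risk.history.append(("corrective_action", action))
    risk.likelihood, risk.impact = likelihood, impact
    return assess(risk)

def accept_residual(risk: Risk, approver: str) -> bool:
    """Management sign-off; acceptance above the criteria is recorded as an exception."""
    within = risk.score() <= ACCEPTABLE_RISK
    risk.history.append(("accepted_by", approver, "within_criteria" if within else "exception"))
    return within

def statement_of_applicability(decisions: dict) -> list:
    """decisions maps control name -> (applicable, justification); unapplied controls still get an entry."""
    return [(name, applies, why) for name, (applies, why) in sorted(decisions.items())]

# Constructed sample register entry (hypothetical asset, threat and controls).
r = Risk("customer database", "access by former staff", likelihood=4, impact=4)
assess(r)                                                                   # 16
reassess_after_action(r, "leaver process revokes accounts same day", 2, 4)  # 8
reassess_after_action(r, "quarterly user access review", 1, 4)              # 4
ACCEPTED_WITHIN_CRITERIA = accept_residual(r, "CISO")                       # True
SOA = statement_of_applicability({
    "Leaver access revocation": (True, "treats the customer database risk"),
    "Secure development controls": (False, "no in-house software development"),
})
```

The `history` list is the traceable record an auditor would ask for: each score, the action that changed it, and who accepted what remains.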

Cavendish Scott provides consulting, training and auditing for ISO 27001. We guarantee that our consulting clients will pass their ISO assessment and get certified. Getting certified to ISO 27001 is fairly easy to achieve, and our unique approach takes on nearly all of the effort while providing a meaningful and easy-to-maintain system.

Submit a Question

Whatever your question, we promise you personally a comprehensive, quick and correct response. We can't always publish every question, but we will if it has wider appeal.
