July 19th, 2011
Today, to one degree or another, every organization is concerned with computer security. Network firewalls, password-controlled access to IT systems and specific applications, important files stored in encrypted form – all of these techniques help to prevent unauthorized access to and use of information.
Increasingly, though, it is recognized that maintaining information security at the highest level requires a comprehensive set of policies and practices that cover not only technical safeguards but also day-to-day management procedures. In 2005 this thinking was codified in a formal standard, ISO/IEC 27001:2005, which specifies the requirements for such a management system.
The requirements in ISO 27001:2005 are meant to improve the quality of an organization's information security management system, or ISMS. They direct the organization to examine its risks and vulnerabilities, to design and implement the controls needed to address those risks, and to set up a management process that keeps the controls effective over the long term, even as technologies and the organization itself evolve. The goal is to be as comprehensive as possible and to replace the inconsistent, ad hoc controls often found in large organizations.
Once an organization has implemented the requirements and had its ISMS formally audited by an accredited certification body, it gains a new standing among its business partners. Customers, suppliers, and other partners can take the certificate as evidence that the organization is, as it were, doing the right thing when it comes to protecting the information that needs protecting.
ISO 27001:2005 is built on the Plan-Do-Check-Act cycle, the management model that ISO uses across its management-system standards. (The cycle originated with Walter Shewhart and was popularized by the quality control guru Dr. W. Edwards Deming.) In broad strokes, the cycle calls first for an organization to assess its security risks and select appropriate controls. This means examining not only the protection of digital information stored on computers but also any sensitive information kept on paper or in other physical form.
Next, the selected controls must be put in place, the appropriate people trained to operate each of them properly, and the controls run as part of normal operations wherever they apply.
Once the controls are up and running, the organization needs to review and evaluate their operation, making sure each one is doing what it’s supposed to with maximum efficiency and effectiveness.
Finally, the organization must make changes where necessary to ensure that any gaps found in the previous step get closed.
In brief, ISO 27001:2005 rests on the idea that information security depends mainly on people doing the right things, not solely on specialized security technology. It treats the actions of employees, and not only those of hackers and other outsiders, as a major source of risk. It is not that every employee must be viewed as a potential criminal, but that without proper procedures and checks in place, the inadvertent mistakes people make while doing their daily jobs can compromise security and expose the organization to unwanted risk.
December 2nd, 2009
With any project as complex as the implementation of ISO 27001 there are some things to avoid. Here are two quick things you shouldn’t do.
1. Don't focus on information security. Although it sounds counter-intuitive, only the "content" of ISO 27001 is about information security. If you focus instead on the ISO 27001 management process and get that right, the process will ensure that information security is taken care of properly in your organization.
ISO 27001 is a management system standard. It describes the requirements for a system for managing information security. It does not prescribe the security itself, merely the processes through which you will manage it. If you put the processes in place effectively, they (and you) will manage your information security effectively.
The management system processes fall into two categories. The "primary" processes in the standard are those for understanding your current information security position, quantifying the risk to your organization, and planning actions that either accept the risk or reduce it to an acceptable level. Senior management is necessarily involved: they either accept the residual risk or pay to lower it. The standard does not require that every risk be lowered; it requires that each risk be treated (reduced, avoided, transferred, or knowingly accepted) and that management formally acknowledge and approve whatever residual risk remains. Other primary processes include responding to security incidents (and near misses), contingency planning that covers information security, and maintaining access to information security contacts and to the legal requirements that apply to information security.
In addition to the primary processes, "support" processes include document control, records management, training, internal auditing, management review, and corrective and preventive action.
All of these processes must be formally defined in written procedures that describe a coherent and comprehensive system of processes that help understand and control information security.
It has to be said that although ISO 27001 is not "about" information security, it does make specific reference to information security controls. Annex A lists a number of general categories, including physical and environmental security, human resources security, communications and operations management, access control, and so on. These categories are expanded in some detail in ISO 27002, and ISO 27001 requires that the Annex A controls be considered when reviewing the organization's risks and that the exclusion of any control be formally justified in a "statement of applicability". So the pair of standards do require and cover information security, but, as mentioned earlier, no individual Annex A control is mandatory in itself; what is mandatory is the management system that decides which controls apply. Certification is about having a formal management system that ensures information security is consistently and continually addressed so that it is, and remains, effective. If you focus only on the security issues you are not contributing towards ISO 27001 certification, and you are not assuring the consistency and sustainability of information security management. Don't ignore the security issues, but deliberately address the management system issues. That is the long-term solution.
2. Don't over-complicate your risk assessment method. Risk is derived from probability and consequence. To make it comparable with what management says it will accept, it needs to be expressed as a number. This can become quite complex. Ultimately, risk almost always rests on subjective judgements of how likely an event is and what the consequence would be worth. There is a tendency to formalize each step, and even to break steps into multiple stages, in the hope of limiting that subjectivity. The truth is that when you add all the stages together the subjectivity is still there. Keep the risk assessment methodology simple. What is the maximum value of the information asset that may be compromised? How serious is the threat? How serious is the vulnerability? Avoid breaking it down further than that, and when assigning numbers use a 1-5 scale rather than 1-10.
The key factor in a good risk assessment is identifying the risks. Once a risk and its consequence are described, most people in your organization will understand what it means and will know how serious it is. So long as you do a good job of identifying risks, the numbers assigned and the range they fall within are less important.
If this is your first attempt at a risk assessment then keep it simple. You can always make it more complex next time around.
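The simple method described above, as an added worked example that is not part of the original post and not from any ISO document: each risk is scored as asset value x threat x vulnerability on a 1-5 scale, the register is ranked, and every risk above a management-approved acceptance threshold is flagged for treatment while the rest are listed for management to accept explicitly. The register entries, the threshold of 27 and the names used here are constructed for illustration.

```python
"""Minimal risk-register scoring on a 1-5 scale (constructed illustration).

Score = asset_value x threat x vulnerability, so scores run from 1 to 125.
Risks above the acceptance threshold go to the treatment plan; the rest are
listed so management can acknowledge and accept them explicitly.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # 1-5 as the post recommends; 1-10 adds false precision


@dataclass(frozen=True)
class Risk:
    asset: str
    scenario: str
    asset_value: int    # maximum value of the asset that could be compromised
    threat: int         # how serious the threat is
    vulnerability: int  # how exposed the asset is to that threat

    def __post_init__(self):
        # Reject anything outside the agreed scale so the register stays comparable.
        for name in ("asset_value", "threat", "vulnerability"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be {SCALE_MIN}-{SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        return self.asset_value * self.threat * self.vulnerability


def classify(register, acceptance_threshold):
    """Split the register into (treat, accept), each sorted highest score first.

    acceptance_threshold is the score management has agreed to live with;
    anything strictly above it must be treated (reduced, avoided or transferred).
    """
    if not SCALE_MIN**3 <= acceptance_threshold <= SCALE_MAX**3:
        raise ValueError("acceptance threshold must lie within the possible scores")
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    treat = [r for r in ranked if r.score > acceptance_threshold]
    accept = [r for r in ranked if r.score <= acceptance_threshold]
    return treat, accept


def treatment_report(register, acceptance_threshold):
    """Plain-text lines suitable for a risk treatment plan / management sign-off."""
    treat, accept = classify(register, acceptance_threshold)
    lines = [f"TREAT  {r.score:>3}  {r.asset}: {r.scenario}" for r in treat]
    lines += [f"ACCEPT {r.score:>3}  {r.asset}: {r.scenario}" for r in accept]
    return lines


# Constructed sample register; names and ratings are illustrative only.
SAMPLE_REGISTER = [
    Risk("Customer database", "SQL injection via public web app", 5, 4, 3),
    Risk("Payroll file server", "Ransomware delivered by phishing", 4, 4, 2),
    Risk("Paper HR records", "Unlocked cabinet after hours", 3, 2, 3),
    Risk("Marketing website", "Defacement of static content", 2, 3, 3),
    Risk("Developer laptops", "Theft of unencrypted device", 3, 3, 4),
]
ACCEPTANCE_THRESHOLD = 27  # assumed management-approved value (3 x 3 x 3)

if __name__ == "__main__":
    for line in treatment_report(SAMPLE_REGISTER, ACCEPTANCE_THRESHOLD):
        print(line)
```

The point of the threshold check and the 1-5 range check is that the numbers only mean something relative to what management has agreed to accept; the ranking of the register is what drives the treatment plan, and a wider scale would not make the underlying judgements any less subjective.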
Cavendish Scott, Inc. is experienced at implementing ISO 27001 management systems. We guarantee successful ISO certification and design and implement practical, easy-to-maintain systems. We also provide ISO 27001 training and conduct ISO 27001 audits, including gap assessments.