The term “information security” may have different connotations, depending on the person who is asked about it. For an average computer user, information security would probably refer to his PC’s antivirus software; a networking professional would take this term to be directed at the proper configuration of the network’s firewalls and routers; and for senior management, the phrase could mean ensuring that the organization is not vulnerable to a data breach. With the amount of subjectivity attached to this term, the task of implementing information security in an organization may seem like a colossal challenge.
One of the best ways to approach information security is to adopt a framework based on the many best practices and standards available worldwide. One of the key advantages of basing your information security program on these practices is that they have evolved and improved as a result of continuous feedback, and have been successful in many institutions. Of the numerous standards available, the most popular is the ISO 27001 Information Security Standard. ISO 27001 grew from its humble beginnings as a British Standard (BS 7799) into a universally accepted information security best practice, under the umbrella of the International Organization for Standardization (ISO).
The ISO 27001 standard, formally referred to as “ISO/IEC 27001:2005 – Information technology – Security techniques – Information Security Management Systems – Requirements”, can be used by any type of organization, be it a small educational institution or a Fortune 500 company. Thousands of organizations worldwide have adopted this standard as a way of demonstrating their commitment to information security, meeting regulatory requirements and proving that their environments comply with international best practices. If your organization is responsible for storing and protecting sensitive customer data, then achieving ISO 27001 certification is a great way to boost confidence in the organization’s security posture.
Approach to security
ISO 27001 is a non-technical standard, meaning that one will not find any references to Windows, UNIX or Cisco in its contents. Rather, the document contains a list of 133 controls from which organizations can freely choose, depending on the risks present in their particular environment. These controls cover almost everything within the scope of information security – passwords, access control, human resources, network logs, remote network monitoring, physical security, incident response, business continuity and more. Some of these controls, monitoring included, can be implemented at low cost with the help of outside network service providers.
ISO 27001 is rather unique in its approach to information security. It does not mandate specific information security controls; instead, it requires organizations to create and maintain an Information Security Management System (ISMS) – an overall management and control framework that addresses an organization’s information security risks.
Organizations typically have in place all sorts of security controls – such as antivirus software, backups, firewalls, policies and staff training. However, without an ISMS, these controls do not add up to an overall solution, which makes it difficult for management to know whether they are operating effectively or not. For example, an organization may shred all its HR-related papers to ensure confidentiality, yet be unaware that all its salary information is accessible via a shared network drive. Similarly, important parts of information security, like business continuity and physical safety, may be completely ignored or managed independently of the security program. The ISMS is a proper framework that coordinates and integrates all these different security activities under a single umbrella.
Applying ISO 27001
While an ISO 27001 implementation is a comprehensive exercise, the duration and resources required vary from one organization to another. Certain steps, however, are common to all.
1) The first step is deciding the scope: what area will the ISMS cover? This could be anything from a single new system or a data centre to the entire organization itself. Any processes or systems outside the scope need not be considered part of the ISMS and need not be certified.
2) The second step requires senior management to state their commitment to information security by issuing a formal statement in the form of an Information Security Policy signed by the CEO or the board. The purpose of this is to communicate that information security has been endorsed at the highest level and across the organization, and is no longer just an IT issue. Once the policy is in place, risk assessment begins. For this, organizations must create an inventory of all the hardware and software assets contained within the scope of their ISMS and identify the risks to which those assets may be subject.
Once the risks have been identified, organizations must select controls from the ISO 27001 standard to mitigate them. The entire risk management exercise must be documented so that it can be used as a reference during the audit.
3) The last step involves creating a document, referred to as the Statement of Applicability, in which the organization must justify which of the 133 controls in ISO 27001 it implemented and why it decided the others were not applicable. A strong justification, backed by a properly documented risk assessment, must support these decisions. Without that documentation, the organization may have difficulty showing due cause for not selecting particular controls.
Once an organization has completed its ISMS as required by ISO 27001, it may contact an accredited ISO 27001 certification body that is authorized to audit and certify organizations as being compliant with the standard. Certification audits are conducted by ISO 27001 lead auditors and can be lengthy procedures. Certification usually involves multiple stages.
1) The first stage involves the auditors assessing the accuracy and completeness of the organization’s ISMS documentation – the information security policy, the Statement of Applicability, the ISMS scope, etc. Any discrepancies found are reported back to the organization so that they can be promptly remediated.
2) The second stage involves a thorough checking of the actual ISMS against the requirements of ISO 27001 to confirm that the organization is meeting the requirements of the standard. Senior management may have to prove its commitment to the ISMS by showing documented evidence of regular reviews and actions taken to improve it.
Upon a successful audit, the organization is granted a certificate stating the scope of its ISMS and its compliance with the ISO 27001 standard. Certification is not a one-time exercise; there are routine follow-up audits to ensure consistent performance.
Given the ever-changing landscape of information security, organizations should consider achieving the ISO 27001 certification to be a significant milestone, not an end goal.
* * *
“Information Security” image courtesy of Shutterstock.