Information Security Management Systems
The ISO/IEC 27000 family of standards is made up of many documents covering terminology, how to set up an information security management system (ISMS), how to implement security using good controls, and so on. In this short article we focus on ISO/IEC 27001.
Its full name is ISO/IEC 27001:2013. It is the ISMS requirements standard: the document an organisation is audited and certified against. Implemented properly, it materially improves an organisation's security posture; implemented as a paper exercise, it improves only the paperwork.
An ISMS is a suite of activities for managing information risks (also called 'information security risks'). ISO 27001 specifies an overarching management framework through which an organization identifies, analyzes and addresses its information risks. It requires that the security arrangements be reviewed and adjusted to keep pace with changes in threats, vulnerabilities and business impacts, which matters in such a dynamic field and is one of the key advantages of ISO 27001's flexible, risk-driven approach compared with, say, the prescriptive control list of PCI DSS.
The ISO 27001 standard applies to organizations of all types and sizes (e.g. non-profits, multinationals, commercial enterprises and government agencies) in all industries and markets (e.g. retail, banking, defense, healthcare, education and government).
ISO 27001 does not formally mandate specific information security controls, since the controls that are required vary markedly across the wide range of organizations adopting the standard. The information security controls from ISO/IEC 27002 are listed in Annex A of ISO 27001, rather like a menu. Organizations adopting ISO 27001 choose whichever controls are applicable to their particular information risks, drawing on those listed in the menu and potentially supplementing them with other 'a la carte' options (sometimes known as extended control sets). As with ISO 27002, the key to selecting applicable controls is a comprehensive assessment of the organization's information risks, which is a vital part of an ISO 27001 ISMS.
Management may also elect to avoid, share or accept information risks rather than mitigate them through controls; that is a risk treatment decision within the risk management process, and it must be documented and justified, not merely assumed.
ISO 27001 is derived from BS 7799 Part 2, first published by the British Standards Institution in 1999.
BS 7799 Part 2 was revised in 2002, explicitly incorporating the Deming-style Plan-Do-Check-Act (PDCA) cycle.
BS 7799 Part 2 was adopted as ISO/IEC 27001 in 2005, with various changes to reflect its new custodians.
ISO/IEC 27001:2005 was extensively revised in 2013, bringing it into line with the other ISO management system standards (the common 'Annex SL' high-level structure) and dropping the explicit reference to PDCA. See the timeline page for more.
ISO 27001 Structure
ISO 27001:2013 has the following sections:
0 Introduction – describes a process for systematically managing information risks.
1 Scope – the standard specifies generic ISMS requirements suitable for organizations of any type, size or nature.
2 Normative references – only ISO/IEC 27000 is considered absolutely essential to users of 27001; the remaining ISO 27000-series standards are optional.
3 Terms and definitions – see ISO/IEC 27000.
4 Context of the organization – understanding the organizational context, the requirements and expectations of 'interested parties', and defining the scope of the ISMS. Section 4.4 states very plainly that "The organization shall establish, implement, maintain and continually improve" the ISMS.
5 Leadership – top management must demonstrate leadership of and commitment to the ISMS, assign information security roles, responsibilities and authorities, and mandate the information security policy.
6 Planning – defines the process for identifying, analyzing and planning the treatment of information risks, and sets out the information security objectives.
7 Support – adequate, competent resources must be assigned, awareness raised, and documentation prepared and controlled.
8 Operation – more detail on assessing and treating information risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors when needed).
9 Performance evaluation – measure, monitor, analyze and evaluate/audit/review the information security controls, processes and management system, systematically improving things where necessary.
10 Improvement – address the findings of audits and reviews (e.g. nonconformities and corrective actions) and make continual refinements to the ISMS.
Annex A Reference control objectives and controls – a bit more, in fact, than a list of the titles of the control sections in ISO 27002. The annex is 'normative', implying that certified organizations are expected to use it, but the main body says they are free to deviate from or supplement it in order to address their particular information risks. Annex A alone is hard to interpret; refer to ISO/IEC 27002 for useful detail on the controls, including implementation guidance.
Bibliography – points readers to five related standards, plus part 1 of the ISO/IEC directives, for more information. In addition, ISO/IEC 27000 is identified in the body of the standard as a normative (i.e. essential) standard and there are several references to ISO 31000 on risk management.
So does it apply to our organisation?
The simple answer is yes. Security, and observing good security practice, applies to all organisations. Failing to demonstrate that security is managed to a recognised standard can lead to a lack of confidence in an organisation, or even loss of clients. We are usually approached by two broad groups of people: those that just want to get certified, and those that want to improve security and in doing so meet the standard. The second group gets far more value from the exercise.
How does it apply to this sector?
If the standard is followed in earnest there will be a marked improvement in the Confidentiality, Integrity and Availability (CIA) of the organisation's information. These three properties are a useful yardstick for the quality of security in a typical organisation. Organisations that meet the standard have been through a rigorous process and, in doing so, have usually made many improvements.
If you need to manage risk in your organisation, improve client confidence, or generally keep your security model robust and current, then a standard of this kind is a sensible framework to work towards.
What if I see an ISO ‘badge’ what does it mean? Should I do business with them?
The truth is that some organisations will get the badge (or 'a badge' that looks similar) just to do business or win tenders. Unfortunately, not every organisation out there has followed the standard through a proper process. An example would be an independent consultancy that takes you through the standard 'unofficially' and then issues its own certificate: how much would that be worth?
Our advice is always to check that the certificate was issued by a certification body accredited by a national accreditation body (in the UK, UKAS – the United Kingdom Accreditation Service). Note that UKAS itself does not audit companies; it accredits the certification bodies that do, and a genuine certificate will name the certification body and carry the accreditation mark. Also ask for the certificate's scope and for examples of how the standard is met in day-to-day work, since a certificate only covers what is within its scope.
How do we achieve the ISO 27001 standard?
There are a number of steps, here is a brief summary:
Start by reviewing, at a high level, what security measures or standards are in place at present and what needs you actually have. At this stage take a little time to discuss your security requirements and read up on ISO 27001: how could it help you? If you have enough technical know-how in house you could even contact a certification body directly for advice; alternatively, a good security consultancy can guide you through the process and carry out these actions on your behalf. You should also collect any documentation you have that relates to security and risk, including any Business Impact Analysis (BIA) and documentation of systems and processes.
Step 1 – Internal Audit (GAP Analysis)
Have an ISO 27001 internal audit carried out. This is essentially a gap analysis stage (where are we, and where do we want to be?) in which a consultant or a member of staff works through each area of the standard and produces an evidence file and a set of responses to the requirements in the standard.
Step 2 – Implementation
The output of Step 1 (the gap analysis) is used to formulate an implementation plan detailing what needs to be done to reach the required level. It is important to note that some Annex A controls will not necessarily apply; each exclusion must be justified in the Statement of Applicability. The ISMS itself is also established during this stage. It usually takes the form of a set of documents and records; some organisations manage these in a document management package or online service such as Microsoft SharePoint.
Step 3 – Certification Audit (UKAS-accredited certification body)
Now that the organisation is ready, you contact an accredited certification body to review the ISMS and perform the formal audit. This is normally done in two stages: a Stage 1 audit that reviews the ISMS documentation and readiness, followed by a Stage 2 audit that checks the ISMS is actually operating as documented. The results of the audit will identify any nonconformities or observations, which should then be worked on. Certification follows once any major nonconformities have been closed out to the auditor's satisfaction.
Mandatory requirements for ISO 27001 certification
ISO 27001 is a formalized specification for an ISMS with two distinct purposes:
- It lays out the design of an ISMS, describing the important parts at a fairly high level;
- It is used as the basis for formal compliance assessment by accredited certification auditors in order to certify that an organization is compliant.
The following documentation is explicitly required for ISO 27001 certification:
- ISMS scope (as per clause 4.3)
- Information security policy (clause 5.2)
- Information risk assessment process (clause 6.1.2)
- Information risk treatment process (clause 6.1.3)
- Information security objectives (clause 6.2)
- Evidence of the competence of the people working in information security (clause 7.2)
- Other ISO 27001 ISMS-related documents deemed necessary by the organization (clause 7.5.1b)
- Operational planning and control documents (clause 8.1)
- The results of the [information] risk assessments (clause 8.2)
- The Decisions regarding [information] risk treatment (clause 8.3)
- Evidence of the monitoring and measurement of information security (clause 9.1)
- The ISO 27001 ISMS internal audit program and the results of audits conducted (clause 9.2)
- Evidence of top management reviews of the ISMS (clause 9.3)
- Evidence of nonconformities identified and corrective actions arising (clause 10.1)
- Various others: Annex A mentions but does not fully specify further documentation, including the rules for acceptable use of assets, the access control policy, operating procedures, confidentiality or non-disclosure agreements, secure system engineering principles, the information security policy for supplier relationships, information security incident response procedures, the relevant laws, regulations and contractual obligations plus the associated compliance procedures, and information security continuity procedures. However, despite Annex A being normative, organizations are not formally required to adopt and comply with Annex A: they can use other structures and approaches to treat their information risks, provided the Statement of Applicability justifies each inclusion and exclusion.
Certification auditors will check that these fifteen types of documentation are (a) present, and (b) fit for purpose.
The ISO 27001 standard does not specify precisely what form the documentation should take, but clause 7.5.2 covers aspects such as titles, authors, formats, media, review and approval, and clause 7.5.3 covers document control, implying a fairly formal ISO 9000-style approach. Electronic documentation (such as intranet pages) is just as acceptable as paper, and in practice better, in the sense that it is easier to control, version and update.
ISO 27001 ISMS scope, and Statement of Applicability
ISO 27001 is intended to drive the implementation of an enterprise-wide ISMS, ensuring that all parts of the organization benefit by addressing their information risks in an appropriate, systematically managed and secure manner. Nevertheless, organizations can scope their ISMS as broadly or as narrowly as they wish, so scoping is a crucial decision for senior management (clause 4.3). A documented ISMS scope is a mandatory requirement for certification.
The Statement of Applicability (SoA) is a mandatory requirement of clause 6.1.3. The SoA is derived from the output of the information risk assessments, in particular the decisions about treating those risks. It may, for instance, take the form of a matrix with the various information risks on one axis and the risk treatment options on the other, showing how each risk is to be treated and who is accountable for it. It usually references the relevant controls from ISO/IEC 27002, but the organization may use a completely different framework such as NIST SP 800-53, the ISF Standard of Good Practice, BMIS and/or COBIT, or a custom approach, whichever suits it. The control objectives and controls from ISO/IEC 27002 are provided as a checklist in Annex A in order to avoid 'overlooking necessary controls'; they are not themselves required, but every Annex A control that is excluded must be listed in the SoA with the reason for its exclusion.
The ISO 27001 ISMS scope and SoA are crucial if a third party intends to attach any reliance to an organization’s ISO/IEC 27001 compliance certificate. If an organization’s ISO/IEC 27001 scope only includes “Acme Ltd. Department X”, for example, the associated certificate says absolutely nothing about the state of information security in “Acme Ltd. Department Y” or indeed “Acme Ltd.” as a whole. Similarly, if for some reason management decides to accept malware risks without implementing conventional antivirus controls, the certification auditors may well challenge such a bold assertion but, provided the associated analyses and decisions were sound, that alone would not be justification to refuse to certify the organization since antivirus controls are not in fact mandatory.
In effect (without actually using the term “metrics”), the 2013 edition of the standard requires the use of metrics on the performance and effectiveness of the organization’s ISMS and information security controls. Section 9, “Performance evaluation”, requires the organization to determine and implement suitable security metrics … but gives only high-level requirements.
Certified compliance with ISO/IEC 27001 by an accredited and respected certification body is entirely optional but is increasingly being demanded from suppliers and business partners by organizations that are concerned about the security of their information, and about information security throughout the supply chain or network.
At this stage you would expect to receive an official certificate stating the standard, the certified scope and the expiry date; certificates are valid for three years. The auditor from the accredited certification body must be fully satisfied in order to reach this stage. It is also important to schedule the regular surveillance audits that the certification body will carry out, usually once a year, with a full recertification audit every three years; your security consultant can help you prepare for these, but the surveillance visits themselves are conducted by the certification body, not the consultant.
Typically you could pay anywhere from £400 up to £900 per day for a good security consultant for the internal audit, and depending on the size and complexity of the organisation the certification audit cost will vary, with daily rates ranging around the £700 to £900 mark.
The largest cost is often the implementation of the standard itself, as it may require additional equipment and configuration. It is also important to consider the time investment: staff training and the introduction of new systems may have a short-term impact on productivity as well as on confidence. In the long run, however, the benefits outweigh the costs for most organisations.
ISO 27001 is a widely used standard that has been the basis for major security improvements across all sectors. Reaching and maintaining the standard helps ensure that the organisation follows good practice in all the areas the ISMS covers. It also leads to a more robust and improved service to end users, both internal users and the clients of the organisation itself.
According to the ISO Survey for 2017, there are around 40,000 ISO/IEC 27001 certificates worldwide, increasing by about 20% annually.
ISO 27001 certification brings a number of benefits above and beyond mere compliance, in much the same way that an ISO 9001 certificate says more than just "We are a quality organization". Independent assessment necessarily brings some rigor and formality to the implementation process (implying improvements to information security and all the benefits that risk reduction brings), and invariably requires senior management involvement, which is an advantage in security awareness terms.
The certificate has marketing potential and demonstrates that the organization is taking information security management seriously. However, the assurance value of the certificate depends largely on the ISMS scope and the SoA; in other words, don't put too much faith in an organization's ISO/IEC 27001 certificate if you are highly dependent on its information security without reading the scope statement and, ideally, the SoA. In just the same way that certified PCI DSS compliance does not mean "We guarantee to secure credit card data and other personal information", certified ISO/IEC 27001 compliance is a positive sign but not a cast-iron guarantee about an organization's information security. It says "We have a compliant ISMS in place", not "We are secure". That is an important distinction.
Our partnership with clients and the resulting improvements have enabled us to develop sector-specific case studies. We would be glad to share a case study relevant to your industry and discuss how we can help you achieve excellence by implementing any management system in your company.
Our philosophy goes far beyond customer satisfaction. We believe in not only satisfying our clients but delighting them, with a result-oriented consulting methodology that brings sustainable competitive advantage.