Documenting that you have strong governance in place, ensuring that you adopt best practice and demonstrating that you take security seriously are just a few of the top reasons to align with business standards like ISO.
The name ISO derives from the Greek word iso, meaning equal. ISO/IEC 27001 is now widely recognised as the de facto standard for information security and is controlled by its governing body, the International Organisation for Standardisation.
There are 31,910 organisations globally that are ISO/IEC 27001 certified, with 2,444 in the UK and 9,111 in America alone. So, why are so many organisations choosing to certify to ISO/IEC 27001?
Good governance, best practice, strong controls, and maturing as an organisation are all important and admirable objectives, but perhaps the greatest benefit is in fact a commercial one. Information and cyber security are common boardroom topics that often filter down into what organisations demand from their suppliers. This is particularly true of, but not limited to, financial services, pharmaceuticals and any industry that is highly regulated or that has valuable assets to protect, such as customer data or intellectual property.
Demonstrating that you take information security seriously, as a potential new supplier, can ultimately mean the difference between winning and losing your next tender process.
This article discusses ISO/IEC 27001, its purpose and its benefits, addressing specification and requirements, ISMS (information security management system) specification and requirements, and issues with ISMS.
ISO/IEC 27001:2013 is an information security standard that was published on 25 September 2013. It supersedes ISO/IEC 27001:2005 and is published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is a specification for, and recognised as a best-practice framework for, an ISMS. Organisations meeting the standard may gain an official certification issued by an independent and accredited certification body on successful completion of a formal audit process. Organisations that align with ISO/IEC 27001 meet recognised information security standards, making them likely to win more business, especially with enterprise organisations.
ISO/IEC 27001:2013 specifies 114 controls in 14 groups:
The official title of the standard is "Information technology — Security techniques — Information security management systems — Requirements".
ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:
This structure mirrors that of other new management system standards such as ISO 22301 (business continuity management); this helps organisations that aim to comply with multiple standards to improve their IT from different perspectives.
An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The term arose primarily out of BS 7799.
The governing principle behind an ISMS is that an organisation should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organisation and external environment. ISO/IEC 27001:2013 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:
ISO/IEC 27001:2013 is a risk-based information security standard, which means that organisations need to have a risk management process in place. The risk management process fits into the PDCA model given above.
Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework, Risk IT, dedicated to information security.
The development of an ISMS framework based on ISO/IEC 27001:2013 entails the following six steps:
ISMS Requirements
To be effective, the ISMS must:
There are three main problems that lead to uncertainty in information security management systems (ISMS):
Rapid technological development raises new security concerns for organisations. Existing security measures and requirements become obsolete as new vulnerabilities arise alongside technological development. To overcome this issue, the ISMS should organise and manage dynamically changing requirements and keep the system up to date.
An externality is an economic concept for an effect borne by a party that is not directly involved in a transaction. Externalities can be positive or negative. The ISMS deployed in an organisation may also cause externalities for other interacting systems. Externalities caused by the ISMS are uncertain and cannot be predetermined before the ISMS is deployed. The internalisation of externalities caused by the ISMS is needed in order to benefit both the internalising organisation and its interacting partners by protecting them from vulnerable ISMS behaviours.
The evaluations of security concerns used in the ISMS become obsolete as technology progresses and new threats and vulnerabilities arise. Continuous security evaluation of organisational products, services, methods and technology is essential to maintain an effective ISMS, so previously evaluated security concerns need to be re-evaluated. A mechanism for continuous security evaluation of the ISMS within the organisation is a critical need if information security objectives are to be achieved. This re-evaluation process is tied to the dynamic security requirement management process discussed above.
Is ISO/IEC 27001 accreditation for everyone? Perhaps not. But if your business is serious about reducing risk, and is looking for an effective way to assess the risks in your business (Plan), implement controls to measure that risk (Do), use these to benchmark ongoing performance (Check), and continuously review the ISMS as the business changes over time (Act), then yes, absolutely.
An ISO journey may seem like a big undertaking but, for most, the benefits far outweigh the initial investment, and the journey to accreditation can be surprisingly short. Rarely is there a better opportunity to drive cultural change in a business, and one that leads to both a mature information security posture and your business's next big competitive advantage.