In For most organisations today, information is the most vital asset. Information security can be described as the conservation of confidentiality, integrity and the availability of this information the three pillars of the IT Security Triad.ISO 27001 is an international standard forinformation security best practice. The standard can be implemented in, and is applicable for all types of organisations, including commercial enterprises, government bodies and not-for-profit organisations,for designing a compliant Information Security Management System (ISMS). The standard provides the framework for a vendor-neutral, technology-neutral management system, that assures an organisation and its stakeholders that its information security measures are in place and are effective.
The structure of the standard
ISO 27001 has five main clauses (mandatory controls), 11 domains, 39 control objectives and 133 controls. The mandatory clauses include:
Establishing the ISMS
Management commitment
Internal ISMS audits
Management review of the ISMS
ISMS improvement.
A fundamental tenet of ISO 27001 is the Deming Cycle of plan, do, check and act. The 11 domains covered under the standard include:
Security policy
Organisation of information security
Asset management
Human resource security
Physical and environmental security
Communications and operations management
Network access control
Information systems acquisition, development and maintenance
Information security incident management
Business continuity management
Compliance
Albeit the standard does not touch upon areas such as green computing or wireless technology per se, there is nothing stopping you from including this in your list of controls.
In fact, the controls cited in the standard are general guidelines to ensure that the important areas under these domains are not erroneously omitted. Hence, it affords you the freedom of including your own controls to address the technology rolled out in the organisation. Having said that, it is important to note, that the reason for the omission of any controls cited in the standard, must be mentioned in the Statement of Applicability (SOA).
So what is the recipe to ensure the ISO 27001s success in an organisation? The first and foremost ingredient is to understandthe culture of the organisation, business objectives and garnertop management support. Management support and commitment in terms of manpower resources and financial resources are critical. Recognition of information security as being a priority by top management still remains one of the biggest challenges for CIOs / IT managers, worldwide. The second biggest challenge happens to be,getting sufficient resources. Information security is not only about IT it is also about, amongst other things, organisational and cultural issues and human resource management. So if your management feels that the IT department can handle this without support from top management and other resources (manpower and financial) or support from other departments, the project is doomed from the beginning.
The next step usually involves identifying the scope forISO 27001 compliance. This is a crucial element else it will adversely affect the cost and ROI of ISO 27001 implementation.More often than not, it is not necessary for an enterprise to adopt a companywide implementation of the standard. If need be, this can be extended or staggered to other divisions / business units, at a later stage.
Once the scope has been identified, it is crucial to have a plan in place for implementation.
Although this is not part of the standard, it can be one of the major pitfalls failing to plan means planning to fail. If youthink you will be able to roll this out in two to three months, then you will land up with a pile of procedures, polices and other documentation, which nobody will care about. The standard is not just about documentation but you should be able to implement and measure the documented procedures and processes as well.
The backbone of a majority of, if not all, information security standards, is decision-making based on risk assessment. The ISO 27001 is no exception to this rule. In fact, the standard explicitly states the requirement of a risk assessment to be conducted prior to the selection of any controls.
From a business, compliance or contractual perspective, the risk assessment exercise mustidentify the threat and vulnerability for each asset, which has a likelihood of impacting the information security triad of confidentiality, integrity or availability. This also makes business sense, since the organisation would be able to divert its funds towards addressing the most critical risks identified.
The risk assessment process would also enable the management to identify ways of addressing this risk whether the risk needs to be mitigated, avoided, transferred or accepted.
Building a good team is another crucial ingredient for success. In my experience, involving cross-functional teams, including legal and HR professionals is absolutely necessary, especially when it involves framing policies and penalties for violation of the policies. A CIO / IT manager cannot be expected to frame these policies without seeking guidance from these functional areas. Compliance (Domain 11) mandated by law applicable to the organisation for example, need to be addressed by involving the legal team.
The costs involved for implementation and certification need to be conveyed to the top management, as well as the ROI. Some of the costs which could come into play are - cost of internal resources to produce policies and procedures, cost of external consultants, cost of registration for certification, etc.
So what is the ROI for an organisation implementing ISO 27001? Is being ISO 27001 certified just a marketing gimmick?
The ISO 27001 certification does definitely give you the edge over an organisation that is not certified, and it could become your unique selling point, especially if you handle customer sensitive data. The ISO 27001 certification instils confidence in your customers that their personal information is protected.
Obtaining an ISO 27001 certification demonstrates that you have addressed, implemented and controlled the security of your information. From the firms perspective, it can lead to cost savings. Imagine the loss to an organisation because of a leakage of company confidential data, for instance, business strategy, the loss of reputation built over the years, the cost of the customers private data being compromised and subsequent law suits, etc. By obtaining the certification, you effectively establish that relevant laws and regulations have been addressed.
Add new comment