The Journey to ISO 27001 (Part 1)

Published on 3 July 2013 / Last Updated on 3 July 2013

In this two part article we will take you through an introduction to ISO 27001.

If you would like to be notified of when Ricky Magalhaes releases the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

Many organisations have realised the value of achieving ISO27001 accreditation. Many of the disciplines described in the certification, and the methodologies that should be adopted to achieve it, help keep companies secure. In this article we will explore what this certification is about, and in following articles we will cover security strategies to help achieve and maintain the certification.

Introduction

ISO27001 is a security standard developed to provide a model for establishing, implementing, operating, monitoring and maintaining an information security management system. It is widely accepted as the highest security standard in the industry for examining the effectiveness of an organisation’s overall approach to security.

The ISO27001 certification aims to alleviate the challenges faced by organisations with regards to IT security. Some of the challenges we face are:

  • Risk of data loss through error or malicious circumstances
  • Compliance with regulatory requirements with regards to security of data
  • Achieving an acceptable baseline security control
  • Protection for perimeter defence as well as internal leakage
  • Scrutiny from auditors
  • Security concerns and requirements with regards to employees, processes and technologies within the organisation

The ISO27001 certification requires organisations to be competent in four security management areas:

  • Asset identification and valuation
  • Risk assessment and risk management
  • Risk acceptance criteria
  • Continual improvement and maintenance of the organisation’s security program

Benefits of the ISO27001 certification

  • Demonstrates security competence
  • Helps meet regulatory and compliance requirements
  • Provides customer assurance in risk management
  • Keeps confidential information secure
  • Allows secure information exchange
  • Provides the company with a competitive advantage
  • Improved client retention through security satisfaction
  • Exposure to risk is reduced and managed
  • Lower costs because of reduced risk
  • Consistency in product and service delivery
  • Protects company assets, shareholders and directors

The process towards certification

Step 1: Planning and initiation

Do your research

It’s essential that you become familiar with the ISO27001 standard. Research what the certification is comprised of and what the process involves, and make yourself aware of the various certification bodies to choose from.

Project Resources and Budget

Determine the resources and budget needed to achieve the goal. It would be helpful to perform an initial analysis to identify any constraints which may affect the resources or budget required.

Get management approval and support

For the process to work effectively it is paramount that management is completely behind the decision and offers its full support and approval. Securing the support of senior management reinforces the company’s ambition to pursue best practice, thereby encouraging everyone within the organisation to work towards the same goal.

Register with your chosen certification body

Once everyone is on board and excited by the prospect, the first steps towards the certification process can be taken. An application for registration with the chosen certification body will need to be completed and returned to that body for review; once satisfied, the certification body will give the organisation the go-ahead.

Step 2: Establish a project team

Choose an ISO management representative and establish a project team

Appoint responsible and knowledgeable people to manage, represent and audit the project. Organise a team to run the project under the guidance of the team leader. The chosen individuals should have sufficient knowledge of the ISO requirements and understand the controls and milestones needed to reach the accreditation. The team should work well together towards the same goal.

Management’s role

  • Make the strategic decisions for the implementation
  • Approve and allocate budget
  • Ensure resources for managing, developing, implementing and maintaining the certification
  • Ensure training is available to staff and that staff are competent with regards to the certification requirements

Representative’s role

  • Directing and monitoring tasks related to the certification
  • Ensuring that tasks are completed
  • Reviewing the information security management system (ISMS) regularly to keep it up to date

Internal auditor’s role

  • Assess and evaluate the ISMS

Step 3: Define the Information Security Management System (ISMS) Scope

Understanding the business function

To be able to define the ISMS Scope it’s important that the team understands the business. It’s important to have a good understanding of the following:

  • What the business function is, identifying core processes, support processes and relationships within the business
  • What the business activities and services are, both internal and external
  • What documentation already exists within the organisation

Defining the scope

Your scope depends on the company’s requirements and capability. It may be difficult for some organisations to implement the standard across the entire organisation, so they may choose to be selective when defining the scope, perhaps limiting it to certain departments. The scope is important because it defines the parts of the organisation to be covered by the ISMS; it should specify the locations, assets and technology to be included.

Step 4: Gap analysis and Security Risk assessment

Undertake a risk assessment to determine the areas where threats could endanger the confidentiality, integrity and availability of information. The analysis should include physical sites and buildings, business processes, information system infrastructure, resources and assets, as well as people within the organisation. By doing this you can gauge the effectiveness of existing controls.

The risk assessment should involve:

  • identification of assets
  • identification of threats
  • identification of existing controls
  • determination and analysis of the existing risk level through use of security tools and report generation
  • determination of an acceptable risk level
  • determination of possible control options to limit areas of risk

Inventory of information assets

Make sure to record all of the assets correctly. Be sure to include intellectual and shared assets as well.

Step 5: ISMS Documentation development

ISO27001 requires extensive documentation. The documentation required includes policies, standards and procedures that ensure the business adheres to the requirements of ISO27001 in a competent and attainable manner. The documentation is a very important part of the ISO27001 certification process, as it forms the criteria against which the organisation is measured to meet the ISO standard.

Documentation steps include:

  • Review existing documentation and develop an ISMS structure
  • Develop documentation for the ISMS structure
  • Develop the ISMS policy
  • Develop the ISMS manual
  • Develop procedures and guidelines

It’s important that you write documentation appropriate to the organisation’s needs and make sure you put what is documented into practice. During the certification process the documentation will be checked to gauge whether it is compliant with the ISO standard; following this, the organisation’s activities will be checked for compliance against both the ISO standard and your own documentation.

Make sure to review your documentation throughout the process to ensure nothing is omitted.

To pass the first stage audit (Document Review) and move on to the second audit, you will need to have documented the following correctly:

  • The ISMS scope
  • ISMS policy and objectives
  • Risk assessment methodology
  • Risk assessment report
  • Statement of applicability
  • Risk treatment plan
  • Procedures for managing documentation
  • Procedures on measuring effectiveness of controls
  • Corrective and preventative actions
  • Documentation on internal audit
  • Documentation on management review
  • Controls for record management

Required records:

  • Records related to effectiveness and performance of the ISMS
  • Records of management decisions
  • Records of significant security incidents
  • Records of training, skills, experience and qualifications
  • Results of internal audit
  • Results of management review
  • Results of corrective actions
  • Results of preventive actions

If applicable to your business, supply documentation for:

  • Inventory of assets
  • Information security policy
  • Acceptable use of assets
  • Roles and responsibilities of employees
  • Procedures for the operation of information processing
  • Access control policy
  • User activity logs
  • Statutory, regulatory and contractual requirements list

Other documentation (not mandatory) if you’re implementing these controls:

  • Change management policy
  • Backup policy
  • Disposal and destruction policy
  • Information exchange policy
  • Password policy
  • Clear desk and clear screen policy
  • Policy on use of network services
  • Mobile computing and teleworking policy
  • Bring your own device policy
  • Incident management procedure

Conclusion

The benefits of being ISO 27001 certified go far beyond what has been mentioned in this article; the real value lies in the combination of all parts of the accreditation and in developing and maintaining the level it requires. Many organisations seek the certification only because they have to, and end up certifying at great cost while adding little value to their internal processes and security posture. The guidance provided by the accreditation is there to improve and maintain a high level of security posture.

The Author — Ricky M. Magalhaes

Ricky M Magalhaes is an International Information Security architect, working with a myriad of high profile organizations. Ricky has over 16 years of experience in the security arena covering all ten domains including best practice and compliance. Ricky is a strategist on security and innovating creative ways to achieve compliance and mitigate risk, to many blue chip entities and forms part of the advisory boards to many organisations worldwide.