Five years ago, it was the rare technologist who spent much time dealing with compliance and regulatory issues.
Up until relatively recently, only a handful of technologists in certain highly regulated sectors — such as financial services or government — spent much time evaluating regulatory issues, ensuring adherence to defined legal or other mandates, or certifying systems for conformance to policy.
The rest of us didn’t really have that much to worry about in this regard. Sure, there may have been the occasional outside audit or the sporadic question from internal auditors — but for the most part, somebody else had to worry about compliance concerns, not us.
Fast forward to today. Now, we’re all impacted to some degree by some regulation or another. In addition to there being specific IT-related regulation in the sectors that were heavily regulated all along, other segments of industry — for example, healthcare and retailers — have specific requirements that relate to how IT operates.
Broad, sweeping issues like e-disclosure — disclosure rules pertaining to electronic evidence — and breach notification laws are actively changing the landscape and changing the way firms manage technology.
To add insult to injury, the regulations just keep piling on. It is not unheard of for a firm that was totally unregulated (from an IT point of view) five years ago to now have several different and relatively new regulatory requirements to heed, with more regulations in the works.
Given this “compliance mania,” it’s no wonder that talking to many IT managers about ISO 27001 is a difficult task.
Take, for example, a firm that is already swamped trying to meet the regulations in its scope. Then someone comes along asking it to voluntarily comply with yet another set of guidelines.
It is hardly surprising that the firm might be, to put it mildly, "skeptical of the value." After all, aren't these just more rules to follow, more audits to deal with, and more all-around hassle for the organization? Don't we have enough of those already?
In truth, though, the opposite holds. Employed strategically, ISO 27001 can yield tremendous benefits, both in reduced overhead in security management and in streamlining compliance efforts elsewhere in the firm.
Therefore, even though it seems counterintuitive, keep an open mind as you read this brief overview of ISO 27001 — what it is, how it can be used, and how it might benefit you and your organization.
An Overview of ISO 27001
ISO 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining and continually improving a process-oriented information security program (an information security management system, or ISMS, in the language of the standard) within an organization.
In other words, the standard defines a model that an organization can use to systematically shape its information security program, taking into account the goals of the organization (business requirements, regulatory and legal obligations, the culture and constraints of the organization) with an eye toward continual improvement.
By taking a process-based approach to security, the model encourages the development of benchmarks, or metrics, that an organization can use to measure its success in accomplishing security goals, to measure its performance over time, and ultimately to refine and improve the program.
Now, all of these sound like useful things, and, in fact, this standard is not unique in advising firms on how to make information security more mature and reproducible.
However, one feature that separates ISO 27001 from other “common sense security advice” is that the standard is designed with certification in mind.
The standard allows a registrar (an accredited certification body made up of independent auditors) to audit a firm against its requirements. If the audit finds those requirements met, the registrar certifies that the organization's ISMS, within the scope the organization has defined for it, conforms to the standard.
What Are the Benefits?
For organizations that are seeking to become ISO 27001 certified, there are obvious marketing benefits. For example, service providers, outsourcing partners, and other service-oriented firms — particularly those that deal with sensitive or regulated data on behalf of clients — are likely to realize quickly that having independent certification of their security is plain old good marketing.
However, even organizations that are not seeking certification can benefit from the standard. Specifically, the process is designed to streamline security — to make it more effective, efficient, mature and reproducible over the long term.
If, for example, efficiency and cost reduction are among the goals of the organization, the security program can be designed to eliminate areas of inefficiency and waste. If client focus is a goal, then the program can be designed to monitor and improve how client relationships are handled. If the goal is simply to achieve more reproducible and mature information security, there is a benefit there as well.
How Do I Sign Up?
What firm isn't interested in increased efficiency, meaningful metrics, improvement over time and enhanced maturity? Of course, maintaining the status quo appears free; more precisely, its costs are hard to see. Making an investment in a firm's security, on the other hand, has a visible cost that may sometimes be significant.
If you intend to become certified, you are probably looking at a significant expense. You may not yet meet all of the documentation requirements for certification, and you may not have the processes the standard requires in place, such as risk assessment and risk treatment.
If the goal is certification, you must satisfy every requirement of the standard, and anything you don't have in place today is an upfront cost.
However, if you don’t plan on becoming certified but you’re still interested in making use of the standard to improve security within your firm, it’s useful to take a page out of the standard itself in order to decide on your approach.
Start by examining your own priorities, move to evaluating what portions of the standard are most applicable to your priorities, and then evaluate how much of those portions you can implement, given your budget.
For example, if maturity is the primary goal of your organization, start by looking at the areas of the standard that have an impact on maturity — for example, documentation requirements, resource management and program improvement.
If your focus is on the implementation of specific controls, start by looking at the relevant portion of the standard: the control catalogue in Annex A, with implementation guidance in the companion standard ISO 27002.
There is no such thing as a panacea, particularly when it comes to security. However, the ISO 27001 standard has quite a few concepts that any organization can use to improve productivity and effectiveness.
Ed Moyle is currently a manager with CTG's information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit, and secure solutions development.