Almost all of us have heard in some way of either ISO 9000 or ISO 14000 certification. These standards have become commonplace in today's business world as accepted benchmarks for quality control and environmental friendliness. In the manufacturing and service sectors, these standards are almost expected and are taken as a sign that a company bearing these marks has been checked out and proven to follow an accepted code of best practices.
What many of us do not know is that there is another set of ISO standards that are beginning to play a more significant role in the risk management arena. These standards are, respectively, the code of practice for information security management (ISO 17799) and the requirements for information security management systems (ISO 27001). It has been accepted that there are very close ties between information security and risk management, and these standards contribute to this relationship.
What Is the Difference?
Both the ISO 17799 and 27001 standards were derived from multiple iterations of the originating British Standards Institute standard number BS7799. Originally this standard consisted of two parts. Part one was first adopted as ISO 17799. Part two was later adopted in 2005 as ISO 27001. The ISO 17799 standard will be renumbered under the ISO 27000 series of standards as ISO 27002 sometime in 2007 or 2008.
ISO 17799 is a code of practice. In essence, it is a set of guidelines that an organization may use in developing an information security management system. These guidelines have been developed over many years and have gone through many revisions. The guidelines are internationally accepted as one of the industry de facto best practice baselines. There is no certification for ISO 17799 as it is a set of guidelines that can be used to help ensure the compliance and successful implementation of the ISO 27001 specifications.
ISO 27001 is the set of requirements for developing an information security management system. This is the standard that an organization will need to adhere to in order to receive ISO 27001 certification. This standard has several key components that are required in order to achieve compliance. Of particular interest for this discussion are requirement for security policy and the requirement for a documented procedure for the assessment and treatment of risk.
Regulatory Compliance and Risk Management
Regardless of which regulatory standard you are dealing with, ISO 27001 gives a baseline paradigm. Compliance with or certification in ISO 27001 will give you strong IT-related controls that will also help satisfy the requirements of many regulatory standards. The depth to which ISO 27001 can help you in achieving compliance to other regulatory standards is dependent upon which controls you select and how you implement those controls.
One of the strongest values ISO 27001 brings is its agnostic approach. There are absolutely no requirements in ISO 27001 for any specified technology. In fact, compliance to the standard can be theoretically achieved without even owning a computer. What is required by the standard is the selection of IT-related controls and an implementation of these controls in a way that provides strength to them. This is how the standard ties so tightly into the risk management arena.
The following are three key excerpts from the standard dealing with the management of risk:
Organizations are required to define and document their risk assessment approach [4.2.1c].
"The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results." [4.2.1c]
Risk assessments are to be regularly reviewed at planned intervals [4.2.3d].
In addition to the above, the standard also requires that when selecting controls, there must be a demonstrated relationship between the selected controls to the results of the risk assessment and risk treatment process: "Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection shall take account of the criteria for accepting risks as well as legal, regulatory and contractual requirements." [4.2.1g]
The standard also covers the acceptable options for the treatment of risk. These options include risk avoidance, risk acceptance, risk mitigation (through application of controls) and risk transference.
The Information Security Management System
As mentioned previously, the ISO 27001 standard is the set of requirements for developing an Information Security Management System (ISMS). The assessment, management and treatment of risk are intertwined throughout the whole process.
The ISMS is based on the PDCA model: Plan, Do, Check and Act. Simply, it is a living, cyclical process that must be followed to ensure that the ISMS and, by default, the management of risk are not just static processes that are written and then shelved to collect dust.
Tying It All Together
ISO 27001 will help you to develop an approach to risk management that is based on the selection, implementation, review and monitoring of strong controls. The development of an ISMS and a "risk based" approach are both processes that require a significant investment in time. The following is a short walk through of the four steps in the PDCA model placing emphasis on the risk related components that are required at each step. In real life, there are far more steps than those which are covered here.
Step 1 - Plan: Establish the ISMS
Define risk assessment approach
Analyze and evaluate risks
Identify and evaluate risk treatment options
Select control objective and controls
Management approves residual risks
Management authorizes implementation of ISMS
Step 2 - Do: Implement and Operate the ISMS
Define management actions, resources, priorities, roles and responsibilities
Correlate to risk treatment plan for managing identified risks
Define how to measure effectiveness of controls
Implement procedures for detection of incidents
Step 3 - Check: Monitor and Review the ISMS
Execute monitoring and review procedures
Regularly review effectiveness of ISMS
Measure effectiveness of controls
Regularly review risk assessments and update residual risks
Step 4 - Act: Maintain and Improve the ISMS
Implementation of identified improvements to ISMS
Take appropriate preventive and corrective actions
Review lessons learned
Communicate taken actions
Meet documentation requirements
Ensure documents are controlled
Ensure records are controlled
Requirements and Certification
Another requirement under ISO 27001 that will help achieve compliance to other regulatory standards is the requirement for the control of documentation and records.
Specifically, risk managers will need a number of documents, including the description of your risk assessment methodology, risk assessment reports, risk treatment plans and overall documented procedures.
The standard explicitly states that records must be protected and controlled. Specifically, controls are required for the identification, storage, protection, retrieval, retention time and disposal of records.
The most common question that arises concerning ISO 27001 is regarding the necessity to pursue certification to the standard. Many organizations often feel that simply complying with the standard should be sufficient to meet their needs. This is commensurate with common attitudes towards risk management and information security. Organizations often see security and risk management as technical issues as opposed to management issues which have associated high costs with little return.
Many organizations are so overburdened with regulatory issues that there is little interest in adopting a voluntary standard. Many organizations also take a reactive approach to security and risk management, and often only decide to act once a problem has occurred.
ISO 27001 certification can provide a third-party assurance that your organization is serious about information security and managing the associated risks. Certification can also help satisfy compliance auditors that your organization has a process for addressing risks and maintaining documents and records as well as potentially reducing audit time and cost. This will assist in providing a detailed and structured approach to security and risk management, which will ensure that you have the right people, processes and technology in place in order to suit your business model. ISO 27001 provides a framework that accounts for most of the common regulatory requirements that are currently in place. The standard also provides for embedded accountability. Certification illustrates that the organization's senior management are committed to the security of their business including the protection of confidential customer information.
The ISO 27001 standard corresponds to ISO 9001 and ISO 14001, and as a result acts as a compliment to the goals which the other standards strive to achieve. Certification to the ISO 27001 standard can provide an invaluable marketing advantage, especially when dealing across international borders.
Steps to Certification
Certification requires involving a registrar authorized to recommend certification for this standard. Depending on what country you are located in, you may have a wider selection of registrars to choose from. Different registrars may vary their process on certification, but regardless of which registrar you may choose there are a few key steps involved.
Step one covers the majority of the administration: Contacting a registrar, obtaining a quote, submitting an application for registration, and co-ordination with a client representative from the registrar.
Step two is optional but is highly recommended: Contact and secure a reputable consultant who is experienced in ISO 27001 certification for a pre-certification audit. Your consultant will be able to review all the key required components and identify any nonconformities that may exist which could jeopardize successful certification. This stage is critical as it gives you an opportunity to work with a third party independent consultant to find areas of concern and correct these prior to the actual certification audit. An experienced consultant may also be able to assist you during you certification audit by liaising with the auditors to provide clear explanations in terms of the standard to help facilitate a successful audit.
Finally, a certification audit is conducted and if successful, recommendation is passed through to the certifying body. Once approved, a certificate is issued and your organization becomes registered.
ISO 27001 is an internationally accepted standard that has been shown to validate the controls an organization has in place for the management of both security and risk. Certification to the standard facilitates many of the legal and regulatory requirements covered by other legal and regulatory standards.
ISO 27001 can be viewed as an overall program that combines risk management, security management, governance and compliance. It helps an organization ensure that the right people, processes and technology are in place that are appropriate to the business model and that facilitate a proactive approach to managing security and risk.
The standard helps foster a strong culture where strong values are promoted concerning the protection of client and business information. The standard provides accountability for actions.
Finally, certification provides an objective validation by an impartial certifying body that the organization is vigilant in undertaking due diligence. This provides peace of mind to shareholders, clients, business partners and employees and sets the bar for suppliers. Additionally certification can provide a competitive advantage and facilitate audits to other regulatory standards.
Experto: De normas y certificaciones: el caso de la Seguridad de la Información, por Ignacio Cortés (21/07/2006)
Experto: El valor de la información en las organizaciones, por Andrés Borrego (15/02/2007)
Experto: Sistema de Gestión de Seguridad de la Información: ISO 27001 e ISO 27004, por Alejandro Corletti (16/03/2007)
Experto: ISO 27001: Los controles (y II), por Alejandro Corletti (12/01/2007)
Experto: ISO 27001: Los controles (I), por Alejandro Corletti (24/11/2006)
Experto: Sistema de Gestión de Seguridad de la Información: Análisis de ISO 27001:2005, por Alejandro Corletti (06/11/2006)
Noticia: BELT IBÉRICA, S.A. es la sexta empresa española que consigue el certificado oficial en Sistemas de Gestión de Seguridad de la Información ISO 27001:2005 (16.02.07)
Pinche aquí para escuchar la entrevista sobre el proceso de certificación en ISO 27701 de Belt Ibérica, S.A.