Below are my highlights and comments on the ISACA article “Planning for and Implementing ISO 27001” by Charu Pelnekar, which was published recently and is available in full on ISACA’s website. Definitely worth a full read. Here are a few highlights that leaped from the page.
Benefits of establishing an ISMS:
– “Enable enterprises to benchmark against peers” <– Highlights a good question: how are YOU benchmarking your information security efforts? Are you basing it on staying out of the WSJ and riding the media wagon, or are you doing something different? Industry surveys, publicly traded company statements, and industry sector considerations are excellent perspectives. Considering the maturity of your program and benchmarking it against comparable peers (by revenue, complexity, locations, sector, what is sensitive, customer base, and legislation) is equally valuable, and seldom considered completely.
– “Provide relevant information about IT security to vendors and customers” <– Responding to multiple client and partner information security verification audits is a necessity today, a trend that will continue until the use and adoption of standards is consistent and proven. The author highlights this further when considering the benefit of gaining a “Comfort level of interoperability due to common set of guidelines followed by the partner organization”.
– “Enable management to demonstrate due diligence” <– There is legal precedent for the existence, operation, and proven maturity of an ISMS being a significant factor in determining whether a business has demonstrated due diligence with regard to safeguarding information.
– “Assist in determining the status of information security and degree of compliance” <– A worthwhile pursuit and consideration for the risk management and internal teams within every organization. Pivoting / agile / adaptable / (insert latest phrase here) organizations need to constantly adapt how they innovate; similarly, they should evaluate the adequacy of their current information security programs (the actual program) and the effectiveness of those programs. This is not a commitment to grow, but instead to shift left and right as needed at the current time.
Costs of implementation depend on numerous factors, but a highly sensitive variable is the health of the IT organization and the sophistication of the enterprise information security program. Within the ISMS is the risk assessment process designed to identify risks; the greater the number of risks, the more significant the necessary remediation costs can be (with respect, this is not the cost of implementing the program, but instead of raising the operating state of the organization in line with the risk tolerance of the business). Regardless, these must be managed appropriately in order for the ISO 27001 program to be considered effective and certifiable.
The complexity of managing and operating a mature information security program that adheres to ISO 27001:2005 depends on several factors, but one standout is the scale of operations, which can be defined as “# of employees, business processes, work locations, products and or services offered”.
Implementing an ISMS for an organization begins with several key and required efforts. The sequence, thought, and support applied to each ensure that the business has an enhanced information security posture that is both sustainable and meaningful. These include:
- Defining the ISMS Policy
- Defining the scope of the ISMS
- Performing a security risk assessment (on the in-scope environment)
- Managing the identified risks with consideration of the risk tolerance and risk criteria
- Selecting controls to be implemented and applied, and finally preparing the SOA (Statement of Applicability).
The article, published by ISACA in Volume 4, 2011 and available for free to all members, and its author provide a nice high-level breakdown of what is required for an enterprise to reach ISO 27001 certification. I would add that linkage is the only major high-level component absent from the article. Linkage throughout the program is essential to ensuring that a cost-effective and business-appropriate program is established and maintained.
For those serious about maturing their organization, ISO 27001:2005 is a good objective. For a deeper understanding of what is required, I would encourage purchasing a copy of the entire 2700X standard family to fully understand implementation, safeguard controls, and risk assessment programs. A nice SANS article on implementing an ISMS is available here (pdf).
Another way of considering the benefits of a mature security program… is asking whether an organization will be compliant with PCI DSS or other legislative requirements as a result of implementing ISO 27001. Simple answer: yes. Longer answer another day.
Thoughts and challenges?
– James DeLuccia