2. Introduction
The purpose of information security is to protect an organisation’s valuable assets, such as information, intellectual property, hardware, and software.
Through the selection and application of appropriate safeguards or controls, information security helps an organisation to meet its business objectives by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
In this A to Z I’d like to outline some of the key focus areas for organisations wishing to pursue compliance to the ISO27001 Information Security standard.
3. Accredited Certification
Like other ISO management system standards, certification to
ISO27001 is not obligatory. Some organisations choose to
implement the standard in order to benefit from the best practice it
contains, while others decide they also want to get certified to
reassure customers and stakeholders that the standard’s recommendations
have been followed.
Customers are increasingly asking for certification of their suppliers
and for that reason many suppliers are also demanding certification
of their supply chain.
ISO27001 Certification is a shrewd investment for any organisation,
acting as an immediate, universally recognised indicator of an
independently audited, best practice approach to information
security, risk management & the protection of client data.
Achieving ISO27001 Certification does require an investment of
time, effort & budget from an organisation, but there are
significant regulatory, commercial, operational & reputational
benefits that will repay the initial investment several times over.
4. Best Practice
ISO27002 is a code of practice - a generic, advisory document, not
a formal specification like ISO27001. It recommends information
security controls addressing information security control objectives
arising from risks to the confidentiality, integrity and availability of
information.
Organisations that adopt ISO27002 must assess their own
information security risks, clarify their control objectives and apply
suitable controls (or indeed other forms of risk treatment) using the
standard for guidance.
Just as ISO 27002 provides a set of guidelines for best practice in
implementing an Information Security Management System (ISMS),
ISO 27005 provides best practice guidelines for risk management.
As part of constructing a suitable and secure information security
management system, you must assess the risks to your information
and be prepared to mitigate these risks. The standard is structured
logically around groups of related security controls (see F, Fourteen Security Control Categories).
5. Controls
An administrative, procedural, technical, physical or legal means of preventing or managing the impact upon an asset of an information security event or incident. The following types of control exist:
– Preventative - prevents impact upon an asset.
– Detective - detects impact upon an asset.
– Reactive - reacts to impact on an asset, and includes:
  – Corrective - actively reduces impact.
  – Recovery - restores an asset after impact.
Controls may reduce information security threats or impacts, although most reduce vulnerabilities.
6. Data Protection
The 1998 Data Protection Act identifies the security
obligation for controllers of personal data. In summary, controllers
of personal data are required to:
– Implement appropriate technology that will keep data safe and secure,
taking into account the state of technological development, the cost
of the technology, the nature of the data that is being protected and
the harm that might result from a security breach.
– Hire reliable staff and take steps throughout their employment to
ensure their reliability. This will extend to pre-employment vetting and
ongoing monitoring where appropriate.
– Use data processors who provide sufficient guarantees about security,
who agree to work only pursuant to a contract and who agree to
process data only on the controller's instruction. The controller must
take appropriate steps to ensure the reliability of the processor.
Collectively these provisions address all the major themes within a
comprehensive information security management system, and they
dovetail nicely with the headline requirements of ISO27001.
7. Employee Engagement
Many employees do not understand what information security is all about. You need to
explain to your colleagues why information security is needed, the implications of not
putting controls in place and how to perform certain tasks.
In addition to training, awareness must give an answer to the question Why? - explain to
your employees why they should accept information security as a normal working
practice.
There are many methods you can use, for example:
– Include employees in documentation development
– Presentations - organise short meetings, conference calls or webinars where you can explain what
new policies and procedures are being published and ask your employees for opinions about
them, as well as clarify any misunderstandings.
– Articles on your intranet or internal newsletters - simple stories (with as many examples as
possible)
– E-learning - you can create short online training modules that explain the significance of these
topics, as well as train your employees in spotting key areas of risk and how they can help
mitigate them.
– Videos - they are a very powerful presentation method - you can distribute them via email,
through the intranet or use them at team / company events.
– Team Meetings - use regular meetings that are organised in your organisation to briefly present
what you are doing and how it affects your colleagues.
– Day-to-day conversations - you have to sell the idea of information security / business continuity.
– You should prepare a plan defining which of these methods you will use and how often,
together with regular measurement of how effective they are.
8. Fourteen Security Control Categories
– IS Policies
– Organisation
– Human Resources
– Asset Management
– Access Control
– Cryptography
– Physical & Environmental
– Operations
– Communications
– System Acquisition, Development / Maintenance
– Supplier Relationships
– Incident Management
– Business Continuity
– Compliance
9. Governance
Information security governance is the system by which an organisation directs and
controls Information security. It also describes the process of establishing and
maintaining a framework to provide assurance that information security strategies
are aligned with and support business objectives, are consistent with applicable
laws and regulations through adherence to policies and internal controls, and
provide assignment of responsibility, all in an effort to manage risk.
In simplest terms, it is a subset of the discipline of corporate governance, focused,
unsurprisingly, on information security.
As discussed later, senior management’s fundamental commitment to information
security is the most important aspect of effectively managing the security risk to an
organisation’s information assets; this is also referred to as leadership duty of care or due
care.
To be successful information security governance activities must be driven by the
board of directors, senior management and designated key personnel.
These activities should be undertaken in a manner consistent with an
organisation’s risk management and strategic plans, compliance requirements,
organisational structure, culture and management policies.
A key aspect of security governance is the need to define decision rights and
accountability. Achieving this both in theory and practice requires the right
culture, policy frameworks, internal controls and defined practices.
10. Human Resources
HR is key to an organisation’s information security health, which is why ISO27001/2 has a
section dedicated to all matters HR.
It not only outlines possible information security controls, but also includes vital
implementation guidance in each of its sections related to the employment lifecycle,
providing advice in relation to pre-employment, employment and post-employment activities.
1. Pre-employment phase
Covers areas such as screening or vetting and contracts/terms and conditions.
2. Employment stage
During employment, all staff members have a duty of care towards their organisation’s
information assets.
The IT department is usually expected to take care of security but, in fact, it takes care of IT
security. The scope of an organisation’s information assets is much broader and is subject to
a great many higher risks than IT can reasonably be expected to cover.
It is generally accepted that around 80% of organisational data breaches are caused by
people rather than technical failure. This may be the result of staff using USB drives to carry data
that perhaps they shouldn’t be.
3. Post-employment period
The post-employment period is a very risky one in terms of organisations’ information security.
They can end up being the target of malice, theft or reputational damage.
ISO27002 offers clear guidance on suitable policies and procedures for the termination
process, which includes advice on how staff should return assets and on how best to remove
their access rights. It also offers clear guidelines on how to implement such policies.
11. Integrity, Availability and Confidentiality
At the heart of an Information Security Management System is the preservation of confidentiality, integrity and availability of information.
Other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
(Diagram: Confidentiality, Integrity and Availability triad)
12. Justification for ISO27001
With information and data now the lifeblood of many organisations, putting
measures in place to protect such information from threats, breaches of
security and theft is often essential for ensuring the longevity and reputation
of your business.
– Safeguarding your organisation’s information which will lead to reduced incidents,
disruptions and accidents
– Provides customers and stakeholders with confidence in how you manage risk
– Allows for secure exchange of information and keeps confidential information secure
– Reduces customer audit impacts
– Allows you to ensure you are meeting your legal obligations
– Helps you to comply with other regulations
– Potentially provides you with a competitive advantage
– Consistency in the delivery of your service or product
– Manages and minimises risk exposure and builds a culture of security within the
organisation
– Develops opportunities for positive PR for your organisation
– Reduces possible negative media stories which are generated from data and information
breaches
– Protects the company, assets, shareholders and directors
13. Knowledge and Training
Adequate resources (people, time, money) should be allocated to the operation of
the Information Security Management System (ISMS) and all security controls. In
addition, the staff who must work within the ISMS (maintaining it and its
documentation and implementing its controls) must receive appropriate training.
The success of the training program should be monitored to ensure that it is
effective.
You should also establish a plan for how you will determine the effectiveness of the
training.
What you will need:
– A list of the employees who will work within the ISMS
– All of the ISMS procedures used for identifying what type of training is needed and which
members of the staff or interested parties will require training
– Management agreement to the resource allocation and the training plans
Specific documentation is not required in the ISO standards. However, to provide
evidence that resource planning and training has taken place, you should have
documentation that shows who has received training and what training they have
received.
In addition, you might want to include a section for each employee that lists what
training they should be given.
14. Leadership and Management Buy-in
The leadership and management team of an organisation plays an important
role in the success of an Information Security Management System.
The Management responsibility section of ISO27001 states:
Management must make a commitment to the establishment, implementation,
operation, monitoring, review, maintenance, and improvement of the ISMS.
Commitment must include activities such as ensuring that the proper resources
are available to work on the ISMS and that all employees affected by the ISMS
have the proper training, awareness, and competency.
Establishment of the following demonstrates management commitment:
– An information security policy; this policy can be a standalone document or part of an
overall security manual that is used by an organisation
– Information security objectives and plans; again this information can be a standalone
document or part of an overall security manual that is used by an organisation
– Roles and responsibilities for information security; a list of the roles related to information
security should be documented either in the organisation’s job description documents or
as part of the security manual or ISMS description documents.
– Announcement or communication to the organisation about the importance of adhering
to the information security policy.
– Sufficient resources to manage, develop, maintain, and implement the ISMS.
15. Measurement and Monitoring
To ensure that the ISMS is effective and remains current and fit for purpose ISO27001 requires:
– Management to review the ISMS at planned intervals. The review must include assessing opportunities for improvement,
and the need for changes to the ISMS, including the security policy and security objectives, with specific attention to
previous corrective or preventative actions and their effectiveness.
– Periodic internal audits - The results of the reviews and audits must be documented and records related to the reviews and
audits must be maintained.
To perform management reviews, ISO27001 requires the following input:
– Results of ISMS internal and external audits and reviews
– Feedback from interested parties
– Techniques, products, or procedures which could be used in the organisation to improve the effectiveness of the ISMS
– Preventative and corrective actions (including those that might have been identified in previous reviews or audits)
– Incident reports, for example, if there has been a security failure, a report that identifies what the failure was, when it
occurred, and how it was handled and possibly corrected.
– Vulnerabilities or threats not adequately addressed in the previous risk assessment
– Follow-up actions from previous reviews
– Any organisational changes that could affect the ISMS
– Recommendations for improvement
To perform internal audits on a periodic basis, you need to define the scope, criteria, frequency, and
methods. You also need the procedure that identifies the responsibilities and requirements for planning and
conducting the audits, and for reporting results and maintaining records.
The results of a management review should include decisions and actions related to:
– Improvements to the ISMS
– Modification of procedures that affect information security at all levels within the organisation
– Resource needs
The results of an internal audit should result in identification of nonconformities and their related corrective
actions or preventative actions. ISO27001 lists the activity and record requirements related to corrective and
preventative actions.
16. Not just a tick in a box
If implemented properly and with management buy-in to the
process the value that ISO27001 can bring to your organisation
can be significant.
87% of respondents to a recent BSI Erasmus survey stated that
implementing ISO 27001 had a "positive" or "very positive"
outcome, with 39% reporting decreased downtime of IT systems
and the same number a decrease in the number of security
incidents.
Of those that were certified to the standard:
– 78% reported increased ability to meet compliance requirements
– 56% an increased ability to respond to tenders
– 51% an increased external customer satisfaction
– 62% increased relative competitive position
– ROI / sales increased despite rise in cost to develop and support IT
17. Organisation Objectives
An organisation’s ISMS is influenced by the needs
and objectives, security requirements, the
organisational processes used and the size and
structure of the organisation.
It is essential that any security arrangements that are
to be implemented relate to (or support) overall
organisation objectives and strategy. They must be
productive and reflect stakeholder requirements.
Understanding this relationship enables you to adopt
strategies and make recommendations that will
promote the business and allow information security to
enjoy the support of top management.
18. Policy, Process and Procedures
An Information Security Policy is the cornerstone of an Information Security Management
System. It should reflect the organisation's objectives and the agreed upon management
strategy for securing key assets.
In order to be useful in providing authority to execute the remainder of the Information
Security Management System, it must also be formally agreed upon by executive
management.
The essence of a good information security policy:
– Keep it as short as possible
– Keep it relevant to the audience
– Keep it aligned to the needs of the business
– Keep it aligned to the legislation and regulatory frameworks in which you operate
– Do not marginalise it by aiming to "tick the box", as the policy needs to add value to the employee
and the overall outcomes and behaviours you are looking to promote
– Share it with all of your key stakeholders internally and externally
The policy document is exactly that - a high-level statement of the organisation’s position on
the chosen topic (the "why"), not to be confused with the procedural documentation which
deals with "how" the policy is to be enacted. Procedures are sometimes necessarily much
longer documents if they are describing complex processes which must be followed.
Ideally, the policy should be brief and to the point about the user’s responsibilities towards
the information they collect, use, access or otherwise process, and to sign-post them to the
other relevant policies and procedures for the areas in which they operate.
19. Quality Management System Approach
If you already have a Quality Management System / ISO9001 certification some of
the elements you have implemented for your organisation can be used for your
ISMS as well, namely:
– Setting the organisation goals and tracking whether they have been achieved - the same
mechanism is laid down in both standards.
– Management review - the principles for management review are the same for both
management systems.
– Document management - the procedures used for document management can be used
for the same purpose in ISMS with minor adjustments.
– Internal audit - the same procedures can be used for both QMS and ISMS, although you
might use different people.
– Corrective and preventive actions - the procedures used for QMS can be used for the
same purpose in ISMS.
– Human resources management - the same cycle of HR planning, training and evaluation is
used for both management systems.
Therefore, if you have already implemented ISO 9001, you will have an easier job
implementing ISO27001 - you could save up to 30% of time.
Further, you will have cheaper certification audits since certification bodies are
offering the so called "integrated audits", which means they will do both ISO 9001
and ISO 27001 in the same audit, charging you a smaller fee compared to
separated audits.
20. Risk Assessment and Treatment
In order to comply with ISO27001 an organisation must define a risk assessment methodology for Information
Security risks.
They must identify criteria for accepting risks, identify the acceptable levels of risk and develop a Risk
Treatment Plan.
Risk Assessment
Identify all assets of the organisation relating to information security and compile an Asset Register.
Identify combinations of threats and vulnerabilities relating to the asset, and then identify the impacts that
losses of confidentiality, integrity and availability may have on the asset using an Asset Risk Assessment Report.
The impacts take into account the business, legal or contractual obligations that the company has.
The assessment then looks at the likelihood of the security failure occurring by combining the frequency
and the likelihood of the threat.
A combination of the impact and likelihood of the security failure provides a level of the risk normally in three
categories:
– Low Risk: No immediate action required although there may be improvements in processes/technology that reduce the
impact of the security failure.
– Medium Risk: Must be included in the management review of the IMS with actions identified if required and inclusion in the
Risk Treatment Plan.
– High Risk: Must be included in the Risk Treatment Plan for positive actions to reduce the risk.
Risk Treatment
Selecting the most appropriate risk treatment option involves balancing the costs and efforts of
implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as
social responsibility and the protection of the natural environment. Decisions should also take into account risks
which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe (high negative
consequence) but rare (low likelihood) risks. (ISO 31000:2009)
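A worked example of the assessment and treatment steps above, written for this article rather than taken from the original slides: it builds an asset register from threat/vulnerability scenarios, scores each on worst-case C/I/A impact times likelihood, bands the score into the three categories, and applies the ISO 31000 caveat so that a severe-but-rare risk still reaches the treatment plan. The five-point scales, the score bands and the sample register are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed five-point scales; each organisation defines its own in its methodology.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str


@dataclass
class Scenario:
    """One threat/vulnerability combination against one asset."""
    asset: Asset
    threat: str
    vulnerability: str
    impact: Dict[str, str]   # keys "C", "I", "A" -> IMPACT label (loss of each property)
    likelihood: str          # LIKELIHOOD label


def asset_register(scenarios: List[Scenario]) -> List[Asset]:
    """Distinct assets sorted by name: the Asset Register the assessment starts from."""
    return sorted({s.asset for s in scenarios}, key=lambda a: a.name)


def impact_score(s: Scenario) -> int:
    """Worst-case impact across confidentiality, integrity and availability."""
    return max(IMPACT[label] for label in s.impact.values())


def risk_score(s: Scenario) -> int:
    """Impact combined with likelihood; the product ranges from 1 to 25."""
    return impact_score(s) * LIKELIHOOD[s.likelihood]


def risk_level(score: int) -> str:
    """Assumed banding of the score into the three categories used in the text."""
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


ACTIONS = {
    "High": "Include in Risk Treatment Plan with positive actions to reduce the risk",
    "Medium": "Include in management review; identify actions if required; add to Risk Treatment Plan",
}


def build_treatment_plan(scenarios: List[Scenario]) -> List[dict]:
    """Return Risk Treatment Plan entries, highest score first."""
    plan = []
    for s in scenarios:
        score = risk_score(s)
        level = risk_level(score)
        if level in ACTIONS:
            action = ACTIONS[level]
        elif impact_score(s) == IMPACT["severe"]:
            # ISO 31000 caveat: severe but rare risks may warrant treatment regardless of score
            action = "Severe but rare: treat regardless of score (ISO 31000 caveat)"
        else:
            continue  # Low risk: no immediate action required
        plan.append({"asset": s.asset.name, "threat": s.threat, "vulnerability": s.vulnerability,
                     "score": score, "level": level, "action": action})
    return sorted(plan, key=lambda e: -e["score"])


# Constructed sample register; not real data.
CRM = Asset("Customer database", "Sales Director")
WEB = Asset("Public website", "Marketing Manager")
DC = Asset("Server room", "IT Manager")

SCENARIOS = [
    Scenario(CRM, "Laptop theft", "Unencrypted local copy of export",
             {"C": "severe", "I": "minor", "A": "moderate"}, "possible"),
    Scenario(WEB, "Denial of service", "No upstream rate limiting",
             {"C": "negligible", "I": "negligible", "A": "moderate"}, "possible"),
    Scenario(CRM, "Mis-addressed email", "Autocomplete of external addresses",
             {"C": "minor", "I": "negligible", "A": "negligible"}, "unlikely"),
    Scenario(DC, "Flood", "No alternate site",
             {"C": "negligible", "I": "major", "A": "severe"}, "rare"),
]

if __name__ == "__main__":
    for a in asset_register(SCENARIOS):
        print(f"Asset: {a.name} (owner: {a.owner})")
    for e in build_treatment_plan(SCENARIOS):
        print(f"{e['level']:6} {e['score']:2}  {e['asset']}: {e['threat']} -> {e['action']}")
```

The third scenario scores Low and drops out of the plan, while the flood scenario also scores Low but is kept because its availability impact is severe.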
21. Standards
The ISO27000 family of Standards is broad in scope. As technology evolves,
new standards are continually being developed to meet the requirements of
information security.
ISO 27001 is a specification. It sets out specific requirements, all of which must
be followed, and against which an organisation's Information Security
Management System (ISMS) can be audited and certified.
All the other Standards in the ISO27000 family are Codes of Practice. They
provide non-mandatory best practice guidelines which organisations may
follow, in whole or in part.
A key feature of the standards is that they are applicable to any organisation,
in any sector, of any size. Key concepts which govern the standards are:
– Organisations are encouraged to assess their own information security risks
– Organisations should implement appropriate information security controls according to
their needs
– Guidance should be taken from the relevant standards
– Implement continuous feedback and use of the Plan, Do, Check, Act model
– Continually assess changes in threat and risk to information security issues.
22. Testing
Effective Penetration Testing involves the simulation of a malicious
attack against the security measures under test, often using a
combination of methods and tools, and conducted by a
certificated, ethical professional tester. The resulting findings
provide a basis upon which security measures can be improved.
There are specific points in your Information Security Management
System (ISMS) project where penetration testing has a significant
contribution to make:
– As part of the risk assessment process: uncovering vulnerabilities in
any internet-facing IP addresses, web applications, or internal devices
and applications, and linking them to identifiable threats.
– As part of the Risk Treatment Plan, ensuring that controls that are
implemented actually work as designed.
– As part of the ongoing corrective action/preventive action and
continual improvement processes, ensuring that controls continue to
work as required and that new and emerging threats and
vulnerabilities are identified and dealt with.
23. Understanding internal and external context
A key element of ISO27001 is the organisation’s context both internal and external with
regard to information security. A deep understanding should be gained at the outset of
an ISO27001 implementation and also reviewed at least annually or when any major
changes occur e.g. changes to regulations.
External context
– Any of the cultural, social, political, legal, regulatory, financial, technological, economic,
natural and competitive environment, whether international, national, regional or local.
(ISO27000)
– Key drivers and trends having an impact on the objectives of the organisation
– Relationships with, and perceptions and values of external stakeholders
Internal context
– Organisation’s culture
– Governance, organisational structure, roles and responsibilities
– Policies and objectives and the strategies in place to achieve them
– Capital in terms of resources and knowledge (e.g. money, time, processes, systems,
people and technology)
– Informal and formal information systems, information flows and decision making
processes
– Adopted standards, guidelines, frameworks and models already in place
– Relationships with internal stakeholders
25. Who should be in the ISMS Project Team?
Your ISMS Project Team should be drawn from senior
managers from those parts of your organisation most
likely to be impacted by the management system and
should also include some functional areas such as IT,
facilities, procurement and HR, but absolutely should not
be owned or driven by IT.
Ideally you would also have an experienced project
manager and a board level sponsor that is actively
engaged and who chairs project boards.
26. XSS (Cross-Site Scripting) and other Cyber Attacks
According to the recently published Information Security Breaches Survey
2014, commissioned by the Department for Business, Innovation and Skills
(BIS) and conducted by PWC, Cyber attacks have continued to grow in
frequency and intensity over the last year and the focus seems to have shifted
back towards large organisations. The proportion of large organisations that
were successfully hacked continues to rise - up to nearly a quarter of
respondents this year. One in four large organisations reported penetration
of their networks, up by 4% from a year ago.
More worryingly, most of the affected companies were penetrated not just
once but once every few weeks during the year - nearly a tenth of those
affected are being successfully penetrated every day. Small businesses
experienced fewer outsider attacks with 12% of them being penetrated
(down from 15% last year). Different industries experience different levels of
network penetration attacks.
Telecommunication companies were the most affected; nearly a quarter of
them reported penetration. Roughly one in six utility companies and banks
were also affected.
The UK Government have provided some useful guidance for organisations
to follow - Cyber security guidance for business
27. Yielding Better Results
Investing time and resource upfront with Senior Management, Key
Stakeholders and carrying out robust risk assessments within the right
contexts will pay dividends on a number of levels.
Implementing ISO 27001 requires careful thought, planning, and
coordination to ensure a smooth control adoption.
The decision of when and how to implement the standard may be
influenced by a number of factors, including different business
objectives, existing levels of IT maturity and compliance efforts, user
acceptability and awareness, customer requirements or contractual
obligations, and the ability of the organisation to adapt to change and
adhere to internal processes.
The more prepared you and your people are to comprehend the need
for implementation, accept that some processes will require change
and have the commitment to make it happen, the better the results
for your organisation.
28. Zipping through ISO27001
I hope that this A to Z of Information Security hasn’t put you off!
As you will have seen, there are significant benefits both from a
business protection basis and that of bringing on new business.
For smaller businesses, based in one building with less than 20
employees, the implementation process doesn’t need to be too
arduous and can be completed within a few short months and
doesn’t need to cost a fortune.
It is a requirement of UKAS accreditation that the certification
body does not provide consultancy services which it then itself
certifies.
Oak Consult can work with you to implement an Information
Security Management System that will be fit for accredited
certification. As part of our service, we will help you select a
certification body whose fees will be appropriate and who can
respond appropriately to your need for certification.