The purpose of information security is to protect an organisation's valuable assets, such as information, intellectual property, hardware, and software. Through the selection and application of appropriate safeguards or controls, information security helps an organisation to meet its business objectives by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
In this A to Z I'd like to outline some of the key focus areas for organisations wishing to pursue compliance with the ISO27001 information security standard.
A – Accredited Certification
Like other ISO management system standards, certification to ISO27001 is not obligatory. Some organisations choose to implement the standard in order to benefit from the best practice it contains, while others decide they also want to get certified to reassure customers and stakeholders that the standard's requirements have been met by an independent audit. Customers are increasingly asking for certification of their suppliers, and for that reason many suppliers are in turn demanding certification of their own supply chain.
ISO27001 certification is a shrewd investment for any organisation, acting as an immediate, universally recognised indicator of an independently audited, best practice approach to information security, risk management and the protection of client data.
Achieving ISO27001 certification does require an investment of time, effort and budget from an organisation, but there are significant regulatory, commercial, operational and reputational benefits that will repay the initial investment several times over.
B – Best Practice
ISO27002 is a code of practice – a generic, advisory document, not a formal specification like ISO27001. It recommends information security controls addressing information security control objectives arising from risks to the confidentiality, integrity and availability of information. Organisations that adopt ISO27002 must assess their own information security risks, clarify their control objectives and apply suitable controls (or indeed other forms of risk treatment) using the standard for guidance.
Just as ISO27002 provides best practice guidance on selecting and implementing the security controls within an Information Security Management System (ISMS), ISO27005 provides best practice guidelines for information security risk management.
As part of constructing a suitable and secure information security management system, you must assess the risks to your information and be prepared to treat those risks. The control guidance is structured logically around groups of related security controls – see 'F'.
C – Controls
A control is an administrative, procedural, technical, physical or legal means of preventing or managing the impact upon an asset of an information security event or incident. The following types of control exist:
- Preventative – prevents impact upon an asset.
- Detective – detects an event or its impact upon an asset.
- Reactive – reacts to impact on an asset; includes:
  - Corrective – actively reduces the impact.
  - Recovery – restores an asset after impact.
Controls may reduce information security threats or impacts, although most reduce vulnerabilities.
D – Data Protection
The Data Protection Act 1998 identifies a security obligation for controllers of personal data. In summary, controllers of personal data are required to:
- Implement appropriate technology that will keep data safe and secure, taking into account the state of technological development, the cost of the technology, the nature of the data that is being protected and the harm that might result from a security breach.
- Hire reliable staff and take steps throughout their employment to ensure their reliability. This will extend to pre-employment vetting and ongoing monitoring where appropriate.
- Use data processors who provide sufficient guarantees about security, who agree to work only pursuant to a contract and who agree to process data only on the controller’s instruction. The controller must take appropriate steps to ensure the reliability of the processor.
Collectively these provisions address all the major themes within a comprehensive information security management system, and they dovetail nicely with the headline requirements of ISO27001.
E – Employee Engagement
Many employees do not understand what information security is all about. You need to explain to your colleagues why information security is needed, the implications of not putting controls in place and how to perform certain tasks. In addition to training, awareness must give an answer to the question “Why?” – that is, explain to your employees why they should accept information security as a normal working practice.
There are many methods you can use, for example:
Include employees in documentation development – before you publish the documents, ask your employees to give their inputs.
Presentations – organise short meetings, conference calls or webinars where you can explain what new policies and procedures are being published and ask your employees for opinions about them, as well as clarify any misunderstandings.
Articles on your intranet or internal newsletters – simple stories (with as many examples as possible) that can help employees understand why information security is important.
E-learning – you can create short online training modules that explain the significance of these topics, as well as train your employees in spotting key areas of risk and how they can help mitigate them.
Videos – they are a very powerful presentation method – you can distribute them via email, through the intranet or use them at team / company events.
Team Meetings – use regular meetings that are organised in your organisation to briefly present what you are doing and how it affects your colleagues.
Day-to-day conversations – you have to sell the idea of information security and business continuity.
No matter which of these methods you use, you should prepare a plan that defines which of these methods you will use and how often, together with regular measurement of how effective they are.
F – Fourteen Security Control Categories
Annex A of ISO27001:2013 groups its reference controls into fourteen categories (A.5 to A.18), each of which ISO27002:2013 expands with implementation guidance:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
The Statement of Applicability (see 'P') records which of these controls apply to your organisation and why any are excluded.
G – Governance
Information security governance is the system by which an organisation directs and controls information security. It also describes the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and assign responsibility, all in an effort to manage risk. In simplest terms, it is a subset of the (even more grandiose sounding) discipline of corporate governance, focused, unsurprisingly, on information security.
As discussed later, senior management's fundamental commitment to information security is the most important aspect of effectively managing the security risk to an organisation's information assets; this is also referred to as the leadership duty of care, or due care.
To be successful information security governance activities must be driven by the board of directors, senior management and designated key personnel. These activities should be undertaken in a manner consistent with an organisation’s risk management and strategic plans, compliance requirements, organisational structure, culture and management policies.
A key aspect of security governance is the need to define decision rights and accountability. Achieving this both in theory (the organisation is clearly defined) and practice (everyone knows what to do and how) requires the right culture, policy frameworks, internal controls and defined practices.
H – Human Resources
The role of HR is key to an organisation's information security health, which is why ISO27001 and ISO27002 each have a section dedicated to human resource security.
ISO27002 not only outlines possible information security controls, but also includes vital implementation guidance for each stage of the employment life-cycle, providing advice on pre-employment, employment and post-employment activities.
1. Pre-employment phase
The pre-employment section covers areas such as screening or vetting and contracts/terms and conditions.
As an example, as part of the step-by-step guidance on screening, it includes information on how to establish what criteria and limitations should be used for checks and for handling sensitive data such as personal financial information. It also covers how best to identify who is eligible to carry out such checks.
2. Employment stage
During employment, all staff members have a duty of care towards their organisation’s information assets.
The IT department is usually expected to take care of security but, in fact, it takes care of IT security. The scope of an organisation's information assets is much broader, and they are subject to a great many risks that IT cannot reasonably be expected to cover.
It is often cited that around 80% of organisational data breaches are caused by people rather than by technical failure. This may be as simple as staff using USB drives to carry data that they perhaps shouldn't be.
3. Post-employment period
The post-employment period is a very risky one in terms of an organisation's information security. Departing staff can become a source of malicious action, theft of information or reputational damage.
While not every organisation would face the same level of threat from losing protectively marked data, the Information Commissioner's Office (ICO) is very keen to show its displeasure over such incidents these days – and with possible fines of up to £500,000 under the Data Protection Act 1998, a serious data breach could actually close some businesses.
ISO27002 offers clear guidance on suitable policies and procedures for the termination process, including advice on how staff should return assets and how best to remove their access rights. It also offers clear guidelines on how to implement such policies.
I – Integrity, Availability and Confidentiality
At the heart of an Information Security Management System is the preservation of the confidentiality, integrity and availability of information.
Other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.
J – Justification for ISO27001
With information and data now the lifeblood of many organisations, putting measures in place to protect such information from threats, breaches of security and theft is often essential for ensuring the longevity and reputation of your business.
- Safeguards your organisation's information, leading to fewer incidents, disruptions and accidents
- Provides customers and stakeholders with confidence in how you manage risk
- Allows for secure exchange of information and keeps confidential information secure
- Reduces the impact of customer audits
- Allows you to ensure you are meeting your legal obligations
- Helps you to comply with other regulations
- Potentially provides you with a competitive advantage
- Brings consistency to the delivery of your service or product
- Manages and minimises risk exposure and builds a culture of security within the organisation
- Develops opportunities for positive PR for your organisation
- Reduces the likelihood of negative media stories generated by data and information breaches
- Protects the company, its assets, shareholders and directors
K – Knowledge and Training
Adequate resources (people, time, money) should be allocated to the operation of the Information Security Management System (ISMS) and all security controls. In addition, the staff who must work within the ISMS (maintaining it and its documentation and implementing its controls) must receive appropriate training.
The success of the training program should be monitored to ensure that it is effective.
Therefore, in addition to the training program, you should also establish a plan for how you will determine the effectiveness of the training.
What you will need:
- A list of the employees who will work within the ISMS
- All of the ISMS procedures used for identifying what type of training is needed and which members of the staff or interested parties will require training
- Management agreement to the resource allocation and the training plans
Specific documentation is not required in the ISO standards. However, to provide evidence that resource planning and training has taken place, you should have some documentation that shows who has received training and what training they have received. In addition, you might want to include a section for each employee that lists what training they should be given. Also, you will probably have some type of procedure for determining how many people, how much money, and how much time needs to be allocated to the implementation and maintenance of your ISMS. It’s possible that this procedure already exists as part of your business operating procedures or that you will want to add an ISMS section to that existing documentation.
L – Leadership and Management Buy-in
The leadership and management team of an organisation plays an important role in the success of an Information Security Management System.
The management responsibility requirements of ISO27001 can be summarised as follows:
Management must make a commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS. Commitment must include activities such as ensuring that the proper resources are available to work on the ISMS and that all employees affected by the ISMS have the proper training, awareness and competency.
Establishment of the following demonstrates management commitment:
- An information security policy; this policy can be a standalone document or part of an overall security manual used by the organisation
- Information security objectives and plans; again, this information can be a standalone document or part of an overall security manual used by the organisation
- Roles and responsibilities for information security; a list of the roles related to information security should be documented either in the organisation's job description documents or as part of the security manual or ISMS description documents
- Announcement or communication to the organisation about the importance of adhering to the information security policy
- Sufficient resources to manage, develop, maintain and implement the ISMS
M – Measurement and Monitoring
To ensure that the ISMS is effective and remains current and fit for purpose, ISO27001 requires:
- Management review of the ISMS at planned intervals. The review must include assessing opportunities for improvement and the need for changes to the ISMS, including the security policy and security objectives, with specific attention to previous corrective or preventative actions and their effectiveness.
- Periodic internal audits. The results of the reviews and audits must be documented, and records relating to them must be maintained.
To perform management reviews, ISO27001 requires the following input:
- Results of ISMS internal and external audits and reviews
- Feedback from interested parties
- Techniques, products, or procedures which could be used in the organisation to improve the effectiveness of the ISMS
- Preventative and corrective actions (including those that might have been identified in previous reviews or audits)
- Incident reports, for example, if there has been a security failure, a report that identifies what the failure was, when it occurred, and how it was handled and possibly corrected.
- Vulnerabilities or threats not adequately addressed in the previous risk assessment
- Follow-up actions from previous reviews
- Any organisational changes that could affect the ISMS
- Recommendations for improvement
To perform internal audits on a periodic basis, you need to define the scope, criteria, frequency, and methods. You also need the procedure that identifies the responsibilities and requirements for planning and conducting the audits, and for reporting results and maintaining records.
The results of a management review should include decisions and actions related to:
- Improvements to the ISMS
- Modification of procedures that affect information security at all levels within the organisation
- Resource needs
An internal audit should result in the identification of nonconformities and their related corrective or preventative actions. ISO27001 lists the activity and record requirements related to corrective and preventative actions.
N – Not just a tick in a box
If implemented properly and with management buy-in to the process the value that ISO27001 can bring to your organisation can be significant.
87% of respondents to a recent BSI Erasmus survey stated that implementing ISO27001 had a "positive" or "very positive" outcome, with 39% reporting decreased downtime of IT systems and the same proportion a decrease in the number of security incidents.
Of those that were certified to the standard:
- 78% reported an increased ability to meet compliance requirements
- 56% an increased ability to respond to tenders
- 51% increased external customer satisfaction
- 62% an improved relative competitive position
- ROI and sales increased despite a rise in the cost of developing and supporting IT
O – Organisation Objectives
An organisation's ISMS is influenced by its needs and objectives, its security requirements, the organisational processes used, and the size and structure of the organisation.
It is essential that any security arrangements that are to be implemented relate to (or support) overall organisation objectives and strategy. They must be productive and reflect stakeholder requirements.
Understanding this relationship enables you to adopt strategies and make recommendations that will promote the business and for information security to enjoy the support of top management.
P – Policy, Process and Procedures
An Information Security Policy is the cornerstone of an Information Security Management System. It should reflect the organisation’s objectives and the agreed upon management strategy for securing key assets.
In order to be useful in providing authority to execute the remainder of the Information Security Management System, it must also be formally agreed upon by executive management.
The essence of a good information security policy:
- Keep it as short as possible
- Keep it relevant to the audience
- Keep it aligned to the needs of the business
- Keep it aligned to the legislation and regulatory frameworks in which you operate
- Do not marginalise it by aiming to “tick the box”, as the policy needs to add value to the employee and the overall outcomes and behaviours you are looking to promote
- Share it with all of your key stakeholders internally and externally
The policy document is exactly that – a high-level statement of the organisation’s position on the chosen topic (the “why”), not to be confused with the procedural documentation which deals with “how” the policy is to be enacted. Procedures are sometimes necessarily much longer documents if they are describing complex processes which must be followed.
Ideally, the policy should be brief and to the point about the user’s responsibilities towards the information they collect, use, access or otherwise process, and to sign-post them to the other relevant policies and procedures for the areas in which they operate.
Below is a list of mandatory documentation required by the standard:
- Scope (Clause 4.3)
- Information security policy (Clause 5.2 e)
- Information security risk assessment process (Clause 6.1.2)
- Information security risk treatment process (Clause 6.1.3)
- Statement of Applicability (Clause 6.1.3)
- Information security objectives (Clause 6.2)
- Evidence of competence (Clause 7.2)
- Documented information "determined by the organisation as being necessary for the effectiveness of the information security management system" (Clause 7.5.1 b)
- Documented information to the extent necessary to have confidence that the processes required for operational planning and control have been carried out as planned (Clause 8.1)
- Results of information security risk assessments (Clause 8.2)
- Results of information security risk treatment (Clause 8.3)
- Evidence of the information security performance monitoring and measurement results (Clause 9.1)
- Internal audit programme(s) and the audit results (Clause 9.2 g)
- Evidence of the results of management reviews (Clause 9.3)
- Evidence of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective actions (Clause 10.1)
Q – Quality Management System Approach
If you already have a Quality Management System / ISO9001 certification some of the elements you have implemented for your organisation can be used for your information security management system as well, namely:
Setting the organisation goals and tracking whether they have been achieved – the same mechanism is laid down in both standards, so management will be used to such systematic planning.
Management review – the principles for management review are the same for both management systems.
Document management – the procedures used for document management can be used for the same purpose in ISMS with minor adjustments.
Internal audit – the same procedures can be used for both QMS and ISMS, although you might use different people.
Corrective and preventive actions – the procedures used for QMS can be used for the same purpose in ISMS.
Human resources management – the same cycle of HR planning, training and evaluation is used for both management systems.
Therefore, if you have already implemented ISO9001, you will have an easier job implementing ISO27001 (and vice versa); the overlap is often estimated to save up to 30% of the implementation time. Further, certification audits will be cheaper, since certification bodies offer so-called "integrated audits", covering both ISO9001 and ISO27001 in the same audit for a smaller fee than separate audits.
R – Risk Assessment and Treatment
In order to comply with ISO27001 an organisation must define a risk assessment methodology for information security risks that produces consistent, valid and comparable results.
It must identify criteria for accepting risks, identify the acceptable levels of risk, and develop a Risk Treatment Plan to bring all identified risks to an acceptable level. A typical asset-based approach runs as follows:
- Identify all assets of the organisation relating to information security and compile an Asset Register.
- Identify combinations of threats and vulnerabilities relating to each asset, and then identify the impacts that losses of confidentiality, integrity and availability may have on the asset, recording them in an Asset Risk Assessment Report.
- The impacts take into account the business, legal or contractual obligations that the company has.
- The assessment then looks at the likelihood of the security failure occurring, as a combination of the frequency of the threat and the likelihood of its success against the vulnerability.
- A combination of the impact and the likelihood of the security failure gives the level of risk, normally in three categories:
  - Low Risk: No immediate action required, although there may be improvements in processes or technology that reduce the impact of the security failure further.
  - Medium Risk: Must be included in the management review of the ISMS, with actions identified if required and inclusion in the Risk Treatment Plan.
  - High Risk: Must be included in the Risk Treatment Plan for positive action to reduce the risk.
Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment. Decisions should also take into account risks which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks.
Controls are typically selected by objective, taking into account:
- National and international legislation and regulations and Baseline Security Criteria
- Organisational objectives
- Operational requirements and constraints
- Cost of implementation and operation
- Balance investment against harm likely from security failures
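The scoring described above, as an added worked example that is not part of the original article: impact is taken as the worst-case loss across confidentiality, integrity and availability, likelihood combines threat frequency with chance of success, and the product of the two is bucketed into Low, Medium or High. Medium and High risks are then pulled into a Risk Treatment Plan, with the risk acceptance threshold as a parameter. The 1 to 3 ordinal scales, the bucket boundaries and the sample asset register are all assumptions made for this illustration; ISO27001 does not prescribe a scale, only that the method gives consistent and comparable results.

```python
"""Asset-based risk assessment: impact x likelihood -> Low/Medium/High,
then a Risk Treatment Plan for everything above the acceptable level.
All scales and the sample register are constructed for this example."""
from dataclasses import dataclass

# Ordinal scale used throughout (assumption: ISO27001 prescribes no scale).
LOW, MEDIUM, HIGH = 1, 2, 3
LEVEL_NAME = {LOW: "Low", MEDIUM: "Medium", HIGH: "High"}


@dataclass(frozen=True)
class RiskScenario:
    """One row of the Asset Risk Assessment Report."""
    asset: str
    threat: str
    vulnerability: str
    impact_cia: tuple        # (confidentiality, integrity, availability), each 1..3
    threat_frequency: int    # how often the threat is expected to occur, 1..3
    success_likelihood: int  # chance the threat exploits the vulnerability, 1..3


def bucket(product: int) -> int:
    """Map the product of two 1..3 scores (1,2,3,4,6,9) onto a 1..3 level.
    Boundaries are an assumption; the organisation sets its own."""
    if product <= 2:
        return LOW
    if product <= 4:
        return MEDIUM
    return HIGH


def impact(s: RiskScenario) -> int:
    # The worst-case loss across C, I and A drives the impact rating.
    return max(s.impact_cia)


def likelihood(s: RiskScenario) -> int:
    # Likelihood of the security failure = threat frequency combined with
    # the likelihood that the threat succeeds against the vulnerability.
    return bucket(s.threat_frequency * s.success_likelihood)


def risk_level(s: RiskScenario) -> int:
    return bucket(impact(s) * likelihood(s))


def assess(register):
    """Return [(scenario, level), ...] for every row of the register."""
    return [(s, risk_level(s)) for s in register]


def risk_treatment_plan(assessed, acceptable=LOW):
    """Everything above the acceptable level needs treatment: High risks
    require positive action to reduce them, Medium risks go to management
    review. Highest risks first; ties keep register order (stable sort)."""
    plan = []
    for s, level in sorted(assessed, key=lambda x: x[1], reverse=True):
        if level <= acceptable:
            continue  # within the risk acceptance criteria, no entry needed
        plan.append({
            "asset": s.asset,
            "threat": s.threat,
            "vulnerability": s.vulnerability,
            "level": LEVEL_NAME[level],
            "action": "reduce" if level == HIGH else "review",
        })
    return plan


# Constructed sample asset register (not real data).
REGISTER = [
    RiskScenario("Customer database", "SQL injection via web app",
                 "Unpatched web application", (3, 3, 2), 3, 2),
    RiskScenario("Sales laptop", "Theft in transit",
                 "No full-disk encryption", (3, 1, 2), 2, 2),
    RiskScenario("Intranet wiki", "Denial of service",
                 "No rate limiting", (1, 1, 2), 2, 2),
    RiskScenario("Printed brochures", "Fire",
                 "Stored in one location", (1, 1, 1), 1, 1),
]

if __name__ == "__main__":
    for s, level in assess(REGISTER):
        print(f"{s.asset:18} impact={impact(s)} likelihood={likelihood(s)} "
              f"-> {LEVEL_NAME[level]}")
    print("\nRisk Treatment Plan:")
    for entry in risk_treatment_plan(assess(REGISTER)):
        print(f"  [{entry['level']:6}] {entry['asset']}: {entry['action']} "
              f"({entry['threat']} / {entry['vulnerability']})")
```

Raising the `acceptable` argument to `MEDIUM` models an organisation whose risk acceptance criteria tolerate medium risks; only the High entries then remain in the plan. The deliberately rare-but-severe case in the text (low likelihood, high impact) lands as Medium on this scale, which is exactly why the paragraph above says such risks should be considered for treatment even where the score alone would not justify it.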
S – Standards
The ISO27000 family of standards is broad in scope. As technology evolves, new standards are continually being developed to meet the requirements of information security. ISO27001 is a specification: it sets out specific requirements, all of which must be followed, and against which an organisation's Information Security Management System (ISMS) can be audited and certified. Most of the other standards in the ISO27000 family (ISO27002 and ISO27005 among them) are codes of practice or guidelines: they provide non-mandatory best practice which organisations may follow, in whole or in part.
A key feature of the standards is that they are applicable to any organisation, in any sector, of any size. Key concepts which govern the standards are:
- Organisations are encouraged to assess their own information security risks
- Organisations should implement appropriate information security controls according to their needs
- Guidance should be taken from the relevant standards
- Implement continuous feedback and use of the Plan, Do, Check, Act model
- Continually assess changes in threat and risk to information security issues.
T – Testing
Effective penetration testing involves the simulation of a malicious attack against the security measures under test, often using a combination of methods and tools, and conducted by a certified, ethical professional tester. The resulting findings provide a basis upon which security measures can be improved.
There are specific points in your Information Security Management System (ISMS) project where penetration testing has a significant contribution to make:
- As part of the risk assessment process: uncovering vulnerabilities in any internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
- As part of the Risk Treatment Plan, ensuring that controls that are implemented actually work as designed.
- As part of the ongoing corrective action/preventive action and continual improvement processes, ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.
U – Understanding internal and external context
A key element of ISO27001 is the organisation's context, both internal and external, with regard to information security. A deep understanding of it should be gained at the outset of an ISO27001 implementation and reviewed at least annually or whenever major changes occur, e.g. changes to regulations. The context includes:
- Any of “the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local.” (ISO27000)
- Key drivers and trends having an impact on the objectives of the organisation
- Relationships with, and perceptions and values of external stakeholders
- Organisation’s culture
- Governance, organisational structure, roles and responsibilities
- Policies and objectives and the strategies in place to achieve them
- Capital in terms of resources and knowledge (e.g. money, time, processes, systems, people and technology)
- Informal and formal information systems, information flows and decision making processes
- Adopted standards, guidelines, frameworks and models already in place
- Relationships with internal stakeholders
V – Vulnerabilities
Information security vulnerabilities are weaknesses that expose an organisation to risk. Understanding your vulnerabilities is the first step to managing risk. Below is a non-exhaustive list of the kind of vulnerabilities you should think about as part of your risk assessments and risk treatments:
W – Who should be in the ISMS Project Team
Your ISMS Project Team should be drawn from senior managers from those parts of your organisation most likely to be impacted by the management system and should also include some functional areas such as IT, facilities, procurement and HR, but absolutely should not be owned or driven by IT. Ideally you would also have an experienced project manager and a board level sponsor that is actively engaged and who chairs project boards.
X – XSS (Cross-Site Scripting) and other Cyber Attacks
According to the recently published Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills (BIS) and conducted by PwC, cyber attacks have continued to grow in frequency and intensity over the last year, and the focus seems to have shifted back towards large organisations. The proportion of large organisations that were successfully hacked continues to rise, to nearly a quarter of respondents this year: one in four large organisations reported penetration of their networks, up by 4% from a year ago.
More worryingly, most of the affected companies were penetrated not just once but once every few weeks during the year; nearly a tenth of those affected are being successfully penetrated every day. Small businesses experienced fewer outsider attacks, with 12% of them being penetrated (down from 15% last year). Different industries experience different levels of network penetration.
Telecommunications companies were the most affected, with nearly a quarter of them reporting penetration. Roughly one in six utility companies and banks were also affected.
The UK Government have provided some useful guidance for organisations to follow – Cyber security guidance for business
Y – Yielding Better Results
Investing time and resource upfront with Senior Management, Key Stakeholders and carrying out robust risk assessments within the right contexts will pay dividends on a number of levels.
Implementing ISO 27001 requires careful thought, planning, and coordination to ensure a smooth control adoption. The decision of when and how to implement the standard may be influenced by a number of factors, including different business objectives, existing levels of IT maturity and compliance efforts, user acceptability and awareness, customer requirements or contractual obligations, and the ability of the organisation to adapt to change and adhere to internal processes.
The more prepared you and your people are to comprehend the need for implementation, accept that some processes will require change and have the commitment to make it happen, the better the results for your organisation.
Z – Zipping through ISO27001
I hope that this A to Z of information security hasn't put you off! As you will have seen, there are significant benefits, both in protecting the business and in bringing on new business. For smaller businesses based in one building with fewer than 20 employees, the implementation process doesn't need to be too arduous: it can be completed within a few short months and doesn't need to cost a fortune.
It is a requirement of UKAS accreditation that a certification body does not provide consultancy services which it then itself certifies. Oak Consult can work with you to implement an Information Security Management System that will be fit for accredited certification. As part of our service, we will help you select a certification body whose fees will be appropriate and who can respond appropriately to your need for certification.
I hope you enjoyed this A to Z. To find out how Oak Consult can help you implement an Information Security Management System, get in touch.