Author: Gary Hibberd
Date: 16 June 2020
ISO 27001 is the international standard for the development of a formal Information Security Management System (ISMS). I like to think of it as a quality standard for Information Security, as it gives customers confidence that the company holding this certification has achieved a high degree of security capability.
Many people believe that ISO 27001 is too complex for small organisations to implement. But this isn’t true. I have implemented an ISMS in a company with just two people in it. I have also implemented it in organisations with 2,000. Both were successful, and both reaped the benefits of following this best practice.
Irrespective of the size of the organisation, the great thing about international standards like this is that they demonstrate that the organisation implementing them has invested time, effort and resources into developing and implementing best-practice policies and procedures.
ISO 27001 is a standard that helps drive down risk and increase confidence. It’s a standard that helps build stronger relationships, and it’s a standard that offers brand protection (against cyberattacks and data breaches).
Secure by design
The structure of the standard has been formalised using the Annex SL structure, and it comprises the following sections:
- Context of the Organisation
- Leadership
- Planning
- Support
- Operation
- Performance Evaluation
- Improvement
Looking through these sections, you should see that the standard is well structured to take you on a ‘journey’, from inception (Context) through to the continual improvement of the standard (Improvement).
Context of the Organisation
In this first section of the standard, you are expected to define and detail what the context of your organisation is. What services do you offer? What are your objectives? Who are your stakeholders and customers? What are the external (and internal) risks to your business?
These are just some of the questions you will need to answer. But it shouldn’t be difficult to describe your own organisation, right?
Leadership
One of the powerful messages I take from the structure of this standard is this: once you have detailed the context of your organisation, you need to demonstrate leadership in the implementation of the standard.
I often tell people that if you don’t have leadership support and backing, then you shouldn’t try to implement the standard. It will be frustrating for you. It will be difficult, and it’ll scare the children! This section of the standard expects you to outline what support you have, how that support is demonstrated (e.g. attending meetings and signing off policies), and what roles and responsibilities have been defined.
The development and signing off of policies can take time and requires commitment from the leaders of the organisation, so take your time in developing these policies and get them right.
Planning
Like all good plans, you must first understand what you’re looking to achieve. Once you have your objectives, you can start making plans to meet them. Are you looking to drive down instances of phishing attacks? Increase awareness of cyberattacks? How do you plan to capture this information? Having a clear approach to risk management and risk treatment means you can put in place measures to manage the risks (which we’ll do in the ‘Operation’ stage).
Support
As the saying goes, no man (or woman) is an island. What resources do you need? Who is going to assist in the development of the ISMS? What are their competencies? What skills and knowledge do they have? How are you going to get the support of your stakeholders (e.g. employees)? How are you making them aware of their roles and responsibilities (in relation to information security)?
Gaining support for information security is of significant importance and should not be overlooked. For me, this is probably one of the most important parts of the standard.
Operation
OK, now you’ve done some planning, you understand your objectives, and you have some support from the business, because the leaders have communicated the importance of this standard. Now it’s time to conduct that risk workshop and capture those risks. It’s time for people to make decisions on what risk treatments to apply: will you accept, avoid, reduce, or transfer the risk?
This is a short section of the standard, but it’s the place where the rubber meets the road! It’s where all the action is, and your ISMS begins to come to life. It can take some time to develop the risk register, and it can take time to implement the risk treatment (e.g. reduction of a risk can become a whole project of its own).
Performance Evaluation
If you’ve done all the above (and I’m sure you will), you need to evaluate the effectiveness of the processes. How do you measure your successes (and failings)? How are you capturing this information? Remember: what gets measured gets done.
The evaluation can be achieved through internal audits, run against an audit schedule, and through external audits too, which are performed by qualified security auditing companies.
The evaluation phase also encompasses management reviews, which are a great indication of leadership and management support (see above).
Improvement
Now you’ve got to the point where everything is working fine, but ‘fine’ is not good enough. From the outset, the leaders in the organisation must make a commitment to implementing an ISMS and to its continual improvement. How are you capturing deficiencies in the ISMS? Who is evaluating them, and how are you implementing these changes?
Annex A Controls
I left the scary part to the end!
The final section of ISO 27001 is known as the “Annex A Controls”. When put together, these 114 controls add up to your ‘Statement of Applicability’ (SoA), and every ISO 27001 implementation needs one.
Your job is to read each control and decide if it’s applicable to you, and if it is applicable, how you have satisfied that control. Take this control as an example:
A6.1.4 – Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
Notice that the word ‘appropriate’ appears at the start of this control. You’ll see that word a lot in ISO 27001. It simply means that it’s up to you to decide how you’ve implemented that control. This is usually dependent upon the size and complexity of your organisation. This is why I said from the outset that ISO 27001 could be implemented just as easily for two people as it can for 2,000. The ‘appropriateness’ will vary; the control does not.
So your response could be:
Our company is part of the local Cybercluster and receives regular updates (via user groups) from the NCSC and NCA. We are members of the Business Continuity Institute and CiSP (Cyber Security Information Sharing Partnership).
ISO 27001 is an international standard that helps drive down risk and increase value. It can help you win new business and reduce the chances of suffering a data breach.
It’s not mandatory to have ISO 27001, but organisations that have implemented it have seen an uplift in their client engagements and in confidence in their position in the marketplace.
ISO 27001 is not complicated. It can be complex if approached in the wrong way, and there are several subtle aspects and trip-wires that you need to be on the lookout for (!), but it is not complicated.
So, what is ISO 27001? It’s a way to see if the company you are dealing with has high standards. I like working with people who have high standards…
I think we all do.