As organisations go, there are those that welcome
internationally recognised standards with open arms, and those that
shy away citing cost or even applicability.
However, there is a need for standards within all organisations,
regardless of size or market. It is in defining the
Statements of Applicability (SoA) that the project becomes both
relevant and cost-effective.
There is "information" within every organisation that is relied
upon, so a system is required to manage its security. At the least,
we need to ensure that the information is viable for its
purpose.
Combined, the two standards provide best-practice guidance and a framework for an information security management system (ISMS) - ISO/IEC 27001 - and for the management thereof - ISO/IEC 27002 - for the protection, confidentiality, integrity and availability of the information assets upon which an organisation depends.
Code of practice
ISO/IEC 27002 is merely a code of practice, so organisations are
free to implement controls as they see fit, and the ISO/IEC 27001
standard incorporates only a simple summary of such controls and
does not mandate any.
An important element is the definition of the SoA, among other
scoping documents.
Through the SoA you are free to broaden or narrow the scope of
certification, as you see fit, limiting the focus of any analysis.
Understanding the SoA is crucial to attaching meaning to the
certificate.
If you only define "the HR department", the associated
certificate says nothing about the state of information security in
"procurement", "manufacturing", "the IT department" or even the
organisation as a whole. You set the scope.
Similarly, if the SoA asserts that some technical controls are not necessary for specified reasons, the assessing body will check that assertion but will not otherwise certify or fail those controls or the lack of them. In fact, technical controls might not be assessed at all, because ISO/IEC 27001 is primarily a management standard and compliance requires only that the organisation has a suite of management controls in place. If you feel a control is not necessary, giving a valid reason should suffice.
Start small
Look towards the information assets you currently manage or
those you feel you can easily manage within the reduced scope,
define a narrow SoA focused on what is already known and document
your process to define, design, implement and manage these
controls, including those "few" controls that may be missing.
Beyond certification and its marketing potential, the assessment process should confirm or improve internal accountability for the interfaces between information assets and wider business functions and third parties, confirming with those partners the scope within which information assets may be used.
Certification is optional, but is increasingly being mandated
from suppliers and business partners concerned about their
information security and the security of shared or common
information.
Bodies such as the British Standards Institution, the National
Institute of Science and Technology and various national bodies are
issuing approximately 1,000 certificates per year - and the trend
is growing.
By concentrating on the known information assets of a small
business function, defining your ISMS to manage these will get you
on the ladder and act as a springboard to widen your certification
later.
• David Gregg is an infrastructure and security consultant at
The Logic Group
ISO/IEC 27001
ISO/IEC 27001 is a formal standard towards which your
organisation can attain independent certification of its frameworks
to systematically and consistently design, implement, manage,
maintain and enforce information security processes and controls -
an information security management system (ISMS).
• It covers any organisation (commercial business, government
body or non-profit organisation), specifying the requirements for
establishing, implementing, operating, monitoring, reviewing,
maintaining and improving a well-documented ISMS, within the
context of the organisation's overall risk management
processes.
• It defines the requirements for custom security controls that
meet the specific needs of the organisation or, importantly, any
specified part or department thereof.