Security Zone: Promoting accountability through ISO/IEC 27001 & 27002 (formerly ISO/IEC 17799)

As organisations go, there are those that welcome internationally recognised standards with open arms, and those that shy away citing cost or even applicability....

As organisations go, there are those that welcome internationally recognised standards with open arms, and those that shy away citing cost or even applicability.

However, there is a need for standards within all organisations, regardless of size or market. It is in defining the Statements of Applicability (SoA) that the project becomes both relevant and cost-effective.

There is "information" within every organisation that is relied upon, so a system is required to manage its security. At the least, we need to ensure that the information is viable for its purpose.

Combined, these provide best practice guidance and a framework for an information security management system (ISMS) - ISO/IEC 27001 - and the management thereof - ISO/IEC 27002 - for the protection, confidentiality, integrity and availability of the information assets upon which an organisation depends.

Code of practice

ISO/IEC 27002 is merely a code of practice, so organisations are free to implement controls as they see fit, and the ISO/IEC 27001 standard incorporates only a simple summary of such controls and does not mandate any.

An important element is the definition of the SoA, among other scoping documents.

Through the SoA you are free to broaden or narrow the scope of certification, as you see fit, limiting the focus of any analysis. Understanding the SoA is crucial to attaching meaning to the certificate.

If you only define "the HR department", the associated certificate says nothing about the state of information security in "procurement", "manufacturing", "the IT department" or even the organisation as a whole. You set the scope.

Similarly, if the SoA asserts that some technical controls are not necessary for specified reasons, the assessing body will check that assertion but will not otherwise certify or fail those controls or the lack of them. In fact, no technical controls may be assessed at all as part of the assessment as ISO/IEC 27001 is primarily a management standard and compliance requires only that the organisation has a suite of management controls in place. If you feel a control is not necessary, giving a valid reason should suffice.

Start small

Look towards the information assets you currently manage or those you feel you can easily manage within the reduced scope, define a narrow SoA focused on what is already known and document your process to define, design, implement and manage these controls, including those "few" controls that may be missing.

Beyond certification or having marketing potential the process of assessment should confirm or improve accountability internally for information asset interfaces with wider business functions and third parties, confirming the scope for use of information assets with those partners.

Certification is optional, but is increasingly being mandated from suppliers and business partners concerned about their information security and the security of shared or common information.

Bodies such as the British Standards Institution, the National Institute of Science and Technology and various national bodies are issuing approximately 1,000 certificates per year - and the trend is growing.

By concentrating on the known information assets of a small business function, defining your ISMS to manage these will get you on the ladder and act as a springboard to widen your certification later.

• David Gregg is an infrastructure and security consultant at The Logic Group

ISO/IEC 27001

ISO/IEC 27001 is a formal standard towards which your organisation can attain independent certification of its frameworks to systematically and consistently design, implement, manage, maintain and enforce information security processes and controls - an information security management system (ISMS).

• It covers any organisation (commercial business, government body or non-profit organisation), specifying the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a well-documented ISMS, within the context of the organisation's overall risk management processes.

• It defines the requirements for custom security controls that meet the specific needs of the organisation or, importantly, any specified part or department thereof.

Read more on IT risk management