Since its publication in October 2005, ISO 27001 has been implemented in many organizations as the best practice for information security management, with over three hundred UK organizations independently certified against the standard.
So if these organizations, which range from small and medium to large enterprises, have implemented ISO 27001, why are we still hearing about lapses in information security? Neil O'Connor, principal consultant, Activity asks what lessons are there to be learnt from every organization, whatever its size, using ISO 27001 as a benchmark?
Introduction
Information security, and in particular the handling of personal information, has regularly been in the headlines over the last few months. There have been notable incidents at HM Revenue and Customs, the Ministry of Defense, Nationwide Building Society and Marks and Spencer among others.
These are all large organizations implementing information security management systems at least compliant with, if not certified against, the international standard for information security management, ISO 27001.
ISO27001
A key issue is that ISO 27001 is a management standard, not a security standard. It provides a framework for the management of security within an organization, but does not provide a 'Gold Standard' for security, which, if implemented, will ensure the security of an organization.
ISO 27001 takes a risk assessment based approach. An information security risk assessment is used to identify the security requirements of the organization, and to then identify the security controls needed to bring that risk within an acceptable level for the organization.
Once the security controls have been identified, ISO 27001 defines processes to ensure that a) these controls are implemented and are effective; and b) that the controls continue to meet the organization’s security needs.
The key points here are that:
The organization decides what level of security it needs. The level of risk acceptable to the organization is a management decision - ISO 27001 does not impose an acceptable level of risk. If management decides that a high risk of compromise of personal information is acceptable to the organization, then ISO 27001 will provide a management framework to implement that.
A risk assessment is used to identify the controls required by the organization.However, ISO 27001 does not define the risk assessment method to be used. All that the standard requires is that you document the method, and use it.
It is up to the organization to select the security controls it needs, based on the risk assessment and the organization’s acceptable level of risk (its 'risk appetite').
What does ISO 27001 give you?
ISO 27001 gives you a best practice management framework for implementing and maintaining security. It also gives you a baseline against which to work - either to show compliance or for external certification against the standard.
So what's missing?
You need to decide on a risk method and implement a risk assessment, select your security controls and ensure that these are adequate to meet the security needs of your organization. This requires information risk management and security expertise to implement. ISO 27001 does not tell you how to do this, but rather provides a framework within which to do it.
Furthermore, whilst ISO 27001 provides a list of controls in Annex A, this list is not meant to be exhaustive. In conjunction with ISO 27002 (ISO 17799) it provides guidance on the controls that you should consider.
However, it does not provide detailed guidance for your organization, the information that you handle, and the systems that you use. Again, security expertise is required both to implement an information security risk assessment and to define the required security controls.
It is perfectly possible to implement an ISO 27001-compliant information security management system (ISMS) without adequately addressing information security. This can either be 'designed in' to the ISMS by management accepting high risks (rare); or can arise from inadequate risk assessment or poor selection or implementation of security controls (common).
Compliance or external certification to ISO 27001 does not mean you are secure - it means that you are managing security in line with the standard, and to the level you think is appropriate to the organization.
If your risk assessment is flawed, you don't have sufficient security and risk assessment expertise, or you do not have the management and organizational commitment to implement security then it is perfectly possible to be fully compliant with the standard, but be insecure.
In the end, an organization will only implement information security effectively if there is a culture of understanding the value of information and protecting it. This requires visible management commitment and individual ownership and responsibility, backed up with effective security education and awareness. Without this, an ISO 27001 ISMS is unlikely to be effective, and hence information will not be appropriately protected.
Conclusion
ISO 27001 gives you a best practice management framework for implementing and maintaining security.It also gives you a baseline against which to work - either to show compliance or for external certification against the standard.
However, compliance or external certification to ISO 27001 does not mean you are secure - it means that you are managing security in line with the standard, and to the level you think is appropriate to the organization.
If your risk assessment is flawed, you don't have sufficient security and risk assessment expertise, or you do not have the management and organizational commitment to implement security then it is perfectly possible to be fully compliant with the standard, but be insecure.
Implementing ISO 27001 is the right way forward to ensure the security of an organization. However, to actually be secure, it is necessary to develop a culture of valuing information and protecting it, through:
A strong management commitment to information security; Individual ownership and responsibility for information security; and Effective information security education and awareness.
I commented on the recent announcement of Google achieving ISO27001 certification for their Google apps service. This raised a bit of debate amongst friends as to the weaknesses of ISO27001 itself. Like SAS-70, ISO27001 too has certain weaknesses that should not be overlooked….
Weakness 1 – It’s a security management system of your own specification.
To use a metaphor, ISO27001 allows businesses to set its own high-jump bar, document how tall it is and what it is made of, how they intend to jump over it … and then they jump over it. The certification body simply declares that they have successfully performed a high jump over a bar of their own design. The design and height of the bar does not have to be published or released to partners.
Weakness 2 – Scoping
Organizations can scope the standard to their entire business, a specific business unit, process or site. Take the example of a well-known online American bank that scoped ISO27001 purely to their marketing department.
One of the challenges of the standard is the logo and branding associated with certification does not identify the scope, for obvious practical reasons, possible misleading the customer in thinking the organization rather a specific part of the organization is entirely compliant.
A clear statement of scope, identifying precisely what business functions are included, is only available by viewing the actual awarded certificate, which is usually closely guarded by the company.
Weakness 3 – Industry Take-up and Understanding
The wide scale adoption and alignment of both the public and private sector to ISO27001 has been exceptional to say the least. ISO27001 is seen internationally as the information security management standard.
Actual certification of organizations against ISO27001 however has been slow. At the last count there were only 550 companies in the UK that have registered for certification. Compare that to a whopping 4061 in Japan. The reasons for this slow taken I believe to be due to two main reasons 1) misunderstanding of what the standard is, and 2) perceived high project cost. These two are strongly interlinked.
Misunderstanding – ISO27001 is still seen, wrongly, as technical security standard. I often hear organizations say that “we align ourselves with 27001 but the standard is too high to go for certification”. Organizations see it as both technically and procedurally challenging, adding additional overhead to their business. My experience has been that they are usually close if not operating to the 27001 specifications, what they’re lacking is a few pieces of documentation to square the circle.
Cost – ISO27001 is still seen, again wrongly, as an expensive standard to adhere too, requiring Gucci technology and highly documented processes. This is also exacerbated by over eager implementers who typically (although not always) over specify\interpret the requirements of the standard. Registering and maintaining ISO27001 can cost an organization as little as £750 a year. Compare that to the WTE required in meeting with and responding to customer audits and it’s a small outlay.
Weakness 4 – Business to Business focused
While ISO27001 can obviously give business-to-business relationships a competitive advantage, it is unlikely to influence business to consumer relationships. Consumers see through the logo, if they see it at all, as just a marketing gimmick.
A prime example of “transparent logo” syndrome can be found with the Investor in People certification. Over 25,000 organizations have Investor in People status and yet the awareness and understanding of what this means to the prospective employee is extremely limited.
Weakness 5 – Is it truly and independent assessment?
Recently the monopoly of the ‘Big Four’ audit firms (PwC, Deloitte, E&Y & KMPG), which dominate 97% of FTSE 350, came under scrutiny. This is mainly due to their ‘disconcertingly complacent’ in their role in the financial crisis.
This appears to be history repeating itself. The collapse of Enron, the largest bankruptcy in U.S. history at that time, and Arthur Andersen, Enron’s auditing firm, on trial on charges of obstruction of justice for shredding Enron documents, provides a sound example of the inherent weakness in trusted third party audit.
The audited are also the paying customers; this may risk undermining the ‘independency’ of the assessment.
So what does all this mean?
Benefits
Implementing or certifying ISMS against ISO/IEC 2001 can bring a number of benefits to an organization:
• Following a defined structured approach, with international recognition, can ensure that an ISMS is fit for purpose
• Information security issues, and how to mitigate associated risks, will be identified, managed monitored and improved in a planned manner
• Appropriate processes and procedures for information security management will be defined, documented and embedded in practice
• Demonstration of organizational commitment to information security, will ensure adequate allocation of resources, identification of roles and responsibilities and appropriate training
• Data will be protected against unauthorised access, demonstrating its authoritative nature, while authorised users will have access to data when they require it
• Continuity of an organization’s business will be effectively managed, improving its profile and increasing opportunities
• Intellectual property rights can be protected
• Independent verification of compliance with the standard can ensure that an organization has not been negligent regarding appropriate laws on the privacy of personal information. In England and Wales the standard is recognized by the Information Commissioner as an appropriate source of advice for ensuring compliance with the Data Protection Act (1998).
Certified organizations should expect their customers to undertake a less comprehensive or less frequent audit but not expect customers to go quiet on their information security requirements entirely.
Customers cannot solely rely upon ISO27001 and that weakens the very purpose for which it was conceived. It is however the best we have as an internationally accepted standard for the time being.
