
Implementing an ISMS — Consultant's Viewpoint

1. Overview
2. Benefits
3. The initial steps
4. Selecting a consultant
5. Scoping the system
6. Deriving the list of assets
7. Risk assessment
8. Statement of applicability (SoA)
9. Audit the system
10. Certification
11. Sources of further information

Implementing an Information Security Management System (ISMS) — Consultant's Viewpoint

Is ISO 27001 right for your organisation?

In today's information society, electronic data is critical for almost everything we do. We rely on Internet connectivity and email. Laptops and PDAs have enabled a new mobile workforce. In short, information has become a truly business-critical asset. Protecting this asset by developing robust information security strategies and implementing effective information security controls is a key management responsibility. Additionally, given the ever-increasing amount of legislation relating to the processing and storage of information, managers have a statutory responsibility to ensure that their company's data is protected.

Most companies will have implemented an information security management system to one degree or another. Achieving full compliance with a recognised industry standard is a way of demonstrating to clients, both existing and potential, as well as to shareholders, that your company is serious about information security governance. ISO 27001 is the international standard for information security management and provides the ideal benchmark for certification. The benefits of embedding this standard in your information security management system (ISMS) should become apparent in the very early stages of implementation - and deliver lasting value to your organisation.

The purpose of this article is to help managers decide if a formal ISMS is appropriate for their organisation. It is written by Malcolm Armitage, a registered CISSP (Certified Information Systems Security Professional) with (ISC)². Malcolm is a Director with SeQuality Management Solutions Ltd (www.sequality.co.uk) with many years' experience helping organisations develop and implement such systems and achieve ISO 27001 certification. It is written from the consultant's perspective and is designed to be read in conjunction with the LRQA Guidance article.

This article has been written by Malcolm Armitage, Independent Consultant.


Benefits

Clients have cited several benefits associated with implementing a formal ISMS and achieving certification:

  • Increases potential client base and sales pipeline through satisfying specific contractual demands
  • Protects the value of IT investments
  • Reduces reputational risk
  • Integrates disaster recovery / business continuity
  • Formalises the asset inventory
  • Avoids security incidents lying dormant and dropping off the radar
  • Embeds continuous improvement in information security processes
  • Assists external financial auditors and simplifies the audit process


The initial steps

Let us look first at what we are trying to achieve by implementing an ISMS. In this day and age we rely more and more on information in electronic form (although paper documents must not be excluded from this). You should stand back and imagine how your organisation would (or could) cope if this key information was lost or corrupted, or its confidentiality was compromised.

A small company which may use a computer for payroll and a few letters would probably not be significantly disrupted if all were lost. Providing the payroll could be manually re-created and not too many key addresses were lost, business could continue as usual. However, if a larger organisation suffered a similar incident, just one of the following could be disastrous:

  • if the information became unavailable – imagine trying to access files or databases and finding they weren’t there and could not be reconstructed; or
  • if the confidentiality of the data was compromised and key addresses and personal information were available to unauthorised persons; or
  • if the data became corrupted – such as account details or the contact database.

An organisation could go out of business overnight if adequate steps had not been taken. So this is the starting point: deciding if an ISMS is necessary. A full business case containing both financial and qualitative benefits should be developed.

With ISO 27001 the organisation has the option to ‘ring fence’ different activities. As an example, an organisation may decide to apply certain controls to specific contracts or certain processes.

It is essential to get top-level management buy-in, not just to authorise the expenditure but to convey to the organisation that information security is taken very seriously and that if policies aren’t adhered to, disciplinary action may be taken. The business case, with its financial and qualitative benefits, can help secure senior management buy-in. Once again, the initiative will fail without a high degree of management commitment.

A project team should be established with members from key departments – this should be a business initiative and not purely reliant on the IT department. This is to ensure that all relevant and applicable information is captured from around the organisation.


Selecting a consultant

You may decide not to involve a consultant and go it alone; after all, information security isn’t rocket science, just good business practice. You may choose a combination of both internal and external resource. However, it is important to factor the cost of these internal resources into the business case.

Whichever way you look at it, there is a cost involved, whether it’s fees paid to an external consultant or hours charged to the project by using internal resource. Don’t forget that external consultants will have done this before and should be able to reduce the duration of the project.

When it comes to selecting an external consultant, a referral should be the preferred option. A consultant who comes highly recommended by a colleague or business associate is a known quantity: you will already be aware of their approach and method of working.

If a referral is not possible, consider contacting your local Business Link (http://www.businesslink.gov.uk/), which has access to a national register of approved consultants. The assessment is independent and reviewed annually. The British Computer Society (www.bcs.org) also maintains a register of consultants known as The Professional Advice Register.

Another option is to approach the assessment companies. These often have a list of consultants that their clients have used. They may be able to supply a list of two or three people for you to consider.

There are many factors to consider when choosing a consultant, which include:

  • Do they have recognised skills and qualifications which can be verified? There are several schemes that require consultants to take exams to demonstrate a level of competence and in some cases require CPD credits, e.g.
    • (ISC)² – the International Information Systems Security Certification Consortium administers the examinations for the Certified Information Systems Security Professional (CISSP). They provide a portal where a consultant’s qualification can be verified. http://www.isc2.org/
    • BCS – the British Computer Society administers the ISEB (Information Systems Examinations Board) CISMP exam. http://www.bcs.org/
  • Can they provide client references of successful implementations/certifications? It is important that you understand the past experience of the specific consultants who will be working on your project rather than simply the consulting company they work for. Most companies will be able to provide a page of logos – try to ascertain what was really achieved.
  • Do they demonstrate an understanding of your business and specific requirements? Consultants should recognise that every business is different and not simply attempt to roll out what they have done on previous projects. Their approach and experience should be tailored to your needs, rather than them tailoring your needs to their experience and methodologies.
  • If all the above factors are met, you should ask yourself the most important question: Do I like these guys? You don’t have to invite them to your house for dinner, but for the implementation to be successful you will have to develop a deep working relationship. Remember that, from your perspective, consultancy companies are only as good as the resources they put on the ground.


Scoping the system

Consider carefully what the ISMS is intended to cover and what you expect to get from it. It’s important to include all the activities that fall within the scope of the ISMS. Should you seek formal certification, this is what your assessment body will use as the starting point.

Potential customers may well ask to see the approved scope to ensure you can provide, and are assessed to provide, exactly what they require.

The objectives should also be considered and documented. Think carefully about these. The days of ‘we want to be best in class’ have gone. The standards now require that an element of continual improvement is demonstrable.

Identify and engage key stakeholders and assemble the correct project team. Implementing an ISMS involves more than just the IT organisation, and it is important that the business as a whole sees the benefits of the implementation and understands its impact. Team size and the appropriate project leader are specific to each organisation. The project team should be able to devote sufficient time to the implementation. A smaller group of closely involved individuals is usually more effective than a larger team of occasional part-timers. Should you have engaged a consultant, it is important that they are supported by internal resources: nobody understands the business better than those working in it. When consultants leave, knowledge can walk out the door with them.

As with any new project, a plan should be produced, but be realistic. If funding is sought from your local Business Link, they may require sight of the plan. The complexity of this will depend on the size of the organisation and the scope of the ISMS. You may decide that the ISMS is to be applied to only some activities within the organisation.

Try to keep your plan relatively simple yet include sufficient detail to show important milestones. Include review activities on the plan so that progress can be formally monitored. Update the plan on a regular basis. Ensure you keep senior management informed of progress.


Deriving the list of assets

It’s important to establish just what needs protection. It may sound obvious, but the first part of understanding what you need to protect is understanding what you have. This is not always immediately apparent, because each asset must be valued not just in terms of financial value but also in terms of the impact its loss would have on the organisation. In order to do this you should nominate representatives from each department or key area. When building this list it’s important to capture all the obvious and important assets such as the electronic ones, but don’t forget the old analogue modem that’s used daily by accounts to pay people, etc. Conversely, make sure that the not-so-important assets in the organisation are excluded.

Remember that you are trying to capture the key components that need consideration in terms of information security. Consider the ‘what if’ scenario for each selected asset: what would it mean in terms of financial loss or reputation if it became unavailable or corrupted (the business impact analysis)? Also take into consideration the fact that company assets may be located offsite – laptops are an example of this.


Risk assessment

Once the list of assets has been established, a risk assessment methodology should be selected and applied to these assets. There are tools available to assist with the risk assessment process that may be worth considering. Whichever risk assessment methodology is selected, it’s important that it is appropriate and repeatable.

A risk treatment plan should be produced to manage and mitigate the identified risks. Appropriate controls can then be selected from ISO 27001 Annex A to satisfy the risk assessment and risk treatment requirements.


Statement of applicability (SoA)

An SoA must be prepared that shows the controls that have been selected from ISO 27001 and the reasons for their selection. It must also show the controls currently implemented. Where any controls have not been selected because they are inappropriate for the organisation, the justification for their exclusion must also be noted.
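The three steps above (asset list with business impact, a repeatable risk assessment feeding a treatment plan, and an SoA that records why each control was selected or excluded) can be made concrete in a few dozen lines. The following is an added example, not code from the article or from SeQuality or LRQA. The asset and threat records, the 1–5 impact and likelihood scales, the risk appetite, and the control catalogue (whose `CTRL-…` identifiers are placeholders, not real Annex A numbers) are all constructed for illustration; a real assessment would map the selected controls to the Annex A edition in use.

```python
"""Repeatable risk assessment and SoA generation (added example, constructed data)."""
from dataclasses import dataclass

# Impact and likelihood use a 1..5 ordinal scale. Rejecting anything else keeps the
# method repeatable: two assessors scoring the same asset must use the same scale.
SCALE = range(1, 6)


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    location: str           # "onsite" or "offsite" (laptops are the classic offsite case)
    confidentiality: int    # impact if disclosed, 1..5
    integrity: int          # impact if corrupted, 1..5
    availability: int       # impact if unavailable, 1..5


@dataclass(frozen=True)
class Threat:
    name: str
    affects: str            # "confidentiality", "integrity" or "availability"
    likelihood: int         # 1..5
    controls: tuple         # catalogue ids (placeholders) that treat this threat


@dataclass
class Risk:
    asset: str
    threat: str
    score: int
    treatment: str = "accept"
    controls: tuple = ()


def _check(value, label):
    """Enforce the ordinal scale so scores are comparable between assessments."""
    if value not in SCALE:
        raise ValueError(f"{label} must be in 1..5, got {value!r}")
    return value


def assess(assets, threats, appetite):
    """Score each asset/threat pair as impact x likelihood and decide treatment.

    The impact used is the one matching the security property the threat affects,
    which is what the business impact analysis supplies. Scores above the risk
    appetite are marked 'mitigate' and carry the controls that treat the threat;
    everything else is 'accept'. Result is sorted highest risk first.
    """
    risks = []
    for a in assets:
        for t in threats:
            impact = _check(getattr(a, t.affects), f"{a.name}.{t.affects}")
            score = impact * _check(t.likelihood, f"{t.name}.likelihood")
            r = Risk(a.name, t.name, score)
            if score > appetite:
                r.treatment = "mitigate"
                r.controls = t.controls
            risks.append(r)
    return sorted(risks, key=lambda r: -r.score)


def statement_of_applicability(catalogue, risks):
    """Mark each catalogue control as selected (with the risks that justify it)
    or excluded (with the reason, as the SoA requires for unselected controls)."""
    justification = {}
    for r in risks:
        if r.treatment == "mitigate":
            for c in r.controls:
                justification.setdefault(c, []).append(f"{r.asset}/{r.threat}")
    soa = {}
    for cid, title in catalogue.items():
        if cid in justification:
            soa[cid] = {"title": title, "selected": True,
                        "reason": "treats " + ", ".join(justification[cid])}
        else:
            soa[cid] = {"title": title, "selected": False,
                        "reason": "no risk above appetite requires it"}
    return soa


# Constructed control catalogue. The ids are placeholders, not ISO 27001 Annex A numbers.
CATALOGUE = {
    "CTRL-BACKUP": "Information backup",
    "CTRL-ENCRYPT-MOBILE": "Encryption of mobile devices",
    "CTRL-CHANGE-CTRL": "Change control for financial data",
    "CTRL-CLOCK": "Clock synchronisation",
}

# Constructed asset register and threat list.
ASSETS = [
    Asset("contact database", "sales", "onsite", 4, 3, 4),
    Asset("finance laptop", "accounts", "offsite", 5, 4, 2),
]
THREATS = [
    Threat("hardware failure", "availability", 3, ("CTRL-BACKUP",)),
    Threat("device theft", "confidentiality", 2, ("CTRL-ENCRYPT-MOBILE", "CTRL-BACKUP")),
    Threat("unauthorised change", "integrity", 2, ("CTRL-CHANGE-CTRL",)),
]
APPETITE = 8  # constructed risk appetite: scores above this must be treated


def run():
    """Produce the ranked risk register and the SoA for the constructed data."""
    risks = assess(ASSETS, THREATS, APPETITE)
    return risks, statement_of_applicability(CATALOGUE, risks)


if __name__ == "__main__":
    register, soa = run()
    for r in register:
        print(f"{r.score:>2}  {r.treatment:<8} {r.asset} / {r.threat} {list(r.controls)}")
    for cid, row in soa.items():
        print(f"{cid}: {'selected' if row['selected'] else 'excluded'} - {row['reason']}")
```

Run as a script it prints the register ranked by score, then the SoA. With the constructed data only two pairs exceed the appetite (the contact database losing availability, score 12, and the offsite laptop being stolen, score 10), so the backup and mobile-encryption controls are selected with those risks as justification, while the change-control and clock controls are recorded as excluded with a reason. Changing the appetite or a single impact rating and re-running shows why a fixed, documented scale is what makes the assessment repeatable.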


Audit the system

As with other management systems, once the system is up and running it should be audited to confirm that it meets the requirements of the standard and the expectations of the organisation.

The audits should include technical conformance checking in addition to process conformance. They should ideally be conducted by trained staff who are independent of the activity being audited but have sufficient knowledge to ensure that no wool is being pulled over their eyes! As usual, any weaknesses must be addressed in a controlled manner.


Certification

The big question … should we go for external certification?

I feel that once an organisation has gone through the process of implementing an Information Security Management System it seems only right to get a third party in to assess the organisation to the ISO 27001 standard.

Achieving full compliance might not be appropriate for all organisations, but it is a powerful message to give to clients, shareholders and financial auditors. If you have used a consultant, they should be able to assist you with this choice.

The benefits certainly outweigh the cost.

I have seen financial auditors visit an organisation on behalf of their clients to conduct an audit, perhaps as part of a SAS 70 or Sarbanes-Oxley requirement or as part of a due diligence visit. It certainly lightens the air when one can reach for the certificate issued by an accredited independent third party!

When considering a certification body, the following should be on the list:

  • Make sure they are accredited by UKAS or another internationally recognised accreditation body
  • That the assessors have the right approach, knowledge and detailed experience in your industry
  • The size and profile of the certification body – in this global economy there are benefits in choosing one that’s present worldwide
  • One that delivers practical advice and encourages continual development, as the standard requires


Sources of further information

The following is just a small sample of sites that provide additional information on information security and security advice:

http://www.sans.org
http://www.mi5.gov.uk
http://www.pwcglobal.com (use search box [security])
http://www.niscc.gov.uk

A member of the Lloyd's Register Group ©LRQA 2010
Page last modified on 12 March 2009