
Implementing an ISMS — LRQA Guidance

1. Overview
2. Introduction to Implementing an ISMS
3. The OECD Guidelines
4. Getting started
5. Planning for success
6. Understanding the standard
7. Where next...?
8. Management processes
9. Define the scope
10. ISMS policy
11. Risk assessment and management
12. Risk treatment
13. Certification

Implementing an Information Security Management System (ISMS) — LRQA Guidance

Why is BS7799 (ISO 17799) good for you?

Whether you manage internal information management systems, are responsible for information security or develop IT products and services for your customers, effective information security management systems (ISMS) are essential. They will help ensure you develop the right controls, systems and products to meet the ever increasing and demanding requirements of your customers and partners.

BS7799 aims to ensure that adequate controls (addressing confidentiality, integrity and availability of information) are in place to safeguard the information of ‘interested parties’. These include your customers, employees, trading partners and the needs of society in general.

An ISMS compliant with BS 7799 part 2 can help you demonstrate to trading partners and customers alike that you take information security seriously. Accredited certification to BS 7799 is a powerful demonstration of an organisation’s commitment to managing information security.

This article provides practical guidance and advice for those who have been tasked with gaining ISMS certification for their organisations. A complementary document, ‘Implementing an ISMS - a Consultant’s Viewpoint’, is currently in preparation.

This article has been written by Geoff Brooks, LRQA Technical Services Manager.


Introduction to Implementing an ISMS

The UK FSA (Financial Services Authority) in its publication ‘Operational risk systems and controls’ (CP 142, page 57) refers to ISO 17799 in the context that ‘a firm should consider the adequacy of its systems and controls used to protect the processing and security of its information...’

In addition to the normal commercial need to protect confidential information, such as contractual and pricing information and intellectual property rights, recent developments in the regulatory and corporate governance fields (Sarbanes-Oxley, Basel 2, etc.) have placed ever more demanding requirements on the integrity of your corporate and financial information.

Implementing an Information Security Management System (ISMS) provides an assurance that security issues are being addressed in accordance with currently accepted best practice. Having your management system certified to BS 7799-2 by an accredited third party certification body (such as LRQA) gives you an independent and unbiased view of the appropriateness and effectiveness of your ISMS and demonstrates your capability to the outside world.


The OECD Guidelines

The OECD (Organisation for Economic Co-operation and Development) Guidelines aim to raise awareness about the risk to information systems and networks; the policies, practices, measures and procedures available to address those risks; and the need for their adoption and implementation. The nine principles of the guidelines apply to all policy and operational levels that govern the security of information systems and networks.

BS 7799-2 provides an ISMS framework for implementing these principles using the PDCA (‘Plan - Do - Check - Act’) cycle and management system processes:

  • Awareness - Participants should be aware of the need for security of information systems and networks, plus what they can do to enhance security.
  • Responsibility - All participants are responsible for the security of information systems and networks.
  • Response - Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.
  • Risk assessment - Participants should conduct risk assessments.
  • Security design and implementation - Participants should incorporate security as an essential element of information systems and networks.
  • Security management - Participants should adopt a comprehensive approach to security management.
  • Reassessment - Participants should review and reassess the security of information systems and networks, plus make appropriate modifications to security policies, practices, measures and procedures.


Getting started

Whatever the current state of your organisation, the starting point for implementing an ISMS is to obtain management commitment and support. Ideally, the motivation and direction will come from top management, but success will come more easily if, at the very least, management understand the reasons for implementing an ISMS and fully support its design and operation.


Planning for success

Just like any project you take on, success is all the more likely if you develop a meaningful and realistic plan, measure performance against the plan and are prepared to change it in the event of unforeseen circumstances.

The plan should recognise that developing the management system will require time and effort, and should provide adequate resources. Overall responsibility for information security is often given to the IT Manager, but information security has a wider impact than just IT systems, including personnel security, physical security and legal compliance. If your organisation already has an established quality management system in place, that experience should be harnessed to provide a foundation for the ISMS, since BS 7799-2 is aligned with ISO 9001:2000.

Trade associations and organisations that have already achieved certification can be good sources of information on getting started and can provide opportunities to compare experiences. You may also like to consider attending an LRQA training event, where you will be able to discuss information security issues with other delegates and your tutor.


Understanding the standard

The first step is to familiarise yourself with the standard, understand the criteria that you have to meet, the structure of the standard and hence the structure of your ISMS and associated documentation. The standard is in two parts:

  • ISO 17799 (BS 7799-1) is not a standard itself, but a code of practice that provides security objectives and controls that may be selected and implemented to manage specific risks to information security.
  • BS 7799-2 is the management system specification that defines the requirements you need to address to implement an ISMS and against which your certification body will audit you during the certification assessment. The specification includes the common elements of all management systems: management review, internal audit, improvement, etc. It also contains a section specifically aimed at identifying risks to your information and selecting suitable controls from ISO 17799 to manage those risks.


Where next...?

There are two main elements to an ISMS and these can be tackled as two distinct activities. BS 7799-2 requires the establishment of an ISMS to identify and document the security requirements specific to your business. The standard also requires the management processes needed to demonstrate management commitment and control to be defined, i.e., management responsibility, management review of the ISMS and ISMS improvement.


Management processes

These processes are critical to the effective implementation of an ISMS. If your organisation already operates an ISO 9001 management system, these processes will be familiar to you. If this is the case, then the most efficient way forward is often to integrate the information security requirements into your existing management system, ensuring that appropriate information security expertise is available when and where required.

If you are implementing these processes for the first time, consider the overall intent of these management elements of the standard. Top management have a significant impact on the effectiveness of the management system. Adequate resources (people, equipment, time and money) should be allocated to the development, implementation and monitoring of the ISMS. Internal audits verify that the management system is operating as intended and identify opportunities for improvement. Management review provides the opportunity for top management to assess how well the management system is operating and supporting the business.

You may find it useful to link these management processes to the ‘ISO 17799 Control Objective: Information security infrastructure’, as many of its controls complement the management elements of BS 7799-2.

Much of the advice given in the LRQA Guidance for implementing a QMS is equally valid for the implementation of the management processes for BS 7799-2.


Define the scope

It is essential that the logical and geographical scope of the ISMS is accurately defined, so that the boundaries of your information security system and security responsibilities can be identified. The scope should identify the people, places and information covered by the ISMS.

Once you have defined the scope, then the information assets covered by the scope can be identified, along with their value and owner.


ISMS policy

The requirements relating to the ISMS policy are addressed in both BS 7799-2 (4.2.1 b) and ISO 17799 (3.1). There are also references to the policy in other requirements of BS 7799-2 and in ISO 17799 controls which provide indications of what the policy should contain. For instance, the acceptance of risk should satisfy the ‘organisation’s policy and criteria for risk acceptance’ (BS 7799-2, 4.2.1, f 2). The policy should include or reference lower tier policies, addressing the security of the information assets.


Risk assessment and risk management

Risk assessment is the foundation on which an ISMS is built. It provides the focus for the implementation of security controls and ensures that they are applied where they are most needed, are cost effective and, just as importantly, are not applied where they are least effective. The risk assessment helps to answer the question, ‘How much security do we need?’

The risk assessment should involve all owners of information assets. You are unlikely to be able to conduct an effective risk assessment without them.

The first step is to decide on, then document, a method of risk assessment. There are proprietary methods available, normally computer-based, such as CRAMM, but many organisations develop their own methodologies, based on the principles of BS 7799-2 and the structure and complexity of their information systems.

The risk assessment process involves identifying and valuing the information assets. The valuation may be other than financial and take into account such things as reputational damage and compromise of regulatory compliance. The process should then consider the threats and vulnerabilities associated with the assets and the impact of their exploitation. Finally, determine the level of risk and identify the controls to be implemented to manage those risks.

The identification of threats, vulnerabilities and their impacts must take into account the security environment. For example, the threat of denial of physical access to the premises is greater for an organisation based on an industrial estate next to a petrochemical plant than it is for an office on a small urban office park. Likewise, the threat of theft is greater for credit card data than for the daily production data of a small engineering company.


Risk treatment

The risk assessment identifies risk levels which are then compared to the acceptable level of risk determined by the organisation’s security policy. Appropriate actions are taken to manage risks which are above the acceptance level, with the possible actions being:

  • Implementing security controls selected from ISO 17799 to reduce the risk to an acceptable level. The risk level should be recalculated to confirm that the residual risk is below the acceptance level. The selected controls are recorded in the Statement of Applicability, which should include the justification for the inclusion or exclusion of each control and provide traceability to the risk assessment.
  • Accepting the risk in accordance with the management’s policy and criteria for risk acceptance. There may be instances where residual risk is above the acceptance level after action has been taken, in which case the residual risk should also be subject to the risk acceptance process. A record of the management’s acceptance of risk should be maintained.
  • Removing the risk by changing the security environment. For example, installing secure applications where vulnerabilities have been identified in data processing applications, or moving physical assets to a higher floor if there is a risk of flooding. Such decisions need to take account of business and financial considerations. Again, the residual risk should be recalculated following risk removal actions.
  • Transferring the risk by taking out appropriate insurance or outsourcing the management of physical assets or business processes. The organisation accepting the risk should be aware of, and agree to accept, their obligations. Contracts with outsourcing organisations should address the appropriate security requirements.

The risk treatment plan is used to manage the risks by identifying the actions taken and planned, plus the timescales for the completion of outstanding actions. The plan should prioritise the actions and include responsibilities and detailed action plans.
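The assessment and treatment steps described above (value the assets, pair threats with vulnerabilities, score the risk, compare it with the acceptance level, recalculate the residual risk, record the Statement of Applicability and prioritise the treatment plan) can be captured in a small risk register. The Python below is an added example and is not part of the LRQA guidance or any LRQA tool. Everything in it is constructed for illustration: the 1 to 5 likelihood and impact scales, the acceptance level of 8, the assets, threats and owners, and the control names, which are placeholders rather than ISO 17799 clause references.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed scale: likelihood (1-5) x impact (1-5). Scores above
# ACCEPTANCE_LEVEL exceed the risk acceptance criteria assumed to be set
# by the ISMS policy.
ACCEPTANCE_LEVEL = 8


@dataclass
class Asset:
    name: str
    owner: str   # asset owners take part in the assessment
    value: int   # 1-5; may reflect reputation or compliance, not just money


@dataclass
class Risk:
    rid: str
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # 1-5
    impact: int      # 1-5

    def level(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Treatment:
    option: str  # reduce | accept | remove | transfer
    controls: List[str] = field(default_factory=list)  # placeholder names
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    owner: str = ""
    due: str = ""


def treat(risk: Risk, t: Treatment) -> Dict:
    """Record one treatment decision and recalculate the residual risk."""
    if t.option not in ("reduce", "accept", "remove", "transfer"):
        raise ValueError(f"unknown treatment option {t.option!r}")
    # With no reduced figures recorded, the residual equals the initial risk.
    rl = risk.likelihood if t.residual_likelihood is None else t.residual_likelihood
    ri = risk.impact if t.residual_impact is None else t.residual_impact
    residual = rl * ri
    return {
        "risk": risk.rid, "asset": risk.asset.name, "initial": risk.level(),
        "option": t.option, "controls": list(t.controls), "residual": residual,
        # Still above the acceptance level after treatment: the residual must
        # itself go through the risk acceptance process and be signed off.
        "needs_acceptance": residual > ACCEPTANCE_LEVEL,
        "owner": t.owner, "due": t.due,
    }


def statement_of_applicability(records: List[Dict], candidates: List[str],
                               exclusions: Dict[str, str]) -> Dict[str, Dict]:
    """Each candidate control is either applicable and traced to the risks it
    treats, or excluded with the justification recorded for it."""
    soa = {}
    for ctrl in candidates:
        linked = [r["risk"] for r in records if ctrl in r["controls"]]
        if linked:
            soa[ctrl] = {"applicable": True, "risks": linked,
                         "justification": "selected to treat " + ", ".join(linked)}
        else:
            soa[ctrl] = {"applicable": False, "risks": [],
                         "justification": exclusions.get(ctrl, "NO JUSTIFICATION RECORDED")}
    return soa


def treatment_plan(records: List[Dict]) -> List[Dict]:
    """Outstanding actions (anything not simply accepted), highest residual first."""
    outstanding = [r for r in records if r["option"] != "accept"]
    return sorted(outstanding, key=lambda r: r["residual"], reverse=True)


def sample_records() -> List[Dict]:
    """Constructed sample register: every asset, risk and treatment is invented."""
    card_db = Asset("cardholder database", "Finance Manager", 5)
    prod = Asset("daily production data", "Works Manager", 2)
    server_room = Asset("ground-floor server room", "IT Manager", 4)
    tapes = Asset("off-site backup tapes", "IT Manager", 3)
    decisions = [
        (Risk("R1", card_db, "theft of card data", "unpatched web application", 4, 5),
         Treatment("reduce", ["patch-management", "access-control"], 2, 5, "IT Manager", "Q3")),
        (Risk("R2", prod, "theft of production data", "shared workstation logins", 2, 2),
         Treatment("accept", owner="Works Manager")),
        (Risk("R3", server_room, "flooding", "ground-floor location", 3, 4),
         Treatment("remove", ["physical-siting"], 1, 4, "Facilities", "Q4")),
        (Risk("R4", tapes, "loss of tapes in transit", "unescorted courier", 3, 3),
         Treatment("transfer", ["outsourcing-contract"], 1, 3, "IT Manager", "Q2")),
    ]
    return [treat(r, t) for r, t in decisions]


def sample_soa() -> Dict[str, Dict]:
    candidates = ["patch-management", "access-control", "physical-siting",
                  "outsourcing-contract", "cryptographic-controls"]
    exclusions = {"cryptographic-controls": "no risk in the register requires encryption"}
    return statement_of_applicability(sample_records(), candidates, exclusions)
```

In the sample register R1 starts at 20 and is reduced to 10, which is still above the acceptance level of 8, so the record is flagged as needing formal management acceptance rather than silently closed; R3 and R4 fall within the criteria after their removal and transfer actions. The Statement of Applicability lists the one unused candidate control as excluded with its recorded justification, and any control without one is flagged so the gap is visible to an auditor.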


Certification

Not all certification bodies are made the same. When selecting the body you want to work with ensure they are accredited by a national body. In the UK, this is the United Kingdom Accreditation Service (UKAS). Visit its website (www.ukas.com) for further information on accreditation.

Certification is an external validation of your quality management system, to ensure that it meets the requirements of BS 7799-2:2002, the internationally recognised information security management system standard.

For more information on BS 7799, visit the ISMS International User Group website (www.xisec.com).

Your choice of certification body will also say a lot to your customers about how seriously you take management systems. You need to choose a certification body that can help you develop your management system to realise its potential. With LRQA, you will be allocated an account manager who will discuss the best way to approach certification for you.

All LRQA assessors go through a rigorous selection and training programme, followed by continual professional development. This gives you the assurance that by choosing LRQA as your certification body, you will get a thorough but fair assessment, supporting the ongoing development of your management system. In addition, as the LRQA brand is recognised globally, it will provide purchasers, anywhere in the world, with the confidence that your management system meets the requirements of BS 7799-2.

Since 1985, we have been designing our services with you in mind. This means we take your individual needs and requirements into account when shaping our service offer. Our complementary support package has been developed to help you make the most of your management systems, including:

  • Free customer events
  • Freephone technical helpdesk
  • Online technical helpdesk through our online customer support area
  • Account management assistance

For information on gaining BS 7799-2 certification with LRQA, visit www.lrqa.co.uk/bs7799. See the training section for details on LRQA’s range of engaging and informative ISMS courses. To learn more about LRQA products and services, contact our business advisors on 0800 783 2179.
