Overview
Why is ISO 27001 good for you?
Whether you manage internal information management systems, are responsible for information security or develop IT products and services for your customers, effective information security management systems (ISMS) are essential. They will help ensure you develop the right controls, systems and products to meet the ever increasing and demanding requirements of your customers and partners.
ISO 27001 aims to ensure that adequate controls (addressing confidentiality, integrity and availability of information) are in place to safeguard the information of ‘interested parties’. These include your customers, employees, trading partners and the needs of society in general.
An ISMS compliant to ISO 27001 can help you demonstrate to trading partners and customers alike that you take information security seriously. Accredited certification to ISO 27001 is a powerful demonstration of an organisation’s commitment in managing information security.
This article provides some practical guidance and advice for those who have been tasked in gaining certification for their organisation with regards to an ISMS.
This article has been updated by Phil Willoughby, LRQA Technical Services Manager.
Introduction to Implementing an ISMS
The UK FSA (Financial Services Authority) in its publication ‘Operational risk systems and controls’ (CP 142, page 57) refers to ISO 27001 in the context that ‘a firm should consider the adequacy of its systems and controls used to protect the processing and security of its information...’
In addition to the normal commercial need to protect confidential information, such as contractual and pricing information, intellectual property rights, etc.; there are recent events in the regulatory and corporate governance fields (Sarbanes-Oxley, Cobit, etc) that have placed ever more demanding requirements on the integrity of your corporate and financial information.
Implementing an Information Security Management System (ISMS) provides an assurance that security issues are being addressed in accordance with currently accepted best practice. Having your management system certified to ISO 27001 by an accredited third party certification body (such as LRQA) gives you an independent and unbiased view of the appropriateness and effectiveness of your ISMS and demonstrates your capability to the outside world.
First | Previous | Next | Last
The OECD Guidelines
The OECD (Organisation for Economic Co-operation and Development) Guidelines aim to raise awareness about the risk to information systems and networks; the policies, practices, measures and procedures available to address those risks; and the need for their adoption and implementation.
The nine principles of the guidelines apply to all policy and operational levels that govern the security of information systems and networks.
ISO 27001 provides an ISMS framework for implementing these principles using the PDCA (‘Plan - Do - Check - Act’) cycle and management system processes:
- Awareness - Participants should be aware of the need for security of information systems and networks, plus what they can do to enhance security.
- Responsibility - All participants are responsible for the security of information systems and networks.
- Response - Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.
- Risk assessment - Participants should conduct risk assessments.
- Security design and implementation - Participants should incorporate security as an essential element of information systems and networks.
- Security management - Participants should adopt a comprehensive approach to security management.
- Reassessment - Participants should review and reassess the security of information systems and networks, plus make appropriate modifications to security policies, practices, measures and procedures.
First | Previous | Next | Last
Getting started
Whatever the current state of your organisation, the starting point for implementing an ISMS is to obtain management commitment and support. Ideally, the motivation and direction will come from senior management, but success will come more easily if, at the very least, management understand the reasons for implementing an ISMS and fully support its design and operation.
First | Previous | Next | Last
Planning for success
Just like any project you take on, success is all the more likely if you develop a meaningful and realistic plan, measure performance against the plan and then be prepared to change it in the event of unforeseen circumstances.
The plan should recognise that developing the management system will require time and effort and should provide adequate resources. Overall responsibility for information security is often given to the IT Manager, but information security has a wider impact than just IT systems, including personnel, security, physical security and legal compliance. If your organisation already has an established quality management system in place then as ISO 27001 is aligned with ISO 9001:2008, this experience should be harnessed to provide a foundation for the ISMS.
Trade associations and organisations that have already achieved certification can be good sources of information on getting started and can provide opportunities to compare experiences. You may also like to consider attending an LRQA training event, where you will be able to discuss information security issues with other delegates and your tutor.
First | Previous | Next | Last
Understanding the standard
The first step is to familiarise yourself with the standard, understand the criteria that you have to meet, the structure of the standard and hence the structure of your ISMS and associated documentation. The standard is in two parts:
- ISO 27002 is not a standard itself, but a code of practice that describes security objectives and controls that may be selected and implemented to manage specific risks to information security.
- ISO 27001 is the management system specification that defines the requirements you need to address and implement, against which your certification body will audit you during the certification assessment. The specification includes the common elements of all management systems; management review, internal audit and improvement, etc. It also contains a section specifically aimed at identifying risks to your information and the selection of suitable controls defined in Annex A to manage those risks.
First | Previous | Next | Last
Where next...?
There are two main elements to an ISMS and these can be tackled as two distinct activities. ISO 27001 requires the establishment of an ISMS to identify and document the security requirements specific to your business. The standard also requires the management processes needed to demonstrate management commitment and control to be defined, ie, management responsibility, management review of the ISMS and ISMS improvement.
First | Previous | Next | Last
Management processes
These processes are critical to the effective implementation of an ISMS. If your organisation already operates an ISO 9001 management system, these processes will be familiar to you. If this is the case, then the most efficient way forward is often to integrate the information security requirements into your existing management system, ensuring that appropriate information security expertise is available when and where required.
If you are implementing these processes for the first time, consider the overall intent of these management elements of the standard. Top management have significant impact on the effectiveness of the management system. Adequate resources (people, equipment, time and money) should be allocated to development, implementation and monitoring of the ISMS. Internal audits verify that the management system is operating as intended and identifies opportunities for improvement. Management review provides the opportunity for top management to assess how well the management system is operating and supporting the business.
You may find it useful to link these management processes to the Control Objectives in Annex A; as many of the controls complement the management elements of ISO 27001.
Much of the advice given in the LRQA Guidance for implementing a QMS is equally valid for the implementation of the management processes for ISO 27001.
First | Previous | Next | Last
Define the scope
It is essential that the logical and geographical scope of the ISMS is accurately defined, so that the boundaries of your information security system and security responsibilities can be identified. The scope should identify the people, places and information covered by the ISMS.
Once you have defined the scope, then the information assets covered by the scope can be identified, along with their value and owner.
First | Previous | Next | Last
ISMS policy
The requirements relating to the ISMS policy are addressed in both ISO 27001 (4.2.1 b) and ISO 27002. There are also references to the policy in other requirements of ISO 27001 and in Annex A controls which provide indications of what the policy should contain. For instance, the ISMS policy requires criteria for risk evaluation to be defined, supported by details requirements in 4.2.1c) and 5.1f). Other policies will be required to meet certain control objectives.
First | Previous | Next | Last
Risk assessment and risk management
Risk assessment is the foundation on which an ISMS is built. It provides the focus for the implementation of security controls and ensures that they are applied where they are most needed, are cost effective and, just as importantly, are not applied where they are least effective. The risk assessment helps to answer the question, ‘How much security do we need?’
The risk assessment involves all owners of information assets. You are unlikely to be able to conduct an effective risk assessment without them.
The first step is to decide on, then document, a method of risk assessment. There are proprietary methods available, normally computer-based, such as CRAMM. ISO 27005/ ISO/IEC TR 13335-3 and give more information to enable and organisation to select or develop a method suitable to their own structure and complexity of information systems.
The risk assessment process involves identifying and valuing the information assets. The valuation may be other than financial and take into account such things as reputational damage and compromise of regulatory compliance. The process should then consider the threats and vulnerabilities associated with the assets and the impact of their exploitation. Finally, determine the level of risk and identify the controls to be implemented to manage those risks.
The identification of threats, vulnerabilities and their impacts must take into account the security environment. For example, the threat of denial of physical access to the premises is greater for an organisation based on an industrial estate next to a petrochemical plant than it is for an office on a small urban office park. Likewise, the threat of credit card data theft is greater than for the theft of daily production data of a small engineering company.
First | Previous | Next | Last
Risk treatment
The risk assessment identifies risk levels which are then compared to the acceptable level of risk determined by the organisation’s security policy. Appropriate actions are taken to manage risks which are above the acceptance level, with the possible actions being:
- Implementing security controls selected from Annex A to reduce the risk to an acceptable level. The risk level should be recalculated to confirm that the residual risk is below the acceptance level. The selected controls are recorded in the Statement of Applicability, which should include the justification for the inclusion or exclusion of each control, status and provide traceability to the risk assessment.
- Accepting the risk in accordance with the management’s policy and criteria for risk acceptance. There may be instances where residual risk is above the acceptance level after action has been taken, in which case the residual risk should also be subject to the risk acceptance process. A record of the management’s acceptance of risk should be maintained.
- Removing the risk by changing the security environment. For example, installing secure applications where vulnerabilities have been identified in data processing applications or maybe moving physical assets to a higher floor, if there is a risk of flooding. Such decisions need to take account of business and financial considerations. Again, the residual risk should be recalculated following risk removal actions.
- Transferring the risk by taking out appropriate insurance or outsourcing the management of physical assets or business processes. The organisation accepting the risk should be aware of, and agree to accept, their obligations. Contracts with outsourcing organisations should address the appropriate security requirements.
The risk treatment plan is used to manage the risks by identifying the actions taken and planned, plus the timescales for the completion of outstanding actions. The plan should prioritise the actions and include responsibilities and detailed action plans.
First | Previous | Next | Last
Certification
Not all certification bodies are made the same. When selecting the body you want to work with ensure they are accredited by a national body. In the UK, this is the United Kingdom Accreditation Service (UKAS). Visit its website (www.ukas.com) for further information on accreditation.
Certification is an external validation of your quality management system, to ensure that it meets the requirements of ISO 27001:2005, the internationally recognised, information security management system standard.
For more information on ISO 27001, visit the ISMS International User Group website (www.xisec.com).
Your choice of certification body will also say a lot to your customers about how seriously you take management systems. You need to choose a certification body that can help you develop your management system to realise its potential. With LRQA, you will be allocated an account manager who will discuss the best way to approach certification for you.
All LRQA assessors go through a rigorous selection and training programme, followed by continual professional development. This gives you the assurance that by choosing LRQA as your certification body, you will get a thorough but fair assessment, supporting the ongoing development of your management system. In addition, as the LRQA brand is recognised globally, it will provide purchasers, anywhere in the world, with the confidence that your management system meets the requirements of ISO 27001.
Since 1985, we have been designing our services with you in mind. This means we take your individual needs and requirements into account when shaping our service offer. Our complementary support package has been developed to help you make the most from your management systems, including:
- Free customer events
- Freephone technical helpdesk
- Online technical helpdesk through our online customer support area
- Account management assistance
For information on gaining ISO 27001 certification with LRQA, visit www.lrqa.co.uk/iso27001. See the training section for details on LRQA’s range of engaging and informative ISMS courses. To learn more about LRQA products and services, contact our business advisors on 0800 783 2179.
To learn more about LRQA products and services, contact our business advisors on 0800 783 2179
Page last modified on 07 February 2007
Article can be found online at:
http://www.lrqa.co.uk/help/Implementation/isms/lrqaguidance/
Care is taken to ensure that the information herein is accurate and up-to-date. However, LRQA accepts no responsibility for inaccuracies in, or changes to, such information.
| The Lloyd’s Register Group comprises charities and non-charitable companies, with the latter supporting the charities in their main goal of enhancing the safety of life and property for the benefit of the public and, ultimately, the environment.
Lloyd's Register and LRQA are trading names of the Lloyd's Register Group of entities. Services are provided by members of the Lloyd’s Register Group. For further details please see http://www.lr.org/entities © LRQA 2012 . All rights reserved. |
 |