Search Results

404 error: Page not found Could be an availability or integrity failure Try removing .html from the URL and reloading the page, or find your way to the page you seek using the menu. Go home

General info about the ISO27k standards as a whole - their scope and objectives, the core standards, that sort of thing Previous Back to FAQ summary Next ISO27k standards What use is ISO27k for my organisation? For more on this, see the free business case template, part of the ISO27k Toolkit . Organisations that use the ISO27k standards gain worthwhile business benefits such as: Protecting valuable information : more specifically, information security enhances the confidentiality, integrity and/or availability of the information content, plus the associated processes, IT systems, networks, services etc ., without imposing excessive security that would prevent it being exploited for legitimate business purposes. Reducing losses : cost-effective security controls minimise the probability and severity of incidents caused deliberately (e.g. hacks, frauds, disinformation) or accidentally (e.g . floods, equipment failures, misconfigurations, inadvertent disclosures). Increasing assurance and trust : ISO27k conformiuty demonstrates the organisation’s commitment towards good practices for information security, privacy, compliance, ethics etc . to interested parties such as its customers, employees, partners, investors and the authorities. Achieving and maintaining compliance : various laws, regulations and contractual terms impose requirements relating to information security, privacy, accuracy, completeness, timeliness etc. Enhancing resilience : adequately protecting the information, IT systems and processes that are vital to important operational activities and business objectives reduces the possibility of costly disruptive incidents, adverse publicity, customer defections etc. Bolstering brands : aside from merely claiming to protect information, certified conformity with ISO/IEC 27001 and ISO/IEC 27701 enhances the organisation’s reputation. It is increasingly being expected or demanded by discerning customers, partners, investors and regulators - in other words, it confers competitive advantage. To be clear, there are costs associated with sound governance, risk management, security, privacy, assurance, incident management and so on ... but the business benefits outlined above substantially exceed the costs. The risks and costs involved in not taking security and privacy seriously can be existential, as is clear from the news headlines : serious hacking, ransomware and fraud incidents have devastated companies such as Sony Pictures Entertainment, Travelex and Barings Bank. Government institutions, defence, charities and healthcare organisations are far from immune. With such limited resources, S mall to M edium-sized E nterprises stand little chance if targeted, or if mistakes are made in their accounting and tax processes, IT systems and networks. Protecting and exploiting computer data and other forms of information is critically important for business and vital for human safety. There's no need to design a completely bespoke approach for your particular organisation. ISO27k constitutes a suite of internationally-recognised good security practices to suit any organisation, a stable platform on which to build. Are these IT security (cybersecurity) standards? When assessing and treating information risks, focus primarily on risks affecting critical business activities and information - the organisation's crown jewels'. The related computer systems, services and data play a secondary, supporting or enabling role, but don't forget the associated processes, people and relationships. Yes, largely, but they are not limited to IT. The ISO27k standards are about protecting and exploiting valuable information in all forms, not just computer systems, services, networks and data. Aside from computer data, 'information' includes: Printed or written information such as completed forms, signed contracts and rough notes; Information expressed verbally and visually at meetings, videoconferences, phone calls, briefings, seminars, even casual water-cooler or corridor conversations; Policies, procedures and work instructions; Shared corporate culture expressed through attitudes, priorities and ethics, plus personal angles such as body language, prejudices and bias; Knowledge and expertise in workers' heads, plus concepts, ideas, strategies, thoughts ...; Proprietary, business, personal, shared and public information; Intellectual property such as trade secrets, patents, trademarks and copyright information. Various business units, departments and teams generate or acquire, use and benefit from valuable information. IT Department is a custodian for much but not all of it. People throughout the business are accountable for both protecting and (legitimately) exploiting information in support of the organisation’s strategic objectives, with the guidance and assistance of IT, risk, security and other specialists. Suppliers of telecommunications and cloud services, plus utilities such as power and water, all have parts to play in maximising the value of information, while information is an integral and important part of the organisation's products supplied to customers, partners and the authorities (e.g. company accounts and tax reports). Where can I obtain [name any ISO27k standard]? Google and shop around for the best deal. P ublished ISO27k standards may be purchased directly from the ISO store or from the various national standards bodies and commercial organisations (agents). A few popular ISO27k standards are available through Amazon.com and other retailers. It is worth checking for localised/national versions of the standards. Several national standards bodies release translated versions of the standards in their own languages. They go to great lengths to ensure that the translations remain true to the originals, although naturally this takes time. ISO27k standards can be purchased as electronic documents or printed hardcopies. In addition to single-user PDFs, standards bodies may license electronic versions of the standards for multi-user internal corporate use, making the definitive standards readily available on the intranet. Are there qualifications for ISO27k professionals? Hands-on ISO27k ISMS implementation and audit experience, ideally with several organisations, is by far the best ‘qualification’ in the field. General information security and technology audit qualifications (such as CISSP, CISM and CISA) can help, and business management qualifications (such as MBAs) are well worthwhile. Not exactly, but there are certifications or designations. Unlike some IT certifications, ISO27k certifications lack a universally-recognized governing body. Common designations include ISO/IEC 27001 Lead Auditor (LA) , with various paths from formal training and audits to experience-based qualification, and ISO/IEC 27001/27002 Lead Implementer (LI) , which focuses on implementing the ISO27k standards. However, the value of such course-completion certificates is questionable. Demonstrable experience and competence are worth far more. Refer to ISO/IEC 27021 for guidance on “Competence requirements for information security management systems professionals”. Where else can I find answers on ISO27k and information security? Whatever your current state of expertise, actively engaging in study and debate gets you onto the personal development fast-track. Besides the ISO27k standards themselves, consider joining professional groups such as: (ISC) ² ACM SIG SAC CSA InfraGard ISACA ENGAGE ISO27k forum ISSA LinkeDin OWASP What is ISO/IEC? “ISO” is not an abbreviation but is in fact derived from the Greek word isos meaning equal. ISO primarily coordinates, facilitates and encourages collaboration between the national standards bodies, driving global standardisation. ISO is the name of the Swiss-based standards body known in English as the International Organization for Standardization . IEC is an abbreviation for the I nternational E lectrotechnical C ommission, another international standards body working closely with ISO on electrical, electronic and related technical standards. Standards developed jointly with ISO are prefixed “ISO/IEC” although in casual terms, we often shorten it to plain “ISO”. ISO/IEC also collaborate with other international organisations (both governmental and private sector) such as the ITU, the I nternational T elecommunication U nion. The ITU is primarily a trade body coordinating telecoms organisations and practices to enable worldwide communications. It allocates radio frequencies, for example, to minimise co-channel interference and encourage the manufacture of radio equipment that can be sold and used internationally. What are all those other obscure abbreviations? The processes are regimented - highly structured and consequently s-l-o-w. At several stages during the development of a standard, national standards body members are invited to vote and comment formally. The following abbreviations are used by the committee developing ISO27k standards: AG - A dvisory G roup AMD - Am end ment ARO - A pproved R S O riginator BRM - B allot R esolution M eeting CB - [IEC] C ouncil B oard CD - C ommittee D raft (1st CD, 2ndCD etc. , a quality-control phase, addressing editorial matters and typoos *) CDV - [IEC] C ommittee D raft for V ote COR - Technical Cor rigendum CS - [ISO] C entral S ecretariat DAM - D raft Am endment DCOR - D raft Technical Cor rigendum DIS - D raft I nternational S tandard (nearly there, down to proofreading, hold your breath *} DoC - D isposition o f C omments DR - Defect Report DTR - Draft Technical Report DTS - Draft Technical Specification FCD - F inal C ommittee D raft (ready for final approval (voting), but rarely used *) FDAM - Final Draft Amendment FDIS - F inal D raft/D istribution I nternational S tandard (just about ready to publish, final tweaks, pinch your nose and count to 100 *) HoD - H ead o f D elegation ICT - I nformation and C ommunications T echnology IEC - I nternational E lectrotechnical C ommission IPR - I ntellectual P roperty R ights IS - I nternational S tandard (published! Yay!) ISO - International Organization for Standardization ITTF - I nformation T echnology T ask F orce ITU - I nternational T elecommunication U nion ITU-R – ITU - R adiocommunications Sector ITU-T – ITU - T elecommunication Standardization Sector JCG - J oint C oordination G roup JTAB - J oint T echnical A dvisory B oard JTC 1 – [ISO + IEC] J oint T echnical C ommittee 1 JWG - J oint W orking G roup MB - (ISO) M ember B ody NB - N ational B ody NC - (IEC) N ational C ommittee NP - N ew P roject (the formal scoping phase, clarifying the proposal and formally seeking approval to proceed with the standards development project *) NWI - N ew W ork I tem OWG - O ther W orking G roup PAS - P ublicly A vailable S pecification PC - P roject C ommittee PDAM - P roposed D raft Am endment PDTR - P roposed D raft T echnical R eport PDTS - P roposed D raft T echnical S pecification PT - P roject T eam PWI - P reliminary W ork I tem - initial feasibility and outline scoping activities PWI - P reliminary W ork I tem RER - R eferencing E xplanatory R eport RG - R apporteur G roup RS - R eferenced S pecification SC - S ubC ommittee SD - S tanding D ocument - now known as Committee Document SG - S tudy G roup SMB - (IEC) S tandardization M anagement B oard SP - S tudy P eriod (preparing the NWIP …) SWG - S pecial W orking G roup TAG - (ISO) T echnical A dvisory G roup TC - T echnical C ommittee TMB - T echnical M anagement B oard TR - T echnical R eport (published! See next Q&A) TS - T echnical S pecification (published! See next Q&A) WD - W orking D raft (1st WD, 2ndWD etc . - content development “preparatory” drafting phase WG - W orking G roup Aside from international standards, what are TRs and TSs? See the ISO DIrectives for even more detail. ISO/IEC publishes a range of different types of standards, as well as covering a number of different subjects: An I nternational S tandard (IS) is the most common form of ISO/IEC standard, including product/technical standards, test methods, ‘codes of practice’ (good practices) and management standards. An IS “provides rules, guidelines or characteristics for activities or for their results, aimed at the achievement of the optimum degree of order in a given context”. Most aim to describe the final objective without prescribing the method of getting there (although they don’t all meet that aim!). The review cycle is 5 years (maximum). A T echnical S pecification (TS) is a standard on an immature subject that is still being developed, and is not quite ready to become a full IS. Feedback is encouraged in order to drive further development leading, eventually, to the release of an IS. Internally within the committee, final drafts are called PDTS P roposed D raft T echnical S pecifications. A T echnical R eport (TR) is informative rather than providing firm guidance. It may draw on surveys and reports, and may attempt to describe the state of the ar’. Final drafts of these are called PDTR P roposed D raft T echnical R eports. A P ublicly A vailable S pecification (PAS) responds to an urgent need to drive consensus on some emerging topic. Alternative and perhaps incompatible views may be expressed by parallel PASs from different expert streams. A PAS is supposed to be replaced by a TS or IS, or withdrawn, within 6 years. An I nternational W orkshop A greement (IWA) is a PAS produced outside of the ISO/IEC world - for example by some technical or industry body. It too has a maximum life of 6 years. What is JTC 1/SC 27 and what are WGs? Once you have ISMS experience, consider getting involved with SC27's standards work by contacting your national standards body and volunteering. ISO/IEC JTC 1/SC 27 is the J oint T echnical C ommittee 1 /S ubC ommittee 27 responsible for numerous information security, privacy and technological standards, including ISO27k series. SC 27 is spread across five W orking G roups focused in particular areas: · WG1 for I nformation S ecurity M anagement S ystems; · WG2 for cryptography; · WG3 for security evaluation; · WG4 for security controls and services; · WG5 for identity management and privacy technologies. How can I keep up with ISO27k? If you have ISO27k news, please share it with the user community via the ISO27k Forum. An easy way to keep in touch with developments is to bookmark this very website and call back every so often to see what's new. Another option is to Google ISO 27001 news or related terms. Professional information security-related organisations such as ISSA and ISACA often carry content on ISO27k. There are a few ISO27k groups on LinkeDin and other social media, of variable quality. Unfortunately most of them (other than the ISO27k Forum) are infested with spammers and well-meaning but inept commentators. Previous Up Next

FAQ answers and pragmatic tips on implementing the ISO27k standards as a means to improve security, manage information risks, make the organisation more resilient .... oh and perhaps be certified if you like (it's optional). Previous Up Next Implementation How do we engage our management? Brainstorm with your team to come up with ideas along these lines, then select the few that you are actually going to pursue this month or next. Focus! Learn as you go! Start by raising management's awareness. Collaborate with internal contacts, especially in risk management, legal/compliance and IT departments, and demonstrate how the ISMS supports business strategies. Secure adequate resources by working with finance and understanding business priorities. Map management relationships to tailor communication and identify blockers. Engage your team, use metrics to show progress, and resolve existing security issues. Provide regular briefings and workshops, address audit findings, and expand the security awareness program to the rest of the organisation. Consider calling in external experts for events and consultation, but manage their engagements carefully to avoid becoming unduly dependent (a risk!). Should we aim for conformity, certification, compliance or what? Stopping short begs obvious questions: why don’t you have the certificate? What are you hiding? Yes! Implementation: indicates you are making progress … but how much? How much further to go? Why would you not go the whole hog i.e. certification of your ISMS? Conformity: means using the ISO27k standards sensibly but, without assurance, that’s still just a claim, an assertion. Certification: formal certification by a properly-accredited conformity assessment and certification body verifies that the ISMS fulfils all the mandatory ISO/IEC 27001 requirements. Their accreditation gives the certificate meaning and value for others. Compliance: satisfying applicable mandatory legal, regulatory or contractual obligations is non-negotiable. The ISMS can help achieve that in specific areas but is not its prime focus. The key benefit of an ISMS arises through reducing the number and severity of security incidents, getting a grip on the organisation's information risks. Noncompliance with, say, privacy laws is the kind of business risk that management needs to tackle, head-on. How long will it take to implement ISO 27001? Check out the implementation project estimator - a simple spreadsheet tool provided in the ISO27k Toolkit. The timeline varies greatly according to factors such as: Management support : senior and middle management buy-in is crucial. Start here or regret it later. Team expertise : experience and project management skills matter, particularly for the ISMS implementation project manager/team leader and their boss. Security maturity : affects both the starting point and the rate of progress. Is continual improvement a thing in your organisation, or just a dream? Risk profile : a community college faces markedly different challenges to a missile silo. Compliance and conformity : experiences and challenges make a difference. Cross-functional support : genuine collaboration and support from IT, HR, legal, operations and other departments can move things apace – or cause logjams if missing. Strategic alignment : how well does the ISMS fit business objectives and strategies? Obstacles : internal or external resistance or barriers will s l o w things down. Resource availability : funding, personnel, priorities, commitment and attention all matter. ISMS scope : is the implementation enterprise-wide or just a small part? Do we need a CISO? Competent, experienced, trustworthy information security professionals are hard to come by. A significant ISMS implementation is a fabulous learning and career development opportunity if only you can find someone suitable and willing to give it a go ... with oodles of support. Not necessary a C hief I nformation S ecurity O fficer as such. Although ISO/IEC 27001 doesn't literally demand it, a manager or leader is indispensible if your ISMS is to achieve anything truly meaningful and valuable for the business, in a reasonable yet realistic timeframe. Here are the personal qualities, qualifications and experience ideally required: Personal integrity, high ethical standards, beyond reproach, entirely trustworthy; Clear passion and enthusiasm for information risk and security management; Professional technical/technological background e.g. IT, engineering; Project and personnel management experience; Excellent communication and strong negotiation skills; Business management experience & expertise e.g. budgeting and financial management, planning and prioritising, spotting and responding appropriately to risks and opportunities; Technology audit skills, awareness or experience; Hands-on experience with an ISMS or similar structured approach, preferably at management level but operational experience is a start; Process- and quality-oriented, highly organised, structured and self-motivated - “driven” even; Pragmatic, adaptable, resilient and responds well to stress; Solid knowledge of the ISO27k standards, plus other standards, methods, laws, regulations etc .; Experience with training and awareness, security administration, security architecture, physical security, risk management, compliance, conformity etc. - more than cybersecurity! An SME may have little option but to settle for a part-timer, preferably a suitable manager but a contractor, consultant or fractional CISO may suffice, at least for now - especially if the asignment explicitly includes mentoring an insider to step into their shoes. To whom should our CISO/ISMS leader report? Working with HR, help senior management understand the issues, and negotiate the role, goals/objectives, seniority, reporting lines etc. to suit your organisational context. This is patently a corporate governance matter. They should preferably be part of the C-suite or executive team, at the highest level of management. Information security is a strategic, organisation-wide, business concern, not just a technology issue. Reporting to a lower-level function such as the Head of IT limits their scope, influence, independence and capability to manage the organisation's information risks. Senior management is accountable for sound risk management, including information risk and security management. Delegating this important task to too junior a level would be irresponsible. Must we involve the business or can we keep the ISMS within IT? Rather than deliberately restricting the ISMS scope, consider a “pilot implementation”. If successful, build on the pilot by expanding the scope wherever it makes the most sense for the business. ISO27k is about information security management systems . While IT or cybersecurity is essential, ISO27k covers risks to all forms of information including non-digital assets such as trade secrets. Aside from the challenge of securing technologies, implementing an ISMS is tricky due to: Complexity : information security incidents can affect everyone who uses, depends upon information or has an interest in its protection and exploitation. That includes business partners, customers and other stakeholders such as staff and managers, owners and regulatory authorities, using all manner of information in myriad ways. Dynamics : ever-changing risks require agile responses. Serious incidents can blow up seemingly out of nowhere, dramatically changing the situation ... while we cannot afford to ignore more gradual, evolutionary changes such as ever-increasing automation. Whereas it may be possible to narrow the scope, that reduces the benefits of an enterprise-wide ISMS and creates security issues at the scope boundary, meaning additional hidden costs e.g. incorporating explicit security requirements in Service Level Agreements and contracts, along with assurance measures. ISMS scope? What's that? How do we define it? Collaborate with business colleagues on this, particularly supportive senior managers. If you don't have any of those, yet, work on raising management's awareness and understanding first. Short answer: see ISO/IEC 27001 Clause 4.3 plus the rest of Clause 4. Scoping the ISMS appropriately is an important strategic decision for the organisation that should be made by senior managers. To help them decide, research and lay-out a strategy, business case or proposal: Explain the ISMS's business value (benefits less costs); Discuss the strategic objectives in busines terms; Address management's concerns about necessity, alternative approaches or options (including the do-nothing straw-man), resourcing, priorities and hidden benefits (e.g. assurance, compliance, efficiency); Consider aspects such as competitive advantage, implementation risks, required skills and resources, and the timeline (e.g . maturation through continual improvement over a number of years). Define the ISMS's boundaries (which parts of the organization are included or excluded) and applicability (what it protects, usually just 'information'), perhaps discussing, comparing and choosing between a set of scope options. Ideally, outline the costs and benefits over the entire lifecycle of the ISMS, several years at least, to enable their pros and cons to be assessed realistically. Must we risk assess all our information assets? From the conformity and business perspectives, it is perfectly acceptable to move ahead with an inventory that is “good enough for now” since the ISMS incorporates the review and update processes as part of continuous improvement. Aside from being largely pointless, it is literally impossible to risk-analyse everything in depth ... so consider instead a multi-phase process: Focus on the information assets clearly within scope of the ISMS. You defined the scope for a reason, and this is part of it. Undertake a broad but shallow (high-level) risk assessment to categorise your most valuable in-scope information assets (the crown jewels), distinguishing those that deserve more in-depth risk analysis from those that will be adequately covered by baseline or general information security controls; Conduct more detailed risk analysis on individual higher-risk assets or groups of related assets to tease out the specific security concerns and hence control requirements. Document 'everything important' including management's criteria and decisions about the categorisation. Avoid analysis paralysis by remembering that information is a fluid asset, continually in flux. Even if you were theoretically able to cover absolutely everything today, the position would be slightly different tomorrow and substantially different within a few weeks, months or years. Don't forget the variety of information assets worth protecting: some workers' business or technical knowledge and expertise, for instance, is invaluable, perhaps irreplaceable: isn't that a risk? Is control [X] mandatory? Joking aside, this FAQ betrays a lack of understanding of the ISO27k way . Information security requirements are risk and context-dependent, hence the control requirements are determined by the organisation’s management examining its risks as best it can, determining its best options for dealing with whatever risks it identifies, and making investment decisions. Before this FAQ was published, this question was so frequent that, to save time and effort, we invite you to select one of the following answers: Yes, you need X because it is a basic security control that everyone needs. You'd be silly/negligent/risking the farm not to have it. No, X is not needed because we don't have it, therefore we consider it neither good practice nor best practice nor recommended. That depends - I'm a consultant with lots of letters after my name but you'd have to pay me $$$$ to answer your question. No, X is unnecessary because it is more costly than the incidents it prevents. Unless we are really unlucky anyway. Do ya feel lucky, punk? You tell me: have you assessed the information risks and identified a troubling risk that control X might mitigate? Have you decided that it would be better to implement X than some other risk treatment (avoid the risk, share the risk, accept the risk)? Is X the most cost-effective control in this situation? Does X adequately mitigate the risk and, ideally, others too yet without making the situation worse through additional complexity, procurement/management costs or whatever? Is X feasible? Yes because NIST/COBIT/SOX/NIS2/DORA/a little bird says so. Yes No Yes because it is “mandatory”, according to [name some authority figure here]. No because it is “optional” and/or was not explicitly listed in black and white as absolutely mandatory by [name some authority figure here too] Yes because it's the law [in country Y]. Only if your policies, plans, strategies, technical architecture, or internal standards say so. Yes if there is a positive R eturn O n S ecurity I nvestment, no if the ROSI is negative or if someone has seeded “reasonable doubt” or if there is something sexier on management's agenda this afternoon. Yes, absolutely - I am a vendor selling X. X is all you need. X is better than sliced bread. I'd sell both my kidneys to buy X ... Yes because we will get a bad audit report and/or grief from HQ if we do not have X. Yes because I've hears rumours that certification auditors expect or insist on it. Yes if X is one of several administrative, governance, management, process or assurance control requirements specified in the main body clauses. Aha! Yes if your management has determined that X is 'necessary', and you'll be sanctioned severely if you dare to countermand the edict, policy, instruction, demand or whatever it is. Not necessarily now but it will definitely be required in the future. Trust me. No because we cannot afford it at the moment. No because if you have it, then we have to have it too, else we will appear behind the times and that is BAD. Yes because we have it and you are Behind The Times. Do you even have to ask? Doh! OK OK enough already. While there may be an element of truth in all of them, the most correct, appropriate and sound answer is (arguably) #5. You will no doubt have spotted that it is the longest answer ... which poses a load more questions. The ISMS specified in ISO/IEC 27001 allows management to decide which information security controls are necessary for the organisation, based on their assessment of the information risks. If they have done the analysis, understood the risks and made a management decision, it is their right. However, any competent ISMS auditor would probably be concerned at the nature of the risk analysis that led to the decision to exclude commonplace controls, and would want to explore the documentation. The Annex A controls are confusing. Any advice? Unless you are a wizard, get professional help with the ISMS implementation program management, planning and execution. Information security controls are not entirely self-evident and mistakes can be costly, terminal maybe. ISO/IEC 27002 expands on the succinct control summaries in ISO/IEC 27001 Annex A with about a page of explanation and guidance per information security control. To be honest, even '27002 is succinct and leaves a lot unsaid, so to fill in the gaps we recommend asking Google, the ISO27k Forum, competent peers, perhaps even a trustworthy AI LLM (good luck finding one of those!). Consult specialists within or available to your organisation: most people are flattered simply to be asked their professional opinion. Furthermore, it pays to re-use (or at least check out) existing approaches, processes, tools, forms etc . where possible if information security is to become truly embedded in the corporate culture. Do we need all the Annex A controls? Take care when determining which information security controls are 'necessary' to mitigate unacceptable information risks in scope of the ISMS. As information security professionals, we tend to want to include and manage all the security controls, but management is likely to be most concerned about a smaller subset, implying a focus that can help prioritise whatever elements are most important to the business. Probably not. While demonstrable conformity with all the main body text of ‘27001 (the bits concerning the management system) is mandatory for certification, the controls in annex A are discretionary. Organisations choose whichever of those security controls they deem relevant and necessary to mitigate their information risks. Additional or alternative controls may be appropriate, perhaps those from other standards, laws, regulations and good practices. It’s a flexible approach that caters for quite different organisations and risks. Strictly speaking, certification does not even depend on the organisation fully implementing all the security controls that it has selected, so long as the management system satisfies the requirements of ISO/IEC 27001 . It is presumed that a compliant ISMS will successfully ensure that the information risks are in hand and will be treated due course, and indeed this is in the organisation's interests, regardless of certification, since failing to do so implies a failure to mitigate unacceptable risks – a governance issue. However, ISO/IEC 27001 clause 4.4 prompts certification auditors to check that the ISMS is in fact operational, not merely a paper tiger. Do we need any Annex A controls? Remember: the primary purpose of implementing an ISMS is to support or enable achievement of business objectives relating to the protection and exploitation of valuable information. Conformity and certification are subsidiary concerns. Maybe not, depending on precisely what you mean by 'Annex A controls'. Various information security controls (such as backups) are almost universally applicable: it would be very unusual (but not inconceivable) for management to determine that backups are unnecessary ... but they may well decide that the precise control wording in Annex A is not quite right. A.8.13 in "Information backup" says "Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. " It's reasonably obvious what that control wording is getting at but, studying it intently, word-by-word, like a lawyer, jobsworth auditor or anally-retentive infosec consultant, there are a number of concerns e.g .: 'Backup copies' is plural. A single backup copy may be adequate for some readily-replaced or recreated information. In fact, some information is ephemeral or of negligible value, with no need for backups at all. A.8.13, as literally worded, doesn't allow for such situations. 'Information' is an imprecise term. 'Software' is merely an example of a type of information, and 'systems' hints at computer systems and data, implying an IT or technology context ... but what about other forms of information, such as knowledge and intellectual property: must those also be backed up? What about information services and sources: do those need backups too? If so, how? What is the exact meaning of 'maintained' in A.8.13? What about 'tested'? These are also imprecise, vague terms. Might a certification auditor doggedly insist on seeing details about backup testing, test reports etc. if this control is identified as necessary in the organisation's SoA? 'The agreed topic-specific policy on backup' begs further questions about what it means to 'agree' a policy, what 'topic-specific' means, plus the origin and content of such a policy. Yes, that's a peculiar and unhelpful take on a commonplace control but it illustrates the problem of describing information security in a generic standard, since so many details are context- or implementation-specific. Management might therefore decide to rewrite the control wording to suit the organisation's particular situation, perhaps restructuring and simplifying the control statement, elaborating on certain aspects (such as applicability) or clarifying it to allow for necessary variations in practice, replacing A.8.13 with one or more 'custom controls'. Although not explicitly stated as such, this is perfectly acceptable, in accord with ISO/IEC 27001 Clause 8 and a reasonable, sensible interpretation of the standard. But why stop there? Management can legitimately determine that every Annex A control, as literally worded in the standard , is 'unnecessary', instead slecting a full set of custom controls that truly reflect the organisation's actual information risks and security requirements. That said, don't be surprised if certification auditors spot the lack of such commonplace controls as backups from the SoA and ask pointed questions about ensuring the availability of information! How can the ISMS Implementation Project Manager ensure success? Learn from other initiatives, both internal and external to your organisation and whether entirely successful or not. Seek out and adopt good ideas from all quarters. We can’t guarantee success but here are some trade secrets from the little black books typically maintained by experienced ISMS PMs: Become familiar with the business you serve. Get to know the department heads and the challenges they face. Try to see information risks and controls from their business perspectives, and look hard for situations in which strong, reliable information security is taken for granted or presents opportunities for new business activities that would otherwise be too risky. Cultivate business champions for information security in key areas, for example by talking to Sales people on how they win business and what would help them be more successful, asking the R&D boffins about the importance of keeping research secrets from commercial rivals, and checking how Finance department identifies and satisfies the accounting and tax obligations. Make friends with colleagues in related functions such as Risk Management, Legal/Compliance, Internal Audit, Site Security/Facilities and IT. Make time to explain to them how an ISMS will support what they do (which means exploring points of common interest), and garner their explicit support for the implementation project. Such people are often influential with senior management as well as their respective teams. Present ISO27k as a practical solution to current and future business problems rather than an academic set of controls. Solutions are more palatable than controls. Focus on the business outcomes of the ISMS rather than the ISMS itself. Continue to sell the ISMS as a solution to business needs and encourage other managers involved with security to adopt a similar business-focused attitude. Seek out and exploit strategic alignments. Remember that if the business is to adopt ISO27k and take on board a culture change, it should be perceived as empowering and enabling not restrictive and disabling. Tone down the technobabble and learn business-speak. Remember, IT is only part of the ISMS albeit an important one. Make a special effort to reach out to, inform and engage senior management up to board level: their understanding and support for the ISMS will facilitate the numerous changes necessary to business processes and systems as they are secured, and conversely their active or passive resistance will make your job much harder. Consider starting your management-level security awareness activities early in the ISMS implementation - even before your project is proposed and approved. Celebrate successes. Take every opportunity to write-up and share situations in which information security helps the organisation mitigate risks. Case studies and direct quotations from managers or staff who appreciate the value of the ISMS all help to spread the word: security is as much about saying “Yes!” as “No!” Oh boy! Isn't there just a simple checklist? There are a handful of published security guidelines, advisories or standards for S mall to M edium-sized E nterprises, offering simplified guidance and, often, checklists ... but even they need to be interpreted and applied sensibly in any given SME. Read the "Adaptive SME Security" paper in the ISO27k Toolkit for more. Not really, at least not within ISO27k. It's just not that easy. Protecting valuable information is a complex challenge, given that there are so many factors to take into consideration e.g .: Numerous possible threats, vulnerabilities and impacts; A large number and variety of information assets to protect; Questions about the meaning of 'protection' e.g. to what extent? How much assurance is appropriate? Who actually determines what protection is needed anyway, and how? Finite resources and other priorities and objectives, aside from infosec; Dynamics: nothing much stays still for long in this field. An effective ISO/IEC 27001 ISMS using a comprehensive suite of controls drawn from Annex A, ISO/IEC 27002 and other sources or security standards such as NIST SP 800-53, should satisfy and in fact exceed conformity expectations or compliance obligations, while simultaneously generating additional business benefits by satisfying the organisation's specific business requirements. So, wise up! Take a step back to consider the broader business context within which information security exists, and the myriad issues at stake. Think about the practicalities of attempting to identify and protect all your information assets against all significant security risks. If you examine the costs and benefits honestly, investing in an ISO27k-style ISMS or a similar 'framework' is an effective way to deal with this. You can limit the effort by deliberately restricting the scope, reducing the problem space somewhat. That may give you the chance to establish and gain experience with the management system ... but it also limits the potential benefits and is not necessarily the best long-term solution. You can also be smart about designing and implementing the ISMS to align closely with and support business objectives, especially concerning the organisation's information risks. Previous Up Next