Is ISO 27001 worth it?
I took the Certified ISO 27001 Practitioner course last week, studying the requirements and principles of ISO/IEC 27001:2013, and the issues and challenges involved in implementing an information security management system. Achieving certification before doing the course helped me get more out of it, and gave me a better appreciation of just how effective this standard is, regardless of the size of your organisation.
It’s not a scout badge
Some organisations (or rather, some senior staff within those organisations) see the standard as some kind of scout badge, an award which makes all the things secure. It doesn’t; it just enables you to implement an Information Security Management System (ISMS) which, if you run and maintain it effectively, will identify and manage information security risks.
There are any number of ways you can be certified and still fail:
- You define a scope which excludes important and/or vulnerable assets, which are then disclosed or damaged in a breach.
- You don’t maintain the systems or processes which formed part of the ISMS, which then leads to increased information security risk, and potentially a breach.
- You fail to identify the correct controls from Annex A to manage your information security risk, which leads to a breach.
The point of the standard is not to guarantee security (nothing can do that). It’s to give you a management system which helps you reduce your organisation’s information security risk, and provides you with the corresponding evidence should it be required.
Scope is everything
The reason for adopting the standard (either aligning with the standard, which is self-declared, or being certified, which is validated by independent audit) will probably influence or dictate your scope. A requirement from a key customer, advantage over a competitor, and regulatory compliance may all inform, if not dictate, your scope. However, be very careful to balance those external drivers with your organisation’s priorities and capabilities, because scope is the foundation upon which the entire ISMS is built. Define it too broadly and you’ll struggle to ever get to certification; too narrowly and it won’t be very useful in protecting your organisation’s information assets.
Get the scope right, and the rest will follow. Having defined your scope, you can define your information security policy, roles and responsibilities, risk assessment, risk treatment, and statement of applicability. Or, to try and summarise an ISMS in simple steps:
What (are we securing?) > Why (are we securing it?) > Who (is responsible?) > Which (risks are we treating?) > How (do we treat them?).
What makes the standard so effective is that it is proportionate, through the scope (which focuses your effort where it’s needed) and the risk assessment and treatment (where your risk appetite is your choice). The result: you only spend your resources on managing risks which matter to your organisation.
There’s a lot of use of ‘relevant’, ‘appropriate’, and ‘necessary’ in the standard, which stresses the importance of your ISMS being suitable for your organisation, rather than something externally imposed with no context. I particularly like the note about documented information:
“The extent of documented information for an information security management system can differ from one organisation to another due to:
1) the size of organisation and its type of activities, processes, products and services;
2) the complexity of processes and their interactions; and
3) the competence of persons”
To me that reflects the tone of the standard generally, and it’s one of the reasons I like it.
If people struggle to get their head around the standard, and the concept of an ISMS, it’s fundamentally a three-step process:
- Identify risks
- Implement controls to reduce risk to acceptable residual levels
- Review, Repeat & Continually Improve.
Some of this is already done in an ad-hoc way in almost every organisation. Someone already thought “We might get infected by malware, get an anti-virus product installed on every PC and laptop”. What this management system does is give you a more reliable, consistent and effective way to identify and manage those risks.
Audit and review to learn
Developing an ISMS will take time (be warned it will probably be months, not weeks!) but eventually you’ll reach a point where you think “I think we’re ready for certification”. If you haven’t already conducted at least two internal audits, you’re probably not ready. Ideally, you should audit a significant chunk of your ISMS, and certainly the most critical risk treatment plans. Don’t see internal audits as a box-ticking exercise to keep someone else happy; they’re an effective way to check your own work, and learn from any mistakes made.
Management Review is also a key learning tool, in that it keeps top management informed about the progress being made, but can also highlight flaws in your systems, including lack of awareness amongst staff (at any level), or issues with the suitability of the system to your organisation. I’d recommend you’ve had at least two of these reviews before you engage a certification body.
Expect to fail, that’s OK
Your first effort at this will not be your best; expect to find flaws and make mistakes. The point of a good management system is that it is effectively a self-healing system, designed to detect and resolve problems through performance evaluation, internal audit, management review, and even security events and incidents.
The satisfaction I’ve personally experienced has been seeing the ISMS which we originally set up over a year ago survive staff turnover (including the primary architect of its first iteration), organisational change, the continual pressure of business as usual, and still continually improve, and still help us demonstrably reduce our information security risk.
No matter how small your organisation, or how big, I think this standard is your best approach to consistently reducing information security risk, and being able to demonstrate that diligence. If a breach comes (and it’s probably when), and insurers or regulatory bodies get involved, being able to prove that you have been diligent may make the biggest difference of all!