Security Management Strategies for the CIOOur organization is looking to gain ISO 27002 certification and I'm trying to take steps that would make this difficult process a little less difficult. There are a ton of security auditing applications out there, but what I am looking for is an application that I can use to define security parameters that I wish to apply, and then utilize that application to not only audit for non-compliance, but also have it make all (or most) of the changes for me. Do you know of any such application? If not, what process can help us?
Requires Free Membership to View
What you are looking for is the holy grail of security auditing tools. While there are, in fact, a variety of auditing tools out there, the ones that can audit and also directly apply changes are point products that are designed to handle specific situations. The tools that give you a solid overview of your security status don't have the ability to make the changes you need. Wrapping the two styles of tools together will go a long way toward enhancing security, but you will still be missing a large (if not the entire) portion of the process and policy space.
Fortunately, there are two tools that you (hopefully) already have at your disposal:
- A spreadsheet -- As you've probably already discovered, ISO 27002 is broken up into 12 main sections. I recommend creating a spreadsheet with at least one worksheet for each section. From there, break down each section into appropriate policies, procedures and controls. There are several organizations that sell pre-made spreadsheets for this purpose, but keep in mind that ISO 27001/2 is flexible, so even with a commercial product, some editing will be necessary to cover your specific situation. Some auditors will also pre-share their own lists; this is something to consider when negotiating during the contract phase. Regardless of how the spreadsheets are generated, they will serve as a basic outline for measuring your current state, as well as your target state for certification.
- Project management skills -- Once you have your spreadsheet, these skills come to bear through the simple -- yet not necessarily easy -- job of prioritizing and implementing the necessary changes to achieve certification. The level of difficulty of prioritization is going to depend heavily on how complete the current information security program is. One way to do this is to take the spreadsheets from above and rate each objective on three metrics:
- % complete
- criticality
- cost to comply
Then add these three numbers together and you'll have some data to compare the tasks to each other. If the company has a more formal risk management process in place, leverage that for the rankings instead.
For more information:
- Learn how to apply ISO 27002 to PCI DSS compliance.
- Is the Orange Book still relevant for assessing security controls? Read more.
This was first published in February 2009
Join the conversationComment
Share
Comments
Results
Contribute to the conversation