Achieving compliance with ISO 27001 and 27002 standards is a daunting process. It can take months and require extensive resources. As a result, it is indeed a major business decision whether to launch such a project.
Before committing to the process, it's critical to know not only why the standards can help an enterprise, but also how to ensure an organization has the prerequisites in place to achieve compliance with the standards. In this tip, we'll offer a brief breakdown of ISO 27001 and 27002 as well as key considerations for organizations that are deciding whether to pursue either certification.
ISO 27001/27002: The basics
ISO 27001 and 27002 are two complimentary standards for information security systems and processes, with 27001 focusing on management and 27002 providing the necessary controls to make 27001 possible. Both certifications focus on performing risk assessments and then making the appropriate changes to policies, processes (ISO 27001) and controls (ISO 27002).
ISO 27001 and 27002 standards have been popular for quite a while in Europe, particularly with financial institutions. They just started becoming popular here in the U.S., especially among companies that do a lot of business overseas, where customers expect compliance with the standards. The perception is that only highly mature organizations are capable of achieving ISO compliance, thus making it a competitive advantage among its security conscious customers. Also, given the difficulty of becoming certified, continuing compliance with the standard may save time and money on customer mandated audits or reviews; these audits could be replaced by providing the documentation establishing compliance, much like a SAS70 is used today.
ISO 27001/27002: Key considerations
There are five important questions to ask that will help an organization decide whether to pursue ISO 27001 or ISO 27002 compliance. They are:
- What will it cost the enterprise to achieve compliance, in both hard and soft currency? For example, consider dollars spent on new tools and consultants, as well as the cost of not doing other projects, and time lost performing processes you wouldn't normally do.
- Will achieving compliance give the enterprise a significant competitive edge over its peers? (i.e., "We're more secure than they are."). How much new or retained business can you associate with being ISO compliant?
- Does the enterprise need to achieve certification because its competitors have already done so in order to remain competitive? (i.e., "We're just as secure as they are.") In other words, how much business is the enterprise losing because its peers are compliant and it's not? This is particularly necessary for those going into business in the EU, since non-compliance often means that potential customers will not even start a conversation with your enterprise.
- Will achieving and maintaining certification save money, time and effort in the long run by aiding other compliance efforts? (i.e., "Hey auditors, we're ISO 27001/27002 certified, so you know we already have specific controls in place.") What is the organization spending now on audits for other certifications and regulations and how much of that will go away if the organization can demonstrate ISO compliance.
- Do enough customers require the certification in order to do business with us? Essentially, what percentage of the enterprise's customers who are asking us for ISO certification can be deprioritized before losing their business damages the bottom line?
All five of these questions are business questions and have nothing to do with physical controls, technical controls, policies, processes and procedures. In fact, you as the security manager or CISO can only answer question one and, depending on your scope of responsibility, possibly part of question four. So it will be necessary to gather the information on question one, then approach the appropriate people to get answers for numbers two through five.
Getting these answers will require talking to many people and groups -- sales, marketing and audit departments, the CFO, the CIO and quite likely the CEO -- until you have enough data to make a recommendation to the executive group as a whole. If the answer to question one is outstripped enough by the answers to questions two through five, then the executives will likely approve the project.
If an ISO 27001 or ISO 27002 certification project is approved, beyond having copies of the standards, there are two things are useful when getting the project started. One is finding a project manager with past experience implementing ISO standards (an important cost to consider for question one above). The other is converting the assorted requirements into a spreadsheet, then mapping existing policies, procedures and controls as best as possible to the ISO standards.
At this point, you will have a general list of what fits the ISO requirements and what is missing. To assist in this process, there are a number of organizations, such as UnifiedCompliance.com, which have pre-built spreadsheets of this nature. You can use these spreadsheets as a starting point for a risk assessment, which will help you prioritize the necessary changes to your environment. This doesn't have to be a rigorous assessment using OCTAVE or FAIR; an ad hoc process can also work if you have the right subject matter experts available. What precisely will need to be changed will of course vary heavily from organization to organization.
Once the appropriate changes have been made, document what you've done for each control and why (this is known as a "statement of applicability"). With this step completed, hire an independent, authorized third-party auditor. That person (more likely a team of people) will come in and assess the organization and either grant certification or make recommendations for what needs changing.
While the road to ISO certification standard compliance can be a long one involving many steps, the payoff can be worthwhile not only in augmenting security processes and controls, but also by opening doors to business opportunities in new markets and raising customer confidence.
About the author:
David Mortman is a Contributing Analyst with Securosis, Inc., as well as CSO-in-Residence for Echelon One, where he is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led up Siebel's product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys and Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.
This was first published in December 2009