In March 2007, Forrester Research interviewed 10 chief information security officers (CISOs) from various industries. Their security programs were at different levels of maturity. Although the officers' individual responses varied based on their environments, their overall goals and challenges were quite similar. Adopting a more strategic security approach was by far the most common issue on the minds of CISOs.
CISOs have been striving for visibility within their organizations, and they are finally starting to get it. Their increased importance to the business, however, is new territory for CISOs, and many are having a hard time aligning technology priorities with business ones. On top of that, regulatory compliance has frustrated many CISOs; lately, they have been spending a lot more time arguing over the minutiae of regulations instead of working to secure the enterprise.
To relieve some of this pain, many information security leaders are turning to a principles-based framework. Such security guidelines can not only help them address multiple regulations simultaneously, but they can also provide CISOs with a more comprehensive grasp of the security universe for which they are responsible.
ISO 17799 seems to be the framework of choice for CISOs across the globe. The standard (ISO 17799) and its accompanying certification (ISO 27001) provide a comprehensive set of requirements for the implementation of security controls that can be customized to the needs of individual organizations. Many organizations choose to pursue the formal certification, but the majority do not; they still plan to use the standard as the basic building block of their security program. "I am not planning to pursue the formal certification," said one chief information security officer from a large financial services company, "but I still want to use the framework to assess my security controls and develop priorities for my organization."
ISO certification does not always go smoothly. Many security professionals think that they can use a framework to develop their organizations' security strategy, but they soon find out that the process is more complicated than they anticipated. A certification standard like ISO 17799 has to be customized to an organization's individual requirements and objectives. Think of it as the framing of a house: with the framing, you can see what the house looks like, including all of its rooms. But it is still up to you to customize it by putting in the drywall, carpeting, plumbing and woodwork.
Still, taking the time to make ISO 17799 a part of an enterprise's security management strategy is a worthwhile effort. It has become the industry's most common security framework because it is:
- Globally adopted. While other security standards, like the Information Security Forum's Standard of Good Practice, may offer guidance that is just as relevant or perhaps even more so, they have not been as widely adopted or supported as 17799. With ISO 17799's 2005 revisions, many concerns about the standard have been laid to rest. While there is always room for improvement, Forrester fully expects 17799 to continue to be the leader in security standards/frameworks for information security management.
- Comprehensive. While other standards like the Payment Card Industry (PCI) Data Security Standard or Europe's Data Protection Act may focus on individual geographies or industries, ISO 17799 has been cleverly crafted to work well across industries and geographies. Additionally, the standard addresses areas that are typically not considered information security responsibilities, such as physical security, business continuity and asset management. The CISO may not be directly responsible for these realms, but he or she still has to make sure that adequate controls exist in those areas.
- Aligned with other frameworks and mapped to regulations. Since the ISO organization comprises more than 100 international standards bodies, ISO has consciously made this standard consistent with most of the other global information security audit and control standards. Many of them already map to the ISO standard or can be easily mapped. Therefore, this standard can be the common framework that links to all other standards, regulatory requirements and corporate governance initiatives. And developing a certification plan that leverages an organization's many security governance initiatives can substantially reduce effort and lead time. If an organization is required to comply with regulations such as the Basel banking standard or those of the Sarbanes-Oxley Act of 2002, proving compliance will just be a matter of mapping the regulatory requirements to the ISO controls.
While pursuing the certification is a valuable initiative, it requires a significant amount of effort and a long-term commitment from management. It is not a one-time project, but an ongoing process. The certification effort is doomed to fail unless:
- A business case is developed. ISO standard compliance is voluntary; it is not required by any law or regulation. Before embarking on the certification trail, organizations must carefully evaluate the costs and benefits of having it. If the overhead of obtaining the certification outweighs the potential benefits to the organization, then it may not make sense to go after it, though using the standard as a framework can still be valuable.
- Management is forced to take an active role. The requirements of this standard not only make management accountable, but also ensure that they stay involved in the risk management process. If an organization creates controls that are not enforced, or performs a risk assessment without properly responding, management will be held liable. Hence, management should help create realistic controls and make sure that risk assessments are addressed in a timely fashion.
- The security scope is carefully defined. The scope should identify not only the exclusions, but also the inclusions. ISO 27001 provides the controls required to address generic information security risks. It may not contain controls that address all of the threats faced by your organization; only a careful risk assessment can identify these inclusions. Conversely, not all controls may apply to an organization. It's important, however, to determine each guideline's applicability and document what is left behind.
- Measurement metrics are defined. The standard mandates the development and maintenance of information security controls, but appropriate measurements for each control are what make these controls effective. The remote access policy, for example, may stipulate that no remote administration will be performed for critical systems, but it's important to translate the policy into quantifiable metrics: How many people tried to access critical systems? How many succeeded? Were there any exceptions granted? What percentage of remote access users have access to these systems?
- A realistic certification timeline is set. Getting certified as quickly as possible should not be the goal. Develop a certification plan based on the company's culture and maturity. Organizations should initially define a narrow scope and expand to other areas of the organization over time.
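The remote access policy above is easiest to measure when the four questions are computed from the access log itself. The following is an added example, not part of the article: the log format, the set of critical hosts and the exception register are all constructed assumptions, and the metric names are hypothetical.

```python
"""Compute the article's remote-administration metrics from access-log records.

Added example, not from the original article. The record layout, the critical
host list and the exception register are constructed for illustration."""
from collections import namedtuple

# One record per remote session attempt (constructed format).
Access = namedtuple("Access", "user host admin succeeded")

# Constructed scope: hosts covered by the "no remote administration" rule,
# and the documented exceptions (users granted remote admin on them).
CRITICAL_HOSTS = {"db-prod-01", "pay-gw-01"}
EXCEPTIONS = {"alice"}

# Constructed sample log.
REMOTE_ACCESS_LOG = [
    Access("alice", "db-prod-01", admin=True, succeeded=True),   # covered by exception
    Access("bob", "pay-gw-01", admin=True, succeeded=True),      # policy violation
    Access("carol", "db-prod-01", admin=True, succeeded=False),  # blocked attempt
    Access("bob", "wiki-01", admin=True, succeeded=True),        # not a critical host
    Access("dave", "pay-gw-01", admin=False, succeeded=True),    # non-admin use
    Access("erin", "wiki-01", admin=False, succeeded=True),
]


def remote_admin_metrics(log, critical_hosts, exceptions):
    """Answer the article's four questions and list the sessions needing follow-up.

    People are counted once each, so repeat attempts by one user do not inflate
    the numbers; the percentage is rounded to one decimal place."""
    attempts = [a for a in log if a.host in critical_hosts and a.admin]
    successes = [a for a in attempts if a.succeeded]
    # A success is a violation only if no exception covers the user.
    violations = [a for a in successes if a.user not in exceptions]
    remote_users = {a.user for a in log}
    with_critical_access = {a.user for a in log
                            if a.host in critical_hosts and a.succeeded}
    pct = 100.0 * len(with_critical_access) / len(remote_users) if remote_users else 0.0
    return {
        "people_attempting_remote_admin": len({a.user for a in attempts}),
        "people_succeeding_remote_admin": len({a.user for a in successes}),
        "exceptions_granted": len(exceptions),
        "pct_remote_users_with_critical_access": round(pct, 1),
        "violations": sorted((a.user, a.host) for a in violations),
    }


if __name__ == "__main__":
    for name, value in remote_admin_metrics(REMOTE_ACCESS_LOG, CRITICAL_HOSTS, EXCEPTIONS).items():
        print(f"{name}: {value}")
```

In a real program the log would be read from the remote access gateway and the exception register from the risk-acceptance records the standard already requires you to keep, so the metric is reproducible at each review.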
It's clear that ISO 17799 certification can be a long process requiring an organization-wide commitment. However, if executed properly, it can successfully help bridge the gap between an organization's technological and business needs, as well as improve security management and make future compliance processes easier.
About the author
Khalid Kark, CISSP, CISM, is a senior analyst with Forrester Research in Cambridge, Mass., where he covers security strategy, including communication strategies, security organization, and the role of information security in corporate governance.