What is ISO 27001:2013?
The ISO/IEC 27001 standard provides a framework for an Information Security Management System (ISMS). It enables an organization to carry on its business activities while preserving the confidentiality, integrity and availability of its information, and to remain compliant with its legal obligations.
Why ISO 27001:2013?
Security of information should be a top priority for any organization. With cyber-related crime growing, it is essential for every organization to secure its information. Information is an asset that has value to the organization and therefore needs to be suitably protected.
Information may include the current business plan, future plans, intellectual property, employee records, customer details, business partners' records and the financial records of your business. It may also include trade secrets that must not fall into the hands of external parties.
Information may not only be stolen; it can also be lost through system failures. Misuse of information can damage the reputation of your organization, and because certain information is irreplaceable, losing it can be a serious blow to your business.
ISO 27001:2013 is the internationally recognized best-practice framework for an ISMS. Certification is not only about putting technical measures in place; it also requires that business controls and management processes are in position, and that they adequately address the information security threats and opportunities you have identified and evaluated in your risk assessment.
The standard can be independently certified and covers people, processes and technology. It applies to all organizations regardless of their size, type and nature. In brief, ISO 27001 provides a central, structured approach to an ISMS that can be built on easily as future business compliance demands grow.
BENEFITS OF IMPLEMENTATION OF ISO 27001:2013
The benefits of obtaining certification against the ISO/IEC 27001:2013 standard are numerous.
General to all businesses and industries:
· Increased data security.
· Improved business functioning, by helping to identify and document processes.
· Improved staff security awareness, through the requirement for regular awareness training.
· Increased ability to comply with the GDPR.
· Competitive advantage and business differentiator, as many third parties now prefer partners with ISO/IEC 27001:2013 certification.
· Enhanced reputation, as ISO/IEC 27001:2013 certification is widely recognized.
Businesses with specific requirements:
· Meet requirements to do business with third parties, as organizations in some industries require their partners to be certified.
· Assist in meeting industry and regulatory requirements; many industries have enhanced regulatory requirements, and ISO/IEC 27001:2013 certification satisfies many of them.
· Demonstrate compliance with third-party audit requirements, thus minimizing audits; holding ISO/IEC 27001:2013 certification usually reduces the scope and/or frequency of third-party audits, freeing up business resources.
IMPORTANT CONSIDERATIONS
When looking to implement an ISO/IEC 27001:2013 ISMS, there are some important considerations you need to be aware of before starting the process.
An ISMS is not an IT or technical system; it is first and foremost a business system. There are certainly many technological elements within an ISMS, and IT involvement will be required, but the implementation and direction of the ISMS must come from senior management. From planning, creation and implementation through operation and continual improvement, the ISMS must be led from the top.
It is vitally important to understand that for an ISMS to be effective and to complement your organisation, it has to be created FOR the business, BY the business. This is not to say that outside assistance should not be sought; in fact, it will almost certainly be required. Rather, it means that the risks and controls identified, as well as the policies, procedures and workflows written for the ISMS, must have direct input from stakeholders within the company. If this is not done from the start, the resulting ISMS will likely not fit your organisation's culture and will not be accepted and embraced by employees.
For most companies, implementing an ISMS will involve changes across the entire business. This requires an element of change management, and it is important to involve all employees in the development of the ISMS, not just management and consultants.
Another important consideration when embarking on the journey of implementing an ISMS is the time commitment that will be required. On average, companies need between 8 and 12 months to create and implement a basic ISMS that meets the requirements of the Standard for certification. However, this is just the beginning of the time commitment: operating and improving the ISMS on a daily basis will, depending on the organisation's size and the complexity of the ISMS, require approximately a quarter of an average employee's time.
You must be able to show the auditor(s) evidence for any process or procedure that you document. For example, where your Awareness Policy states that you conduct staff awareness training annually, you need to maintain records of that training as well as evidence of its effectiveness. Simply sending staff a quarterly email with a link to a presentation will not be sufficient.
1. Compliance
It might seem odd to list this as the first benefit, but it often shows the quickest "return on investment". If an organization must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO 27001 provides a methodology that enables it to do so in the most efficient way.
2. Marketing edge
In an increasingly competitive market, it is sometimes very difficult to find something that differentiates you in the eyes of your customers. ISO 27001 can be a genuine unique selling point, especially if you handle clients' sensitive information.
3. Lowering expenses
Information security is usually considered a cost with no obvious financial gain. However, there is a financial gain if you lower the expenses caused by incidents. You probably do experience service interruptions, occasional data leakage, or disgruntled employees. Or disgruntled former employees.
The truth is, there is still no established methodology or technology to calculate how much money you would save by preventing such incidents. But it always sounds good if you bring such cases to management's attention.
4. Putting your business in order
This one is probably the most underrated. If your company has been growing sharply for the last few years, you may experience problems such as: who decides what, who is responsible for certain information assets, who has to authorize access to information systems, and so on.
ISO 27001 is particularly good at sorting these things out: it forces you to define responsibilities and duties very precisely, and therefore strengthens your internal organization.
Drawbacks/Problems when implementing the ISO standard in your organization
Weakness 1 – It's a security management system of your own specification.
To use a metaphor, ISO 27001 allows a business to set its own high-jump bar, document how tall it is and what it is made of, and how it intends to jump over it, and then jump over it. The certification body simply declares that the business has successfully performed a high-jump over a bar of its own design. The design and height of the bar do not have to be published or released to partners. In practice this means a certificate attests that the organisation operates the ISMS it defined, not that the controls it chose are strong enough for your purposes.
Weakness 2 – Scoping
Organisations can scope the standard to their entire business, or to a specific business unit, process or site. Take the example of a well-known online American bank that scoped ISO 27001 purely to its marketing department.
One of the challenges of the standard is that the logo and branding associated with certification do not identify the scope, for obvious practical reasons. This may mislead customers into thinking that the whole organisation, rather than a specific part of it, is compliant.
A clear statement of scope, identifying precisely which business functions are included, is only available by viewing the actual awarded certificate, which is usually closely guarded by the company. When relying on a partner's certification, ask for the certificate itself and check that its scope statement actually covers the services you consume.
Weakness 3 – Industry Take-up and Understanding
The wide-scale adoption of and alignment with ISO 27001 across both the public and private sector has been exceptional, to say the least. ISO 27001 is seen internationally as the information security management standard.
Actual certification of organisations against ISO 27001, however, has been slow. At the last count there were only 550 companies in the UK that had registered for certification. Compare that to a whopping 4061 in Japan. I believe this slow take-up is due to two main reasons: 1) misunderstanding of what the standard is, and 2) perceived high project cost. These two are strongly interlinked.
Misunderstanding – ISO 27001 is still seen, wrongly, as a technical security standard. I often hear organizations say that "we align ourselves with 27001 but the standard is too high to go for certification". Organizations see it as both technically and procedurally challenging, adding extra overhead to their business. My experience has been that they are usually close to, if not already operating to, the 27001 specification; what they are lacking is a few pieces of documentation to square the circle.
Cost – ISO 27001 is still seen, again wrongly, as an expensive standard to adhere to, requiring premium technology and heavily documented processes. This is exacerbated by over-eager implementers who typically (although not always) over-specify or over-interpret the requirements of the standard. Registering and maintaining ISO 27001 can cost an organisation as little as £750 a year. Compare that to the whole-time-equivalent (WTE) staff effort required to meet with and respond to customer audits, and it is a small outlay.
Weakness 4 – Business to Business
While ISO 27001 can obviously give business-to-business relationships a competitive advantage, it is unlikely to influence business-to-consumer relationships. Consumers see through the logo, if they notice it at all, as just a marketing gimmick.
A prime example of "transparent logo" syndrome can be found with the Investors in People certification. Over 25,000 organisations hold Investors in People status, and yet prospective employees' awareness and understanding of what this means is extremely limited.
Weakness 5 – Is it truly an independent assessment?
Recently the monopoly of the 'Big Four' audit firms (PwC, Deloitte, EY and KPMG), which audit 97% of the FTSE 350, came under scrutiny, mainly because of their 'disconcertingly complacent' role in the financial crisis.
This appears to be history repeating itself. The collapse of Enron, the largest bankruptcy in U.S. history at that time, and the trial of Arthur Andersen, Enron's auditing firm, on charges of obstruction of justice for shredding Enron documents, provide a sound example of the inherent weakness of trusted third-party audit.
The audited are also the paying customers, which risks undermining the independence of the assessment.
Negative Impacts
· Staff sometimes see it as extra work.
· Because it is a standard, people may regard it as a bother to comply with.