Martin Smith highlights some of the key differences in the new 27001 standard, and considers some of the benefits and associated challenges in adopting the standard.
Introduction
British Standard BS 7799 (Parts 1 and 2) has been internationally recognised as best practice in the field of information security management for a number of years. It has been revised several times since its inception in 1995 in terms of both structure and content and, in 2000, Part 1 became an international standard (ISO 17799).
Part 2 is now also an international standard, re-numbered as ISO 27001, part of the evolving ISO 27000 series. ISO 27001 was released in October 2005, and has immediately become one of the best selling and most popular standards.
Changes to the standard
The first point to underline is that the new international standard is not significantly different from the British version of the standard; it was not the intention of the International Standards Organisation (ISO) to contradict or drastically change what had gone before, or to impose unnecessary extra work on organisations already using it. All international and national standards are subjected to a periodic review process. The review cycle for the transition from BS7799 to ISO 27001 saw some 4,000 comments submitted by national standards organisations. As part of this feedback it was determined that the standard needed a refresh and additional clarity to help its successful adoption as the internationally recognised best practice.
As a result a number of structural changes have been made to 27001, such as the creation of a new section on incident management using controls previously found in the personnel section. There are now a total of 133 controls in eleven sections. There are eight new control objectives, five consolidated or combined controls, 17 new controls to cover additional issues and nine deleted controls.
The most significant change is the new requirement to measure the effectiveness of the controls (or groups of controls) that are implemented. The rationale is that you cannot properly manage what you cannot measure, and there is limited benefit in implementing something whose usefulness you cannot measure.
The management processes implemented for ISO 27001 are based on the Deming cycle of continuous improvement: Plan-Do-Check-Act. Measuring effectiveness is a critical element of improving information security management, and hence realising business benefit and flexibility in a changing environment.
While this may be relatively straightforward for the more technical controls, such as the time taken to deploy upgrades and patches to servers, or to update anti-virus profiles on user desktops, it will be more challenging for others, such as measuring the overall effectiveness of the ISMS or compliance with relevant legislation. Helpfully, this difficulty has been recognised by the ISO, and the stipulation will be supported by a further new guidance standard on ISMS measurement (ISO 27004), although this is still only at an early stage of drafting.
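As an added illustration (not from the article), the following Python script measures one of the 'straightforward' technical controls mentioned above, the time taken to deploy patches to servers, as a Check-phase input to the Plan-Do-Check-Act cycle. The patch records, server names, reporting date, target window and threshold are all constructed or assumed policy values, not figures from the standard.

```python
from datetime import datetime

# Constructed sample records (not from the article): vendor release time of a
# critical patch and when each server finished deploying it (None = not yet).
PATCH_RECORDS = [
    {"server": "web-01", "released": "2006-03-01T09:00", "deployed": "2006-03-03T14:00"},
    {"server": "web-02", "released": "2006-03-01T09:00", "deployed": "2006-03-10T08:00"},
    {"server": "db-01",  "released": "2006-03-01T09:00", "deployed": None},
    {"server": "app-01", "released": "2006-03-01T09:00", "deployed": "2006-03-05T17:30"},
]
# Assumed reporting date for the measurement run.
REPORT_DATE = datetime.fromisoformat("2006-03-12T00:00")


def patch_latency_days(record, as_of):
    """Days from patch release to deployment. An undeployed patch has a latency
    that keeps growing, so it is measured up to the reporting date `as_of`."""
    released = datetime.fromisoformat(record["released"])
    end = datetime.fromisoformat(record["deployed"]) if record["deployed"] else as_of
    return (end - released).total_seconds() / 86400


def measure_patch_control(records, as_of, target_days=7, threshold_pct=90.0):
    """Check phase: share of servers patched within the target window, compared
    with the threshold set in the Plan phase. `target_days` and `threshold_pct`
    are assumed organisational policy values, not requirements of ISO 27001."""
    latencies, open_items, within_target = {}, [], 0
    for r in records:
        days = patch_latency_days(r, as_of)
        latencies[r["server"]] = days
        if r["deployed"] is None:
            open_items.append(r["server"])      # unpatched never counts as on time
        elif days <= target_days:
            within_target += 1
    total = len(records)
    pct = 100.0 * within_target / total if total else 0.0
    return {
        "total": total,
        "within_target": within_target,
        "pct_within_target": pct,
        "open": open_items,                      # Act phase: items needing follow-up
        "max_latency_days": max(latencies.values(), default=0.0),
        "latencies": latencies,
        "effective": pct >= threshold_pct,
    }


if __name__ == "__main__":
    result = measure_patch_control(PATCH_RECORDS, REPORT_DATE)
    for server, days in result["latencies"].items():
        print(f"{server}: {days:.1f} days")
    print(f"{result['pct_within_target']:.0f}% within target; "
          f"control effective: {result['effective']}; open: {result['open']}")
```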
In many cases the new standard is more explicitly stating what should already be in place in organisations claiming compliance with the standard, for example, the need for senior management commitment. Another difference is a greater focus on security within third party contracts and how that service delivery is monitored, managed and change controlled.
This implicitly links the standard to ISO 20000 (formerly BS 15000) for IT Service Management; many organisations are looking to implement the two standards as part of the same overall strategy. The terminology used in the new standard has also changed slightly; it has become 'internationalised' so it is no longer UK-specific.
The interpretations that differ most widely are probably those relating to national legislation. The standard is also designed to be compatible with other standards, notably ISO Guide 73 on risk management terminology and ISO 15000/ISO 20000.
The future of 27001
For organisations already compliant or certified to BS7799 there should not be any major issues in becoming compliant or certified to 27001. Any existing certifications will convert to the new standard as part of the normal cycle of audits and in collaboration with accredited certification companies. Accredited audit bodies are already certifying to 27001 and will not issue certificates to BS7799 after April 2006.
All existing certifications will need to be transferred by April 2007. The standard previously came in two parts: BS7799 Part 1 (also known as ISO17799), which provides detailed guidance on implementing the controls, and BS7799 Part 2, which included the specification for implementing the Information Security Management System (ISMS).
Part 2 also included the full set of controls listed in Annex A. There has now been a conscious effort on the part of the ISO to extend and develop the two parts of the standard into a 'family' or series of linked standards, each providing additional guidance on successful implementation. The following supplementary standards are either planned or already being drafted:
ISO 27000: Principles and Definition;
ISO 27003: Implementation Guidelines;
ISO 27004: ISMS Measurement;
ISO 27005: Risk Management.
It should be noted that only 27001 can be formally certified against. Subsequent numbers in the series can be used for further guidance standards.
Challenges and benefits
For organisations not yet compliant with the standard there will be a certain amount of work to be undertaken, largely dependent on what is already in place in terms of information security management and security controls. Some elements of the standard will require a significant input of resources in order for compliance requirements to be met; typically these are aspects of the Information Security Management System (ISMS) rather than individual controls.
For example, defining security responsibilities within an organisation, implementing a Security Forum, carrying out a formal risk assessment or conducting internal security audits can all be major overheads if such management controls are not already in place. Organisations need to consider carefully how these will be resourced. There are, however, significant benefits to implementing the requirements of the standard.
Security controls in place should be based on risk justified metrics, leading to increased visibility of the risk, improved risk management and a reduction in overall operational risk. The instigation of internationally recognised good practice in information security will be of benefit to any organisation. Increasingly, assurance to third parties and trading partners is required, and often stipulated in formal contracts, Operational Level Agreements or Service Level Agreements.
This is particularly common where commercial outsourcing companies are providing services, often relating to IT, to public sector organisations. We live in an increasingly regulated world: we are required to comply with legislation emanating from the UK, the European Union, the United States or anywhere that business is conducted, with the penalties for breaches similarly increasing.
Most notably this is happening in the financial sector, where there is an increased focus on compliance with regulations such as BASEL II, FSA requirements and SOX legislation. ISO 27001 is relevant to many of these obligations as it specifically requires organisations to take information security management seriously and to maintain evidence of this.
The new Turnbull guidance (October 2005), for companies listed on the London Stock Exchange, stresses that 'a sound system of internal control contributes to safeguarding the shareholders' investment and the company's assets.'
ISO 27001 forms a key element of an organisation's internal control systems and can be mapped to the requirements of Turnbull, which states that, 'since profits are, in part, the reward for successful risk-taking in business, the purpose of internal control is to help manage and control risk appropriately rather than to eliminate it.' Turnbull's guidance is recognised by the Cabinet Office as 'best-practice' to be implemented across UK Government.
There should also be a direct benefit in the reduction of costly security incidents such as viruses, equipment failures, thefts and loss of data. Increased staff and management awareness of security should help these to be handled more efficiently and ultimately reduced in number. It is a key concept within 27001 that the management of security is constantly monitored and improved.
Conclusions
The changes to the standard, notably its adaptation to a version that is acceptable internationally, have undoubtedly led to its wider acceptance. There are now over 2,000 BS7799/27001 certificates issued worldwide, and the trend is for this to increase sharply both in the number and diversity of organisations and in the geographical spread of the standard.
Certificates can now be found in almost 60 countries, including over 30 in the United States where take up was previously almost non-existent. Japan remains the country with the most certificates at around 1,200, followed by the UK with 219. All sectors are well represented including financial, manufacturing, IT, health, public sector and telecoms.
On top of these, there are thousands more organisations that are compliant but not yet formally certified. Similarly, its alignment with other series of standards, including the more generally known ISO 9000 series for quality management, has led to it being viewed as part of an organisation's wider strategy to implement best practices, rather than being seen in isolation.
Many organisations will already have had a sight of BS7799, whether it has been formally implemented or not, and the transition to 27001 should not deter any existing or potential users interested in the standard. It should provide assurance for an organisation, both to itself and its external partners and competitors that information security is taken seriously.
The author Martin Smith is a senior consultant with Insight Consulting, where he heads up the ISO 27001 team.