In this Help Net Security interview, Kiowa Security founder Robin Long shares his insights on the best way to approach implementing the ISO/IEC 27001 information security standard.
Long advises organizations to establish a detailed project roadmap and to schedule the certification audit early on. He also recommends choosing an in-house team that includes a leader with ISO 27001 Lead Implementer qualifications and, in some cases, achieving a limited number of “security successes” before embarking on a full implementation, starting with the organization's priority areas.
Before we get into the questions, some general points about ISO 27001.
1. The documentation behind ISO/IEC 27001:2022 (“ISO 27001”) is divided into two main parts. One is ISO/IEC 27001 itself, which contains the main guidance, and the other is a “guidance document”, ISO/IEC 27002, which contains a list of suggested information security controls that can be selected and implemented on the basis of a risk assessment carried out according to the requirements of the primary document.
ISO 27001 is also supported by other standards such as ISO/IEC 27000:2018 (IT Security Technologies) and ISO/IEC 27005:2022 (Information Security, Cybersecurity and Privacy Protection).
All of these are developed and maintained by the International Organization for Standardization (ISO), based in Geneva, Switzerland.
2. When seeking certification of conformity to a standard, there are many requirements, but in practice there is a great deal of flexibility in the details. Even the “requirements”, which are the mandatory provisions of the 27001 document, are generally open to a fairly wide interpretation. This makes sense, given that ISO 27001 was developed as a universal system for organizations of all types and sizes that handle sensitive information.
When you look at it that way, it immediately becomes less scary.
3. If you decide to move forward with ISO 27001 implementation, we highly recommend creating a detailed roadmap that defines what needs to be achieved by which dates in the project timeline (a Gantt chart is good for this; see the example above). This allows you to manage the project and reduce the risk of going over time and budget. Breaking the project into weekly components makes it less daunting.
4. You also need to define a (small) group of people who will run, maintain, and be responsible for implementing the standard. You could also call this an “ISMS team” (ISMS stands for Information Security Management System, which is another way of saying ISO 27001). Ideally, this team will incorporate expertise and experience in IT, business development, and data protection, and have channels to senior management.
What approach would you recommend for organizations new to ISO 27001's broader controls and requirements, particularly information security management?
As a consultant myself, I recognize that there is a conflict of interest here, but I have to say that I believe it makes sense to engage external advice to assist with ISO 27001 implementation, internal audits, and interactions with the certification auditors.
One of the primary responsibilities of such an advisor is to help the organization understand the standard, and information security management in general, at both a high and a low level. For example, the set of ISO 27002 controls is certainly wide-ranging, but a competent consultant will break it down into manageable parts to be tackled one by one in a carefully planned order.
Whether you hire a consultant or not, it's also a very good idea to send your ISMS team leader on an ISO 27001 Lead Implementer (LI) course. These courses usually run for about three days and are helpful. Note that ISO 27001 requires organizations to provide evidence of the competence of key project participants, and a team member's LI qualification demonstrates an appropriate degree of knowledge of, and commitment to, the standard.
Implementing ISO 27001 can be resource intensive. Do you have any advice for organizations, especially small and medium-sized enterprises, to effectively allocate resources and budget for ISO 27001 implementation?
It is true that implementing ISO 27001 necessarily consumes resources in terms of money and other assets, especially people's time. The key question is whether the cost of those resources is offset by the perceived benefits, and this is primarily a matter of allocating them efficiently. Ways to optimize this include:
1. As mentioned above, using a roadmap that guides the organization through to the two-stage certification audit at a granular (weekly) level.
2. Selecting the certification auditors early and agreeing on a tentative schedule for the certification audits. The benefits of doing this include the psychological one of having an end date in your diary, which helps define the project roadmap. Certification audit costs are also an important part of the overall budget, and the certification body will provide estimates of these at this stage.
Note that in addition to the two initial certification audits, there are two (approximately annual) monitoring audits and a recertification audit after three years. Of course, all of these audits cost money and require budgeting.
3. Be aware of less obvious costs, such as potential fees associated with:
- Legal services related to changes and additions to employment contracts, NDAs, etc.
- Penetration testing/vulnerability scanning as required
- Any software you choose to install (anti-malware, IDS, etc.).
What strategies can be used to convince top management of the need and benefits of ISO 27001 compliance?
Consulting firms prefer to answer this question using a bulleted list on their website.
However, in almost all cases only one factor really matters, and it is a commercial one: key potential clients or partners have been identified that require certification to the standard. Organizations operating in sensitive sectors (finance, critical infrastructure, healthcare, etc.) have already learned this, or are learning it, and don't need to be told. If they don't know, tell them!
Other reasons that I think are completely legitimate and reliable are:
- An organization's demonstrably improved level of information security provides assurance to stakeholders other than clients (e.g. investors, senior management, regulators, suppliers) regarding the information security risks the organization faces.
- Implementing ISO 27001 helps small and medium-sized businesses grow. For example, it can help you develop sound policies and procedures for HR, business continuity, disaster recovery, change management, and several other areas.
- Note that ISO 27001 is by no means just about personal data, but also covers other types of sensitive information, especially intellectual property or “IP” (including trade secrets and source code). For many technology startups, these are key business assets and must be well protected.
Risk management and performance evaluation are important and challenging aspects of ISO 27001. How should organizations approach these elements to ensure an effective information security management system (ISMS)?
These are certainly the core areas of ISO 27001. Important things to remember regarding risk assessment include:
- You really do need to at least try to identify all of the information security risks (internal and external) that the organization faces or may face. This is best done by brainstorming in a group centered around the ISMS team.
ISO 27001 basically boils down to: “What information security risks do we face, and how can we best manage them?”
- Note that, unlike the chicken and the egg, the order here is clear: identify the risks first, and only then select the controls that help manage those risks.
Not all controls need to be applied. Almost all organizations legitimately exclude some controls in their Statement of Applicability. For example, a company whose employees all work remotely simply does not have all of the risks that physical controls are designed to mitigate.
When it comes to performance evaluation, you primarily need to consider the relevant provisions and controls and agree on how well your organization is meeting the relevant requirements. What you choose to monitor, measure, and evaluate depends on the type and size of your organization and your business goals. These are essentially information security key performance indicators (KPIs) and may include supplier ratings and the documented events, incidents, and vulnerabilities.
What unique challenges do organizations face when implementing ISO 27001, especially for cloud solutions like Microsoft 365, and how can they be addressed?
The switch to remote working and the use of cloud resources have been highly disruptive to ISO 27001. The 2022 version has been slightly adjusted (by changing controls) to reflect changes in working conditions. However, there is still a significant focus on traditional physical workplaces, networks, and pre-SaaS style suppliers.
The big switch from locally installed software to cloud services means that you need to take advantage of the flexibility of ISO 27001 and interpret the 27002 controls accordingly. For example:
- Think less about networking and more about securely configuring your cloud resources.
- Focus on the aspects of “supplier relationship” management that relate to SaaS suppliers.
- Remember that if cloud resources are critical to the processing and storage of sensitive data in your business (and that almost certainly applies to you, as it does to plenty of other organizations), then the new control 5.23 (Information Security for the Use of Cloud Services) is equally critical to your business and should be approached carefully and rigorously.
- Note that business continuity/disaster recovery for organizations whose employees work remotely using cloud services is primarily a matter of how the relevant cloud provider manages backups, storage/compute redundancy, and so on.
ISO 27001 requires a commitment to continuous improvement. How should organizations approach this, especially when it comes to incident management and response?
This is the somewhat mysterious part of clause 10 (Improvement) that organizations often struggle with (the second part of the clause is about dealing with nonconformities and is clearer about what needs to be done).
The best approach seems to be to ask the question “How can we make our ISMS better?” at regular ISMS management meetings, come up with some examples of how this could be achieved, and then report on the progress observed in the right direction. This means that by the time of your first follow-up (monitoring) audit, you should be able to present a list of potential improvements and show how they are being achieved.
I would like to conclude by saying that there is nothing preventing organizations from implementing ISO 27001, or even partially implementing it, without obtaining certification. Many companies like the concept of ISO 27001, but aren't ready to fully commit. In that case, the following implementation model is highly recommended:
1. Determine which areas of information security are a priority for your organization in terms of incremental security enhancements, required resources (money, time, personnel), and ease of implementation. You could call these “low-hanging fruit” if you like. Possible examples include access control, human resources security, and endpoint security.
2. Work through the related 27002 controls and implement them one by one.
3. Once you have covered the highest priority areas, start working on lower priority levels.
4. After doing this for a few months, you may find that ISO 27001 is not so daunting after all and that you are ready to tackle it fully. Keep it up!