To open, a quick note: recently a client who had led an ISO 27001 implementation at their prior company, and had since moved to a new one, asked whether they should use ISO 27001 or the relatively new US Cyber Security Framework going forward. Because the question fits the subject of this article, which was under development at the time, I have folded my response into it, in case others are pondering the same question.
To this end, if you are like most people looking for ISO 27001 training, you know just how many companies have jumped into this market and are trying to capture a piece of the action. Your challenge is to figure out exactly which ones are offering a strong and, perhaps more importantly, the right value proposition. Some offer templates as part of their package, others deliver the training in less time to minimize your time out of the office, and so on. So how do you know what the most important things to look for are when choosing a training provider? That is what this article is going to help you figure out, in addition to giving you a better understanding of the value proposition of using the ISO 27001 framework as a foundation for your information security program.
Background - The ISO 27001 Value Proposition
Despite the US federal government's efforts to develop and promote a national cyber security framework, the fastest growth and widest deployment we have seen among information security frameworks has to be the ISO 27001 standard. Notwithstanding this, NIST did a great job framing the issue and showing how existing frameworks and standards align. So why is ISO 27001 so popular and deserving of attention?
In short, it:
is internationally focused, not nationally. Many multinational companies, as well as their suppliers, need a focus that has been and will be accepted by a geographically wider stakeholder audience. ISO standards are developed and endorsed by national representative bodies in each of the 164 member countries around the world, including ANSI as the US representative;
has been around since 1990, making it the oldest public information security framework. It was originally developed by a group of companies and was first published as British Standard 7799 in 1995. In January 2000 the ISO standards body first published it as an ISO standard under the name ISO 17799, and in 2005, after the release of an updated version, the standard was renamed ISO 27001. Due to its wide acceptance and the high visibility attributed to major data breaches around the world, it receives constant care and attention through the ISO updating process. The most recent version was published in 2013, and companies under formal certification are currently transitioning to it;
is a holistic framework that works from the top down, meaning it requires participating organizations to get to know and understand the business the security program is being designed to support. It mandates a compulsory and thorough analysis of all legal and regulatory drivers for the business, upon which the organization's information security governance shall be built;
is a framework against which an organization can apply for and receive independent third-party certification, as a means to demonstrate due diligence and fulfillment of a baseline set of controls. In addition, customers of an organization can not only mandate certification but also require that the service provider provide a copy of its "Statement of Applicability" (SoA), revealing which controls within the framework are in and out of scope;
allows an organization to create a customized information security management system (ISMS) to meet the needs of the business by designing the scope to be as open or as restrictive as necessary, based on geographic, organizational and technological boundaries.
You may have read an article in the WSJ or elsewhere talking about the US Cyber Security Framework and the notion that those who follow it are more likely to be recognized as having fulfilled their duty of care, but the reality is, when you align with a standard that is accepted in 164 countries around the world, I think you might already be there! It's important not to get caught up in the hype and to understand the issue. Now, before going any further I want to assert that I am not an attorney, and the following is not offered or represented in any way as legal advice. Furthermore, anyone requiring a full legal understanding of this issue should consult a technically competent authority on the matter, such as an attorney.
So now that my disclaimer is on the table: to make sure you don't get caught up in the hype, you must understand the issues. First and foremost, when someone starts to talk about "duty of care," "due diligence," and so on, it is important to know on what basis we are talking. This was a pivotal issue I struggled to understand for myself when working with US based clients. On one occasion in particular, I had used a phrase that many long-standing information security professionals have spoken and written about in magazine articles, blogs and elsewhere. This phrase was "due diligence." Using this phrase set me on a journey, which involved conversations with a number of attorneys before I identified the root source of this terminology: American Jurisprudence 2d (135). Now, it doesn't end up the way you might think. My expectation was that I would find a legal reference whose heading directly used those words, and this is probably why it took a while to bring the research to closure. Another thing that surprised me was that most could not directly point to any one reference in law that answered my question. So what does 2d (135) say?
First and foremost, the heading relates to officers' negligence; the reference to due diligence is nested inside it, which becomes apparent once you understand the full meaning of the reference. Specifically, I was advised in layman's terms that this section requires that if an officer of an organization could see the potential for harm, the officer and the organization they serve have a duty under the law of torts to implement something that would prevent such harm from manifesting and adversely affecting the organization and its stakeholders. Furthermore, the measure of the preventive action taken to mitigate the potential harm must be consistent with what a reasonable person ought to have done, having known of the potential for such harm; this is referred to as the "reasonable person test."