If you’re not already acquainted with the standard, you’re probably wondering whether this is an industry buzzword or just another fad.
There is growing interest in and focus on ISO 27001 in North America. Historically that interest has been driven out of Europe, and most recently out of the US financial sector, with a rippling effect into its wide web of service providers. You’re probably also wondering, with industry-based legislation around privacy and security like HIPAA, the GLBA / FFIEC Guidelines, PIPEDA, etc., why we even need something like this. The short answer is yes, we do.
Most of the legislative and contractual requirements many companies are compelled to comply with consist only of a set of controls to satisfy. ISO 27001, by contrast, does mandate certain controls, but it also makes information security program management and leadership involvement mandatory activities in their own right.
This article has been developed based on the most frequently asked questions we receive.
ISO 27001 Background Information
ISO 27001 is a standard for the practice of Information Security Management intended for commercial businesses. It can also be used by government organizations that do not already have a governing framework to guide the design, implementation and maintenance requirements for their security program.
Its roots date back to 1990, when a group of companies and public sector individuals and organizations came together and developed the first version of the Code of Practice for Information Security Management. It was first published in 1995 by the British Standards Institute as a commissioned standard entitled BS 7799.
It was not until the year 2000 that ISO adopted it under the title ISO 17799. Since then there have been two revisions, both of which included substantial modifications. The first was in 2005, when it was renamed ISO 27001; it was then revised and republished in 2013, the version we use today.
So What’s the Value Proposition?
It doesn’t matter whether you’re buying running shoes, a new car, or adopting a standard to follow within your organization; it must offer the right value proposition in order to make sense as an investment. ISO 27001 is no different in this respect, and without question it has demonstrated great value in every implementation we have seen. But if your organization has not adopted it yet, and you are in the process of developing the business case for leadership approval, how do you qualify the value to the organization? Unfortunately, the correct answer, and the one you will hear from most consultancies you talk with, is: it depends. It will truly vary greatly from one company to the next. It is also important to note that some of the items below are appropriate as value statements for the Information Security Department and IT, while others are more appropriate organization-wide. Here are some examples of the value an ISMS could offer your organization:
Active involvement, commitment and oversight of the Information Security Program by the leadership of the organization;
Securing and maintaining a qualified understanding of legal and regulatory requirements;
Establishing and maintaining a comprehensive information security governance framework;
Establishing a competitive advantage;
Establishing a market differentiator;
Enhancing the institutional customer experience;
Adding customer value;
Strengthening customer retention;
Establishing evidence towards satisfying organizational due diligence expectations;
Reducing the customer audit burden on the organization; and
How Much Does it Cost?
There are many factors that will drive the cost of compliance and subsequent certification to the standard, some examples of which are:
The maturity of an organization’s existing information security program;
The size and geographic diversity of the organization;
The size of the organization’s technology footprint;
The availability of existing staff to evaluate and implement technology, as well as develop the required policies, operational processes and procedures;
The scope the organization defines for the ISMS;
The knowledge and expertise of the internal staff to develop and implement a comprehensive information security program; and
How Long Will It Take to Implement and Get the Organization Certified?
We should probably start this part of the conversation by noting that completing the implementation and getting certified are two very different goals, and should be structured and measured accordingly.
Similar to our discussion on “cost” above, many of the same factors will come into play, so I’m not going to repeat them here.
When you sit down and have a conversation with your organization’s leadership to ask for their support and sponsorship of an ISO 27001 based information security management system (ISMS, aka the security program), they will undoubtedly ask two questions: what is it going to cost, and how long will it take? The reality is, you don’t know what you don’t know. Until you have performed your gap assessment, followed by an implementation impact assessment on your gaps, you just won’t have an answer to either of those questions. We’ll be diving into the topic of the gap assessment in a follow-up article later in the year. The implementation impact assessment is an exercise you will go through collaboratively with the organization’s control owners. During it, they will focus on qualifying the implications for the people, process and technology needed to comply: hours to complete an activity, use of internal versus external resources, the cost of personnel, the cost of software, hardware and maintenance, etc.
So where does that leave you with the question, how much is it going to cost? It should at least help you recognize what you need to do to answer that question for your organization. No two organizations are the same.
As examples, for a couple of global companies with a limited geographic and organizational ISMS scope and 2500 employees, it came in at around $7 to $10MM. Conversely, a large financial services company landed at around $60MM.
Another factor to consider is the depth of implementation. Am I doing the absolute minimum necessary, or am I in a situation where I know I will only have one shot at getting it in, with little tolerance for ongoing upgrading? If I know it is now or never, then I would probably aim for more than the minimum necessary, which will cost more in time and money.
Lastly, when mapping out the activities through to a certification audit, you are going to have to keep in mind that the controls must be in place for a minimum of 90 days before the certification auditors can come in and test them. For those of you who are preparing to go down the road of certification to meet a customer contract with an established deadline, it is best to work backwards from that deadline to lay out your plan, as shown below. When time is squeezed by a deadline, it is worth noting that nothing precludes the Internal Audit and the Management Review from happening during the 90-day window after the controls are implemented.
High-level activities for planning purposes, in reverse order:
The customer-driven contractual deadline;
Allocate 30 days from the end of the audit for the certification authority’s review, certification decision and issuance of the certification to your organization;
As an estimate, allocate eight (8) weeks from the commencement of the certification audit for it to complete and for the lead auditor to issue their report and certification recommendation to the certification authority;
The time required to perform the Management Review;
The time required to perform an internal audit of all controls within the scope of the management system;
The elapsed time qualified by the implementation impact assessment for the implementation activities. Many companies typically spend 12 to 18+ months on implementation;
Allocate approximately 4 (four) to 8 (eight) weeks to perform the implementation impact assessment, collate the data, develop a risk treatment plan and present it to leadership for approval;
Allocate approximately 4 (four) to 8 (eight) weeks for the gap assessment;
Perform the risk assessment: allocate approximately 8 (eight) to 12 (twelve) weeks, which includes the asset inventory, review of the Annex A controls to define their inclusion in or exclusion from the scope, documenting the Statement of Applicability and performing the risk assessment itself;
Allocate approximately 12 to 16 weeks to establish the context of the organization, document the business case for the ISMS, create the program charter, establish the ISMS Steering and Operational Committees (including documenting their charters and holding kick-off meetings), define the scope of the ISMS, and complete other foundational work.
Please note, the above is not intended to be used as a project plan outline, but rather as a tool to help people who have been charged with establishing an ISMS in their organization perform a high-level scheduling assessment.
Can an organization get certified to ISO 27001?
The short answer is yes, absolutely. I should qualify that: an organization can be certified only to ISO 27001, not to ISO 27002.
What is the difference between ISO 27001, 27002, and 27003?
On many occasions, we find ourselves faced with clients and their internal staff holding misconceptions about the roles of the three principal documents in the ISO 27000 family, specifically ISO 27001, 27002, and 27003. To help clarify the differences, we offer the following:
ISO 27001 – is the official information security management system standard, and the only one an organization can get certified to. This document incorporates a list of specific management and technical controls the organization must subscribe to, implement and maintain. It prescribes what you have to do to declare compliance with the standard.
ISO 27002 – is the official guide on how to comply with the controls found in the ISO 27001 standard. This is a great tool for use by individuals with a strong understanding of information security controls. It should be noted that ISO 27002 only offers guidance on the controls listed in Annex A of the standard, and not on any of the activities under the management clauses 4 (four) through 10 (ten). It serves as a guide to help you understand what you might do to achieve compliance with the controls under the standard;
ISO 27003 – is the official guide for ISO 27001 ISMS managers to understand the end-to-end process of planning and implementing an ISMS in an organization. It tells you how to plan the overall implementation of an ISMS. I like to refer to it as a project manager’s playbook.