The international standard ISO 27001 for information security management systems has replaced the British Standard BS 7799. Information security has always been an international issue, not a purely British one, and this evolution in the standard now enables organizations throughout the world to ensure that they are applying information security best practice.
Information security is also a management issue, a governance responsibility. The design and implementation of an Information Security Management System (‘ISMS’) is a management role, not a technological one. It requires the full range of managerial skills and attributes, from project management and prioritization through communication, sales skills and motivation to delegation, monitoring and discipline. A good manager who has no technological background or insight can lead a successful ISMS implementation, but without management skills, the most technologically sophisticated information security expert will fail at the task.
This is particularly so if the organization wants to derive maximum, long-term business value from the implementation of an ISMS. Achieving external certification is an admirable (and increasingly necessary) outcome of such a project; achieving the level of information security awareness and good internal practice that enables an organization to safely surf the stormy, cruel seas of the information age requires a level of culture change no less profound than that required to shift from industrial to post-industrial operations.
I know all this because my background is as a general manager, not as a technologist. I came to information security in 1995 because I was concerned about the information security exposures faced by a company of which I was CEO. When you’re the CEO, and you’re interested in it, you can make an ISMS happen – as I’ve proved a number of times. While this book will shorten the learning curve for other CEOs in my position, it’s really aimed at the manager – often an IT or information security manager – who is charged with tackling an ISO 27001 implementation and who wants a sure route to a positive outcome. It identifies what the experience of many BS 7799 implementations has taught me are the nine key steps to ISMS success. The lessons seem to apply in any organization, public sector or private, and anywhere in the world. They start with recognizing the challenges usually faced by anyone concerned with improving their organization’s security posture.
The second biggest challenge that, in my experience, is faced by information security technologists everywhere in the world is gaining – and keeping – the board’s attention. The biggest challenge is gaining – and keeping – the organization’s interest and application to the project. When boards do finally become aware of their need to act – and to act systematically and comprehensively – against information security threats, they become very interested in hearing from their information security specialists. They even develop an appetite for investing organizational dollars in hardware and software solutions, and for mandating the development of a new ISMS – or the tightening up of an existing one.
Of course, there’s usually no better than a 50:50 chance that the ‘solution’ they want is anything more than the security flavour of the month – for instance, anti-virus solution sales increased when Nimda, Code Red and Melissa hit the headlines. Once deployed, any single solution is unlikely to alter the overall security posture of an organization by more than one degree, not least because any effective security solution requires an integrated combination of technology, procedure and user application. And integration of this order requires more than just a knee-jerk reaction to a current threat.
The even greater certainty is that most initiatives to develop an ISMS are likely to be seen as either a current management ‘fad’ or, even worse, as an IT department ‘initiative’. Either branding means the ISMS will be stillborn. Almost everyone who works in any business believes that management fads just have to be endured until they go away, and that IT department initiatives just create more problems and barriers for people trying to do their everyday work. Scott Adams, the creator of Dilbert, does say after all that most of the ideas for his sketches are sent to him by people who are simply describing their daily working lives.
An ISMS project does slightly better if it’s seen as having a credible business need: to win an outsourcing contract, for instance, or to comply with a public funding requirement. In fact, such short-term justifications for introducing an ISMS, or for seeking external certification, infrequently bring the company any real long-term benefit, because the project rarely develops the sort of sustained momentum that will drive user awareness and good practice into all the reaches of the organization.
When we first decided to tackle information security in 1995, my organization was required – as a condition of its branding and trading licence – to achieve both ISO 9001 certification and Investors in People (IiP) recognition. We intended to sell information security and environmental management services as well and, out of a desire to practise what we preached, as well as from a determination to achieve the identifiable business benefits of tackling all these components of our business, we decided to pursue both BS 7799 and ISO 14001 at the same time.
BS 7799 existed then in only an unaccredited form and it was, essentially, a Code of Practice. There was only one part to it and, while certification was technically not possible, a statement of conformity was. The other standards that we were interested in did all exist but, at that time, it was generally expected that an organization would approach each standard on its own, developing standalone manuals and processes. This was hardly surprising, as it was unusual for any organization to pursue more than one standard at any time!
We made the momentous decision to approach the issue primarily from a business perspective, rather than a quality one. We decided that we wanted to create a single, integrated management system that would work for our business, and that was capable of achieving multiple certifications. While this seemed to fly in the face of much of that time’s actual practice around management system implementation, it seemed to be completely in line with the spirit of the standards themselves.
We also decided that we wanted everyone in the organization to take part in the process of creating and developing the integrated management system that we envisioned, because we believed that was the fastest and most certain way of getting them to become real contributors to the project, both in the short and the long term. We used external consultants for part of the ISO 9001 project, but there was simply no BS 7799 expertise available externally.
This lack of BS 7799 experts was a minor challenge in comparison to the lack of useful books or tools that we could use. While you can today purchase books such as ISO 27001: a Pocket Guide, back then there were only bookshelves full of thick, technologically-focused books on all sorts of information security issues, but nothing that might tell a business manager how to systematically implement an information security management system. We had no option but to try to work it out for ourselves.
We actually did the job twice, once under the unaccredited scheme and the second time after the standard had become a two-parter (the earlier, single part had become a Code of Practice and a new part, a specification for an Information Security Management System, had been introduced) and been accredited. In fact, our accredited audit was also our certification body’s first observed audit for their own UKAS accreditation. While that was an interesting experience, it did mean that our systems had to be particularly robust if they were to stand the simultaneous scrutiny of two levels of external auditors!
We underwent external examination on five separate occasions within a few months and our integrated management system achieved all the required external certifications and recognitions. We did this without anything more than the part-time assistance of one ISO 9001 consultant and an internal quality management team of one person. Admittedly, the organization was a relatively small one but, although we only employed about 80 people (across three sites), we did also have an associate consultant team that was nearly a hundred strong. And, back then, we probably couldn’t have done something as complex as this in a much larger organization.
The lessons that we learned in our first two implementations, and our experience with BS 7799 implementations – often in very substantial organizations – since then, in both the public and private sectors, have enabled me to crystallize the nine keys to a successful ISMS project. We’ve updated that knowledge and experience preparing our own business for ISO 27001 certification and, in parallel, I’ve also studied the emerging standard closely while writing ISO 27001: a Pocket Guide. The fact is that, properly managed and led, any ISO 27001 project can be successful. We’ve proved it.
Over the years, my organization has developed approaches to implementing an ISMS that can help project managers identify and overcome many of the very real problems they face in achieving a successful outcome. We’ve also developed unique tools and techniques that simplify the process and enable organizations to succeed without us – and information security success is, in the long term, not consultant-dependent. It depends on the organization itself; this book describes the key issues, the building blocks of success, and tells you how to tackle them.
This book refers, in its course, to a number of other books or tools that I have written or that have been produced by my company. In each case where I have made a specific reference, the book or tool is unique and was developed to do the specific job that I describe it as doing. I developed these books and tools because there simply was nothing available on the market that did a comparable job of work.
This book also does not repeat the history of BS 7799, the story of ISO 27001, the relationship between ISO 27001 and ISO 17799, or some of the more detailed structural issues of ISO 27001, all of which can be found in ISO 27001: a Pocket Guide. Nor does this book provide the sort of detailed, control-by-control project guidance that you will get from IT Governance: a Manager’s Guide to Data Security and BS7799/ISO17799. I recommend that you read and use both these books before and during your ISMS project.
Alan Calder
October 2005