Showing posts with label ISO 27001.

Thursday, October 11, 2012

Cyber Security Awareness Month - Day 8 ISO 27001

by Helvry Sinaga  |  in ISO 27001 at  7:33 PM


The ISO 27000 series consists of a number of standards that apply to information security. The main standard that you can actually certify against is ISO 27001. The remaining standards are mainly supporting standards that help you address specific areas of information security.

ISO 27001 is an information security management standard. Its main objective is to make sure that an organisation has the processes in place to manage information security within the organisation. Unlike the Payment Card Industry Data Security Standard (PCI DSS, more on that in a later diary), ISO 27001 is not prescriptive. It doesn't tell you exactly what to do; it provides high-level guidance and you have to work the rest out yourself. This is where the supporting standards come into play. ISO 27002, for example, provides more information on implementing specific controls and gives examples. If you are stuck on how you should be assessing risk, take a look at ISO 27005 (ISO 31000 is also excellent; it is the successor to the old AS/NZS 4360).

One of the main difficulties of complying with the standard is the first realisation that you are complying with sections 4 through 8, whereas many people concentrate on the controls in Annex A (Annex A, by the way, is ISO 27002 with less detail). Sections 4 through 8 outline the system that needs to be in place: the Plan, Do, Check, Act cycle. (These clause numbers are from the 2005 edition; the 2013 revision moved the mandatory requirements to clauses 4 through 10, but the structure is the same.) The standard is risk based: you identify your assets, assess the risk, select the controls you are going to implement based on those risks, monitor how it is all going, and then rinse, lather and repeat the cycle.

The other key idea is that it is a system for the security of information. So not specifically computer systems, but the information they manage and hold, as well as the information used to manage the environment. Many ISO 27001 systems initially concentrate on the technical aspects of IT security: do I have a firewall, do I have AV, do I have processes to manage them, etc. As the system matures it tends to go up a level and look at the processes being performed by a group or division and the information they need to do this successfully. For example, the CISO needs to report on the status of information security in the organisation. What information is needed? They might need stats from various systems, pentest results, vulnerability analysis results, risk assessments, and so on. All are information assets that the CISO needs to do their job. How is that information generated, and by whom? How reliable is it? So in the ISO 27001 world there are a number of different levels at which your system can work.

Just going back to sections 4 through 8 for a little bit. One of the first things you will be doing is to define the scope of the system you are about to implement. Typically this will be phrased along the lines of "management of information security for system/group/division/product/application/service by responsible group". Usually it will be a little bit prettier than that, but you get the general idea. Like a quality system (ISO 9000 series), you define the scope of the environment. If you have a scope that doesn't include the HR function, then the HR function becomes an input into your system, but not part of it. You may have to ask them to do certain checks prior to hiring, but in my experience those types of processes are usually mature. Good scoping can be your saviour if you are going for certification.

So, certify or just comply? That is one of the main questions we get when talking about 27001. The choice is quite simple. If you are going to use it as a marketing tool to improve confidence in your organisation's ability to manage information security, then certify. If you just want to make sure that you are covering the bases that should be covered, then complying without certifying may be the right choice for you.

Where to start? Well, after you have bought your copy of the standard you could perform a gap analysis of what you currently do against what the standard expects. Be brutally honest. You can use this mechanism to monitor your progress and show improvement as things change. Expect to fail miserably, and make sure that management understands this before you start. You haven't needed to comply with the standard before, therefore there are going to be gaps. If you've never run a 5 km race before, the chances of finishing one on your first go are pretty slim. Once you have your gaps you have a starting place and can start working on progressing and improving security.

In order to certify you must have what are called the documented processes in place (sorry, I can't really list them, as without the standard to provide context they won't make sense). Without these processes written down, being followed and maintained, you cannot pass a certification audit. Likewise it will be difficult to pass a certification audit if you do not have an information security policy, change control, a business continuity plan, an incident response plan, an acceptable usage policy and more. However, what you do or don't have will come out in the gap analysis.

As a management system ISO 27001 is quite reasonable. If you do it correctly the overhead on your scarce resources won't be too bad. It makes you document those processes that are actually important to the organisation, which is never a bad idea. It forces you to think about issues that you may not have thought about previously; in fact that probably goes for most standards. The standard forces the engagement of management in information security matters, and this often results in a better understanding of what you really do, and possibly even more funding. The main thing to remember is: don't work for the standard, make the standard work for you. If you are doing it to tick a box, you will likely fail.

That is a brief overview of ISO 27001. If you have anything specific, let us know via the comments or the contact form.
Cheers
Mark H

Source: https://isc.sans.edu/diary/Cyber+Security+Awareness+Month+-+Day+8+ISO+27001/14230

Sunday, April 15, 2012

ISO 27001: Introduction

by Helvry Sinaga  |  in ISO 27001 at  10:34 PM

The international standard ISO 27001 for information security management systems has replaced the British Standard BS 7799. Information security has always been an international issue, not a purely British one and this evolution in the standard now enables organizations throughout the world to ensure that they are applying information security best practice in their organizations.
Information security is also a management issue, a governance responsibility. The design and implementation of an Information Security Management System (‘ISMS’) is a management role, not a technological one. It requires the full range of managerial skills and attributes, from project management and prioritization through communication, sales skills and motivation to delegation, monitoring and discipline. A good manager who has no technological background or insight can lead a successful ISMS implementation, but without management skills, the most technologically sophisticated information security expert will fail at the task.   
This is particularly so if the organization wants to derive maximum, long term business value from the implementation of an ISMS. Achieving external certification is an admirable (and increasingly necessary) outcome to such a project; achieving the level of information security awareness and good internal practice that enables an organization to safely surf the stormy, cruel seas of the information age requires a level of culture change no less profound than that required to shift from industrial to post-industrial operations.
I know all this because my background is as a general manager, not as a technologist. I came to information security in 1995 because I was concerned about the information security exposures faced by a company of which I was CEO. When you’re the CEO, and you’re interested in it, you can make an ISMS happen – as I’ve proved a number of times. While this book will shorten the learning curve for other CEOs in my position, it’s really aimed at the manager – often an IT or information security manager – who is charged with tackling an ISO 27001 implementation and who wants a sure route to a positive outcome. It identifies what the experience of many BS7799 implementations has taught me are the nine key steps to ISMS success. The lessons seem to apply in any organization, public sector or private, and anywhere in the world. They start with recognizing the challenges usually faced by anyone concerned to improve their organization’s security posture.
The second biggest challenge that, in my experience, is faced by information security technologists everywhere in the world, is gaining – and keeping – the board’s attention. The biggest challenge is gaining – and keeping – the organization’s interest and application to the project. When boards do finally become aware of their need to act – and to act systematically and comprehensively – against information security threats, they become very interested in hearing from their information security specialists. They even develop an appetite for investing organizational dollars into hardware and software solutions, and to mandate the development of a new ISMS – or the tightening up of an existing one.
Of course, there’s usually no better than a 50:50 chance that the ‘solution’ they want is anything more than the security flavour of the threat of the month – for instance, anti-virus solution sales increased when Nimda, Code Red and Melissa hit the headlines. Once deployed, any single solution is unlikely to alter the overall security posture of an organization by more than one degree, not least because any effective security solution requires an integrated combination of technology, procedure and user application. And integration of this order requires more than just a knee-jerk reaction to a current threat.
The even greater certainty is that most initiatives to develop an ISMS are likely to be seen as either a current management ‘fad’ or, even worse, as an IT department ‘initiative’. Either branding means the ISMS will be stillborn. Almost everyone who works in any business believes that management fads just have to be endured until they go away, and that IT department initiatives just create more problems and barriers for people trying to do their everyday work. Scott Adams, the creator of Dilbert, does say after all that most of the ideas for his sketches are sent to him by people who are simply describing their daily working lives.
An ISMS project does slightly better if it’s seen as having a credible business need: to win an outsourcing contract, for instance, or to comply with a public funding requirement. In fact, such short term justifications for introducing an ISMS, for seeking external certification, infrequently bring the company any real long term benefit, because the project rarely develops the sort of sustained momentum that will drive user awareness and good practice into all the reaches of the organization.
When we first decided to tackle information security in 1995, my organization was required – as a condition of its branding and trading licence – to achieve both ISO9001 certification and Investors in People (IiP) recognition. We intended to sell information security and environmental management services as well and, out of a desire to practice what we preached, as well as from a determination to achieve the identifiable business benefits of tackling all these components of our business, we decided to pursue both BS7799 and ISO14001 at the same time.
BS7799 existed then in only an unaccredited form and it was, essentially, a Code of Practice. There was only one part to it and, while certification was technically not possible, a statement of conformity was. The other standards that we were interested in did all exist but, at that time, it was generally expected that an organization would approach each standard on its own, developing standalone manuals and processes. This was hardly surprising, as it was unusual for any organization to pursue more than one standard at any time!
We made the momentous decision to approach the issue from primarily a business perspective, rather than a quality one. We decided that we wanted to create a single, integrated management system that would work for our business, and that was capable of achieving multiple certifications. While this seemed to go in the face of much of that time’s actual practice around management system implementation, it seemed to be completely in line with the spirit of the standards themselves.
We also decided that we wanted everyone in the organization to take part in the process of creating and developing the integrated management system that we envisioned, because we believed that was the fastest and most certain way of getting them to become real contributors to the project, both in the short and the long term. We used external consultants for part of the ISO 9001 project but there was simply no BS7799 expertise available externally.
This lack of BS7799 experts was a minor challenge in comparison to the lack of useful books or tools that we could use. While you can today purchase books such as ISO 27001: a Pocket Guide, back then there were only bookshelves full of thick, technologically-focused books on all sorts of information security issues, but nothing that might tell a business manager how to systematically implement an information security management system. We had no option but to try and work it out for ourselves.
We actually did the job twice, once under the unaccredited scheme and the second time after the standard had become a two-parter (the earlier, single part had become a Code of Practice and a new part, a specification for an Information Security Management System, had been introduced) and been accredited. In fact, our accredited audit was also our certification body’s first observed audit for their own UKAS accreditation. While that was an interesting experience, it did mean that our systems had to be particularly robust if they were to stand the simultaneous scrutiny of two levels of external auditors!
We underwent external examination on five separate occasions within a few months and our integrated management system achieved all the required external certifications and recognitions. We did this without anything more than the part time assistance of one ISO9001 consultant and an internal quality management team of one person. Admittedly, the organization was a relatively small one but, although we only employed about 80 people (across three sites), we did also have an associate consultant team that was nearly a hundred strong. And, back then, we probably couldn’t have done something as complex as this in a much larger organization.
The lessons that we learned in our first two implementations, and our experience with BS 7799 implementations – often in very substantial organizations – since then, in both the public and private sectors, have enabled me to crystallize the nine keys to a successful ISMS project. We’ve updated that knowledge and experience preparing our own business for ISO 27001 certification and, in parallel, I’ve also studied the emerging standard closely while writing ISO 27001: a Pocket Guide. The fact is that, properly managed and led, any ISO27001 project can be successful. We’ve proved it.
Over the years, my organization has developed approaches to implementing an ISMS that can help project managers identify and overcome many of the very real problems they face in achieving a successful outcome. We’ve also developed unique tools and techniques that simplify the process and enable organizations to succeed without us – and information security success is, in the long term, not consultant-dependent. It depends on the organization itself; this book describes the key issues, the building blocks of success, and tells you how to tackle them. 
This book refers, in its course, to a number of other books or tools that I have written or that have been produced by my company. In each case where I have made a specific reference, the book or tool is unique and was developed to do the specific job that I describe it as doing. I developed these books and tools because there simply was nothing available on the market that did a comparable job of work.

This book also does not repeat the history of BS7799, the story of ISO 27001, the relationship between ISO 27001 and ISO 17799, or some of the more detailed structural issues of ISO 27001, all of which can be found in ISO 27001: a Pocket Guide. Nor does this book provide the sort of detailed, control-by-control project guidance that you will get from IT Governance: a Manager’s Guide to Data Security and BS7799/ISO17799. I recommend that you read and use both these books before and during your ISMS project.


Alan Calder
October 2005




Publisher’s Note: this is an excerpt from the introduction to Nine Steps to Success: an ISO 27001 Implementation Overview, published by IT Governance Publishing in October 2005, with ISBN 1-905356-10-2. The book itself can be ordered online at www.itgovernance.co.uk.

Friday, April 13, 2012

Four key benefits of ISO 27001 implementation

by Helvry Sinaga  |  in ISO 27001 at  5:15 AM

By Dejan Kosutic on July 21, 2010
Have you ever tried to convince your management to fund the implementation of information security? If you have, you probably know how it feels: they will ask you how much it costs, and if it sounds too expensive they will say no.
Actually, you shouldn’t blame them. After all, their ultimate responsibility is the profitability of the company. That means every decision they make is based on the balance between investment and benefit, or, to put it in management’s language, ROI (return on investment).
This means you have to do your homework before proposing such an investment: think carefully about how to present the benefits, using language that management will understand and endorse.
I’ll try to help you. The benefits of information security, and especially of implementing ISO 27001, are numerous, but in my experience the following four are the most important:
1. Compliance
It might seem odd to list this as the first benefit, but it often shows the quickest “return on investment”: if an organization must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO 27001 can bring in a methodology that enables it to do so in the most efficient way.
2. Marketing edge
In a market which is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO 27001 could indeed be a unique selling point, especially if you handle clients’ sensitive information.
3. Lowering the expenses
Information security is usually considered a cost with no obvious financial gain. However, there is a financial gain if you lower the expenses caused by incidents. You probably do have interruptions in service, or occasional data leakage, or disgruntled employees. Or disgruntled former employees.
The truth is, there is still no methodology and/or technology to calculate exactly how much money you would save by preventing such incidents. But it always sounds good if you bring such cases to management’s attention.
4. Putting your business in order
This one is probably the most underrated: if you are a company which has been growing sharply for the last few years, you might experience problems like who has to decide what, who is responsible for certain information assets, who has to authorize access to information systems, etc.
ISO 27001 is particularly good at sorting these things out: it will force you to define both responsibilities and duties very precisely, and therefore strengthen your internal organization.
To conclude: ISO 27001 can bring many benefits besides being just another certificate on your wall. In most cases, if you present those benefits clearly, management will start listening to you.

Thursday, April 12, 2012

How much does ISO 27001 implementation cost?

by Helvry Sinaga  |  in ISO 27001 at  3:59 AM

By Dejan Kosutic on February 08, 2011
This is usually one of the first questions I receive from a potential client. To their disappointment, I cannot give them an exact figure right away. Here is why.
First of all, the total cost of implementation will depend on the size of your organization (or of the business unit(s) that will be included in the ISO 27001 scope), the criticality of the information (for instance, information in banks is considered more critical and demands a higher level of protection), the technology the organization uses (for instance, data centers tend to have higher costs because of their complex systems), and the legislative requirements (the financial and government sectors are usually heavily regulated with regard to information security).
Second, you won’t be able to calculate the exact costs before you know which level of protection you need: first you have to perform a risk assessment, because that analysis will tell you which security measures are required.
When you know the results of the risk assessment, you will have to take into account the following costs:

1. The cost of literature and training
Implementation of ISO 27001 requires changes in your organization, and requires new skills. You can prepare your employees by buying various books on the subject and/or sending them to courses (in-person or online); the duration of these courses varies from 1 to 5 days (read How to learn about ISO 27001 and BS 25999-2).
And don’t forget to buy the ISO 27001 standard itself; too often I run across companies implementing the standard without ever having seen it.

2. The cost of external assistance
Unfortunately, training your employees is not enough. If you don’t have a project manager with deep experience in ISO 27001 implementation, you’ll need someone who does: you can either hire a consultant or use an online alternative (this is what we do at the Information Security & Business Continuity Academy).
The greatest value of having someone experienced help you with this kind of project is that you won’t end up in dead-end streets, spending months doing activities that are not really necessary or developing tons of documentation not required by the standard. And that really costs.
However, be careful here: do not expect the consultant to do the whole implementation for you. ISO 27001 can only be implemented by your own employees.

3. The cost of technology
It might seem funny, but most companies I’ve worked with did not need a big investment in hardware, software or anything similar; all these things already existed. The biggest challenge was usually how to use existing technology in a more secure way.
However, you do need to plan for such investment if it proves necessary.

4. The cost of employees’ time
The standard isn’t going to implement itself, nor can it be implemented by a consultant alone (if you hire one). Your employees have to spend time figuring out where the risks are and how to improve existing procedures and policies or implement new ones, and they have to take time to train themselves for new responsibilities and to adapt to new rules.

5. The cost of certification
If you want public proof that you have complied with ISO 27001, a certification body will have to perform a certification audit. The cost will depend on the number of man-days they spend doing the job, ranging from under 10 man-days for smaller companies up to a few dozen man-days for larger organizations. The cost of a man-day depends on the local market.
You have to be very careful not to underestimate the true cost of an ISO 27001 project; if you do, your management will start looking at your project in a negative light. On the other hand, forecasting all costs correctly will show your professionalism. And don’t forget: you always have to present both the costs and the benefits (read Four key benefits of ISO 27001 implementation).
You can also check out our video tutorial How To Set Up ISO 27001 Project – Writing the Project Plan, which explains how to plan the ISO 27001 project (commercially sold video).

Tuesday, April 10, 2012

Myths Surrounding ISO27001 Information Security

by Helvry Sinaga  |  in ISO 27001 at  11:21 PM

This week I am carrying the series of myths forward, this time covering information security (ISO 27001).

  1. Information security is for big companies.

    False. Most small companies (and individuals) are targeted at some time.

  2. My computer has virus control software so I am safe.

    False. Anti-virus software is only one layer of protection.

  3. I have turned off Microsoft Automatic Update to protect my computer.

    False. Automatic Update delivers the security patches that protect your computer.

  4. I always tear up sensitive paper information before putting it in the dustbin to protect myself.

    False. Tearing up paper is never as secure as shredding.

  5. Cutting a credit card in half makes it useless to a thief.

    False. Shred any credit cards you no longer need, as a thief can copy the details and your signature.

  6. Email is a secure method of communication.

    False. Unless you encrypt your email, it is readable by anyone who handles it in transit or on the mail servers it passes through.

  7. I can't remember complex passwords so I use my dog's name, but that is secure.

    False. An attacker will run a dictionary attack to find easy passwords like this.

  8. My company insists on 8 digit passwords so I have to write them down, but this is safe.

    False. Writing down passwords is a bad idea and is full of risk.

  9. In my company we all share a generic password, but this is secure.

    False. If there is a problem with a generic password, it is almost impossible to find out who is responsible.

  10. When we get new computers we always format the old hard disks to ensure they cannot be hacked.

    False. A format only rewrites the file system structures; the data is still on the disk and can be recovered, sometimes simply by un-formatting. Disks should be securely wiped (a full overwrite or the drive's built-in secure erase) or physically destroyed.
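Myth 7 deserves a concrete illustration. The Python script below is an added example and is not part of the original post: it runs a small dictionary attack against an unsalted SHA-256 hash of a pet-name password, then against a salted, deliberately slow PBKDF2 hash of the same password. The wordlist and the mangling rules are constructed stand-ins for the far larger lists and rule sets a real cracking tool uses; the password "Rex1" is likewise made up for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a cracking dictionary. Real attacks use lists
# with millions of entries (leaked passwords, dictionary words, pet and
# personal names); ten words are enough to show the mechanics.
WORDLIST = ["password", "letmein", "123456", "qwerty",
            "rex", "buddy", "max", "bella", "charlie", "fido"]


def common_mangles(word):
    """Yield the word plus the cheap variations cracking tools try by default."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word.capitalize() + "1"
    yield word + "123"
    yield word.capitalize() + "!"


def candidates():
    """Every guess, in the order the attack tries it (six per dictionary word)."""
    for word in WORDLIST:
        yield from common_mangles(word)


def unsalted_sha256(password):
    """How a weak system stores passwords: one fast, unsalted hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hash(password, salt, iterations=200_000):
    """How a sound system stores passwords: a per-user salt and a slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def dictionary_attack(target_hash, hash_fn):
    """Run every candidate through hash_fn; return (password, attempts) or (None, attempts)."""
    attempts = 0
    for guess in candidates():
        attempts += 1
        if hmac.compare_digest(hash_fn(guess), target_hash):
            return guess, attempts
    return None, attempts


def crack_unsalted(target_hash):
    return dictionary_attack(target_hash, unsalted_sha256)


def crack_pbkdf2(target_hash, salt, iterations=200_000):
    # The salt is stored beside the hash, so the attacker has it. It defeats
    # precomputed tables and cross-user reuse, not guessing of one weak password;
    # only the iteration count makes each guess expensive.
    return dictionary_attack(target_hash, lambda p: pbkdf2_hash(p, salt, iterations))


if __name__ == "__main__":
    weak = "Rex1"  # the dog's name with the most common mangling applied (constructed)
    salt = os.urandom(16)

    t0 = time.perf_counter()
    found, tries = crack_unsalted(unsalted_sha256(weak))
    fast = time.perf_counter() - t0

    t0 = time.perf_counter()
    found_slow, tries_slow = crack_pbkdf2(pbkdf2_hash(weak, salt), salt)
    slow = time.perf_counter() - t0

    print(f"unsalted SHA-256: cracked {found!r} in {tries} guesses, {fast * 1e3:.2f} ms")
    print(f"salted PBKDF2:    cracked {found_slow!r} in {tries_slow} guesses, {slow:.2f} s")

    # A password that appears in no list is simply not found.
    print("random passphrase:", crack_unsalted(unsalted_sha256("torch-velvet-granite-91")))
```

Both runs find the password in the same number of guesses; the slow KDF only raises the cost per guess by a factor of 200,000, which protects a leaked database of hashes against bulk cracking but does not rescue a password drawn from a short list. The fix for myth 7 is a password that is not in any list, which in practice means a long passphrase or a password manager.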

Sunday, April 1, 2012

ISO 27001 Information Security Management from Michael Brophy

by Helvry Sinaga  |  in ISO 27001 at  7:55 PM
About ISO 27001 Information Security Management from Michael Brophy of Certification Europe.

