Sunday, April 15, 2012

ISO 27001: Introduction

by Helvry Sinaga  |  in ISO 27001 at  10:34 PM

The international standard ISO 27001 for information security management systems has replaced the British Standard BS 7799. Information security has always been an international issue, not a purely British one and this evolution in the standard now enables organizations throughout the world to ensure that they are applying information security best practice in their organizations.
Information security is also a management issue, a governance responsibility. The design and implementation of an Information Security Management System (‘ISMS’) is a management role, not a technological one. It requires the full range of managerial skills and attributes, from project management and prioritization through communication, sales skills and motivation to delegation, monitoring and discipline. A good manager who has no technological background or insight can lead a successful ISMS implementation, but without management skills, the most technologically sophisticated information security expert will fail at the task.   
This is particularly so if the organization wants to derive maximum, long term business value from the implementation of an ISMS. Achieving external certification is an admirable (and increasingly necessary) outcome to such a project; achieving the level of information security awareness and good internal practice that enables an organization to safely surf the stormy, cruel seas of the information age requires a level of culture change no less profound than that required to shift from industrial to post-industrial operations.
I know all this because my background is as a general manager, not as a technologist. I came to information security in 1995 because I was concerned about the information security exposures faced by a company of which I was CEO. When you’re the CEO, and you’re interested in it, you can make an ISMS happen – as I’ve proved a number of times. While this book will shorten the learning curve for other CEOs in my position, it’s really aimed at the manager – often an IT or information security manager – who is charged with tackling an ISO 27001 implementation and who wants a sure route to a positive outcome. It identifies what the experience of many BS7799 implementations has taught me are the nine key steps to ISMS success. The lessons seem to apply in any organization, public sector or private, and anywhere in the world. They start with recognizing the challenges usually faced by anyone concerned to improve their organization’s security posture.
The second biggest challenge that, in my experience, is faced by information security technologists everywhere in the world, is gaining – and keeping – the board’s attention. The biggest challenge is gaining – and keeping – the organization’s interest and application to the project. When boards do finally become aware of their need to act – and to act systematically and comprehensively – against information security threats, they become very interested in hearing from their information security specialists. They even develop an appetite for investing organizational dollars into hardware and software solutions, and to mandate the development of a new ISMS – or the tightening up of an existing one.
Of course, there’s usually no better than a 50:50 chance that the ‘solution’ they want is anything more than the security flavour of the month – for instance, anti-virus solution sales increased when Nimda, Code Red and Melissa hit the headlines. Once deployed, any single solution is unlikely to alter the overall security posture of an organization by more than one degree, not least because any effective security solution requires an integrated combination of technology, procedure and user application. And integration of this order requires more than just a knee-jerk reaction to a current threat.
The even greater certainty is that most initiatives to develop an ISMS are likely to be seen as either a current management ‘fad’ or, even worse, as an IT department ‘initiative’. Either branding means the ISMS will be stillborn. Almost everyone who works in any business believes that management fads just have to be endured until they go away, and that IT department initiatives just create more problems and barriers for people trying to do their everyday work. Scott Adams, the creator of Dilbert, does say after all that most of the ideas for his sketches are sent to him by people who are simply describing their daily working lives.
An ISMS project does slightly better if it’s seen as having a credible business need: to win an outsourcing contract, for instance, or to comply with a public funding requirement. In fact, such short-term justifications for introducing an ISMS, or for seeking external certification, infrequently bring the company any real long-term benefit, because the project rarely develops the sort of sustained momentum that will drive user awareness and good practice into all the reaches of the organization.
When we first decided to tackle information security in 1995, my organization was required – as a condition of its branding and trading licence – to achieve both ISO9001 certification and Investor in People (IiP) recognition. We intended to sell information security and environmental management services as well and, out of a desire to practice what we preached, as well as from a determination to achieve the identifiable business benefits of tackling all these components of our business, we decided to pursue both BS7799 and ISO14001 at the same time.
BS7799 existed then in only an unaccredited form and it was, essentially, a Code of Practice. There was only one part to it and, while certification was technically not possible, a statement of conformity was. The other standards that we were interested in did all exist but, at that time, it was generally expected that an organization would approach each standard on its own, developing standalone manuals and processes. This was hardly surprising, as it was unusual for any organization to pursue more than one standard at any time!
We made the momentous decision to approach the issue from primarily a business perspective, rather than a quality one. We decided that we wanted to create a single, integrated management system that would work for our business, and that was capable of achieving multiple certifications. While this seemed to go in the face of much of that time’s actual practice around management system implementation, it seemed to be completely in line with the spirit of the standards themselves.
We also decided that we wanted everyone in the organization to take part in the process of creating and developing the integrated management system that we envisioned, because we believed that was the fastest and most certain way of getting them to become real contributors to the project, both in the short and the long term. We used external consultants for part of the ISO 9001 project but there was simply no BS7799 expertise available externally.
This lack of BS7799 experts was a minor challenge in comparison to the lack of useful books or tools that we could use. While you can today purchase books such as ISO 27001: a Pocket Guide, back then there were only bookshelves full of thick, technologically-focused books on all sorts of information security issues, but nothing that might tell a business manager how to systematically implement an information security management system. We had no option but to try and work it out for ourselves.
We actually did the job twice, once under the unaccredited scheme and the second time after the standard had become a two-parter (the earlier, single part had become a Code of Practice and a new part, a specification for an Information Security Management System, had been introduced) and been accredited. In fact, our accredited audit was also our certification body’s first observed audit for their own UKAS accreditation. While that was an interesting experience, it did mean that our systems had to be particularly robust if they were to stand the simultaneous scrutiny of two levels of external auditors!
We underwent external examination on five separate occasions within a few months and our integrated management system achieved all the required external certifications and recognitions. We did this without anything more than the part time assistance of one ISO9001 consultant and an internal quality management team of one person. Admittedly, the organization was a relatively small one but, although we only employed about 80 people (across three sites), we did also have an associate consultant team that was nearly a hundred strong. And, back then, we probably couldn’t have done something as complex as this in a much larger organization.
The lessons that we learned in our first two implementations, and our experience with BS 7799 implementations – often in very substantial organizations – since then, in both the public and private sectors, have enabled me to crystallize the nine keys to a successful ISMS project. We’ve updated that knowledge and experience preparing our own business for ISO 27001 certification and, in parallel, I’ve also studied the emerging standard closely while writing ISO 27001: a Pocket Guide. The fact is that, properly managed and led, any ISO27001 project can be successful. We’ve proved it.
Over the years, my organization has developed approaches to implementing an ISMS that can help project managers identify and overcome many of the very real problems they face in achieving a successful outcome. We’ve also developed unique tools and techniques that simplify the process and enable organizations to succeed without us – and information security success is, in the long term, not consultant-dependent. It depends on the organization itself; this book describes the key issues, the building blocks of success, and tells you how to tackle them. 
This book refers, in its course, to a number of other books or tools that I have written or that have been produced by my company. In each case where I have made a specific reference, the book or tool is unique and was developed to do the specific job that I describe it as doing. I developed these books and tools because there simply was nothing available on the market that did a comparable job of work.

This book also does not repeat the history of BS 7799, the story of ISO 27001, the relationship between ISO 27001 and ISO 17799, or some of the more detailed structural issues of ISO 27001, all of which can be found in ISO 27001: a Pocket Guide. Nor does this book provide the sort of detailed, control-by-control project guidance that you will get from IT Governance: a Manager’s Guide to Data Security and BS7799/ISO17799. I recommend that you read and use both these books before and during your ISMS project.


Alan Calder
October 2005




Publisher’s Note: this is an excerpt from the introduction to Nine Steps to Success: an ISO 27001 Implementation Overview, published by IT Governance Publishing in October 2005, with ISBN 1-905356-10-2. The book itself can be ordered online at www.itgovernance.co.uk.

Friday, April 13, 2012

Four key benefits of ISO 27001 implementation

by Helvry Sinaga  |  in ISO 27001 at  5:15 AM

By Dejan Kosutic on July 21, 2010
Have you ever tried to convince your management to fund the implementation of information security? If you have, you probably know how it feels – they will ask you how much it costs, and if it sounds too expensive they will say no.
Actually, you shouldn’t blame them – after all, their ultimate responsibility is profitability of the company. That means, their every decision is based on the balance between investment and benefit, or to put it in management’s language – ROI (return on investment).
This means you have to do your homework first before trying to propose such an investment – think carefully how to present the benefits, using language the management will understand and will endorse.
I’ll try to help you – the benefits of information security, especially the implementation of ISO 27001 are numerous. But in my experience, the following four are the most important:
1. Compliance
It might seem odd to list this as the first benefit, but it often shows the quickest “return on investment” – if an organization must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO 27001 can bring in the methodology which enables it to do so in the most efficient way.
2. Marketing edge
In a market which is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO 27001 could indeed be a unique selling point, especially if you handle clients’ sensitive information.
3. Lowering the expenses
Information security is usually considered as a cost with no obvious financial gain. However, there is financial gain if you lower your expenses caused by incidents. You probably do have interruption in service, or occasional data leakage, or disgruntled employees. Or disgruntled former employees.
The truth is, there is still no methodology and/or technology to calculate how much money you could save if you prevented such incidents. But it always sounds good if you bring such cases to management’s attention.
4. Putting your business in order
This one is probably the most underrated – if you are a company which has been growing sharply for the last few years, you might experience problems like – who has to decide what, who is responsible for certain information assets, who has to authorize access to information systems etc.
ISO 27001 is particularly good at sorting these things out – it will force you to define very precisely both the responsibilities and duties, and therefore strengthen your internal organization.
To conclude – ISO 27001 could bring in many benefits besides being just another certificate on your wall. In most cases, if you present those benefits in a clear way, the management will start listening to you.

Thursday, April 12, 2012

How much does ISO 27001 implementation cost?

by Helvry Sinaga  |  in ISO 27001 at  3:59 AM

By Dejan Kosutic on February 08, 2011
This is usually one of the first questions I receive from the potential client. To their disappointment, I cannot give them the exact figure right away – here is why.
First of all, the total cost of implementation will depend on the size of your organization (or the size of the business unit(s) that will be included in the ISO 27001 scope), the level of criticality of information (for instance, information in banks is considered more critical and demands a higher level of protection), the technology the organization is using (for instance, the data centers tend to have higher costs because of their complex systems), and the legislation requirements (usually the financial and government sectors are heavily regulated with regards to information security).
Second, you won’t be able to calculate the exact costs before you know which level of protection you need – first you have to perform risk assessment, because such analysis will tell you which security measures are required.
When you know the results of risk assessment, you will have to take into account the following costs:

1. The cost of literature and training
Implementation of ISO 27001 requires changes in your organization, and requires new skills. You can prepare your employees by buying various books on the subject and/or sending them to courses (in-person or online) – the duration of these courses varies from 1 to 5 days (read How to learn about ISO 27001 and BS 25999-2).
And don’t forget to buy the ISO 27001 standard itself – too often I run across companies implementing the standard without actually seeing it.

2. The cost of external assistance
Unfortunately, training your employees is not enough. If you don’t have a project manager with deep experience in ISO 27001 implementation, you’ll need someone who does have such knowledge – you can either hire a consultant or get some online alternative (this is what we do at Information Security & Business Continuity Academy).
The greatest value of someone with experience helping you with this kind of project is that you won’t end up in dead end streets – spending months and months doing activities that are not really necessary or developing tons of documentation not required by the standard. And that really costs.
However, be careful here – do not expect the consultant to do the whole implementation for you – ISO 27001 can be implemented by your employees only.

3. The cost of technology
It might seem funny, but most companies I’ve worked with did not need a big investment in hardware, software or anything similar – all these things already existed. The biggest challenge was usually how to use existing technology in a more secure way.
However, you do need to plan such investment if it proves to be necessary.

4. The cost of employees’ time
The standard isn’t going to implement itself, nor can it be implemented by a consultant only (if you hire one). Your employees have to spend some time figuring out where the risks are, how to improve existing procedures and policies or implement new ones, and they have to take some time to train themselves for new responsibilities and to adapt to new rules.

5. The cost of certification
If you want to obtain public proof that you have complied with ISO 27001, the certification body will have to do a certification audit – the cost will depend on the number of man-days they will spend doing the job, ranging from under 10 man-days for smaller companies up to a few dozen man-days for larger organizations. The cost of a man-day depends on the local market.
You have to be very careful not to underestimate the true cost of an ISO 27001 project – if you do, your management will start looking at your project in a negative light. On the other hand, forecasting all costs correctly will show your level of professionalism; and don’t forget – you always have to present both the costs and the benefits – read Four key benefits of ISO 27001 implementation.
You can also check out our video tutorial How To Set Up ISO 27001 Project – Writing the Project Plan which explains how to plan the ISO 27001 project (commercially sold video).

Tuesday, April 10, 2012

Myths Surrounding ISO27001 Information Security

by Helvry Sinaga  |  in ISO 27001 at  11:21 PM

This week I am carrying the series of myths forward and this time surrounding Information Security (ISO27001).

1. Information Security is for big companies.
   False. Most small companies (and individuals) are targeted at some time.

2. My computer has virus control software so I am safe.
   False. Anti-virus software is only one area of protection.

3. I have turned off Microsoft Automatic Update to protect my computer.
   False. Auto-update delivers the security patches that help protect your computer.

4. I always tear up sensitive paper information before putting it in the dustbin to protect myself.
   False. Tearing up paper is never as secure as shredding.

5. Cutting a credit card in half makes it useless to a thief.
   False. Shred any credit cards you no longer need; a thief can copy the details and your signature from the halves.

6. Email is a secure method of communication.
   False. Unless you encrypt your email, it is visible to anyone who handles it along the way.

7. I can't remember complex passwords so I use my dog's name, but that is secure.
   False. An attacker will run a dictionary attack, which finds easy passwords like this almost immediately.

8. My company insists on 8-digit passwords so I have to write them down, but this is safe.
   False. Writing down passwords is a bad idea and full of risk.

9. In my company we all share a generic password, but this is secure.
   False. If there is a problem with a shared password, it is almost impossible to find out who is responsible.

10. When we get new computers we always format the old hard disks to ensure they cannot be hacked.
    False. A format normally rewrites only the filesystem's bookkeeping; the data itself stays on the disk and can be recovered, sometimes simply by un-formatting. Hard disks should be physically destroyed.
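Myth 7 above deserves a concrete illustration. The block below is an added example written for this post, not code from the original series. It hashes two passwords with salted PBKDF2 (standing in for whatever a real password store uses; the salt, the tiny wordlist and the mangling rules are all constructed for the demo) and then runs the kind of dictionary attack an attacker would run: every wordlist entry is tried with the usual capitalisation and suffix variants. The dog's name with a year appended falls within a dozen guesses; a long random passphrase is never found because it is in no wordlist.

```python
import hashlib

# Constructed mini-wordlist standing in for the pet-name and common-word lists
# that cracking tools ship with.
WORDLIST = ["rex", "max", "bella", "buddy", "password", "welcome", "summer", "charlie"]

# Cheap mangling rules: case variants plus the usual trailing digits, year or symbol.
SUFFIXES = ["", "1", "123", "!", "2012", "1!"]

# Kept low so the demo runs quickly; a real password store uses a far higher count.
ITERATIONS = 1_000
SALT = b"constructed-salt"  # assumed per-user salt, fixed here so runs are reproducible


def mangle(word):
    """Yield the candidates a cracker derives from one dictionary word."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def hash_password(password, salt=SALT, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, standing in for the real password store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def dictionary_attack(target_hash, salt=SALT, wordlist=WORDLIST):
    """Try every mangled candidate in order; return (password_or_None, guesses_made)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if hash_password(candidate, salt) == target_hash:
                return candidate, guesses
    return None, guesses


def demo():
    """Crack the dog's-name password, fail on a random passphrase; return both outcomes."""
    results = {}
    for password in ("Rex2012", "plum-violet-kettle-42-orbit"):
        found, guesses = dictionary_attack(hash_password(password))
        results[password] = (found, guesses)
    return results


if __name__ == "__main__":
    for pw, (found, guesses) in demo().items():
        status = "cracked" if found else "not found"
        print(f"{pw!r}: {status} after {guesses} guesses")
```

The point is not the hash function: the salt and the slow KDF are doing their job, but a password that lives in a wordlist is still found after a handful of candidates. Real attackers use wordlists of millions of entries and hundreds of mangling rules, so "Rex2012" is no better than "rex".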
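Myth 10 is the one most people find hard to believe, so here is an added example (written for this post, not part of the original series) that shows why a format does not remove data. It builds a toy disk image in memory with a constructed layout: a directory sector that records a file's name, offset and length, and the file's bytes further along. A "quick format" blanks the directory and nothing else, which is what most format operations do; the file is then invisible to anything that trusts the directory, but a signature-based carver that scans the raw bytes for a PDF header and trailer recovers it intact. Only overwriting every sector makes the carver come back empty.

```python
import re

SECTOR = 512
DATA_START = 8 * SECTOR  # constructed layout: directory in the first sectors, data after


def make_image(size=64 * SECTOR):
    """Constructed toy disk: one directory entry pointing at one file's data."""
    img = bytearray(size)
    payload = (b"%PDF-1.4\n"
               b"% constructed sample: customer list, account numbers 1234-5678\n"
               b"%%EOF")
    entry = b"customers.pdf|%d|%d" % (DATA_START, len(payload))
    img[0:len(entry)] = entry
    img[DATA_START:DATA_START + len(payload)] = payload
    return img


def list_directory(img):
    """What a normal file listing sees: parse the toy directory sector."""
    raw = bytes(img[0:SECTOR]).rstrip(b"\x00")
    if not raw:
        return []
    name, offset, length = raw.split(b"|")
    return [(name.decode(), int(offset), int(length))]


def quick_format(img):
    """A typical format: rewrite the metadata area only; file contents are untouched."""
    img[0:DATA_START] = bytes(DATA_START)
    return img


def secure_wipe(img):
    """Overwrite every byte of the device. Zeros here for reproducibility; random
    data or multiple passes are also common, but any full overwrite defeats carving."""
    img[:] = bytes(len(img))
    return img


# Signature carving: a PDF starts with "%PDF-x.y" and ends with "%%EOF".
PDF_RE = re.compile(rb"%PDF-\d\.\d.*?%%EOF", re.DOTALL)


def carve_pdfs(img):
    """Ignore the directory entirely and scan the raw bytes for header..trailer pairs."""
    return [m.group(0) for m in PDF_RE.finditer(bytes(img))]


if __name__ == "__main__":
    disk = make_image()
    print("before format:", list_directory(disk), len(carve_pdfs(disk)), "carved")
    quick_format(disk)
    print("after format: ", list_directory(disk), len(carve_pdfs(disk)), "carved")
    print("carved bytes: ", carve_pdfs(disk)[0][:40], b"...")
    secure_wipe(disk)
    print("after wipe:   ", list_directory(disk), len(carve_pdfs(disk)), "carved")
```

Real filesystems are more complex than the toy directory, but the principle is the same: the format rewrites the allocation structures, and forensic tools carve file contents from unallocated space by exactly this kind of signature scan. The check before disposing of a disk is therefore not "does it look empty" but "has every sector been overwritten or the media destroyed".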

Sunday, April 1, 2012

The Nature and Disclosure of Fees Paid to Auditors

by Helvry Sinaga  |  in Sarbanes Oxley at  8:03 PM
An Analysis Before and After the Sarbanes-Oxley Act

By Ariel Markelevich, Charles A. Barragato, and Rani Hoitash

NOVEMBER 2005, SPECIAL ISSUE - The issues surrounding auditor independence and investor confidence in the financial statements of public companies have been widely debated. Much of the discussion has been fueled by the dramatic changes in the accounting profession since the 1990s. Many accounting firms (including some of the largest in the world) merged and transformed themselves into multispecialty organizations.
In the wake of accounting firms’ transformation, regulators became increasingly concerned about the interplay between auditor independence and the provision of nonaudit services (NAS) to audit clients. In his highly publicized testimony before the U.S. Senate on September 28, 2000, then–SEC chairman Arthur Levitt expressed his concern that “as auditing becomes an ever-smaller portion of a firm’s business with an audit client, it becomes harder to assume that the auditor will challenge management when he or she should, if to do so might jeopardize a lucrative consulting contract for the auditor’s firm.” This view, coupled with Enron’s failure, WorldCom’s malfeasance, and the collapse of Arthur Andersen, led to the eventual passage of the Sarbanes-Oxley Act of 2002 (SOA).

The analysis that follows focuses on the market for audit and nonaudit services by examining fees paid to auditors during the period 2000 to 2003. This timeframe is of particular interest because this period saw sweeping changes in auditors’ business, regulatory, and professional environment.

Regulatory Background
In recent years, the SEC and Congress have promulgated a variety of rules that are grounded in the notion that auditor independence is vital to the production of high-quality audits and that fees paid to auditors for both audit and nonaudit services may impair such independence. In November 2000, the SEC issued a directive requiring public companies to disclose audit and audit-related fees paid to their outside auditors. These disclosure rules became effective for proxy statements filed after February 5, 2001 (SEC Final Rule S7-13-00). Following SOA, the SEC expanded (and in some instances redefined) these disclosure requirements, and now requires that fees paid to auditors be broken down into the following categories: 1) audit fees; 2) audit-related fees; 3) tax fees; and 4) all other fees. One of the more significant changes under the expanded guidelines is a change in how audit fees are defined. The initial rule adopted by the SEC (for proxies filed in 2000) required that companies disclose fees paid for audits and quarterly reviews in the “audit fees” category. The expanded rule requires companies to include any fees for services performed to fulfill the accountant’s responsibility under GAAS. Additionally, audit firms are now prohibited from providing such services as financial information system implementation and design, internal auditing, and a number of other services.

Data and Results
The study comprised a sample consisting of 2,507 public companies that have disclosed audit fee information from 2000 to 2003, as reported in the Standard & Poor’s Audit Fee Database. Starting in 2003, companies were required to report fees paid to their auditors under the new disclosure rule. The new rule also mandated that companies present their fiscal 2002 fees under the new rule for comparison purposes. Consequently, the sample consists of fees reported under the old rules for 2000 and 2001, and fees reported under the new rule for 2002 and 2003. The descriptive statistics for the additional fee categories are limited to 2002 and 2003.

Analysis
Exhibit 1 presents the full sample descriptive statistics for fees paid for audit and nonaudit services during the period under study. For ease of exposition, and to mitigate the impact of extreme observations, the discussion focuses on median fees (illustrated in Figure 1).
As noted in Exhibit 1, total fees increased from $602,369 in 2000 to $683,618 in 2003, an increase of roughly 13%. In contrast to the changes in the definition of audit fees and nonaudit fees (as described above), the definition of total fees remained consistent over time. Some critics contend that large fees paid to auditors make auditors more economically dependent on their clients, possibly creating a relationship in which the auditor becomes reluctant to make appropriate inquiries during the audit for fear of losing highly profitable fees. Overall, there has been a slight increase in total fees from 2000 to 2003. Such a modest change in total fees over the sample period makes it difficult to make reasonable inferences concerning the assertion that auditors can become economically dependent upon clients, or how SOA may have affected this.

Audit fees increased almost 80%, from $239,000 in 2000 to $430,000 in 2003. This increase is substantial and is likely attributable to a number of factors, including: 1) increased risk of litigation; 2) changes in the scope and complexity of audit engagements; 3) transition from the Big Five to the Big Four marketplace (the demise of Arthur Andersen); 4) reactions to new regulatory restrictions forbidding auditors from rendering certain nonaudit services; and 5) the changing definition of the audit fees category (the revised SEC disclosure requirement). Additional analyses address the potential impact of the new definition of audit fees; because fees paid by companies in 2002 were reported under both the old and new rules, there is a unique opportunity to study the effects of this reclassification. As a result of the reclassification, median audit fees increased by about 10%, while nonaudit fees decreased by a similar amount. This suggests that any change above 10% results from actual variations in the services provided by auditors (or the fees charged), rather than from the change in classification.

The median fees paid for nonaudit services declined from $312,741 in 2000 to $211,200 in 2003, a decline of 32%. In 2003, nonaudit services accounted for roughly 31% of total fees, compared to almost 52% in 2000. If the relation between auditor independence and the provision of nonaudit services to audit clients is problematic, as the SEC and Congress have argued, then the reduction in the ratio of nonaudit services to total fees should help limit auditor-independence violations.

Tax fees represent the largest category of the nonaudit fee composite. Median tax fees declined by 8%, from $102,000 in 2002 to $93,448 in 2003. Median audit-related fees increased 26% over the same period, from $40,140 in 2002 to $50,500 in 2003.

Analysis by Audit Firm Size
Category 1 includes only the Big Five (Arthur Andersen, Deloitte, Ernst & Young, KPMG, and PwC), category 2 consists of the two largest second-tier firms (BDO Seidman and Grant Thornton), and category 3 contains all other auditing firms.
Descriptive statistics for fees paid to the Big Five are presented in Exhibit 2A. Total fees behavior is similar to that in Exhibit 1 for the whole sample. Median total fees increased by 20%, from $678,000 to $812,000, during the same period. Median audit fees grew substantially, from $264,000 in 2000 to $503,000 in 2003, roughly 91%. Correspondingly, median nonaudit fees decreased approximately 27%, from $364,550 in 2000 to $266,348 in 2003.

Exhibit 2B presents the results for category 2, second-tier firms. The median total fees increased by 33%, from $218,713 in 2000 to $291,450 in 2003. Median audit fees increased from $138,950 in 2000 to $197,900 in 2003, roughly 42%. Median nonaudit fees decreased by 19%, from $80,674 in 2000 to $65,350 in 2003.

Results for the third group, small audit firms, are presented in Exhibit 2C. Median total fees increased from $298,207 in 2000 to $308,919 in 2003, an increase of 4%. Consistent with the trend in the previous two categories, median audit fees increased by roughly 40%, from $149,875 in 2000 to $210,488 in 2003, while median nonaudit fees decreased by 17%, from $114,000 in 2000 to $95,138 in 2003.

Changes in Market Share
Exhibit 3 presents market share data by audit firm category in terms of the total fees received by audit firms and the total number of clients they serve.
Although there is little change in the percentage of total fees received by each of the three auditor groups from 2000 to 2003, it is interesting that the Big Five collected just under 92% of the fees in both years. With respect to changes in the aggregated fees between 2000 and 2003, second-tier firms increased collections from their audit clients by just over 44%. Conversely, the Big Five firms and small firms experienced a decline in total collections of roughly 13%.

The Big Five lost 86 clients (a 4% decrease) to the second-tier (36 clients, a 58% increase) and small firm groups (50 clients, a 15% increase). These results suggest that although both the second-tier and small firms gained clients, the majority of Arthur Andersen’s clients were retained by the remaining Big Four.

Implications
Audit fees increased substantially between 2000 and 2003, with the Big Five experiencing the greatest percentage increase, accompanied by a large decline in nonaudit fees for firms of all sizes. These results are not caused by the changes in the definitions of audit and nonaudit fee classifications but rather by changes in the services provided by auditors, or the fees charged for those services. The net effect of these changes may appear relatively modest given that several of the Big Five spun off their consulting practices during or just prior to the period in question and that SOA now limits the types of consulting services that can be offered to audit clients.

Small audit firms appear to have been more negatively affected during the study period, as evidenced by their relatively flat total fees from 2000 to 2003, as compared to a 20% and 33% increase for Big Five and second-tier firms, respectively. Using total fees as a barometer, second-tier firms experienced a substantial increase in market share from 2000 to 2003, with both the Big Five and small firms giving up ground.

Although the full regulatory impact of SOA remains to be seen, to the extent that Congress and the SEC are correct that the relation between auditor independence and the provision of nonaudit services to audit clients is problematic, then the expanded fee disclosures and restrictions on consulting services should reduce auditor-independence violations. On the other hand, if auditor-independence violations stem more from auditors’ dependency on the total fees received from audit clients, then the relatively small reduction in total fees documented from 2000 to 2003 may require refocusing on other aspects of the auditor-independence issue.

Ariel Markelevich, PhD, is an assistant professor at Long Island University–C.W. Post Campus, Brookville, N.Y.
Charles A. Barragato, PhD, CPA, CFE, is a professor at Long Island University–C.W. Post Campus.
Rani Hoitash, PhD, is an assistant professor at the Sawyer School of Management, Suffolk University, Boston, Mass.




