ISO 27001 Certification

ISO 27001 Certification, Is It Really Worth It?

For the last decade, ISO 27001 certification has been the de facto standard for security programs across the globe. The only problem is, few organisations can be bothered with it. In the years of its existence, I have been asked about implementing a total of twice.

Why?

The reasons are numerous, and vary from organisation to organisation. However, they most often fall within these categories. The client has:

  1. never actually heard of it;
  2. doesn’t care about cybersecurity;
  3. thinks it’s too difficult;
  4. thinks it’s too expensive; and
  5. cannot see a return on investment (ROI).

But the biggest reason I have not been involved in ISO that much?… The Payment Card Industry Data Security Standard (PCI DSS). Which coincidentally, began at almost the same time.

All by itself, PCI has sucked the security budgets out of enough organisations that there was little left for anything else. And if I’m honest, because of PCI, I haven’t had to go looking for any other work.

Think about that for just a minute…

A very basic, controls-only standard, related to a single form of data, that’s not even a law has driven enough business my way that I have not had to worry about diversifying.

And frankly, I still don’t, but with what’s going on here in the EU, we are all going to need something better. From the General Data Protection Regulation (GDPR) to the Payment Services Directive (PSD2), the regulatory landscape is finally making real security a necessity.

It follows therefore that organisations will begin looking to ISO for options.

And that’s really the point, can the ISO standards actually help, or is the 2700X series just a bunch of meaningless paperwork? At first glance, it certainly looks that way, and few organisations choose to go any further. And the ones that do, get so lost in the paperwork that they forget why they are doing it. It’s only when the framework is fully customised and implemented, that you see its true and significant benefits.

However, before you look to ISO, you absolutely MUST do your homework! You have to know exactly what an Information Security Management System (ISMS) is, why you’re doing it, and how you’re going to keep it going. If you can’t answer those questions, don’t start, because you will never cross the finish line.

The biggest killers of ISO certification projects, are, in this order:

  1. Grossly underestimating the level of effort;
  2. Doing it just to land a big contract (or for marketing purposes);
  3. Tying the certification to an overly aggressive deadline;
  4. Ignoring the expert help; and
  5. Having no business goals in mind.

These are usually exacerbated by not getting senior leadership support, and then failing to tailor ISO to your needs. So what organisations end up with 99 times out of 100 is a stalled project and an external consultant taking all the blame.

ISO 27001 certification is bloody difficult…

…just accept that from the beginning. It requires commitment from every aspect of your organisation, and will only be effective if you enable the culture shift necessary to embrace it properly.

Strangely enough though, it actually looks fairly simple, as the ISO 27001 standard itself is only 30-odd pages long and only 114 controls. However, for every 1 of those controls, there are an average of 4 additional aspect to consider from the NINETY-odd page ISO 27002. Then, if that’s not enough, you must show some kind of evidence that you actually doing what you say you are!

For example, the very first ISO 27001 control is “A.5.1.1 – Policies for information security – A set of policies for information security shall be defined and approved“. Sounds simple enough until you realise that there are a minimum of 19 suggested ‘Implementation Guidance’ factors behind it.

From requiring that Information Security Policies address; “business strategy” and “regulation, legislation and contract“, to the suggested ‘examples’ of “policy topics”, A.5.1.1 becomes a project all by itself. Then, assuming you get all this paperwork together, you have to ensure that the policies are; “communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to the intended reader, e.g. in the context of an “information security awareness, education and training programme” (see 7.2.2).” Finally, you then need to provide some ‘record’ that this is all implemented , or that you have a risk treatment plan in place that shows you’re going to get it implemented …how …and when.

There are 114 of these, and even if you decide a few of them are not relevant to you, you must fully justify their EXclusion.

Not trying to put you off, the implementation of an appropriate ISMS is one of the best things you can do for your business as a whole. Just make sure you start out the project for the right reasons, with the right support, and the right goals in mind. And for GOD’S sake, get an expert in for a day FIRST to show all major stakeholders what to expect BEFORE you commit to the full project!

I see ISO 27001 certification becoming a must-have for almost any business, but only if it’s done properly.

[If you liked this article, please share! Want more like it, subscribe!]

Plan > Do > Check > Act

Security Core Concept 3: Security Management Systems

If Governance (Core Concept 4) is the most ‘diversely interpreted’ of the 6 Core Concepts, Information Security Management Systems (ISMS) is the most widely MIS-interpreted and mis-understood.

As the de facto standard for ‘security frameworks’ , ISO 27001 is designed to; “…provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS.”. Or more simply; It’s how you keep your security program in place, relevant, and appropriate to your business.

ISMS can be summarised by the old ‘Plan > Do > Check > Act (PDCA)’ cycle:

Risk_Management_Elements

  • The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls;
  • The Do phase involves implementing and operating the controls;
  • The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS;
  • In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

We already covered the Plan in Core Concept 1, and Do in Core Concept 2, so this; Core Concept 3, is a continuation of the security life cycle development.

With reference to a misquoted cliché; “You can’t manage what you can’t measure.”, the Check phase is designed to ensure that the controls you put in place to mitigate the risks detailed in the Risk Assessment (RA), are actually working. For example; your RA calls for segmentation between trusted and untrusted segments. Are the rules now in place to effect the segmentation? Is there any negative impact on performance? Are the firewall logs part of the established monitoring processes? Is the asset management system updated with all relevant detail? And so on…

If the answer to all of your success metrics above is positive, you must prepare to perform the cycle all over again at a time specified by your Governance Committee (usually annually at the very least). If the answer is no to ANY of the agreed metrics, you must go back and determine if the impact of the short-fall is sufficiently material to warrant major adjustment; e.g. fix it NOW, or no action at this time, or anything in between. This is the Act part of the ISMS.

As you can see, this is not actually that complicated. ‘ISO certification’ would be relatively easy if you were performing the first 3 Core Concepts correctly. However, because you can perform ISO certification of any aspect of your business, it is fairly meaningless unless you cover your entire infrastructure. Basically, unless you have a real business need to be ISO ‘certified’, don’t bother, just follow the Core Concepts.

While this Core Concept would SEEM to be the easiest (after all, it’s just determining if something is working or not), it’s the one that gets most ignored. It seems that most organisations lose interest after ‘fixing the problem’, so the additional expense of seeing if the controls actually worked gets put on hold. That ‘hold’ turns into forever, and continuous improvement is nothing more than a pipe-dream.

This is almost the same as doing nothing at all. Because not only do you not know if you are more secure than before, even if you WERE for while, you would soon fall back into your old ways. The entire investment is lost. In fact, it’s worse, because now you’ve wasted all that time and money as well.

Ensuring your ISMS is maintained is a critical function of the Governance Committee, along with Change Control, so we’ll tackle that in the next blog in the series; Security Core Concept 4: Governance & Change Control.

ISMS is where the rubber meets the road in terms of your corporate policies, standards, and procedures. These are the true baseline from which to measure the success of your security program. This is why they are one of The 4 Foundations of Security, and must receive the attention they deserve.

[If you liked this article, please share! Want more like it, subscribe!]