Home Resources Blog August 2016

Dispelling the Myths of ISO 27001

18 August 2016
The information below will help to dispel the myths of ISO 27001, provide tips on making a business case for implementing an Information Security Management System (ISMS).

The common misconception about BS ISO/IEC 27001:2013 (ISO 27001) is that it is a standard focused on the IT function of an organisation. 

Another myth, is that Information Security is just about preventing lost/stolen data, when in fact the three main principles of ISO 27001 are confidentiality, integrity and availability (CIA) of both vital corporate and customer information. 

The information below will help to dispel the myths of ISO 27001, provide tips on making a business case for implementing an Information Security Management System (ISMS), combined with sharing experience of working with organisations of all sizes, cultures and sectors.  It also explains Blackmores’ 10 steps to implementing ISO 27001.

Protecting your assets

Information is an asset that, like other important business assets, is essential to an organisation’s business and consequently it needs to be suitably protected.  Both physical security and personnel security controls need to be put in place, not just IT security controls.  Examples of non IT related controls include:

  • Review of suppliers and third parties with access to information assets to ensure confidentiality has been included in contracts/agreements, and/or Non-disclosure Agreements (NDA) have been signed.
  • Introducing a process for screening new staff, and a leavers process to ensure personnel security controls are in place to prevent valuable assets i.e. list of clients from being stolen.
  • Attention to maintaining physical security of the building and secure areas.
  • Consideration for a ‘Clear Desk’ policy for confidential documents (out of office hours).
  • Consideration of expanding the current Business Continuity Plan to include continuity scenarios that are not solely related to DR/ relocation of premises (e.g. loss of key suppliers/clients, significant information leakage/security incident etc.).

Many organisations are pushing security controls down their supply chain to prevent a weak link that could jeopardise the safe handling of valuable client data and products.  It is simply not good enough to pay lip service to an Information Security Policy (as some organisations have done in the past), and as a result, stakeholders have come to demand robust controls to protect their data and information assets throughout the entire business operations.

What is Information Security?

Information Security is the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities.

Information can be printed or written on paper, stored electronically, transmitted by mail and electronic means, or spoken in conversation.  In today's competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental, or malicious. With the increased use of new technology to store, transmit, and retrieve information, we have all opened ourselves up to increased numbers and types of threats.

What is an Information Security Management System?

Information security is achieved by implementing a suitable set of controls including policies, procedures, and software/hardware functions. These controls need to be established, implemented, monitored, reviewed, and improved where necessary to ensure that your organisation’s risks are reduced and business objectives are met. This should be done in conjunction with other business management processes and standards i.e. ISO 9001.

ISO 27001 benefits – Making a case

We all know that it is not a case of ‘if’ your organisation will be affected by a security breach, it is only a question of ‘when’.  However, if this isn’t a strong enough business case for the board, then there are many other commercial benefits to be derived from having a certified ISMS in place, including:

Credibility, trust and confidence
Customers can feel confident of your commitment to keeping their information safe.

Cost Savings
The cost of a single information security breach can often be in excess of £100,000. Registration reduces the risk of such cost being incurred.  Reducing your organisation’s risk could also lead to a reduction in insurance costs.

Compliance
There are a growing number of laws relating to the (mis)use of information. Registration helps to show the authorities that you comply with all the relevant laws and regulations.

Commitment
Registration helps to ensure and demonstrate commitment at all levels of the company.

Minimises risk
To minimise business damage by preventing and minimising the impact of security incidents, and to maximise business investments and opportunities. 

Leading edge 
Your organisation will be able to demonstrate its commitment to information security to stakeholders which will help to retain your existing clients and win new business.

Blackmores’ 10 steps to implementing ISO 27001

1. Conduct a Gap Analysis and define the scope of your ISMS
Identify the strengths and weaknesses of your current operations in order to identify implementation requirements, timescales and the resources required.  It is important to be realistic when defining the scope of certification.  The scope can be defined by sites, functions, products and services.

2. Establish your Information Security Team (IST)
The IST should ideally include a representative from business functions such as IT, HR, Facilities/Office Management and Contracts/Finance.  These representatives will understand where the weak spots are i.e. lack of back-ups, security awareness training, NDA’s, and will be an integral part of the development of your ISMS.  They will also act as your security ‘eyes and ears’ when it comes to communicating and complying with the ISMS.  The IST should be empowered the take responsibility of their own functions within the business which is critical to the success of the project. 

3. Establish timescales and arrange your ISO 27001 Assessment
Your assessment date will give you a target, and as such your project plan should work backwards from this date.  Allow a minimum of six months from the Gap Analysis to the assessment. Typically, an SME should allow three months for the creation and implementation of the ISMS, and three months for employees to use the system and gather evidence of conformity to the standard’s requirements.  Larger organisations may take twelve months to be fully compliant to ISO 27001 if multiple sites are involved.

It is recommended that a UKAS accredited certification body i.e. NQA are used for the formal certification of the system. Your Certification Body should be engaged at the earliest opportunity to ensure availability of external assessors to achieve the preferred timescales for certification.

4. Conduct a Risk Assessment
The Risk Assessment acts as the catalyst to identifying the risks, threats and current controls within your business. This then leads you to reviewing the controls in ‘Annex A’ of the Standard so that you can link your risks with these controls i.e. encryption of data, clear desk policy, password management. 

Throughout the duration of the project, the Risk Assessment will be a ‘live’ document that you will update as controls are implemented and risks are mitigated.  Thus, by the time of your assessment the overall ‘risk rating’ (level of risk your company is exposed to) in theory will have reduced significantly.

Your risk assessment methodology should typically include:

  • Develop criteria for accepting risks and identify acceptable levels of risk.
  • Identity the assets within the scope of the ISMS and the owners of these assets.
  • Identify the threats to those assets.
  • Identify the vulnerabilities that might be exploited by the threats
  • Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
  • Assess the business impacts upon the company that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.
  • Assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, and impacts associated with these assets, and the controls currently implemented.
  • Estimate the levels of risk.
  • Determine whether the risks are acceptable or require treatment using the criteria for accepting risks that has been establish.

5. Creation of the Statement of Applicability

Prepare a Statement of Applicability to include:

  • The control objectives and controls selected (form ‘Annex A’ in ISO 27001) and the reasons for their selection.
  • The exclusion of any controls and the justification for their exclusion.

6. Creation of the Information Security Policy and objectives
Now that the risks and controls have been identified, it is important that the Information Policy reflects the level of commitment from the leadership i.e. CEO, to internal and external stakeholders.  The policy statement only needs to be one A4 page and can be printed and displayed for all visitors and employees to view.

The objectives should be part of the organisation’s overall business strategy. Approximately six key objectives are recommended to further improve information security over the next 1 – 3 years.  An assessor will expect these objectives to be SMART – Specific, Measurable, Achievable, Realistic and Time-bound.

The objectives should also take into consideration the context of the organisation by reviewing the company’s internal and external issues, alongside the risks and opportunities associated with its interested parties.

7. Creation of ISMS documents
This includes any additional operational controls i.e. HR, building, supply chain and IT, together with documents such as the Access Control Policy.  A legal register is not stipulated as a requirement in ISO 27001:2013, however it is good practice to identify all the applicable statutory, regulatory and contractual requirements associated with Information Security, and a Legal Register is a useful repository to capture and monitor compliance with these requirements.

8. ISMS Approval and launch
The IST and company Leadership Team need to review the ISMS and verify that they are happy with the content prior to the ISMS being launched company-wide.  The ISMS can be made available on your company server, WIKI, intranet, SharePoint or even as a hard copy manual.  The communication of ISMS’s vary from company to company, however ensuring that all employees have access to the relevant information is vital.

All employees need to be made aware if the ISMS and the controls that are relevant to them in the workplace i.e. how to report a security incident, information classification, password management and visitor access. This can be achieved through internal training on the ISMS.  Remember to update training records to demonstrate to your assessor that employees have attended this training.

9. ISMS Compliance
Now that the ISMS has been communicated, the company needs to verify that the system is effective.  Otherwise, it has all been a waste of time.  Employee engagement and understanding is essential, therefore the ISMS needs to made accessible and simple to use.

To verify compliance, you need to create an Audit Plan that will cover all elements of ISO 27001 and conduct scheduled internal audits.  It is a UKAS requirement that the system has been in place for three months, so your internal audits should ideally be spread over this period.

The ISMS is of course still in its infancy, so inevitably further opportunities for improvement are likely to be identified.  This simply demonstrates that you have a system in place for continual improvement.

10. ISMS Management Review
The final stage is to chair a Management Review Meeting with the IST/Leadership Team.  The purpose of this meeting is to review the effectiveness of the ISMS to date prior to the external assessment i.e. status of security incidents, objectives, changes to the ISMS.  Thus, giving the IST time to deal with any outstanding matters leading up to the assessment.

This article has been authored by Melanie Blackmore at Blackmores (UK) Ltd for use on the NQA Certification Ltd website. Blackmore (UK) Ltd is listed as a trusted and valued consultancy organization on NQA’s Associate Consultant Register. To find out more please click here.