There is a belief that you have to have superior security to be ISO 27001 certified. That is not what it is all about. Certain methods and processes do indeed have to be in place to ensure you have effective security, and to ensure that management is aware of, and held accountable for, all shortcomings. But this does not mean superior security. In fact the emphasis on security is secondary to the processes you have in place, processes which ensure that you know the security requirements and the current security situation in the organization.
Security experts often make a mistake in engaging to provide ISO 27001 consulting. Security experts are quite rightly very expensive, and very good at security. However, ISO 27001 is about processes and management systems, not the technical aspects of security. In practice, your in-house security and IT personnel are often all the expertise you need from a security point of view. Not only are security experts very expensive, but they usually have very limited experience of ISO management systems, and even if they have “done this a few times” they are not management system experts and are not likely to provide an ideal solution. A costly mistake.
The ISO 27001 Standard
ISO 27001 is a management system standard. It requires you to set up a system in your organization for managing security. In itself it does not require any particular security measure to be applied. Management can absolutely accept their current security position without buying any new equipment or adopting any new processes. Instead it requires systems to ensure that security issues and risks are identified and treated to an acceptable level of risk, a level that you decide. It requires the system to be comprehensive and to address all areas of the organization. It requires specific systems for identifying, reporting and managing security events and incidents, and also for defining, planning, testing and managing appropriate mitigation and continuity strategies so that the organization’s business continues in a secure manner. It requires appropriate communication and appropriate attention to legal and regulatory requirements.
All in all it is a defined, effective and repeatable process and system, integrated into the established business management system, that ensures security is addressed to an appropriate level and that management is aware of it and accountable for it.
ISO 27002 – a different ISO
Unlike many other ISO standards, ISO 27001 is accompanied by ISO 27002, which provides guidance on specific security topics. ISO 27002 provides a comprehensive checklist of security controls that “may” be applied. The organization is asked to review the list, determine the applicability of each control and decide, considering any security risks that have been identified, whether any actions are necessary.
Although ISO 27002 itself is not mandatory, the same set of controls appears in Annex A of ISO 27001, and some of them overlap with requirements in the main body of 27001, which makes those effectively mandatory. Training and awareness and management of security incidents are examples of where the organization will need to apply the controls. Management of information security in the development of software will only be applicable if you develop software. The standard states that the list may not be complete and that you may identify other controls that are relevant. However, it is very comprehensive and a great starting point for a thorough review of security in the organization. In practice this is where you have a possible need for security expertise. Again, the probability is that your in-house IT professionals have enough understanding of the situation to determine the applicability of the controls and to appropriately define the level of, and treatment for, current risks.
ISO 27001 requires you to think about your assets and what security issues might affect them (risks). ISO 27002 includes a comprehensive list of security controls that organizations might consider applying. Together they ensure a thorough review of security.