I tell you many things on this blog. Where do I find them and where does my competence come from?
It’s an excellent question, and I’m answering it today.
I take this opportunity to review some of the published documents and to give you a glimpse of what is coming next.
This article mainly concerns enterprises, whatever their size and purpose. Not-for-profit organizations are concerned as well. All of us should, however, know that these standards exist… they may inspire us.
Even if the details of these standards go beyond what everyone needs for their own security actions, their principles remain valid.
An ISMS is a coherent set of activities aimed at protecting information and its processing (mainly on computers) in an adequate fashion, continually and permanently.
The ISO/IEC 27001 standard (published in 2013) clearly defines this ISMS. A similar standard exists for quality processes and is probably better known: ISO 9001.
What does this standard contain?
The requirements of the standard cover all the activities needed to implement an ISMS and keep it alive. Inside, you’ll find everything I have been telling you for about a year and a half:
- a study of the internal and external contexts (clause 4)
- the commitment and leadership of the direction (clause 5)
- a risk assessment and a risk treatment (clause 6)
- the support to the operation of the ISMS: resources, competences, awareness and documentation (clause 7)
- the permanent operation of the ISMS (clause 8)
- the performance evaluation (clause 9)
You must justify the selection and the rejection of the controls found in Annex A (this justification is called the “Statement of Applicability”, or SoA), along with any control you select from another source (I’ll come back to this in another article).
What does the standard ISO 27001 bring?
The main contribution is a coherent structure that makes it possible to actually maintain the newly achieved security status, as long as the willingness and the effort are sustained.
The newly imposed structure is identical for all management systems (quality, environment, etc.), which allows them to be harmonized and implemented in a coordinated way, using the resources already in place.
A certification audit is performed against the requirements of the standard.
The most important thing is to build something solid that will last: the initial effort is repaid by a regular control and evaluation activity.
Certification has a significant cost, covering the implementation (preferably with assistance) and the audit. If the certificate can bring you a real return on investment and create trust among your partners and customers, don’t hesitate.
The certificate is valid for 3 years. It represents a snapshot of your situation at the moment the auditor comes. It provides no guarantee if the effort is not sustained.
The ISO 27001 standard would be of little use without the series of other standards attached to it. I’ll simply list the most useful ones.
ISO/IEC 27002 is the “Code of practice for information security controls” that explains each of the controls found in Annex A of 27001. It is the regularly updated descendant of the original published in England in 1995 (the ‘famous’ BS 7799).
It contains a list of 136 controls structured in 15 chapters covering the 8 security domains. For each, the standard describes the objectives and the implementation guidelines.
ISO/IEC 27003 contains guidelines to implement the ISMS. It explains what it means to be compliant with the requirements and what should be done to get there. Its publication is expected by the end of 2016.
ISO/IEC 27004 explains how to measure and improve the performance of the ISMS (referring to clause 9). Its publication is also expected by the end of 2016.
ISO/IEC 27005 describes in detail the information security risk management process, the different approaches to assessing risks and the options for treating them.
The current version is under revision to align its concepts and terminology with the new version of 27001 and should be published in 2017.
It’s my favourite domain of activity and I’m co-editor of this standard.
ISO/IEC 27008 is a manual aimed at evaluating and auditing the 27002 controls. It allows you to see whether your controls are, at least, correctly implemented.
For those who want to go further, ISO/IEC 27014 presents, in SIX pages, the recommendations for the board of trustees (the highest management level of the organization) to ‘govern’ information security.
How do you get them?
These standards, available in English and in French for most of them, aren’t free. Their price varies between 58 and 178 CHF (55 and 170 €).
You can buy them directly on the ISO website, or from your national standardization organization (NBN in Belgium, AFNOR in France).
Do you know of other references? Would you like me to present them to you?
See you soon, more secure with your information