control, and governance
Key Strategies for Implementing ISO 27001
Implementing ISO 27001 can be an arduous task. Determining the scope of implementation, as well as the time and effort required for implementation to occur, can help organizations design a more effective IT compliance process.
Chief Technology Officer
Network Intelligence India Pvt. Ltd.
Network Intelligence India Pvt. Ltd.
In 1995, the British Standard Institute (BSI) published British Standard (BS) 7799, a widely adopted set of best practices that help organizations implement effective information security management systems (ISMSs) and establish security controls for specific business areas. In October 2005, the standard was adopted by the International Organization for Standardization (ISO). As a result, implementing BS 7799 — now ISO 27001: 2005 — has become a major focus of attention for European-based companies and those working in the region.
Depending on the organization's size, the nature of its business, and the maturity of its processes, implementing ISO 27001 can involve a substantial investment of resources that requires the commitment of senior management. In addition, because of its emphasis on data security, many internal auditors perceive the standard to be focused solely on technology and often recommend that IT departments comply with the standard's requirements without understanding the amount of time and resources required for compliance. To ensure across-the-board acceptance and success, initial analyses and planning are vital. Because internal auditors are in the perfect position to add value to an organization's IT processes, they can help IT departments prepare the groundwork for an effective and efficient ISO 27001 implementation strategy during the initial planning phase. This will help companies ensure their IT processes are better aligned with the standard's requirements and ensure long-term compliance.
RECOMMENDATIONS FOR EFFECTIVE ISO 27001 COMPLIANCE
Implementing ISO 27001 can take time and consume unforeseen resources, especially if companies don't have an implementation plan early in the compliance process. To enhance compliance efforts, internal auditors can help companies identify their primary business objectives and implementation scope. Auditors should work with IT departments to determine current compliance maturity levels and analyze the compliance process' return on investment. These steps can be conducted by a team of staff members or external consultants who have prior experience implementing the standard. External consultants should work in collaboration with an internal team of representatives from the company's major business units. Below is a description of each recommendation.
Identify Business Objectives
Plans to adopt ISO 27001 must be supported by a concrete business analysis that involves listing the primary business objectives and ensuring a consensus is reached with key stakeholders. Business objectives can be derived from the company's mission, strategic plan, and existing IT goals and may include:
The standard also emphasizes compliance with contractual obligations, which might be considered another key business objective. For instance, for an online banking division, implementing the standard would provide customers and partners greater assurance that risks stemming from the use of information systems are managed properly.
ISO 27001's Scope of Implementation ISO 27001 states that any scope of implementation may cover all or part of an organization. Companies, however, are not required to determine a particular implementation scope. According to the standard's section "B.2.3: Scope of the ISMS," only the processes, business units, and external vendors or contractors falling within the scope of implementation must be specified for certification to occur. The standard also requires companies to list any scope exclusions and the reasons why they were excluded.
Identifying the scope of implementation can save the organization thousands of dollars and time. In many instances, it is not necessary for an organization to adopt companywide implementation of a standard. The scope of compliance can be restricted to a specific division, business unit, type of service, or physical location. In addition, once successful compliance has been achieved for a limited, but relevant scope, it can be expanded to other divisions or locations.
ISO 27001's Scope of Implementation
ISO 27001 states that any scope of implementation may cover all or part of an organization. Companies, however, are not required to determine a particular implementation scope.
According to the standard's section "B.2.3: Scope of the ISMS," only the processes, business units, and external vendors or contractors falling within the scope of implementation must be specified for certification to occur.
The standard also requires companies to list any scope exclusions and the reasons why they were excluded.
Choosing the right scope is one of the most important factors throughout the compliance cycle, because it affects the feasibility and cost of the standard's implementation and the organization's return on investment. As a result, it is important for the selected scope to help achieve the identified business objectives. To do this, the organization may evaluate different scope options and rank them based on how well they fit with each objective.
Organizations also may want to sign memorandums of understanding (MOU) or service level agreements (SLAs) with vendors and partners to implement a form of indirect compliance to the standard. For example, a garment manufacturing company may have a contract with a software provider for application maintenance and upgrades. Therefore, the manufacturing company will not be responsible for the application’s system development life cycle compliance with the standard, as long as it has a relevant MOU or SLA signed with the software vendor.
Finally, the organization's overall scale of operations is an integral parameter needed to determine the compliance process' complexity level. To find out the appropriate scale of operations, organizations need to consider their number of employees, business processes, work locations, and products or services offered.
Determine ISO 27001 Maturity Levels
When assessing the organization’s compliance maturity level, auditors should determine whether or not the implementation team is able to answer the following questions:
Important Points When Using Statements of Applicability (SOAs)
Is there a management review of the risk assessment and risk treatment plans?
Risk assessments and risk treatment plans must be reviewed at planned intervals at least annually as part of the organization's ISMS management review.
Analyze Return on Investment
Based on the groundwork done so far, companies should be able to arrive at approximate time and cost estimates to implement the standard for each of the scope options. Organizations need to keep in mind that the longer it takes to get certified, the greater the consulting costs or internal staff effort. For example, implementation costs become even more critical when implementation is driven by market or customer requirements. Therefore, the longer compliance takes, the longer the organization will have to wait to reach the market with a successful certification.
Implementing ISO 27001 requires careful thought, planning, and coordination to ensure a smooth control adoption. The decision of when and how to implement the standard may be influenced by a number of factors, including different business objectives, existing levels of IT maturity and compliance efforts, user acceptability and awareness, customer requirements or contractual obligations, and the ability of the organization to adapt to change and adhere to internal processes.
To learn more about the standard, the Standards Direct Web site, www.standardsdirect.org/iso27001.htm, covers the latest version of the standard.
K. K. Mookhey is the founder and principal consultant of Network Intelligence India (NII) Pvt. Ltd., an IT security consulting firm located in Mumbai, India, that offers ethical hacking, security auditing, BS 7799, and business continuity management services. Mookhey has worked on research projects for ISACA and has published several articles and white papers. He also has led teams on numerous security audit and implementation assignments and has trained people from the Big Four accounting firms and Fortune 500 companies on IT security issues.
Khushbu Jithra has been part of all information security documentation projects for NII and helps to conduct security research for the organization. In addition, she drafts and reviews commercial proposals and security consulting reports, especially those dealing with penetration testing, vulnerability assessment, ISO 27001, and security audits.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.