Computer Weekly - March 2007

ISO 27001: GET YOUR SECURITY UP TO STANDARD

What do Camelot, Misys, Nokia and HBOS have in common?  They are some of the firms leading the charge to get their infosecurity externally certified, says Alan Calder of IT Governance.

Over the past few years we have seen infosecurity finally break down the boardroom door and get the senior attention it demands.  Corporate governance has been the key factor in changing attitudes, as directors have found themselves held to account under the Combined Code, Turnbull Report, SOX and various other regulations.  However, while infosec compliance has now seeped into the executive consciousness, few firms have yet had their security independently certified.  However, this is set to change, as according to Ernst & Young’s latest Global Information Security Survey certification is fast moving up the management agenda.  So what should be the focus of attention at this point and what does it take to get the ‘badge on the wall’?

Two relatively arcane terms are about to enter the general management lexicon, just as ISO 9001 did a decade ago.  An ‘ISMS’ is an Information Security Management System, the policies and procedures that enable management to put its arms around the entire infosecurity challenge, from technological defences through to staff training and internal communication.  Meanwhile, ‘ISO 27001’ provides the blueprints for an ISMS that follows global best practice and is the standard to which over 3,000 firms around the world have already been independently certified. Those already certified in the UK include Camelot, Misys, Nokia, The Co-operative Bank, COLT, Serious Fraud Office and Halifax Bank of Scotland, and many more are sure to follow. 

The attractions of a best practice ISMS are manifold, but three stand out in particular.  It provides a comprehensive tool to enable an organisation to manage its vulnerabilities, and is effectively a director’s ticket to a good night’s rest.  It also provides a simple means for businesses to satisfy the ever-growing, and frequently overlapping, web of regulatory compliance demands that they now face.  Lastly, when ISO certified, an organisation proves to its customers, investors, regulators and other audiences that its infosecurity is coherently managed in line with best practice; with more and more business conducted electronically, and suppliers already being prioritised according to their security measures, ISO 27001 certification will increasingly become a passport to winning extra business.

Like anything worth having, building an ISMS and becoming ISO certified entail some work, although rather less than some organisations may fear.  It is a business change project, so the first golden rule is to ensure that it has the clear backing of senior management.  Another key requirement is for a project manager with the right aptitudes – generally, sound project management skills and a feel for the corporate strategy are of greater importance than a detailed grounding in IT.  Throw in a project team that has been specifically trained for its task, a sound project methodology and an effective risk assessment tool, such as the new vsRisk, which is specifically designed for ISO27001, and you have all the vital ingredients for an ISMS that can withstand the scrutiny of auditors.  With appropriate preparation, this can all be developed in-house in as little as 18 months. 

A common misconception is that this must entail significant cost.  In fact, a well-managed ISO 27001 project should find economies within the organisation, freeing up money currently spent on unnecessary controls for more useful investment elsewhere.  Furthermore, by taking advantage of available management guides and a ‘do it yourself’ ISO 27001 toolkit, the project costs can be easily contained, making certification one of the best investments a business can make.

However, to tap its true potential, an ISMS must become part of the organisation’s central nervous system; there is no point in getting certified and then going back to your old ways again afterwards.  To help management in this task we are shortly to see the development of a new generation of compliance tools that will automate much of the ISMS process.  At the Infosecurity Europe show, IT Governance and Gael software will launch the world’s first ISO 27001 compliance management system, and doubtless more will follow, enabling organisations to simplify the maintenance of best practice and thereby ensure the long term security of their information assets.

Alan Calder is author of a range of ISO 27001 compliance guides and is CEO of IT Governance Limited (www.itgovernance.co.uk), the world’s most comprehensive publisher and distributor of books, tools, information and advice on governance, risk and compliance.