In this blog, we’re going back to basics and looking at some of the fundamentals of information security and ISO 27001, starting with the core ingredient, the information security management system, or ISMS, as it is commonly referred to.
What is an Information Security Management System?
If we could trust people not to interfere with our information and systems, we could do without information security controls altogether: everything from a password to the strongest forms of encryption.
Unfortunately, we can’t, so controls are needed to ensure that only authorised people and systems can access specific sets of information, and that the information can be relied upon when it is needed for legitimate purposes.
That may sound simple enough, but there are literally thousands of different information security controls available in the world and no organisation, however large and complex, can use them all.
Many controls also impact productivity, and the natural objective is to select the appropriate controls, but how? On what basis?
We could adopt a fixed set of controls, such as the 133 listed in the Cloud Security Alliance’s Cloud Controls Matrix, but these are fairly broad control specifications rather than specific control solutions and, whichever framework is adopted, implementing every control, or control type, can amount to fixing problems that don’t exist.
In ISO 27001, Annex A provides a similar list of 114 information security controls (93 in ISO 27001:2022) and requires that some, not necessarily all, of them are selected and implemented on the basis of whether they are needed to reduce unacceptable risks to an acceptable level.
This is what is referred to as a ‘risk-based approach’. The risk assessment and risk treatment processes required by ISO 27001 are the most important of a broader group of processes and sub-processes designed to ensure that the organisation implements, monitors and maintains the most appropriate set of information security controls.
The other processes required by ISO 27001 are there to ensure that the risk assessment and risk treatment processes are continually effective.
What is ISO 27001?
ISO/IEC 27001:2013 (ISO 27001) is an internationally recognised management system standard, designed to help any organisation continually improve its demonstrable information security capabilities.
Because it adopts a risk-based approach, the Standard can be applied to any organisation, regardless of its size or market sector: information security risks, and the controls designed to stop those risks materialising, are generic. The same threats apply to organisations and systems of all sizes, as do the controls intended to stop those threats from reaching their target.
What is the relevance of confidentiality, integrity and availability (CIA)?
When protecting information assets, we are typically protecting at least one of the three security attributes of confidentiality, integrity and availability or CIA as they are more commonly referred to. Let’s look at each one…
- Confidentiality: That information is protected from unauthorised access by either a user or another system.
- Integrity: That the accuracy and completeness of information is preserved.
- Availability: That legitimate users and systems can access and use information when needed, including the means by which that information is used or processed.
ISO 27001’s full title is ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements, which is slightly misleading because information security isn’t just about IT.
Information assets include information itself, whether digital, printed or in any other form, such as voice, as well as everything that supports and enables the use of that information and its protection. In fact, fewer than 40% of the 93 controls in Annex A of ISO 27001:2022 are technological (34 of the 93); the remainder are organisational (37), people (8) and physical (14) controls, and many of them are not under the control of the IT function.
How can an ISMS be integrated into an organisation?
Like anything else an organisation has not previously had or used, an ISMS is new, and will therefore feel like a burden to many staff, who are asked to do new and additional things in order for the ISMS to succeed.
However, the selection, implementation and maintenance of information security controls are often ‘business as usual’ activities and may already be carried out by individuals across the organisation.
These existing activities can form the basis of the risk assessment and treatment processes that are central to the ISMS, with the addition of any missing elements such as documented procedures and monitoring of control performance.
In a similar way, most organisations without a systematic approach to information security do not review their policies. Once written, a policy is assumed to remain fit for purpose indefinitely, and review typically happens only after a policy failure. The planned maintenance concept exists in most fields of endeavour, and moving from reactive ‘only when broken’ policy review to proactive ‘planned maintenance’ policy review is very often a relatively small step.
An ISO 27001-conformant ISMS can also be integrated with other ISO-based management systems (such as ISO 22301, business continuity management and ISO 20000, service management) with relative ease, as the majority of the process requirements are either the same or very similar.
Implementing two management systems no longer requires twice the investment; processes such as management review, internal audit and improvement can be shared between them, capitalising on economies of effort in both design and operation.
What are the benefits of implementing an ISMS, if an organisation is already controlling and protecting its information?
The ‘continual improvement’ model that underpins ISO management system standards means that the assessment and treatment of risks, and the other processes that make sure those are conducted effectively, are carried out on an iterative basis, so that as threats and vulnerabilities change, the risk treatment plan is updated regularly and controls remain fit for purpose.
In addition, ‘top management’ has regular assurance that all reasonably identifiable information security risks are being appropriately managed. Although many directors may not be aware that they need to know this, they do!
The additional third-party attestation that comes in the form of accredited certification provides further assurance, both internally to top management, and externally to any legitimate interested party.
Increasingly, certification to a recognised framework is becoming the preferred way for organisations to select their suppliers. In the modern digital world, where information underpins virtually everything, buyers need to trust their suppliers and relying on an accredited third-party’s assessment is probably the most reliable way of instilling that trust.
ISO 27001 provides a framework for organisations to control and influence the way information security risks are managed, and how controls are implemented, managed and improved. There are also many reputational, financial, strategic and internal benefits from implementing an ISMS, such as increased customer confidence and perception, greater business opportunities, tender advantages, and improved security awareness and ‘buy-in’ across all levels of the organisation.
With a recognised structure behind the otherwise dull subject of information security, senior managers with other primary interests are more likely to support important contributory activities, such as awareness-raising, competence assessment and policy compliance.
In this blog, we want to dig a bit deeper into the benefits that are gained from implementing the Standard and from achieving certification...
There is some confusion about the difference between having an information security management system (ISMS) which is certified to ISO 27001 and one which is compliant or aligned to the Standard.