You are currently browsing the ISO 27001 & BS 25999 weblog archives for February, 2010.

 

Archive for February, 2010

Risk assessment tips for smaller companies

By Dejan Kosutic on February 22, 2010

I have seen quite a lot of smaller companies (up to 50 employees) trying to apply risk assessment tools as part of their ISO 27001 implementation project. The result is that it usually takes too much time and money with too little effect.

First of all, what actually is risk assessment, and what is its purpose? Risk assessment is a process during which an organization should identify information security risks and determine their likelihood and impact. Plainly speaking, the organization should recognize all the potential problems with their information, how likely they are to occur and what the consequences might be. The purpose of risk assessment is to find out which controls are needed in order to decrease the risk – selection of controls is called the risk treatment process, and in ISO 27001 they are chosen from Annex A which specifies 133 controls.

Risk assessment is carried out by identifying and evaluating assets, vulnerabilities and threats. An asset is anything that has value to the organization – hardware, software, people, infrastructure, data (in various forms and media), suppliers and partners, etc. A vulnerability is a weakness in an asset, process, control, etc., which could be exploited by a threat; a threat is any cause that can inflict damage on a system or organisation. An example of a vulnerability is the lack of anti-virus software; a related threat is the computer virus.

Knowing all this, if your organization is small, you don’t really need a sophisticated tool to perform the risk assessment. All you need are an Excel spreadsheet, good catalogues of vulnerabilities and threats, and a good risk assessment methodology. The main job is really to evaluate likelihood and impact, and that cannot be done by any tool – it is something your asset owners, with their knowledge of their assets, have to think about.

So, where do you get the catalogues and methodology? If you are using the services of a consultant, he/she should provide those; if not, there are a few free catalogues available on the Internet; you just have to do a search on Google. The methodology is not available for free, but you could use the ISO 27005 standard (it describes risk assessment & treatment in detail), or you could use some other websites selling the methodology. All this should take considerably less time and money than buying a risk assessment tool and learning how to use it.

A good methodology should contain a method for identifying assets, threats and vulnerabilities, tables for marking the likelihood and impacts, a method for calculating the risk, and a definition of the acceptable level of risk. Catalogues should contain at least 30 vulnerabilities and 30 threats; some contain even a few hundred of each, but that is probably too much for a small company.

The process is really not complicated – here are the basic steps for assessment & treatment:

  1. define and document the methodology (including the catalogues), distribute it to all asset owners in the organization
  2. organize interviews with all the asset owners during which they should identify their assets, and related vulnerabilities and threats; in the second step ask them to evaluate the likelihood and impact if particular risks should occur
  3. consolidate the data in a single spreadsheet, calculate the risks and indicate which risks are not acceptable
  4. for each risk that is not acceptable, choose one or more controls from Annex A of ISO 27001 – calculate what the new level of risk would be after those controls are implemented
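
The four steps above, worked through as a small script in place of the spreadsheet. This is an added illustration, not part of the original post: the 1-5 scales, the multiplication formula, the acceptable level of 9 and every register row are assumptions or constructed sample data, and your own methodology defines the real ones.

```python
import csv
import io

SCALE = range(1, 6)   # assumption: likelihood and impact are scored 1-5
ACCEPTABLE = 9        # assumption: risk above 9 is not acceptable

# Constructed interview results from asset owners (step 2).
OWNER_INPUT = """asset,owner,vulnerability,threat,likelihood,impact
File server,IT,Lack of anti-virus software,Computer virus,4,4
File server,IT,No access control policy,Unauthorized access,3,5
Personnel files,HR,Unclear staff responsibilities,Accidental disclosure,2,3
"""

# Constructed treatment decisions (step 4): Annex A controls (ISO 27001:2005
# numbering) and the owner's re-estimated (likelihood, impact) afterwards.
TREATMENT = {
    ("File server", "Computer virus"): (["A.10.4.1"], 1, 4),
    ("File server", "Unauthorized access"): (["A.11.1.1"], 2, 5),
}

def risk(likelihood, impact):
    """Assumed calculation method: risk = likelihood x impact."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"score outside the 1-5 scale: {likelihood}, {impact}")
    return likelihood * impact

def assess(owner_csv, treatment):
    """Steps 3 and 4: consolidate, calculate, flag, then compute residual risk."""
    register = []
    for row in csv.DictReader(io.StringIO(owner_csv)):
        level = risk(int(row["likelihood"]), int(row["impact"]))
        entry = {"asset": row["asset"], "threat": row["threat"], "risk": level,
                 "controls": [], "residual": level, "status": "acceptable"}
        if level > ACCEPTABLE:
            plan = treatment.get((row["asset"], row["threat"]))
            if plan is None:
                entry["status"] = "needs treatment"
            else:
                entry["controls"], new_l, new_i = plan
                entry["residual"] = risk(new_l, new_i)
                entry["status"] = ("treated" if entry["residual"] <= ACCEPTABLE
                                   else "still not acceptable")
        register.append(entry)
    return sorted(register, key=lambda e: e["risk"], reverse=True)

if __name__ == "__main__":
    for e in assess(OWNER_INPUT, TREATMENT):
        print(e["asset"], e["threat"], e["risk"], e["residual"], e["status"], e["controls"])
```

The second row shows the case the spreadsheet should make visible: a control has been chosen, but the re-estimated risk is still above the acceptable level, so more treatment is needed.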

To conclude: risk assessment and treatment really are the foundation of information security / ISO 27001, but it does not mean they have to be complicated. You can do it in a simple way, and your common sense is what really counts.


How to get certified against ISO 27001?

By Dejan Kosutic on February 15, 2010

You have been implementing ISO 27001 for quite a long time, invested quite a lot in education, consultancy and implementation of various controls. Now comes the auditor from a certification body – will you pass the certification?

This kind of anxiety is normal – you can never know whether your ISMS (information security management system) has everything the certification body is asking for. But what is it exactly the auditor will be looking for?

First, the auditor will perform the Stage 1 audit, also called the “Document review” – in this audit, the auditor will look for the documented scope, ISMS policy and objectives, description of the risk assessment methodology, Risk Assessment Report, Statement of Applicability, Risk Treatment Plan, procedures for document control, corrective and preventive actions, and for internal audit. You will also have to document some of the controls from Annex A (only if you found them applicable in the Statement of Applicability) – inventory of assets (A.7.1.1), acceptable use of assets (A.7.1.3), roles and responsibilities of employees, contractors and third party users (A.8.1.1), terms and conditions of employment (A.8.1.3), procedures for the operation of information processing facilities (A.10.1.1), access control policy (A.11.1.1), and identification of applicable legislation (A.15.1.1). Also, you will need records of at least one internal audit and management review.

If any of these elements are missing, this means that you are not ready for Stage 2 audit. Of course, you could have many more documents if you find it necessary – the above list is the minimum requirement.

The Stage 2 audit is also called the “Main audit”, and it usually follows a few weeks after the Stage 1 audit. In this audit the focus will not be on the documentation, but on whether your organization is really doing what your documentation and ISO 27001 say you have to do. In other words, the auditor will check whether your ISMS has really materialized in your organization, or whether it is only a dead letter. The auditor will check this through observation, interviewing your employees, but mainly by checking your records. The mandatory records include education, training, skills, experience and qualifications (5.2.2), internal audit (6), management review (7.1), corrective (8.2) and preventive (8.3) actions; however, the auditor will be expecting to see many more records as a result of carrying out your procedures.

Please, be careful here – any experienced auditor will notice right away if any part of your ISMS is artificial, and is being made for the purpose of audit only.

OK, you knew all this, but it still happened – the auditor found a major non-conformity and told you that the ISO 27001 certificate will not be issued. Is this the end of the world?

Certainly not. The process goes like this – the auditor will state the findings (including the major non-conformity) in the audit report, and give you the deadline until which the non-conformity must be resolved (usually 90 days). Your job is to take appropriate corrective action; but you have to be careful – this action must resolve the cause of the non-conformity, otherwise the auditor might not accept what you have done. Once you are sure the right action is taken, you have to notify the auditor and send him/her the evidence of what you have done. In the majority of cases, if you have done your job thoroughly, the auditor will accept your corrective action and activate the process of issuing the certificate.

There you go – it took some time, but now you are a proud owner of the ISO/IEC 27001 certificate. (Be careful though – the certificate is valid for three years only, and can be suspended during that period if the certification body identifies another major non-conformity on the surveillance visits.)


Similarities and differences between ISO 27001 and BS 25999-2

By Dejan Kosutic on February 05, 2010

At first glance, information security and business continuity don’t have much in common – some would add that the only similarity is that they are both about IT.

Information security management is best defined in the International standard ISO/IEC 27001, while business continuity management is defined in the British standard BS 25999-2 – therefore, if we want to compare these two topics, the wisest thing to do is to take a look at what these two standards have to say.

First of all, IT is an important part of both ISO 27001 and BS 25999-2, but by no means are those two standards about IT only – the emphasis is on business processes & assets, and associated risks. It is true that IT is the main tool to process the data, but the fact remains that the biggest risks are connected to both malicious and unintentional activities of people. Therefore, the risks associated with information security or business continuity cannot be resolved by information technology only – it is much more important to define the organization, processes and responsibilities within the organization.

But what is essentially information security? ISO 27001 defines it as “preservation of confidentiality, integrity and availability of information”. On the other hand, BS 25999-2 defines business continuity as “strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level”.

The two don’t seem very much alike. However, there is one thing which makes them very similar – availability. The focus of both information security and business continuity is to keep information available to those who need it – in that respect, Annex A of ISO 27001 offers some controls dedicated solely to business continuity.

Further, both standards require carrying out the risk assessment, in order to identify potential problems related to information; both standards require document management, conducting internal audits, management reviews, and corrective and preventive actions. It means that if you already have documentation for ISO 27001, you can use those same procedures for BS 25999-2 (with only minor adjustments).

What are the differences? The main difference is in the level of detail. ISO 27001 covers a much wider area, and is therefore not very precise when it comes to business continuity; on the other hand, BS 25999-2 describes in detail how to perform business impact analysis, how to define business continuity strategy, or what the contents of business continuity plans shall be, etc.

To conclude – the point here is that you can think of business continuity as part of information security. The practical use of it is that when it comes to implementation of business continuity in the context of ISO 27001, it is best to use BS 25999-2 as a guideline.