ISO 27001 & BS 25999

Why is it that ISO 27001 and BS 25999-2 put such an emphasis on the control of documents? Both standards define very strictly how the documents must be managed, and require that the organization must have a documented procedure for managing documents – even worse, you won’t get certified unless you have such a procedure.

Documents can be in various forms – paper documents, text or spreadsheet files, video or audio files etc. Not only must an organization manage internal documents (for example, various policies, procedures, project documentation etc.), but also external documents (for example, different types of correspondence, documentation received with equipment etc.). In other words, managing the documents is quite a complex and comprehensive task.

So why is it important to manage those? Well, did you ever find yourself in a situation when you didn’t know where to find some important document? Or you found out that your employees were using a wrong (older) version of a procedure? Or some employees didn’t receive an important procedure at all? Or perhaps it wasn’t clear what was the version of this procedure? Or some confidential document was distributed to wrong people? If you never found yourself in those problematic situations, you probably did experience this one – your procedures are simply not up-to-date.

If you don’t have a systematic approach for managing your documents, you will probably recognize yourself in some of these situations – therefore, ISO 27001 and BS 25999-2 require organizations to introduce such a systematic approach by writing down a procedure for document management.

This procedure must clearly define responsibilities for the documents – who can approve them, how they are distributed and archived, how they are kept up-to-date, which versioning system is in use, how you track changes to documents, what you do with external documents, etc.

Since document management is such an essential thing, be sure that the certification auditor will not only look for such a procedure, but also examine whether your documentation is really managed as you have defined in your document management procedure. Introducing this procedure will probably mean that you will have to change your system for handling documents, that you will have to store documentation on your intranet or implement a more complex document management system, and that you will have to organize the archive for paper documents.

When you start implementing ISO 27001 / BS 25999-2, you start seeing the importance of writing things down, but you also see that those written things must be organized unless you want to lose control over them. The documents are in fact the bloodstream of your management system – take good care of it if you want your system to remain healthy.

If this is the first time you have come across the notion of internal auditor, you are probably puzzled – Why would I need another control? Who is going to pay for it? Who should I employ to do it? It is such a waste of time…

Well, it doesn’t have to be so bad – besides complying with ISO 27001 & BS 25999-2 standards, internal audits could be quite useful for your other business affairs (whether related to information security & business continuity or not).

The point with internal audits is that they should discover problems that would otherwise stay hidden and would therefore harm the business. Let’s be realistic – it is human to make mistakes, so it‘s impossible to have a system with no mistakes; it is however possible to have a system which improves itself and learns from its mistakes. Internal audits are a crucial part of such a system.

There are a few ways to perform internal audit:

a) Employ a full time internal auditor – this is suitable only for larger organizations who would have enough work for such a person (some types of organizations – e.g. banks – are obliged by law to employ such functions)

b) Employ part time internal auditors – this is the most common situation – the organizations use their own employees to perform internal audits alongside their regular job functions. One important thing to pay attention to: in order to avoid conflict of interest (the auditors cannot audit their own work), there should be at least two internal auditors so that one could audit the regular job of the other.

c) Employ internal auditor from outside of the organization – although this is not a person employed in the organization, it is still considered internal audit because the audit is performed by the organization itself, according to its own rules. Usually this is done by a person who is knowledgeable in this field (independent consultant etc.).

However, from my experience as an auditor, the sad truth is that most of the organizations perform internal audits just to satisfy the certification body. The result of such internal audits are a few non-conformities which do not get deep into the real problems of information security management system (ISMS) or business continuity management system (BCMS). This is a waste of time – if the companies have invested time of their internal auditors to perform such jobs, they should gain some benefits out of it.

But how then to approach internal audits in the right way – here are some thoughts:

1. The management should view the internal audit as one of the best tools to improve the system, not only as a means to get certified.
2. The internal auditor should be qualified – this means he/she must have experience in information security, information technology and auditing techniques. It does not mean that the auditor must be an expert in those fields.
3. The internal audit should be performed in a positive way – the aim should be to improve your system, not to blame the employees for their mistakes.

On the positive side, as a certification auditor I did see some organizations performing internal audits in a right way. Although their employees did feel a little uncomfortable about someone checking their activities, very soon they saw the benefits of such approach – problems became transparent, and were resolved rather soon.

You are thinking about implementing the business continuity management/BS 25999-2 standard? But then you hear it will cost you a lot? It probably will cost you, but not necessarily as much as you thought – this you can solve with good business continuity strategy.

Business continuity strategy, as defined in BS 25999-2 standard, is an “approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major incident or business disruption”. Therefore, the point is to prepare yourself in the best possible manner to counteract a disaster if such would occur. This preparation can include organizational measures (drawing up plans, making contracts with suppliers/partners, exercising, reviewing, awareness raising, etc.), and measures including investment in equipment, infrastructure etc.

Time is a very important factor in recovery – if you do not recover your business in time, you will probably lose your customers and consequently lose your business as well. So the business continuity strategy must set the recovery time objective (RTO) for each of your critical activities, whereas RTO can be different for each of those.

One important consideration: the shorter the RTO, the bigger the investment you will need – for instance, if you want to recover your data centre in less than one hour, you will have to invest in an alternative location almost the same equipment as in the primary location; on the other hand, if you want to recover your data centre in two weeks, the investment will be much lower because it would be enough to store the backup tapes at the alternative location, allowing you two weeks to obtain the necessary equipment. All this means that your RTO must not be too long, but not too short either.

Once the RTO is set, you will still need to make some investment; however, with a good business continuity strategy you will be able to decrease that investment, while still being able to recover your critical activities within the recovery time objective. Here are some examples:

• you might not need your own data centre at an alternative location – in most countries you can rent such a location from a specialized company, which means you don’t need to invest in infrastructure, maybe not even in equipment or software,
• you might not need offices at an alternative location – employees who do not have to meet customers face-to-face can work from their homes,
• you might not need an alternative location at all if you have other business units at different locations which could take over the critical activities affected by the disaster,
• you might not need to purchase equipment in advance if you can find the supplier that could guarantee the delivery of equipment within your RTO,
• etc.

In all these examples you will need to increase your organizational capabilities, but if you want to save some money, it sure is something worth thinking about.

You have already implemented ISO 9001? You have heard that ISO 27001 might be a good idea? But how can something that has to do with quality help you implement information security?

It can, more than you may think. ISO 9001 specifies how the quality management systems (QMS) must look like, while ISO/IEC 27001 specifies the information security management systems (ISMS). Therefore, the “management systems” part is the same – so what is it actually?

The philosophy of management systems has grown from the theory developed by W. Edwards Deming during the second half of 20th century, and is based on the Plan-Do-Check-Act cycle. Basically, this cycle consists of the following: in the Plan phase you have to plan what you want to achieve with the management system, in the Do phase you implement it, in the Check phase you constantly monitor whether you have achieved what you planned, and in the Act phase you make improvements, i.e. fill the gap between what you have planned and what you have achieved.

Although this cycle was invented with quality management in mind, it was established as a foundation for all other management systems – information security (ISO/IEC 27001), environment (ISO 14001), business continuity (BS 25999-2), etc. It means that some of the elements you have implemented for the quality management system according to ISO 9001 you can use for the information security management system as well – here is the list:

• Document management – the procedure used for document management in QMS can be used for the same purpose in ISMS, with only minor adjustments
• Internal audit – the same procedure can be used for both QMS and ISMS, although the internal audit itself would usually be done by different people since it is not very likely that one person would have deep enough knowledge of both information security and quality
• Corrective and preventive actions – the procedure used for QMS can be used for the same purpose in ISMS, although it is likely that different persons will be solving issues related to QMS or ISMS
• Human resources management – the same cycle of HR planning, training and evaluation is used for both management systems; naturally, the difference is in the profile of needed skills and knowledge
• Management review – the principles for management review are the same for both management systems; although it would not be recommendable to perform both reviews in parallel, management will already be accustomed to making decisions in QMS, so they will have better understanding of how to make decisions in the context of ISMS
• Setting the business goals and tracking whether they have been achieved – the same mechanism is laid down in both standards, so management will be used to such systematic planning

Therefore, if you have already implemented ISO 9001, you will have an easier job implementing ISO 27001 (and vice versa) – you could save up to 30% of time. Further, you will have cheaper certification audits since certification bodies are offering the so called “integrated audits”, which means they will do both ISO 9001 and ISO 27001 in the same audit, charging you a smaller fee compared to separated audits.

If your QMS is functioning well, you will find your ISMS project developing rather smoothly – management will have better understanding of potential business benefits, while all organizational units will be accustomed to the necessity of defining precise procedures, responsibilities and documentation.

Having a QMS indeed provides very good foundation for information security – if you already have ISO 9001, do give a serious thought to ISO 27001.

One would think that these two terms are synonyms – after all, isn’t information security all about computers?

Not really. The basic point is this – you might have perfect IT security measures, but only one malicious act done by, for instance, administrator can bring the whole IT system down. This risk has nothing to do with computers, it has to do with people, processes, supervision, etc.

Further, important information might not even be in digital form, it can also be in paper form – for instance, an important contract signed with the largest client, personal notes made by the managing director, or printed administrator passwords stored in a safe.

Therefore, I always like to say to my clients – IT security is 50% of information security, because information security also comprises physical security, human resources management, legal protection, organization, processes etc. The purpose of information security is to build a system which takes into account all possible risks to the security of information (IT or non-IT related), and implement comprehensive controls which reduce all kinds of unacceptable risks.

This integrated approach to the security of information is best defined in ISO 27001, the leading international standard for information security management. In short, it requires risk assessment to be done on all organization’s assets – including hardware, software, documentation, people, suppliers, partners etc., and to choose applicable controls for decreasing those risks.

ISO 27001 offers 133 controls in its Annex A – I have performed a brief analysis of the controls, and the results are the following:

• IT related controls : 46%
• controls related to organization / documentation: 30%
• physical security controls: 9%
• legal protection: 6%
• controls related to relationship with suppliers and buyers: 5%
• human resources management controls: 4%

What does all this mean in terms of information security / ISO 27001 implementation? This kind of project should not be viewed as an IT project, because as such it is likely that not all parts of the organization would be willing to participate in it. It should be viewed as an enterprise-wide project, where relevant people from all business units should take part – top management, IT personnel, legal experts, human resource managers, physical security staff, the business side of the organization etc. Without such an approach you will end up working on IT security, and that will not protect you from the biggest risks.