Archive for the 'Main' Category

ISO 22301 vs. ISO 22313

By Dejan Kosutic on May 21, 2013

I was quite skeptical when I started to read ISO 22313, the guidance standard on business continuity management, but I was proved to be wrong. It can be quite useful as a supplement to ISO 22301 – here’s what I found:

Similarities and differences

If you are familiar with ISO 27001 and ISO 27002 (see ISO 27001 vs. ISO 27002), a very similar relationship exists between ISO 22301 (published in May 2012) and ISO 22313 (published in December 2012): ISO 22301 is the main standard, which defines the framework for business continuity management, whereas ISO 22313 is an auxiliary standard that helps with the ISO 22301 implementation.

The main difference is that ISO 22301 specifies requirements – in other words, you need to comply fully with everything written in this standard if you want to get your company certified. This is why the standard is worded with "shall." Learn more here: 17 steps for implementing ISO 22301.

As opposed to that, ISO 22313 gives only guidance, or best practices, on how the requirements from ISO 22301 could be implemented; the implementation doesn't have to be done exactly that way. You'll notice that the terminology is different: "should" and "may" are used. Consequently, a company can be certified only against ISO 22301, not against ISO 22313.

Where is ISO 22313 particularly useful?

My impression is that ISO 22313 is most helpful in these sections, because this is where ISO 22301 is not very detailed:

  • Description of strategy options for resources (clauses 8.3.1 and 8.3.2): suggested strategic options for protecting prioritized activities, suggested strategies for resources/activities, suggestions on what can be excluded from the BCMS scope based on the cost of mitigation, options to mitigate the impact and duration of an incident, techniques for evaluating the business continuity capabilities of suppliers, types of resources an organization should establish, resource strategies for people, what to take into account in procedures for relocating staff, an explanation of when RPO is used, suggested backup types, strategies for worksites, facilities and supplies, strategies for ICT systems, strategies for transportation, an estimate of the finances needed during an incident, etc.
  • Content of business continuity procedures/plans (clause 8.4): what to include in incident communication procedures, what to include in business continuity procedures, content of business continuity plans, location for incident management team, content of the communication procedure, elements of safety and welfare procedures, list of resources that may be required for the welfare of employees, content of salvage and security procedures, content of procedures for resuming activities, content of ICT continuity procedures, etc.

Here are also a few clauses where ISO 22313 gives useful guidance for implementation:

  • 4.2.1 – Figure 4 – examples of interested parties
  • 4.2.2 – list of legislation that should be taken into account
  • 5.3 – list of items to write in Business continuity policy
  • 5.4 – explanation of BCMS roles and responsibilities
  • 6.2 – examples of goals for the BCMS
  • 7.1 – BCMS resources that are required
  • 7.2 and 7.3 – competence development program, types of training, types of teams, what to include in awareness programs, etc.
  • 7.5.1 – list of all documentation required by the standard
  • 8.1.4 – examples of metrics that may be used for measuring the effectiveness of BCMS
  • 8.2.2 – elements of assessing the impact in BIA
  • 8.2.2 – explanation of RTO and what it is used for
  • 8.2.3 – typical elements to be included in risk assessment
  • 8.4.5 – content of assessment procedure for determining the impact and tasks needed
  • 8.5.2 – content of exercise program
  • 8.5.3 – suggested objectives for the business continuity exercises
  • 9.1.2 – checklist of what evaluation of business continuity procedures should verify
  • 9.1.2 – content of post-incident review

In any case, unless you are an experienced BCM consultant and/or implementer, I would recommend getting both of these standards. They may be expensive, but return on investment will be quite quick.

Click here to download a free preview of Business Continuity Plan template.


Backup policy – How to determine backup frequency

By Dejan Kosutic on May 07, 2013

Did you think that the frequency of backup is based on the IT manager’s whims? Or, perhaps, based on the least expensive solution? Well, you are wrong.

The backup policy, or to be precise its most important part – how often the backup is to be performed – must be based on analysis. And that analysis must be based on the business value of the data in question.

Recovery Point Objective (RPO) / Maximum Data Loss

This analysis is emphasized in ISO 22301, the leading business continuity standard. It specifies that Recovery Point Objective and Maximum Data Loss have the same meaning: “Point to which information used by an activity must be restored to enable the activity to operate on resumption.” This is basically the answer to the question How much data can you afford to lose?

The easiest way to perform this kind of analysis is during the business impact analysis (BIA), because that is when you have to complete all these interviews/questionnaires, so a couple more questions won’t disturb anyone. (Read also: Five Tips for Successful Business Impact Analysis.)

Best practice for BIA

When performing the BIA, you have to ask your respondents to list all their databases, applications and files, and also all services (e.g. email), and for each of them separately to state the maximum amount of data they could afford to lose. Usually this limit is expressed as a number of hours, but sometimes it can also be a number of transactions or records.

The main criterion in the analysis must be the damage any potential data loss would cause to the company – in terms of money or of other impacts like legal or reputational ones. Also, while doing such analysis it is important not to be distracted by the fact that you already have a backup. The question is: if your existing backup fails, how much data can you really afford to lose?

The result is RPO/Maximum Data Loss – in some cases it will be 24 hours (the data you created in the last 24 hours), in others, perhaps 2 hours, but sometimes you won’t be able to afford the loss of a single bit of information – this is where RPO is zero.

Implications for backup frequency

Let’s take two examples from a bank – in the first example, in the loan application process, the bank can probably afford to lose 24 hours of data, because it won’t be very difficult to recreate the data by asking potential clients to send that information again. However, in the case of payment processing, the banks typically cannot afford to lose a single transaction – this is because of the huge volume of transactions and the inability to track back who has given which payment order if all the data is lost.

The conclusions here are actually very simple – if the analysis shows that the RPO/Maximum Data Loss is 24 hours, then you have to perform a backup at least once a day; if the RPO is 2 hours, then a backup has to be done at least every two hours; if the RPO is zero, then you need a mirrored site with synchronous replication of data – asynchronous replication, however close to real time, still loses the transactions that were in flight when the primary site failed. Note also that the backup interval only delivers the RPO while every run succeeds: one failed nightly backup turns a 24-hour exposure into a 48-hour one, which is why backup jobs have to be monitored, not just scheduled.

But, as always, there is also the question of price – someone may say that doing the backup every 2 hours is too expensive. While this may really be so, the real question is what would be the damage to the whole business if you really lose all this data.
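As an added illustration (not part of the original post), here is a check a practitioner could run against a backup job log to see whether the protection actually achieved matches the RPO that came out of the BIA. The RPO values, the log format and the log lines are constructed for the example and are not from the article. It makes the point the text only hints at: a 2-hour schedule delivers a 2-hour RPO only while every run succeeds, one failed run doubles the exposure, and a zero RPO cannot be met by any backup schedule at all.

```python
from datetime import datetime

# Constructed RPO values per dataset, in hours, as they would come out of the BIA.
# The zero-RPO entry stands for something like payment processing.
RPO_HOURS = {
    "loan_applications": 24,
    "crm": 2,
    "hr_files": 24,
    "payments_ledger": 0,
}

# Constructed backup job log. Assumed format: "<ISO 8601 timestamp> <dataset> <status>".
BACKUP_LOG = """\
2013-05-06T00:05:00 loan_applications ok
2013-05-06T23:00:00 hr_files ok
2013-05-07T00:05:00 loan_applications failed
2013-05-07T23:00:00 hr_files ok
2013-05-08T00:00:00 crm ok
2013-05-08T00:05:00 loan_applications ok
2013-05-08T02:00:00 crm ok
2013-05-08T04:00:00 crm failed
2013-05-08T06:00:00 crm ok
2013-05-08T08:00:00 crm ok
2013-05-08T08:00:00 payments_ledger ok
"""

# Constructed point in time at which the check is run.
NOW = datetime(2013, 5, 8, 9, 0, 0)


def successful_backups(log_text):
    """Map each dataset to the timestamps of its successful runs.

    Failed runs are dropped on purpose: a backup that did not complete
    protects nothing, so the exposure window simply grows until the next
    run that does complete.
    """
    ok = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, dataset, status = line.split()
        if status == "ok":
            ok.setdefault(dataset, []).append(datetime.fromisoformat(stamp))
    return ok


def worst_case_loss_hours(successes, now):
    """Largest window of unprotected data, in hours.

    That is the biggest gap between two consecutive successful backups,
    or the time since the last one if that is larger. With no successful
    backup at all, everything is exposed.
    """
    if not successes:
        return float("inf")
    times = sorted(successes)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    gaps.append(now - times[-1])
    return max(gaps).total_seconds() / 3600


def check_rpo(rpo_hours, log_text, now):
    """Return {dataset: (worst_case_hours, compliant)} for every dataset in the BIA."""
    successes = successful_backups(log_text)
    report = {}
    for dataset, rpo in rpo_hours.items():
        worst = worst_case_loss_hours(successes.get(dataset, []), now)
        # An RPO of zero cannot be met by any periodic backup, however frequent;
        # only synchronous replication satisfies it, so it is always flagged here.
        report[dataset] = (worst, rpo > 0 and worst <= rpo)
    return report


if __name__ == "__main__":
    for dataset, (worst, compliant) in check_rpo(RPO_HOURS, BACKUP_LOG, NOW).items():
        status = "OK" if compliant else "VIOLATION"
        print(f"{dataset:20s} RPO {RPO_HOURS[dataset]:>3}h  worst case {worst:>6.1f}h  {status}")
```

In the constructed log, the nightly loan_applications job that failed on May 7 pushes the worst case to 48 hours against a 24-hour RPO, and the one failed 2-hourly crm run pushes it to 4 hours against a 2-hour RPO; hr_files sits exactly on its 24-hour limit and passes, and payments_ledger is flagged regardless of the log because nothing periodic can satisfy an RPO of zero.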

Click here to download a free preview of Business Impact Analysis Questionnaire template.


ISO 27001 project – How to make it work

By Dejan Kosutic on April 22, 2013

Many companies don't realize this, but setting up the ISO 27001 project properly at the beginning of the implementation is one of the most important elements if you want to implement the ISMS within an acceptable time and budget.

Don’t try this without management support

Management commitment must come before anything else – if your top executives don't see real benefit in increasing the level of security by setting clear rules, you had better invest your energy in something else.

But this cannot happen in a short time, let alone in one meeting with a PowerPoint presentation. This is a process where you need to play an active role – first you need to recognize the applicable benefits for your business, and then consistently push this message toward the decision makers. See also: Four key benefits of ISO 27001 implementation.

Get the knowledge

Unless you’ve already implemented ISO 27001 a couple of times, you’ll need to learn how it is done. ISO 27001 implementation is way too complex to understand only by reading the standard.

In essence, you have three options:

a) With your own employees only – in this case, you have to train yourself and your colleagues so that you acquire all the knowledge required for the implementation. This is the best option if you don't want outsiders in your company, and if you want your employees to learn the most. Sending your employees to training, and getting some other tools (e.g. templates, tutorials), will drastically decrease the implementation time.

b) Combination of your employees & outside help – this is where you choose to implement the standard yourself (by performing all the analysis, interviews, writing the documentation, etc.), but an outside expert (e.g. a consultant) leads you step by step through the whole process. This is a good option if you want to learn a lot about the implementation and have someone make sure you don't do anything wrong in the process.

c) Consultant is doing most of the job – this is the option where you hire a consultant to do the whole job. This should be the quickest option for implementing the standard, and requires the least amount of effort. Read also 5 criteria for choosing an ISO 22301 / ISO 27001 consultant.

How to choose a project manager

Of course, the ISO 27001 implementation should be structured as a project – without defining exactly who is responsible for what, and in which time frame, chances are good that your implementation would never finish.

The most natural person to lead the project should be a person who is in charge of information security in your company – there are different titles for this job: Chief Information Security Officer (CISO), Information Security Officer (ISO), Security Manager, etc. See also: Chief Information Security Officer (CISO) – where does he belong in an org chart?

Some larger companies have corporate rules/structures for managing projects, so in such case a professional project manager would lead the project, whereas an information security expert would be a member of the project team.

Project phases

Normally, you should divide your project into two phases:

  1. Analysis and planning – this is where you need to define the objectives of your project, analyze the existing situation, and determine what needs to be done. In other words, you need to complete all the steps from the Plan phase (clause 4.2.1 of ISO 27001:2005), including setting the ISMS scope, ISMS policy and objectives, performing the risk assessment and treatment, and producing the Statement of Applicability.
  2. Implementation of safeguards – unfortunately, you cannot know which security controls you need to implement before you finish the previous phase in the project. So the detailed implementation roadmap will be known only after the first phase is finished – basically, in the implementation phase you need to implement all the policies, procedures, technology, and other things that will help your information become safer.

And when you implement all the controls you have planned for, your project is finished. But remember – this is when the most important (and most difficult) job begins – including your security activities in day-to-day operations.

Click here to download a free preview of  ISO 27001 Project Plan template.


List of mandatory documents required by ISO 27001

By Dejan Kosutic on April 09, 2013

It’s actually funny, but it is rather difficult to find a list of all mandatory documents required by ISO 27001 anywhere on the Internet – this problem came to my attention when one of the readers of my blog told me he had to read several of my articles to assemble this list.

Anyway, a complete list of mandatory documents has two parts: the first part is related to documents which are required in the main part of the standard (clauses 4 to 8), and the second part is related to Annex A.

Mandatory documents required in the main part of ISO 27001

The first part is rather straightforward – most of the required documents are listed in clause 4.3.1 of ISO 27001:2005:

  • ISMS scope
  • ISMS policy and objectives
  • Risk assessment methodology
  • Risk assessment report
  • Statement of Applicability
  • Risk treatment plan
  • Description of how to measure the effectiveness of controls
  • Procedure for document management
  • Controls for record management
  • Procedure for internal audit
  • Procedure for corrective action
  • Procedure for preventive action

Records required by the main part of the standard are as follows:

  • Records related to effectiveness and/or performance of the ISMS
  • Records of management decisions
  • Records of significant security incidents
  • Records of training, skills, experience and qualifications
  • Results of internal audit
  • Results of management review
  • Results of corrective actions
  • Results of preventive actions

Documents for Annex A

This is where it gets confusing – ISO 27001 doesn’t require all the controls from Annex A to be implemented, and it doesn’t clearly indicate how each control should be documented. To learn how to determine which controls to implement, read this article: ISO 27001 risk assessment & treatment – 6 basic steps.

The documents that are mandatory in Annex A (provided that the control is applicable) are the following:

  • Information security policy
  • Inventory of assets
  • Rules for acceptable use of assets
  • Definition of roles and responsibilities
  • Operating procedures for information technology and communications management
  • Access control policy
  • List of relevant statutory, regulatory and contractual requirements
  • Records provided by third parties
  • Logs recording user activities, exceptions, events, etc.

And, here are the documents that are quite commonly used when implementing controls from Annex A, although they are not mandatory:

  • Classification policy
  • Change management policy
  • Backup policy
  • Disposal and destruction policy
  • Information exchange policy
  • Password policy
  • Clear desk and clear screen policy
  • Policy on use of network services
  • Mobile computing and teleworking policy
  • BYOD – Bring your own device policy
  • Incident management procedure

Which documents do you think should be used in ISO 27001 implementation?

Click here to download a white paper Checklist of ISO 27001 Mandatory Documentation with more detailed information on the most common ways for structuring and implementing mandatory documents and records.


5 criteria for choosing an ISO 22301 / ISO 27001 consultant

By Dejan Kosutic on March 25, 2013

If you’re implementing ISO 27001 or ISO 22301 for the first time, you’re probably considering hiring a consultant to help you. But, which consultant should you hire, what are the potential problems, and how much should you pay?

The purpose of an ISO 22301/ISO 27001 consultant

A consultant should shorten your implementation time – he should provide you with all the know-how for the implementation, and help you avoid numerous pitfalls during the project. He should lead you step by step throughout your project, and give you a precise idea of what the certification auditors will be looking for.

If your arrangement includes on-site consulting, a consultant can make all the necessary analysis, recommend the best solutions, write the documentation, train your employees, etc. In other words, he can take part of the workload off of your staff.

Potential problems with consultants

However, hiring a consultant carries some risks, too:

  • The consultant will be able to see your most critical information, including the areas where you are most vulnerable.
  • If a consultant is selling some software or some other solutions, you can expect him to use his knowledge of your company to convince you that his solution is just what you need. (He might even offer you a lower consulting price with this goal in mind.)
  • If a consultant is doing all the analysis and documentation writing by himself (with no interference of your employees), two things will probably happen: (1) the documentation will not reflect the real needs of your company, and (2) once the consultant is gone, your employees won’t know how to maintain the documentation – both of these have the same result: the documentation won’t really be useful in daily operations, and employees will probably reject it.
  • There are many people claiming to be consultants, but in fact they know very little about this job. In most countries, there is no license needed for doing this job, so practically anyone can declare he or she is a consultant.

Thinking about it, a question arises whether you need a consultant at all – read more about it here: Do you really need a consultant for ISO 27001 / BS 25999 implementation?

If you do decide to hire a consultant, make sure you address all the above-mentioned issues in the project plan, and address them specifically (and in writing) within your contract agreement.

Criteria for choosing a consultant

So, based on all these issues, which criteria should you use?

1) Experience & skills. Do your research, not only about the consulting company, but also about the person who would do the consulting job – does she have certificates such as ISO 27001 Lead Auditor or ISO 27001 Lead Implementer (and the same for ISO 22301)? How many jobs has she performed; how long has she been in this business? What kind of companies has she worked for? If she has worked only with banks, she is hardly the right choice for an IT company.

2) Reputation. By far, the best thing is to call the clients the consultant claims she has worked with – very often you’ll be surprised that the job she was working on was far smaller in scope than you were led to believe, and sometimes the customers won’t speak favorably about the service they received. Also, if a consultant has published some books or articles on a subject, or if she is a frequent speaker at conferences, chances are you’ll make a good choice.

3) Customized service. Avoid the “copy-paste” consultants – they will bring you finished templates and contribute nothing to them. (You would be better off doing the implementation by yourself with our Documentation Toolkit.) Actually, you’ll learn quite a lot about the willingness of a consultant to tailor the service for your specific needs during the negotiation period. If you feel she is not adaptable enough, or you don’t like her communication style, walk away from this deal.

4) Language. Choosing a consultant that doesn’t speak your local language (or speaks it poorly) probably leads to disaster. Don’t expect that a translator will help you with this problem – the job of a consultant is to understand all the nuances of your operations, and that cannot be done via a third person.

5) Conflict of interest. Hire a consultant who sells only this – consulting services. Avoid those who offer other security or IT solutions, unless you want to be an upsell target.

Pricing

There is a good reason why I didn’t write that price should be one of your criteria – many times I’ve seen companies choose the least expensive consultant, only to find out later that was actually the most expensive option. The cheapest consultants usually don’t have enough work to do, so this is why they offer the lowest prices – they want to survive in the market. But, the important question here is – why don’t they have enough work? Because they’re new to this market, and don’t have enough experience? Or because they have a not-so-good reputation, so many clients are avoiding them? Think about this when you’re making your decision.

Of course price is important, but you have to calculate the total price of the project – and usually the price premium of a good consultant will be far less than the savings such consultant will bring you.

That being said, although consulting prices are usually based on man-days, it is far better to agree on a total price for the whole project – this way the risk is on the consultant, not on you. If a consultant claims he cannot anticipate the amount of work needed, let him do a pre-agreement analysis – if he still cannot estimate the amount of work, maybe he doesn't have enough experience.

And remember – the ultimate purpose of a consultant is to save your time.

 

Click here to see a description of ISO 27001 & ISO 22301 Premium Documentation Toolkit.