ISO 27001 & BS 25999

This is probably the second most common question I hear about ISO 27001 and BS 25999 (the first one is How much does it cost?). Well, the answer is not really encouraging – most of the people I speak to expect it to be a few months. But this is not realistic – the reality is closer to one year.

Of course, you can always produce 50 documents in a matter of days claiming you are compliant with ISO 27001, but this is not what I’m writing here about. I’m writing about the implementation that makes sense, i.e. that produces results – a lower number of incidents, higher efficiency, cost savings etc.

Time needed for ‘Plan’ and ‘Do’ phases

Your main implementation effort will be spent on the Plan and Do phases, i.e. the first two mandatory phases in which the risk assessment/business impact analysis is being done and in which all the controls (including business continuity plans) are being implemented.

The duration of implementation for these two phases depends primarily on the size of the organization:

• Smaller organizations (up to 50 employees) usually implement the standard in up to 8 months
• Mid-size organizations (up to 500 employees) usually implement the standard in 8 to 12 months
• Large organizations (500 employees and more) – implementation usually lasts 12 to 15 months

One note here – in my experience, the companies that drag such projects for too long (e.g. small companies for more than 12 months), usually never finish the project – in such organizations there is never enough recognition of the importance of ISO 27001 or BS 25999, so human or financial resources dedicated to such a project are never sufficient.

When speaking about implementation time, it is worth mentioning here that the work on ISO 27001 / BS 25999 doesn’t stop with Plan and Do phase – these management systems need to be maintained and improved (phases Check and Act), meaning that the work on information security and business continuity is not one-off, but continuous. However, the effort for maintaining and improving the system is not as great as in the first two phases.

Things that will speed up your implementation

The duration mentioned above depends of course on many factors, but generally the following factors will speed up the implementation:

• If you run the implementation as a project – if you know exactly what are the objectives, who is responsible for what, if the resources are available and what are the deliverables, you will not only speed up the process but also increase your chances of a successful outcome.
• If you already have ISO 9001 or some other management system – ISO 27001 and BS 25999-2 are not that different from other management systems, so you can use some of the existing procedures and processes and save probably 20% to 30% of your time.
• If you already have many security/business continuity policies and procedures already in place – chances are that your existing documentation will be acceptable for ISO 27001/BS 25999 and it will decrease your implementation time; not only that, you will already have an understanding in your organization about what information security / business continuity is all about.
• Having the appropriate documentation templates – here I don’t mean any documentation templates, but the templates in your language, appropriate for the size of your company, and made specifically for the purpose of ISO 27001/BS 25999. (Another note here – free templates downloaded from the Internet are not going to speed up your process because you’ll need considerable time for their customization.)
• Having the knowledge – you can obtain the knowledge either through literature, in-person courses, online courses (that’s our specialty!), or by hiring a consultant; without knowledge not only will your project last much longer, but you’ll probably never finish it.
• Last but certainly not least – the support of your management. If you don’t get their support in terms of money and human resources, your project will actually last quite short – it will be finished even before it begins.

So the point is – the implementation of standards like these does take quite a lot of time, so you need to make sure you do it with some purpose in mind. If implementation is done superficially or without clear objectives, you’ll not only lose time but miss an opportunity to help your company improve and grow.

And of course, you can decrease the implementation time – if you plan your project carefully.

Every time I speak to someone about cybersecurity I hear rather different definitions about what it actually is – but at least the general idea is pretty much the same. However, when it comes to the question on how to achieve it, opinions differ sharply.

This topic has become so hot lately that even President Obama dedicated a speech to it in 2009 (I must admit, the best explanation on cybersecurity I’ve ever heard), and the White House has dedicated a web page to cybersecurity.

Cybersecurity definition

So what is cybersecurity? I think this short definition from Techtarget.com is the most appropriate: ”Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.”

Just to note here – cybersecurity is not exactly the same thing as information security. Information security is a discipline that doesn’t take care only of digital information, but also of information in other media – paper documents, etc. Therefore, cybersecurity is a subset of information security, although in today’s world cybersecurity takes up a major part of information security.

How can cybersecurity be important to you? Can you imagine doing your business without IT infrastructure? Your most sensitive information is (most probably) archived on your IT systems – what would happen if they were compromised? How would you communicate with your clients without e-mail, website or phone?

One could argue that nowadays the companies are all about information – although I do not agree completely with that statement, it does show the reliance of modern organizations on information. Information that is primarily stored in digital form.

Connection with ISO 27001

Reading the above definition, cybersecurity is all about policies, procedures, processes, applying technology in a secure way, etc.

When thinking about this, the first thing that comes to mind is – it sounds complex! Is it really possible to carry out all that is required, and not to forget something? I would say it is, but you need to find a framework to achieve such a comprehensive task. ISO 27001, a leading international standard that defines how to manage information security, is emerging lately as the leading framework to protect your digital assets. It is already very popular in Europe and East Asia, and is gaining more and more popularity in North and South America.

Click here to read about the basics of ISO 27001.

The pros and cons of using ISO 27001 as a cybersecurity framework

I may be subjective about the importance of ISO 27001, but let’s take a look at how this standard can help you with regard to cybersecurity:

• First of all, the standard forces you to think comprehensively, so that you wouldn’t forget some important element of your information security / cyber security protection.
• The philosophy of ISO 27001 is based on risk assessment – in such a way it allows not only to customize the protection of information security according to the needs of each particular organization, but it also allows to focus on the most important issues. By the way, risks management is becoming more and more prevalent in managing not only financial institutions, but all kinds of for-profit and non-profit organizations.
• The standard recognizes that emphasis only on technology wouldn’t solve the problem, so it focuses on how to manage the relationship between the organization (processes, structure, policies, etc.), the people (employees, vendors, etc.) and the technology.
• A large portion of information security legislation in many countries is based on ISO 27001 – that means you can use this standard for resolving compliance issues.
• ISO 27001 is the only international information security standard against which an organization can get certified, proving  to third parties that it is compliant.

There are negative sides to ISO 27001, of course. The primary concern, especially among IT professionals, is that this standard doesn’t offer any guidelines on how to implement certain technology. This lack of technical detail is due to the intention of the standard – to serve as a framework within which an organization can choose the most appropriate technology.

But for the technological details you can use other standards – like ISO 27002 (guidelines for the implementation of security controls), or NIST Special Publications (800 Series). The good thing about ISO 27001 is that it tells you where to start from, and when to use other standards for particular technology.

The next step

Of course, ISO 27001 is not the only framework you can use to implement cybersecurity – but you must choose a framework because otherwise you will be left with a headache about where to start from and what to take into account.

So when President Obama said ”cyber threat is one of the most serious economic and national security challenges we face as a nation“, you are lucky if you don’t have to take care of the cybersecurity of a whole nation. But you do have to take care of your company’s sensitive information, or at least of your personal information. And you need to find the way to do it.

You can also check out our series of ISO 27001 video tutorials which explain every step in ISO 27001 implementation (commercially sold videos).

It’s been six years since the last revision of ISO/IEC 27002 (in 2005) – much has changed in information security since then, and this standard definitely needs some “facelifting”. Since ISO 27002 is closely tied to ISO 27001, this revision has to be done simultaneously for both standards, and is expected to happen in the latter half of 2012 or during 2013.

ISO 27001 and ISO 27002

What these two standards have in common are the 133 controls – they are offered as a kind of catalogue in Annex A of ISO 27001, with the idea that appropriate controls are selected based on the risk assessment. ISO 27002 lists all of these 133 controls again, but offers detailed explanation of best practices for their implementation. For a detailed explanation of the differences between ISO 27001 and ISO 27002, read ISO 27001 vs ISO 27002.

This relationship between the two standards is why ISO 27002 has changed its name in 2007 – it was previously called ISO/IEC 17799, but its name was changed to ISO/IEC 27002, making it part of ISO 27k series.

This most important link between ISO 27001 and ISO 27002 – identical structure of ISO 27001 Annex A and ISO 27002 controls – will most likely still be included in new revisions of both standards. However, the way it is structured and the individual controls will most probably change.

Expected changes

At the moment of writing this article (October 2011) it is impossible to predict all the changes in ISO 27002 because the final draft hasn’t been written yet. However, most likely changes can be judged by hearing what ISO 27001 experts have to say – here’s a summary of suggestions from ISO 27k Forum, the leading expert forum about ISO 27001/ISO 27002:

• Accountability – definition of what it means in relation to human resources management
• Authentication, identity management, identity theft – they need better description because of their criticality for web-based services
• Cloud computing – this model is becoming more and more dominant in real life, but hasn’t been covered in the standard
• Database security – the technical aspects haven’t been systematically laid down in the existing revision
• Ethics and trust – an important concept not covered at all in the existing revision
• Fraud, phishing, hacking, social engineering – these particular types of threats are gaining more and more importance, but aren’t covered systematically in the existing revision
• Governance of information – this concept is very important for the organizational aspect of information security and is not covered in the current revision
• IT auditing – needs to focus more on computer auditing
• Privacy – needs to go broader than existing data protection and legal compliance, especially because of cloud computing
• Resilience – this concept is completely missing in the existing revision
• Security testing, application testing, vulnerability assessments, pen tests etc. – these are essentially missing in the current revision

As Gary Hinson from the ISO27k Forum argues, several of these issues are already covered, but they were not given sufficient emphasis in the current revision of the standard – key terms widely used today are either completely missing or are only vaguely alluded to.

Also, the new ISO 27002 will refer more on other standards that define certain areas in more detail – for instance, Section 14 Business Continuity Management will refer to ISO 22301 (new standard dedicated to business continuity management) and ISO/IEC 27031 (focused on ICT aspect of business continuity).

All these changes mean that not only some of the controls will change or will be added, but it also means that the structure of the standard will change – instead of existing 11 sections of Annex A / ISO 27002, some new sections will probably have to be created, and others merged. And these structural issues are probably the toughest ones since the body in charge of the revision (JTC 1/SC 27 committee) will need to ensure compatibility with the existing revision. This is why we have no idea at the moment what these structural changes will look like.

ISO 27002 certification?

Many people still ask me whether it is possible to get certified against ISO 27002. The situation with the new revision will stay the same – currently it is not possible, nor will it be possible to get an ISO 27002 certificate because unlike ISO 27001, this is not a management standard.

This means ISO 27002 will remain a code of practice (or best practices) for implementation of security controls. It will not define the management system – e.g. the documentation management, internal audit, management review, corrective and preventive actions, risk management, etc.  – all these remain in the domain of ISO 27001. Therefore, ISO 27001 will remain the only certifiable standard in the ISO 27k series.

Implications for the ISMS

If you already have your Information Security Management System implemented, you don’t have to worry too much – no matter which changes the new revision will bring, you will have enough time (normally one year after both standards have been published) to implement the changes.

Once the revisions are published, you will need to align the structure of your controls in the Statement of Applicability with the new Annex A in the revised ISO 27001. And although the structure won’t change too much, this alignment will be the biggest job that’s ahead of you.

And this is where the new ISO 27002 will bring the most value – in the transition period you will have plenty of refreshed best practices to choose from. And since ISO 27002 is quite detailed, and you still have the freedom to choose only the appropriate stuff for your organization, it will definitely help you make such transition easier.

You can also check out our webinar ISO 27001 Foundations Part 3: Annex A overview (commercially sold training).

Having a business continuity plan is nice, but if you don’t know when and how to start using it, the money you’ve invested in it was spent in vain. Even worse, you’ll likely lose quite a lot of money because your business operations will be disrupted.

What is a business continuity plan?

Before going into the activation procedures, let me go through some of the basics of business continuity plans. BS 25999-2 standard defines a business continuity plan as a “documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefined level”. (Click here to read more about BS 25999-2).

Therefore, a business continuity plan is not a single procedure or a single document. It usually consists of at least two parts: (1) incident response plan, and (2) recovery plan. An incident response plan is a procedure that clearly defines what to do immediately after an incident occurred – e.g. how to evacuate the building, who to call for help, how to contain the incident etc.

The purpose of the recovery plan is to resume business critical activities within the recovery time objective. It is activated right after the incident response plan, and can be used e.g. to recover the ICT infrastructure (also called “disaster recovery plans”), to recover production sites, to recover business processes in a service company, etc.

Since the business continuity plan consists of several parts, each of these parts is activated separately – here I’ll focus only on the two parts mentioned earlier.

Activation of incident response plan(s)

Well, the activation of this one is quite obvious. If anyone notices fire, an explosive device, flood in the basement or malicious code, he or she should notify someone immediately. Now, who is it they are going to call? In case of a smaller company, there is usually one responsible person who must be notified in case of any incident; however, in larger companies there could be more people responsible – e.g. one person for all IT related incidents, and one person for all non-IT related incidents.

It is up to them to activate the appropriate incident response plan – the company should have quite different incident response plans for e.g. fire as opposed to a threat letter.

Activation of recovery plan(s)

At first thought, it is not so obvious who should activate them. But good practice says that recovery plans should be activated by top level management dealing with crisis – usually it is the Crisis Manager. Such a decision should be made by a high level authority because it could prove quite costly to activate the recovery plan if there was no reason for it – e.g. someone at a lower level might panic and initiate transportation to the alternative site, which could prove quite unnecessary. But also someone who is not informed about the whole picture of the crisis could wait too long to make such a decision, which could prove even more expensive.

Therefore, the decision to activate certain (or all) recovery plans must be made by the Crisis Manager (or similar) – the criteria for activation are based on an estimate whether the disruption of business activities caused by the incident is going the last longer than the RTO (Recovery Time Objective). If so, then an appropriate recovery plan must be activated.

The question which recovery plan to activate is rather simple – if, for example, the whole company is affected by the incident, then all the recovery plans must be activated; however, if only one department is affected, then only the recovery plan for that department must be activated.

Emergency preparedness

Of course, for all this to work, it is not enough to write nice activation procedures – it is essential that those activation procedures are customized to the company’s situation, that they are remembered by all employees involved, and that they are practiced. If they are just a theoretical document which no one has seen for 2 or 3 years, then it is hard to expect employees to observe such procedures. It is true that preparing for an emergency is quite a wide topic that must include exercising and testing of all elements of the business continuity plan, but sadly, activation procedures are very often neglected in this respect.

Once again, for your business continuity plan to work, you need good activation procedures. But good activation procedures are useless if no one knows about them.

You can also check out our webinar BS 25999-2 Foundations Part 3: Business Continuity Planning which explains how to write incident response plans and recovery plans (commercially sold training).

If you think writing a bunch of information security documents is enough to get ISO 27001 certificate , you’re wrong. You need to implement all the activities described in your documentation, but that’s not all – you also need to follow certain steps in the final phase of your ISO 27001 project.

ISO 27001 certification process

Let’s start first with the certification process itself – it is divided in two steps: Stage 1 audit and Stage 2 audit. In Stage 1 audit (also called Documentation review) the certification auditor checks whether your documentation is compliant with ISO 27001; in Stage 2 audit (also called Main audit) the auditor checks whether all your activities are compliant with both ISO 27001 and your documentation.

Therefore, you need to pay attention to both writing appropriate documentation for your needs, and to really committing to implementation information security in your company. For details on required documentation, steps in the audit and how to deal with nonconformities read this article How to get certified against ISO 27001?.

Mandatory steps for finishing the implementation

After finishing all your documentation and implementing it, you need to perform these mandatory steps in your ISO 27001 project:

• Internal audit
• Management review
• Corrective and preventive actions

The purpose of internal audit is that someone independent checks out whether your Information Security Management System (ISMS) is working properly. Read more about internal audit here Dilemmas with ISO 27001 & BS 25999-2 internal auditors.

Management review is actually a formal way for management to take into account all the relevant facts about information security and make appropriate decisions. The point with ISO 27001 is to reach such decisions as part of a regular decision making process.

Finally, the company needs to correct all the problems detected by internal auditors, managers or someone else, and document how these problems were resolved – this process is called corrective actions. It is recommended to take preventive actions too – to try to prevent problems before they happen (something the certification auditor will appreciate quite a lot).

How to test ISO 27001 implementation?

However, before undertaking these mandatory steps, it is useful to check whether everything is in place. This step is not required by ISO 27001 (at least not in such an explicit way), but in my opinion it significantly increases the chances for successful certification.

Doing the ISO 27001 test (or check) means that everyone who has a role in ISMS has to check whether everything he/she is responsible for really functions as required by the standard, and by the company’s documentation.

Such test/check is not the same thing as internal audit because during internal audit it is the auditor who goes through the company checking out things, while what I’m talking about here is that almost every employee needs to think hard whether he/she has done really everything that is required. In such a way you not only decrease the chances for something going wrong, but also raise the awareness of your employees.

All these steps might seem complicated or you may think of them as costly overhead. But, believe me, they do serve their purpose – if implemented properly, you will see that they will actually increase your level of information security.

You can also check out our series of ISO 27001 video tutorials which explain every step in ISO 27001 implementation (commercially sold videos).

“Your ISO 27001 is nice in theory, but if our system administrator goes crazy, we’re dead.” – I hear this quite often when speaking to my clients about which security controls they should apply.

And it’s not only system administrators, it is also the line managers, engineers, top management, etc. – actually, anyone who has access to sensitive information or systems could be a potential threat. For instance, the biggest damage in banks is not done by robbers (with guns in their hands), but by inside jobs (with computers in their hands).

Of course, money theft is not the only purpose of these kinds of attacks – it can also be sabotage, theft of confidential corporate information, altering of data, theft of identities, etc.

Since this is such a complex issue, how can you deal with it?

Risk assessment

ISO 27001 is a standard which approaches security management mainly from the preventive point of view – the first step is to find out which incidents could happen regarding your employees (but also external partners with access to your systems), and then to choose appropriate security controls in order to avoid those incidents. In ISO 27001, this process is called risk assessment and risk treatment.

However, risk assessment shouldn’t be done superficially. If you didn’t think really hard about all the bad things that can happen, then you won’t mitigate those risks and someone could exploit those vulnerabilities.

Therefore, don’t rush through this step; do it systematically.

Preventive measures

Once you know how an insider can exploit your vulnerabilities, you can start planning your security controls in a comprehensive way. Again, ISO 27001 offers a catalogue of security controls in its Annex A – here are a few examples of the most common controls to mitigate the risk of insider threats:

• Access control (section A.11 in Annex A) – access to sensitive data can be approved on a need-to-know bases only. This way you decrease the number of people that can do harm, but also decrease the damage if someone’s identity is stolen.
• The access privileges must be regularly reviewed (control A.11.2.4) – very often quite a few employees have access to information they don’t really need.
• The accounts and access rights of former employees must be removed (A.8.3.3) – yes, sometimes there are open accounts a few years after an employee has left the company…
• Strong password policy (control A.11.2.3) or some other authentication method should be enforced to disable identity theft.
• Segregation of duties (control A.10.1.3) – you probably wouldn’t allow a single person to authorize large payments – the same goes for any other sensitive system.
• Backup (A.10.5.1) – of course, it should be regular; but also access to backup information cannot be allowed to employees who can harm your production systems the most.
• Document policies and procedures which clearly define the security roles and responsibilities (A.8.1.1; A.10.1.1) – you cannot expect your employees to observe the security rules if they don’t know what the rules are.
• Awareness & Training (A.8.2.2) – all of your employees need to know why it is necessary to protect sensitive data, as well as how to do it; for certain jobs (like monitoring logs) you may need to send your employees to special trainings.

Of course, there are other controls that are more technically oriented, like segregated network architecture (A.11.4.5), regular security patches (A.12.6.1), spyware scanning (A.12.5.4), anti-virus (A.10.4.1), firewall (A.10.6.1), physical entry controls (A.9.1.2), etc.

People issues

However, someone with high motivation and skills can bypass all of these security controls and achieve whatever agenda he or she has. Therefore, in my opinion, the most important thing is to develop some early warning indicators. And that requires a little bit more sophistication.

First of all, you need to know who you are employing – you probably wouldn’t allow some total stranger to access your sensitive data and/or systems only because he or she has a very nice diploma and a letter of recommendation. You need to dig deeper, or as ISO 27001 puts it – perform the background verification checks (A.8.1.2).

The second, and probably the most important control, is to constantly monitor what is going on – both on the “soft” side (most of the times you can observe if someone is starting to behave in a strange way) and on the “hard” side – by monitoring logs (A.10.10.2), i.e. monitoring whether there is anything suspicious in the use of information systems. Actually, the two can often be viewed together – whenever you conclude that someone’s behavior is peculiar, then this person’s logs need to be observed in more detail. And vice versa – if you spot some strange usage of information system, the soft side should be monitored more closely.

To conclude, insider threats will probably remain the biggest risk to the security of information – the complexity of information systems and amount of data will only increase this threat in time. And the best way to deal with them is to prevent them – once they happen, you can only hope they won’t go too far.

You can also check out our webinar ISO 27001 A.6 & A.8: Organization of information security; external parties; raising awareness, training and HR management (commercially sold training).

If you are an information security or business continuity professional, then you’re probably aware of the most difficult part of your job: to convince your management that investment in information security/business continuity makes sense.

Traditionally, “making sense” for management means that the revenues that will result from the investment will be larger than the total cost of investment. (Of course, there are some other aspects the management will also consider – read Management’s view of information security).

So what’s the problem? The problem is, even if you can calculate the total cost, there are no revenues to be made; OK, instead of revenues you might have cost savings, but the general opinion is that these are impossible to calculate.

However, I think there is a way to estimate the financial benefits (i.e. cost savings) of information security. Let’s take a deeper look of what it really means.

Is it really impossible?

First of all, you need to estimate the potential damage an incident could cause – it is also called the Single Lost Expectancy or SLE. But to calculate SLE you need to take into account several factors:

• The scope of the potential incident – which departments, locations, business units and processes would be affected.
• The cost of purchasing of equipment, goods and materials that were damaged by the incident.
• Employees – the cost of employees resolving the incident.
• Legal and/or contractual penalties – if you didn’t comply with legislation or contractual obligations.
• Lost revenues – both from your existing clients and from potential clients.

The next step is to estimate the likelihood – normally, you would have to consider threats and vulnerabilities, as well as existing security measures. The best way is to assess how often you think such an incident would occur – e.g. once every three months, once every three years or once every 30 years.

When you multiply Single Lost Expectancy and likelihood, you get the Annualized Lost Expectancy (ALE) – you could also consider this number to be the annual cost of that risk. For instance, the annualized risk of earthquake will cost you US$ 30000 if SLE is US$ 3 million and the likelihood is once in 100 years.

After that you would need to assess the frequency of the potential incident after you implement security measures – in the earthquake example, the frequency will stay the same; however, if you implement more effective anti-virus software, the likelihood of a successful malicious code attack will decrease.

Finally, you need to estimate how much your security measures will cost – to be accurate, you will again need to take into account various factors:

• Purchase value – cost of hardware, software, implementation services etc.
• Residual value of the security measure – its value after it is no more in use.
• External costs of maintenance – servicing, repairs etc.
• Internal costs of maintenance – mainly employees.

When you have all these inputs together, you will know whether your Return on Security Investment is positive or not – the point is that the decrease in your risk needs to be bigger than the total cost of security measures. It is best if you calculate both on an annualized level – this would mean that your Annualized Lost Expectancy has to be greater than the annual cost of security measures.

“Delusion or idiocy?”

When we have published our ROSI Calculator based on the abovementioned logic, one of the leading information security experts (whom I really do respect) has commented our tool on his Twitter account as follows: “delusion or idiocy? take your pick: http://bit.ly/lAeFZv – just enter ‘probability of incident occurrence’ :-( #ROSI #ROI”.

Why did he react this way? – Let’s be realistic, it is quite difficult to calculate all the costs related to the potential damage of an incident; however it is even more difficult to estimate precisely the likelihood of such an incident occurring. Especially if there are no statistics to support such an estimation.

But the question is – is it better to have nothing at all, or is it better to have at least some feeling about the financial consequences of the work you are doing? If you are a perfectionist, you will probably wait for another 10 or 20 years for a better methodology / statistics to evolve (by the way, the banking sector is now developing those under Basel II – Advanced Measurement Approach); or if you are a realist, you could use this logic to help you, keeping in mind that it is not perfect.

If you take the latter approach, you won’t be the only one in your company – just take a look what your marketing department is doing. They usually spend a lot of money on TV and radio commercials, but they cannot calculate exactly if that is profitable either, can they? What they sure are good at is presenting why this investment is needed, guessing along the way quite a lot of factors. Instead of making fun of them you should learn from them.

Something is better than nothing

So is it possible to calculate exactly what the Return on Security Investment will be? Unfortunately, the sceptics are right – it is impossible to calculate it precisely – mainly because it is difficult to estimate the likelihood of incident occurrence. But chances are you wouldn’t miss the probability that much – you wouldn’t assess the likelihood once in 100 years if it is more likely that an incident is going to happen every five years. That, together with taking into account all other relevant factors, will give you a much better picture of the risk your organization is exposed to.

And having that information in hand is much better than having nothing at all. More importantly, you will start speaking your management’s language (Profit & Loss language), which increases your chances of being heard.

To access the free Return on Security Investment (ROSI) Calculator, click here.

More and more often people ask me how to deal with cloud computing in the context of ISO 27001 and BS 25999. My answer is: use common sense.

Their dilemma is quite understandable – these standards were written before cloud computing was such a big issue, and there is no particular focus on cloud computing in any of them. To make things worse, the outages of cloud computing providers cause serious problems to other Internet-based businesses, as was the recent case with Amazon Web Services (for more info on AWS and ISO 27001 read Does ISO 27001 mean that information is 100% secure?).

Therefore, their point is: since we cannot control information in cloud computing, the security of information in such cases is only a dead letter.

New concept?

I would disagree on that. The point is – cloud computing is nothing else but outsourcing (of your information archiving and/or processing).

And you already do outsource other activities which could endanger the security of your information – your software is usually developed externally, you may have external suppliers which maintain your hardware and software assets (sometimes with remote access to your network), most probably you do have some kind of external maintenance staff on-site (if nothing else for the infrastructure), almost certainly you do have consultants and/or auditors on-site (who do know the vulnerabilities of your company) and you probably do have cleaning staff outsourced (and they do have access to most of the facilities when no one else is present).

Therefore, I would say that although cloud computing is a new technological opportunity, the main issue of outsourcing remains as before – how much can you trust your outsourcing partner?

Common sense

This is where you need to apply your common sense, or to put it in the wording of ISO 27001 and BS 25999-2 – you need to apply risk assessment to find out what the potential risks are, and then you need to choose your partner wisely and apply necessary security controls to mitigate those risks.

In its control A.6.2.1 ISO 27001 requires to identify “… risks to the organization’s information and information processing facilities from business processes involving external parties”, and A.6.2.3 requires to address security issues in agreements that “… shall cover all relevant security requirements”; there also various other controls specifying information backup (A.10.5.1), access control (A.11), classification (A.7.2.1) etc. In clause 4.1.1 BS 25999-2 requires to “…identify all dependencies relevant to the critical activities, including suppliers and outsource partners”, in clause 4.1.2 “…understand the threats and vulnerabilities … including those provided by suppliers and outsource partners”, and in clause 4.2 “…determine how it will recover each critical activity … including products and services provided by suppliers and outsourcing partners”.

So what can you do to decrease the risk of cloud computing? Here are a few very basic tips:

• Do a thorough check on the potential provider – not only its performance record, but also the background of its management, have they implemented the information security and business continuity policies and procedures, financial stability, legal risks etc.
• Write very specific security clauses in your agreement with the provider, where the biggest emphasis will be on issues that have raised the highest concerns during risk assessment.
• Keep a backup copy of your information locally – although a cloud computing provider will (probably) do regular backup, it is always a good idea to have direct control of your information. (e.g. banking regulators in some countries have imposed regulations to local banks to keep the backup copy inside the country specifically because of this risk.)
• Develop your strategy on how to return the information processing/archiving back to your company (re-insourcing) in case of problems with your cloud computing provider – you should know exactly which steps are needed, as well as which resources.
• An exit strategy might also be to have an alternative cloud computing provider standing by, ready to jump in if your existing partner performs badly.
• Perform regular checks of your provider to find out whether they are complying with the security clauses in the agreement.

Of course, most of the things mentioned here will seem impossible for a smaller company. But in such a case, would you really give them your important information without having any guarantees? Sometimes you are better off with no cloud computing – this is something your management needs to decide: they have to weigh out the balance between the cost & convenience and the risks.

Manage your risks

I’m not trying to say here that the risks of cloud computing are the same as other outsourcing risks, because they are not – cloud computing usually brings higher risks. I’m also not trying to say that ISO 27001 and BS 25999-2 (soon to become ISO 22301) do not have to be more specific about cloud computing, because they do. I also think that the legislation will have to address this issue very quickly.

What I’m trying to say here is that although the risks related to cloud computing are high, it doesn’t mean they cannot be mitigated. Therefore, use your common sense when choosing your cloud computing provider – if you don’t trust your provider fully, then don’t entrust them with your sensitive information.

You can also check out our video tutorial How to Implement Risk Assessment According to ISO 27001 (commercially sold video).

If you think your management doesn’t have a clue what information security is all about, keep in mind that misunderstanding usually goes both ways: management often thinks you have no idea about what is appropriate for the business.

So before suggesting to your management to start implementing your information security / ISO 27001 project, you should learn about your management’s way of thinking. Here are the five main concerns your management will have when you approach them:

Is it really necessary? You have to be prepared to present the main benefits of information security, because otherwise the management won’t understand its purpose. In most cases you can choose among the following benefits: (1) Compliance with various legislation and contractual requirements etc., (2) Achieving competitive advantage in the marketplace, (3) Lowering expenses by decreasing the number of incidents, and (4) Optimizing your business operations by clearly defining tasks and responsibilities. Read more on these four benefits here: Four key benefits of ISO 27001 implementation.

Does it fit into our company strategy? Strategic fit is very important for your top management – one of your management’s primary concerns is how to keep your company competitive for a longer time period. Therefore, you have to do your homework – find out how information security can underpin certain elements of your company’s corporate strategy.

How to decrease the costs? One of the most misunderstood aspects of information security is that most of the problems (i.e. incidents) happen not because of technology, but because of human behavior. Therefore, most of the investments needed will be in defining new policies and procedures, and training and awareness programs which will prevent such incidents from happening – such investments are usually far cheaper than new technology.

Sometimes, investment in technology will also be needed – in such cases you can try to calculate the Return on Security Investment. For instance, you might try to calculate the damage that would be caused by a fire, and calculate the investment needed to prevent such damage. Just be sure not to exaggerate here, because you’ll lose your management’s confidence.

How to make sure we’ve achieved what we wanted? First of all, you need to help your management set very clear objectives – usually, those objectives will derive from the four benefits mentioned above. The second step is to set up a measurement system which will define how to measure whether the company achieved the set objectives; that system must involve clear responsibilities of who will make the reports, in which form, and who is going to read them and interpret them. Finally, a system must be in place to correct all the deviations from the objectives (be sure that such deviations will certainly happen).

What risks are involved? Management usually wants to know what is the likelihood of failure of the investment they have made. Here you need to explain to them the balance between the risks you will identify during the risk assessment and the security measures your company will invest in – the higher the investment, the smaller the chances that something will go wrong. Of course, overinvesting is not a solution, and this is why you need to leave the decision about acceptable risks to the management – your role is to present them the risks and potential security measures in an objective manner. The decision what to do with those risks is up to the management.

The point here is – the problem is not that management doesn’t want to invest in information security, but that it is either uninformed about it, or that you cannot speak the same language with your management.

By understanding the five basic issues your management is concerned with and by establishing appropriate communication with them, you’ll dramatically increase your chances for your information security project.

You can also check out our webinar ISO 27001 / BS 25999-2 management responsibilities: What does management need to know? (commercially sold training).

You have probably heard that important web services like Reddit, HootSuite, Quora, Foursquare etc. have recently suffered a quite lengthy outage – what you also probably know is that this outage was caused by Amazon Web Services (AWS), their cloud computing service provider. What you probably didn’t know is that AWS is ISO 27001 certified.

But isn’t ISO 27001 a guarantee against such service outages? Didn’t a certification company check the AWS? What’s the point of ISO 27001 if such things can happen?

The answers are: No, Yes, and Lower risk.

Let me explain…

ISO 27001 certification does not guarantee that the Internet service provider is going to have uptime of 100%, or that none of the confidential information is going to leak outside the company, or that there would be no mistakes in data processing. ISO 27001 certification guarantees that the company complies with the standard and with its own security rules; it is guarantees that the company has taken all the relevant security risks into account and that it has undertaken a comprehensive approach to resolve major risks. ISO 27001 does not guarantee that none of the incidents is going to happen, because something like that is not possible in this world.

A certification body (in this case Ernst & Young CertifyPoint) probably did check whether Amazon Web Services complied to the standard and to their own security policies & procedures, including their procedures for incident response and business continuity plans; they should have also checked the AWS risk assessment and whether all the relevant risks were taken into account. However the certification body does not have a crystal ball to predict all the incidents that could occur, neither is that their job – their job is to check whether the company has done its homework – developed a security system.

So the final and the most important question is – what’s the point of ISO 27001 then?

The point is in lowering the risk of doing business. If your company is implementing ISO 27001, that means you will have to consider very carefully what could endanger the confidentiality, integrity and availability of your information; knowing those risks, you need to implement various security measures in order to decrease risks to an acceptable level. If you are doing business with a company that is ISO 27001 certified, you will know that this company has done all that.

Does it mean that ISO 27001 will eliminate all the potential problems? Obviously it won’t. But it will decrease the chances of something like that happening, and if it does happen, the reaction of the company will be much quicker and more efficient, and the damage to the business will be lower.

You can also check out our video tutorial How to Write the ISO 27001 Risk Assessment Methodology (commercially sold video).