ISO 27001 & ISO 22301

When I heard the news that the DIS (draft) version of ISO 27001:2013 is publicly available at the BSI website (until 23 March 2013), I was very impatient to read it. Although one should not get too excited yet – this draft version might differ quite a bit from the final version of the standard (expected to be published in the second half of 2013) – the purpose of such a draft standard is to be revised based on many inputs during a public debate.

When compared to the old (still valid at the time of writing this article) ISO/IEC 27001 from 2005, the changes are actually not too drastic – here are the main differences I found:

The structure

As expected, the new ISO 27001 will be compliant with Annex SL of ISO/IEC Directives, in order to be aligned with all the other management standards – this is already evident in ISO 22301, the new business continuity management standard. So, here are the main clauses that you will see in all the management standards:

0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement

Naturally, Annex A is still here in the new ISO 27001 – this is where all the controls are listed. The quite useless Annex B from the old standard is gone, while there is no need for Annex C anymore.

Interested parties

The huge importance of interested parties, which can include shareholders, authorities (including legal and regulatory requirements), clients, partners, etc., is recognized in the new ISO 27001 – there is a separate clause that specifies that all the interested parties must be listed, together with all their requirements.

This is definitely an excellent way of defining key inputs into the ISMS.

Documented information

The concepts of “documents” and “records” are merged together; so, now it is “documented information.” Consequently, all the rules that are required for documentation control are now valid for both documents and records; the rules themselves haven’t changed much from the old ISO 27001.

The requirement in the old standard for documented procedures (Document control, Internal audit, Corrective action, Preventive action) is gone – however, the requirement for documenting the output from those processes remains in the new standard. Therefore, you don’t need to write those procedures, but you need to maintain all the records when managing documents, performing internal audits, and executing corrective actions.

Also, the clause from the old standard where all the required documents are listed (4.3.1) is gone – there is no central list of required documents.

Risk assessment and treatment

Assets, vulnerabilities and threats are not the basis of risk assessment anymore! It is only required to identify the risks associated with the confidentiality, integrity and availability – although this might seem too radical of a change, the authors of the new standard wanted to allow more freedom in the way the risks are identified; however, I assume that the assets-vulnerabilities-threats methodology will remain as a best practice for a long time.

The concept of determining the level of risk based on consequences and likelihood remains the same.

Further, Risk Assessment Methodology does not need to be documented, although the risk assessment process need to be defined in advance; the concept of asset owner is gone, too – a new term is used: “risk owners” – so the responsibility is pushed to a higher level.

Objectives, monitoring and measurement

A big change here: these are not mentioned within some other requirements, but now there are separate clauses with very concrete rules. The rules are that you need to set clear objectives, you need to define who will measure them and when, and you need to define who should analyze and evaluate those results. Further, comprehensive plans need to be developed that will describe how the objectives will be achieved.

This is definitely something that will bring ISMS closer to other management processes in a company. Hopefully, it will push information security onto the management agenda because – once you have very clear figures as to how your security performs – you cannot turn your head away from it.

Corrective & preventive actions

The biggest change is there are no preventive actions anymore, at least not at first sight – they are basically merged in risk assessment and treatment, where they naturally belong.

Further, a distinction is made between corrections that are made as a direct response to a nonconformity, as opposed to corrective actions that are made to eliminate the cause of a nonconformity. This way another ambiguity from the old standard is resolved.

Communication

This is also a new clause where all the requirements are summarized – what needs to be communicated, when, by whom, through which means, etc. This will help overcome the problem of information security being only an “IT thing” or “security thing” – the success of information security depends on both the IT side and the business side, and their overall understanding about the purpose of information protection.

What will this mean for the implementation?

I must admit I like all these changes – not only will the new ISO 27001 be easier to integrate with other management standards like ISO 9001, ISO 22301, ISO 20000 and others, but it also allows more freedom for companies (especially smaller ones) to scale the ISMS to their real needs and thereby avoid unnecessary overhead. But this may also turn out to be the greatest weakness of this new standard – because of its loose definitions, some companies may try to focus on satisfying the minimum instead of focusing on increasing security.

In other words, companies that mean well and really want to increase their level of security will find it easier to comply with this standard; however, the companies that not so positive and are looking for loopholes to implement it only for the sake of certification will see this standard as an opportunity.

P.S. I’ll examine the controls from Annex A more thoroughly in one of my next blog posts that will focus on new ISO 27002:2013.

Surveillance visits are very often quite different from (initial) certification audits, so in this post I’ll explain why this is so and what the differences are.

It bears mention here that all the issues I’ll be talking about in this post are not only applicable to certification audits for ISO 27001 and ISO 22301, but also to all other certifiable management standards like ISO 9001, ISO 14001, ISO 20000, etc.

The certification audit and its limitations

During the first (initial) certification audit the certification auditor will check whether all the main elements of the management system are in place – all the documentation, all the required records, all the processes, etc. The auditor will also check whether the main processes are working as they are described in the documentation, but such check will be limited because at that point in time the management system will have been in place for only a few months, or even only a few weeks. (To read more about the certification process, read this blog post: How to get certified against ISO 27001?)

On the other hand, the certificate is issued for a period of three years – so, for instance, if the initial certification audit was performed in November 2012, this means that the certificate will be valid until November 2015. Since the certification body guarantees that the management system will be in place throughout the validity of the certificate, the only way for the certification body to check out whether it really works is to send the certification auditor periodically to check out how things are going. And these are called the surveillance visits – they have to be performed at least once a year, or in some cases they are performed twice a year.

In cases where they are performed once a year, and using the previous example of a certification audit in November 2012, the first surveillance visit would be in November 2013, and the second (and last) surveillance visit in November 2014. After this, in November 2015, the certificate would expire and a company could go for the recertification audit.

The purpose of surveillance visits

So the main purpose of the surveillance visits is for the certification body to find out whether your management system really works in everyday operations, or not. It will focus on things that the certification audit wasn’t able to check: for instance, whether all the incidents are recorded, whether all the measurements are made, whether all corrective and preventive actions are properly recorded and implemented, whether the top management really supports and cares about the system, etc.

A surveillance visit will also focus on issues that were identified as weak in the certification audit or previous surveillance visit – minor nonconformities, as well as areas where the auditor has made some observations.

The point is, during the surveillance visit the certification auditor will pay far less attention to the documents themselves, and far more attention to how the key processes are performed, how they are measured, and how they are improved – in other words, whether your system really works.

So don’t relax after your certification audit is over – the certification body is highly interested in finding out whether your management system is really functioning, and this is exactly what the surveillance visits will be focused on. And this is one more reason why you shouldn’t implement the standard only for the purpose of certification – the idea should be that the procedures and policies are really used in everyday operations.

Click here to see a series of ISO 27001 and ISO 22301 video tutorials that will help you with your implementation.

There are probably two main thoughts managers have when starting ISO 27001 implementation:  (1) we’ll pay quite a lot of money for something we’re not sure is worth it; and (2) the annoyance of maintaining such a system will cost us even more.

Yes, ISO 27001 does require an investment, but I would strongly argue that such investment pays off very quickly (see Four key benefits of ISO 27001 implementation). The bigger problem here is this: how to minimize the costs of running such a system, especially the time required of employees that have to “lose time dealing with all that documentation.”

And yes, I do agree that very often large quantities of documentation or inappropriate documentation is a problem – it simply takes too much time to comply with it (and to maintain it) without any obvious benefit. Therefore, here are 5 simple principles you should bear in mind when developing your ISMS:

Don’t get too ambitious

Basically, create only the documents you really need – if you’re a company of 10 employees it is not likely you’ll need a written description of the operating procedure for a security committee.

How would you know which documents are needed? You should start from ISO 27001 clause 4.3.1 where all the mandatory documents are listed (see also Mandatory documented procedures required by ISO 27001); add to this documents required by other interested parties (legislation, agreements with clients and partners, etc.), and areas that are very complex or are very risky – they normally need policies/procedures to define operating rules.

Bottom line is – the purpose of documentation is to serve your company, to describe the processes to your employees – not to satisfy the certification auditor.

The documentation should be written by those who will be using it

Not only do you need to avoid unnecessary documents, you also need to avoid unnecessary content in required documents. Very often I see consultants or security experts pushing too much text into a document that could have been much shorter (and easier to comply with).

It would be best if the documents are written by the employees who will be using those documents in day-to-day operations – they will make sure all the unrealistic parts are removed because otherwise they would make their own lives miserable.

Get commitment in the early phase

And having miserable employees is the best way for them to start avoiding compliance with such documents, which will contribute to the general consensus regarding the “needlessness of such documents.”

To avoid such an image, besides including the employees in writing the documents, it is also important to run awareness and training programs – such programs should run parallel to the implementation of documents/controls, because once documents/controls are implemented (without proper preparation), the image could already be turned irreversibly in the wrong direction.

Maintain the documentation

Did you ever try observing an outdated procedure? Pretty much a time-wasting experience, wasn’t it? To avoid this, you need to make sure your documentation is up-to-date – to achieve that, these elements need to be in place: (1) each document should have an owner who should periodically check whether the document needs to be updated; (2) regular and thorough internal audits should find irregularities in the documents; and (3) corrective and preventive actions should be effectively implemented so that all nonconformities are continuously eliminated.

Measure if you achieved what you planned for

Measuring information security effectiveness is still considered to be something almost mystical; above all, it is thought of as THE overhead.

But I would argue differently – if you cannot prove that information security makes sense, it will always be perceived as an overall overhead, wouldn’t it? So in my opinion it does make sense to set some clear objectives (they don’t have to be numerous) and occasionally check whether you have achieved those. Such checks don’t have to take too much time, especially if you already have some kind of Balanced Scorecard in place – and it will show very vividly to your top management whether an investment in ISO 27001 did make sense. If it did, they will make an even greater effort to support it.

Here you can download free preview of ISO 27001 Documentation Toolkit.

—

If you think writing a bunch of information security documents is enough to get ISO 27001 certificate , you’re wrong. You need to implement all the activities described in your documentation, but that’s not all – you also need to follow certain steps in the final phase of your ISO 27001 project.

ISO 27001 certification process

Let’s start first with the certification process itself – it is divided in two steps: Stage 1 audit and Stage 2 audit. In Stage 1 audit (also called Documentation review) the certification auditor checks whether your documentation is compliant with ISO 27001; in Stage 2 audit (also called Main audit) the auditor checks whether all your activities are compliant with both ISO 27001 and your documentation.

Therefore, you need to pay attention to both writing appropriate documentation for your needs, and to really committing to implementation information security in your company. For details on required documentation, steps in the audit and how to deal with nonconformities read this article How to get certified against ISO 27001?.

Mandatory steps for finishing the implementation

After finishing all your documentation and implementing it, you need to perform these mandatory steps in your ISO 27001 project:

• Internal audit
• Management review
• Corrective and preventive actions

The purpose of internal audit is that someone independent checks out whether your Information Security Management System (ISMS) is working properly. Read more about internal audit here Dilemmas with ISO 27001 & BS 25999-2 internal auditors.

Management review is actually a formal way for management to take into account all the relevant facts about information security and make appropriate decisions. The point with ISO 27001 is to reach such decisions as part of a regular decision making process.

Finally, the company needs to correct all the problems detected by internal auditors, managers or someone else, and document how these problems were resolved – this process is called corrective actions. It is recommended to take preventive actions too – to try to prevent problems before they happen (something the certification auditor will appreciate quite a lot).

How to test ISO 27001 implementation?

However, before undertaking these mandatory steps, it is useful to check whether everything is in place. This step is not required by ISO 27001 (at least not in such an explicit way), but in my opinion it significantly increases the chances for successful certification.

Doing the ISO 27001 test (or check) means that everyone who has a role in ISMS has to check whether everything he/she is responsible for really functions as required by the standard, and by the company’s documentation.

Such test/check is not the same thing as internal audit because during internal audit it is the auditor who goes through the company checking out things, while what I’m talking about here is that almost every employee needs to think hard whether he/she has done really everything that is required. In such a way you not only decrease the chances for something going wrong, but also raise the awareness of your employees.

All these steps might seem complicated or you may think of them as costly overhead. But, believe me, they do serve their purpose – if implemented properly, you will see that they will actually increase your level of information security.

You can also check out our series of ISO 27001 video tutorials which explain every step in ISO 27001 implementation (commercially sold videos).

Your management has given you the task to implement business continuity, but you’re not really sure how to do it? Although it is not an easy task, you can use the BS 25999-2 methodology to make your life easier – here are the main steps necessary to implement this standard:

1. Obtain management support

Although this is not a mandatory step in BS 25999-2, this is certainly the crucial step in the beginning – if the management does not understand the benefits of business continuity and is not committed to this project, your project is most probably going to fail.

2. Treat it as a project

It will take quite a lot of time and resources to set up your business continuity management system (BCMS) – you have to define clearly what needs to be done, in which timeframe, and what are the roles in project implementation. In other words, you have to apply project management methods.

3. Define objectives and scope; write down a BCM Policy

You have to define what is it you want to achieve with the BCMS – compliance, decreasing the level of risk, requirements of your customers/partners etc. You also have to define what you are going to include in your BCMS – the whole organization, or just a part of it. For instance, you may decide that you are going to include only your data centre if you are providing hosting services to your customers. All of these have to be documented in the BCM Policy.

4. Defining roles and responsibilities for BCMS

Because the BCMS is going to become a permanent activity in your organization, you have to define clear responsibilities for it, especially for the “sponsor” of the BCMS (someone accountable for the BCMS but not engaged in day-to-day BCMS activities) and “BCM coordinator”, “BCM manager” or something similar to it – one or more persons with active duties regarding the BCMS. It is the best to document these roles and responsibilities in your BCM Policy.

5. Implement mandatory procedures

BS 25999-2 requires the following four mandatory procedures to be implemented: document and records control, internal audit, preventive and corrective actions – these procedures are actually the foundation of your management system, similarly to ISO 27001 or ISO 9001.

6. Perform business impact analysis and risk assessment

Through business impact analysis you have to indentify the critical activities, their maximum tolerable period of disruption, the dependencies of those critical activities (including dependencies to suppliers and outsourcing partners), and set recovery time objectives.

By doing the risk assessment you actually find out what could be the causes to the disruption of your critical activities – those could be natural, but also man-made activities (either malicious or accidental). You would also need to do risk treatment, which means you need to decide how to decrease the possibility of something going wrong. Unfortunately, the risk assessment and treatment are not very well defined in this standard, so you might take a look at ISO 27001 which describes them in more detail.

7. Determining the business continuity strategy

Before you proceed with writing business continuity plans, you actually have to determine which resources you will need for resuming your critical activities – which people, locations, data, hardware, software, suppliers, outsourcing partners etc.

The business continuity strategy has to determine not only what you need, but also how you are going to provide those resources.

8. Developing incident management plans and business continuity plans

The purpose of incident management plans is to describe how you are going to respond directly to the occurrence of an incident (e.g. fire, earthquake, bomb threat, power failure etc.) in order to prevent it to spread, and to try to decrease its direct effects.

On the other hand, the purpose of business continuity plans is to describe how you are going to recover your critical activities – how you are going to put all the resources you have prepared into action. This means you have to describe who is going to do what, in which time, using which data and technology, in order to put your organization back into operation.

All of these plans have to be described in detail, because they must be executed even in case the main personnel is not available – therefore, they have to be written in such a way that somebody else would be able to execute them.

9. Training and awareness

You need to define the level of competence needed for the execution of business continuity plans in case of disruption, and then train all the personnel (both employees and external partners) to reach this level of competence.

However, this is not enough – you also need to explain to your personnel why BCM is necessary. Let’s face it – your business continuity plans will be used maybe only once in a life time, so most people consider it as a waste of time. Therefore, you have to explain to them why such a thing must exist. (See also How to deal with BCM sceptics)

10. BCMS exercising

If you thought you have written your plans perfectly, you are probably wrong – it is almost impossible to write a plan with no errors right at the beginning. This is why exercising is a mandatory part of BCMS – you have to test your plans in a situation that more or less resembles a real disruption. Only then will you find out what you planned well, and what you didn’t.

11. Maintaining and reviewing the BCMS

Another way to keep your BCMS up-to-date is by defining the intervals at which you will review your business continuity plans, but also other arrangements (e.g. contracts with suppliers and outsourcing partners, training and awareness etc.). There are all sorts of changes in the environment that are threatening your documentation to become obsolete – it is enough for an employee to leave the company to have an unusable telephone number in a plan if that person had a role in the BCMS.

It is also mandatory to perform post-incident review if an incident really occurred – the purpose is to find out how the organization really reacted – did it follow the plans or not.

12. Internal audit

The purpose of internal audit is to find out if there is something wrong, in an objective manner – the internal auditor should be a person who can find out if something is done wrong within your BCMS in order to correct it. If done properly, internal audit could be one of the best ways to improve your BCMS. (Read Dilemmas with ISO 27001 & BS 25999-2 internal auditors)

13. Management review

As said before, it is very important to get your management involved in the project – management review is designed exactly for that. The standard requires the management to examine all the relevant facts about BCM and decide whether it has fulfilled its purpose. Once that is done, the management has to decide which improvements must be made.

14. Preventive and corrective actions

The best thing would be to prevent mistakes (or in terms of BS 25999, the “non-conformities”) from happening – this is what the preventive actions are used for – they are a systematic way of correcting things before a problem occurs. Similar to preventive actions, there are also corrective actions which resolve the problem that has already occurred.

Now the question is – why would you use BS 25999-2? Although it is (still) not an international standard, it is the most popular standard for business continuity worldwide – the abovementioned steps are designed by the best business continuity experts, so if you want to implement the best accepted practices for business continuity, you have to look no further.

Here you can download the diagram of BS 25999-2 implementation process showing all these steps together with the required documentation (registration required).