ISO 27001/BS 25999 documents, presentation decks and implementation guidelines



Four key benefits of ISO 27001 implementation

By Dejan Kosutic on July 21, 2010

Have you ever tried to convince your management to fund the implementation of information security? If you have, you probably know how it feels – they will ask you how much it costs, and if it sounds too expensive they will say no.

Actually, you shouldn't blame them: after all, their ultimate responsibility is the profitability of the company. That means every decision they make is based on the balance between investment and benefit, or, to put it in management's language, ROI (return on investment).

This means you have to do your homework before proposing such an investment: think carefully about how to present the benefits, using language that management will understand and endorse.

I'll try to help you. The benefits of information security, and especially of implementing ISO 27001, are numerous, but in my experience the following four are the most important:

1. Compliance

It might seem odd to list this as the first benefit, but it often shows the quickest "return on investment". If an organization must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), ISO 27001 provides a methodology that enables it to do so in the most efficient way: one risk assessment and one set of controls can serve as the evidence base for several regulatory requirements at once.

2. Marketing edge

In an increasingly competitive market, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO 27001 certification can indeed be a unique selling point, especially if you handle clients' sensitive information.

3. Lowering the expenses

Information security is usually considered a cost with no obvious financial gain. However, there is a financial gain if you lower the expenses caused by incidents. You probably do have service interruptions, occasional data leakage, or disgruntled employees. Or disgruntled former employees.

The truth is, there is still no reliable methodology or technology to calculate exactly how much money you would save by preventing such incidents; quantitative estimates exist, but they rest on guessed incident frequencies and impacts. Even so, concrete cases of incidents that have already cost you money always make an impression when brought to management's attention.

4. Putting your business in order

This one is probably the most underrated. If your company has been growing sharply for the last few years, you may be experiencing problems such as: who decides what, who is responsible for a given information asset, who authorizes access to information systems, and so on.

ISO 27001 is particularly good at sorting these things out: it forces you to define responsibilities and duties precisely (who owns each asset, who approves access), and so strengthens your internal organization.

To conclude: ISO 27001 can bring many benefits beyond being just another certificate on your wall. In most cases, if you present those benefits clearly, management will start listening to you.

You can also check out our webinar ISO 27001 / BS 25999-2 management responsibilities: What does management need to know? (commercially sold training).


Information security or IT security?

By Dejan Kosutic on March 01, 2010

One would think that these two terms are synonyms – after all, isn’t information security all about computers?

Not really. The basic point is this: you might have perfect IT security measures, but a single malicious act by, for instance, an administrator can bring the whole IT system down. This risk has nothing to do with computers; it has to do with people, processes, supervision and so on.

Further, important information might not even be in digital form; it can also be on paper: for instance, an important contract signed with your largest client, personal notes made by the managing director, or printed administrator passwords stored in a safe.

Therefore, I always like to say to my clients that IT security is 50% of information security, because information security also comprises physical security, human resources management, legal protection, organization, processes and so on. The purpose of information security is to build a system that takes into account all possible risks to the security of information (IT-related or not) and to implement comprehensive controls that reduce every kind of unacceptable risk.

This integrated approach to the security of information is best defined in ISO 27001, the leading international standard for information security management. In short, it requires a risk assessment to be carried out on all of the organization's assets (hardware, software, documentation, people, suppliers, partners and so on) and applicable controls to be selected to reduce those risks.

ISO 27001 (the 2005 edition, current at the time of writing) offers 133 controls in its Annex A. I have performed a brief analysis of those controls, and the results are the following:

  • IT-related controls: 46%
  • controls related to organization / documentation: 30%
  • physical security controls: 9%
  • legal protection: 6%
  • controls related to relationships with suppliers and buyers: 5%
  • human resources management controls: 4%

What does all this mean for an information security / ISO 27001 implementation? Such a project should not be run as an IT project; if it is, other parts of the organization are unlikely to take part in it. It should be run as an enterprise-wide project in which relevant people from every business unit participate: top management, IT personnel, legal experts, human resources managers, physical security staff, the business side of the organization and so on. Without such an approach you will end up working on IT security only, which is roughly half of the controls, and that will not protect you from the biggest risks.

You can also check out our webinar ISO 27001 Foundations Part 3: Annex A overview (commercially sold training).


Similarities and differences between ISO 27001 and BS 25999-2

By Dejan Kosutic on February 05, 2010

At first glance, information security and business continuity don't have much in common; some would add that the only similarity is that they are both about IT.

Information security management is best defined in the international standard ISO/IEC 27001, while business continuity management is defined in the British standard BS 25999-2 (since superseded by ISO 22301). Therefore, if we want to compare the two topics, the wisest thing to do is to look at what these two standards say.

First of all, IT is an important part of both ISO 27001 and BS 25999-2, but neither standard is about IT only: the emphasis is on business processes and assets, and the risks associated with them. It is true that IT is the main tool for processing data, but the fact remains that the biggest risks are connected to both malicious and unintentional activities of people. Therefore, the risks associated with information security or business continuity cannot be resolved by information technology alone; it is much more important to define the organization, processes and responsibilities within the organization.

But what, essentially, is information security? ISO 27001 defines it as the "preservation of confidentiality, integrity and availability of information". BS 25999-2, on the other hand, defines business continuity as the "strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level".

The two don't seem very much alike. However, there is one thing that makes them very similar: availability. The focus of both information security and business continuity is to keep information available to those who need it; in that respect, Annex A of ISO 27001 contains a group of controls dedicated solely to business continuity (section A.14, Business continuity management, in the 2005 edition).

Further, both standards require a risk assessment to be carried out in order to identify potential problems related to information, and both require document management, internal audits, management reviews, and corrective and preventive actions. This means that if you already have documentation for ISO 27001, you can reuse those same procedures for BS 25999-2 with only minor adjustments.

What are the differences? The main difference is the level of detail. ISO 27001 covers a much wider area and is therefore not very precise when it comes to business continuity; BS 25999-2, on the other hand, describes in detail how to perform a business impact analysis, how to define a business continuity strategy, what the contents of business continuity plans shall be, and so on.

To conclude: you can think of business continuity as part of information security. The practical consequence is that when it comes to implementing business continuity in the context of ISO 27001, it is best to use BS 25999-2 as the guideline.

You can also check out our free webinar ISO 27001 & BS 25999-2: Why is it better to implement them together?