ISO 27001/BS 25999 documents, presentation decks and implementation guidelines



How to deal with insider threats?

By Dejan Kosutic on June 27, 2011

“Your ISO 27001 is nice in theory, but if our system administrator goes crazy, we’re dead.” – I hear this quite often when speaking to my clients about which security controls they should apply.

And it's not only system administrators – line managers, engineers, top management, etc.; actually, anyone who has access to sensitive information or systems is a potential threat. For instance, the biggest damage in banks is not done by robbers (with guns in their hands), but by inside jobs (with computers in their hands).

Of course, money theft is not the only purpose of these kinds of attacks – it can also be sabotage, theft of confidential corporate information, altering of data, theft of identities, etc.

Since this is such a complex issue, how can you deal with it?

Risk assessment

ISO 27001 is a standard which approaches security management mainly from the preventive point of view – the first step is to find out which incidents could happen regarding your employees (but also external partners with access to your systems), and then to choose appropriate security controls in order to avoid those incidents. In ISO 27001, this process is called risk assessment and risk treatment.

However, risk assessment shouldn’t be done superficially. If you didn’t think really hard about all the bad things that can happen, then you won’t mitigate those risks and someone could exploit those vulnerabilities.

Therefore, don’t rush through this step; do it systematically.

Preventive measures

Once you know how an insider can exploit your vulnerabilities, you can start planning your security controls in a comprehensive way. Again, ISO 27001 offers a catalogue of security controls in its Annex A – here are a few examples of the most common controls to mitigate the risk of insider threats:

  • Access control (section A.11 in Annex A) – access to sensitive data is approved on a need-to-know basis only. This reduces the number of people who can do harm, and it also limits the damage if someone's credentials are stolen.
  • Access privileges must be reviewed regularly (control A.11.2.4) – very often quite a few employees still have access to information they no longer need.
  • Accounts and access rights of former employees must be removed (A.8.3.3) – yes, it is not unusual to find accounts still open years after an employee has left the company…
  • A strong password policy (control A.11.2.3) or another authentication method should be enforced to prevent identity theft.
  • Segregation of duties (control A.10.1.3) – you probably wouldn't allow a single person to authorize large payments; the same goes for any other sensitive system.
  • Backup (A.10.5.1) – backups must of course be regular, but access to them should not rest with the same people who can do the most harm to your production systems; otherwise one insider can destroy both the data and its only copy.
  • Documented policies and procedures which clearly define security roles and responsibilities (A.8.1.1; A.10.1.1) – you cannot expect your employees to observe the security rules if they don't know what the rules are.
  • Awareness & training (A.8.2.2) – all of your employees need to know why it is necessary to protect sensitive data, as well as how to do it; for certain jobs (like monitoring logs) you may need to send your employees to special trainings.

Of course, there are other controls that are more technically oriented, like segregation in networks (A.11.4.5), regular security patching (control of technical vulnerabilities, A.12.6.1), prevention of information leakage (A.12.5.4), anti-virus and other controls against malicious code (A.10.4.1), firewalls and other network controls (A.10.6.1), physical entry controls (A.9.1.2), etc.

People issues

However, someone with high motivation and skills can bypass all of these security controls and achieve whatever agenda he or she has. Therefore, in my opinion, the most important thing is to develop some early warning indicators. And that requires a little bit more sophistication.

First of all, you need to know who you are employing – you probably wouldn’t allow some total stranger to access your sensitive data and/or systems only because he or she has a very nice diploma and a letter of recommendation. You need to dig deeper, or as ISO 27001 puts it – perform the background verification checks (A.8.1.2).

The second, and probably the most important control, is to constantly monitor what is going on – both on the "soft" side (most of the time you can notice when someone starts to behave strangely) and on the "hard" side, by monitoring logs (A.10.10.2), i.e. watching for anything suspicious in the use of information systems. The two should be viewed together – whenever you conclude that someone's behavior is peculiar, that person's logs need to be examined in more detail; and vice versa, if you spot strange usage of an information system, the soft side should be watched more closely.

To conclude, insider threats will probably remain the biggest risk to the security of information – the complexity of information systems and amount of data will only increase this threat in time. And the best way to deal with them is to prevent them – once they happen, you can only hope they won’t go too far.

You can also check out our webinar ISO 27001 A.6 & A.8: Organization of information security; external parties; raising awareness, training and HR management (commercially sold training).


Cloud computing and ISO 27001 / BS 25999

By Dejan Kosutic on May 30, 2011

More and more often people ask me how to deal with cloud computing in the context of ISO 27001 and BS 25999. My answer is: use common sense.

Their dilemma is quite understandable – these standards were written before cloud computing was such a big issue, and there is no particular focus on cloud computing in any of them. To make things worse, the outages of cloud computing providers cause serious problems to other Internet-based businesses, as was the recent case with Amazon Web Services (for more info on AWS and ISO 27001 read Does ISO 27001 mean that information is 100% secure?).

Therefore, their point is: since we cannot control information in cloud computing, the security of information in such cases is only a dead letter.

New concept?

I would disagree on that. The point is – cloud computing is nothing else but outsourcing (of your information archiving and/or processing).

And you already outsource other activities which could endanger the security of your information: your software is usually developed externally; you may have external suppliers who maintain your hardware and software assets (sometimes with remote access to your network); most probably you have some kind of external maintenance staff on-site (if nothing else, for the infrastructure); almost certainly you have consultants and/or auditors on-site (who know the vulnerabilities of your company); and you probably have outsourced cleaning staff (who have access to most of the facilities when no one else is present).

Therefore, I would say that although cloud computing is a new technological opportunity, the main issue of outsourcing remains as before – how much can you trust your outsourcing partner?

Common sense

This is where you need to apply your common sense, or to put it in the wording of ISO 27001 and BS 25999-2 – you need to apply risk assessment to find out what the potential risks are, and then you need to choose your partner wisely and apply necessary security controls to mitigate those risks.

In its control A.6.2.1 ISO 27001 requires to identify "… risks to the organization's information and information processing facilities from business processes involving external parties", and A.6.2.3 requires to address security issues in agreements that "… shall cover all relevant security requirements"; there are also various other controls specifying information backup (A.10.5.1), access control (A.11), classification (A.7.2.1) etc. In clause 4.1.1 BS 25999-2 requires to "…identify all dependencies relevant to the critical activities, including suppliers and outsource partners", in clause 4.1.2 "…understand the threats and vulnerabilities … including those provided by suppliers and outsource partners", and in clause 4.2 "…determine how it will recover each critical activity … including products and services provided by suppliers and outsourcing partners".

So what can you do to decrease the risk of cloud computing? Here are a few very basic tips:

  • Do a thorough check on the potential provider – not only its performance record, but also the background of its management, whether it has implemented information security and business continuity policies and procedures, its financial stability, legal risks, etc.
  • Write very specific security clauses in your agreement with the provider, where the biggest emphasis will be on issues that have raised the highest concerns during risk assessment.
  • Keep a backup copy of your information locally – although a cloud computing provider will (probably) do regular backup, it is always a good idea to have direct control of your information. (e.g. banking regulators in some countries have imposed regulations to local banks to keep the backup copy inside the country specifically because of this risk.)
  • Develop your strategy on how to return the information processing/archiving back to your company (re-insourcing) in case of problems with your cloud computing provider – you should know exactly which steps are needed, as well as which resources.
  • An exit strategy might also be to have an alternative cloud computing provider standing by, ready to jump in if your existing partner performs badly.
  • Perform regular checks of your provider to find out whether they are complying with the security clauses in the agreement.

Of course, most of the things mentioned here will seem impossible for a smaller company. But in such a case, would you really hand over your important information without any guarantees? Sometimes you are better off without cloud computing – this is something your management needs to decide: they have to weigh cost and convenience against the risks.

Manage your risks

I’m not trying to say here that the risks of cloud computing are the same as other outsourcing risks, because they are not – cloud computing usually brings higher risks. I’m also not trying to say that ISO 27001 and BS 25999-2 (soon to become ISO 22301) do not have to be more specific about cloud computing, because they do. I also think that the legislation will have to address this issue very quickly.

What I’m trying to say here is that although the risks related to cloud computing are high, it doesn’t mean they cannot be mitigated. Therefore, use your common sense when choosing your cloud computing provider – if you don’t trust your provider fully, then don’t entrust them with your sensitive information.

You can also check out our video tutorial How to Implement Risk Assessment According to ISO 27001 (commercially sold video): http://www.iso27001standard.com/how-to-implement-risk-assessment-according-to-iso-27001

Management’s view of information security

By Dejan Kosutic on May 16, 2011

If you think your management doesn’t have a clue what information security is all about, keep in mind that misunderstanding usually goes both ways: management often thinks you have no idea about what is appropriate for the business.

So before suggesting to your management to start implementing your information security / ISO 27001 project, you should learn about your management’s way of thinking. Here are the five main concerns your management will have when you approach them:

Is it really necessary? You have to be prepared to present the main benefits of information security, because otherwise the management won’t understand its purpose. In most cases you can choose among the following benefits: (1) Compliance with various legislation and contractual requirements etc., (2) Achieving competitive advantage in the marketplace, (3) Lowering expenses by decreasing the number of incidents, and (4) Optimizing your business operations by clearly defining tasks and responsibilities. Read more on these four benefits here: Four key benefits of ISO 27001 implementation.

Does it fit into our company strategy? Strategic fit is very important for your top management – one of your management’s primary concerns is how to keep your company competitive for a longer time period. Therefore, you have to do your homework – find out how information security can underpin certain elements of your company’s corporate strategy.

How to decrease the costs? One of the most misunderstood aspects of information security is that most of the problems (i.e. incidents) happen not because of technology, but because of human behavior. Therefore, most of the investments needed will be in defining new policies and procedures, and training and awareness programs which will prevent such incidents from happening – such investments are usually far cheaper than new technology.

Sometimes, investment in technology will also be needed – in such cases you can try to calculate the Return on Security Investment. For instance, you might try to calculate the damage that would be caused by a fire, and calculate the investment needed to prevent such damage. Just be sure not to exaggerate here, because you’ll lose your management’s confidence.
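As an added worked example (not from the original post), here is the Return on Security Investment calculation for the fire scenario in the usual annualized form: single loss expectancy (SLE) times annual rate of occurrence (ARO) gives the annual loss expectancy (ALE), and ROSI compares the ALE reduction a control buys against what the control costs per year. The sensitivity run shows why the warning about exaggerating matters: the same control looks marginal, good or spectacular depending only on the likelihood you assume. All figures are assumed for illustration.

```python
"""Return on Security Investment (ROSI) with a sensitivity check (assumed figures)."""


def annual_loss_expectancy(single_loss, annual_rate):
    """ALE = SLE x ARO: the expected loss per year from one scenario."""
    return single_loss * annual_rate


def rosi(ale_before, ale_after, annual_cost):
    """ROSI = (ALE reduction - annual cost) / annual cost; above 0 the control pays for itself."""
    benefit = ale_before - ale_after
    return (benefit - annual_cost) / annual_cost


def rosi_sensitivity(single_loss, annual_rate, mitigation, annual_cost,
                     rate_factors=(0.5, 1.0, 2.0)):
    """ROSI for pessimistic, central and inflated likelihood estimates of the same scenario."""
    results = {}
    for factor in rate_factors:
        before = annual_loss_expectancy(single_loss, annual_rate * factor)
        after = before * (1 - mitigation)  # the control removes this share of the expected loss
        results[factor] = rosi(before, after, annual_cost)
    return results


def break_even_rate(single_loss, mitigation, annual_cost):
    """The ARO at which the control exactly pays for itself (ROSI = 0)."""
    return annual_cost / (single_loss * mitigation)


if __name__ == "__main__":
    # Assumed: a server-room fire costs 2,000,000, happens once in 50 years, and suppression
    # plus off-site backups would avoid 80% of that loss for 15,000 per year.
    for factor, value in rosi_sensitivity(2_000_000, 0.02, 0.8, 15_000).items():
        print("ARO x%.1f: ROSI = %.2f" % (factor, value))
    print("break-even ARO: %.4f per year" % break_even_rate(2_000_000, 0.8, 15_000))
```

With the central estimate the control returns about 1.13 per unit invested; halve the assumed likelihood and it barely breaks even (about 0.07), double it and the return jumps to about 3.27. Presenting the break-even likelihood (here roughly once in 107 years) together with the central case lets management judge the estimate instead of taking a single number on trust.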

How to make sure we’ve achieved what we wanted? First of all, you need to help your management set very clear objectives – usually, those objectives will derive from the four benefits mentioned above. The second step is to set up a measurement system which will define how to measure whether the company achieved the set objectives; that system must involve clear responsibilities of who will make the reports, in which form, and who is going to read them and interpret them. Finally, a system must be in place to correct all the deviations from the objectives (be sure that such deviations will certainly happen).

What risks are involved? Management usually wants to know the likelihood that the investment they make will fail. Here you need to explain the trade-off between the risks you will identify during the risk assessment and the security measures your company will invest in – more investment generally buys lower residual risk, but with diminishing returns. Overinvesting is not a solution either, which is why the decision about acceptable risks must be left to management: your role is to present the risks and the possible security measures objectively; the decision about what to do with those risks is up to management.

The point here is that the problem is not that management doesn't want to invest in information security, but that it is either uninformed about it, or that you and your management don't speak the same language.

By understanding the five basic issues your management is concerned with and by establishing appropriate communication with them, you’ll dramatically increase your chances for your information security project.

You can also check out our webinar ISO 27001 / BS 25999-2 management responsibilities: What does management need to know? (commercially sold training).


Does ISO 27001 mean that information is 100% secure?

By Dejan Kosutic on May 02, 2011

You have probably heard that important web services like Reddit, HootSuite, Quora, Foursquare etc. have recently suffered a quite lengthy outage – what you also probably know is that this outage was caused by Amazon Web Services (AWS), their cloud computing service provider. What you probably didn’t know is that AWS is ISO 27001 certified.

But isn’t ISO 27001 a guarantee against such service outages? Didn’t a certification company check the AWS? What’s the point of ISO 27001 if such things can happen?

The answers are: No, Yes, and Lower risk.

Let me explain…

ISO 27001 certification does not guarantee that the service provider will have 100% uptime, that no confidential information will ever leak outside the company, or that there will be no mistakes in data processing. What the certification attests is that the company complies with the standard and with its own security rules: that it has taken the relevant security risks into account and has undertaken a comprehensive approach to treating the major ones. ISO 27001 does not guarantee that no incident will ever happen, because nothing like that is possible in this world.

A certification body (in this case Ernst & Young CertifyPoint) probably did check whether Amazon Web Services complied with the standard and with their own security policies & procedures, including their procedures for incident response and business continuity plans; they should also have checked the AWS risk assessment and whether all the relevant risks were taken into account. However, the certification body does not have a crystal ball to predict all the incidents that could occur, nor is that their job – their job is to check whether the company has done its homework and developed a security system.

So the final and the most important question is – what’s the point of ISO 27001 then?

The point is in lowering the risk of doing business. If your company is implementing ISO 27001, that means you will have to consider very carefully what could endanger the confidentiality, integrity and availability of your information; knowing those risks, you need to implement various security measures in order to decrease risks to an acceptable level. If you are doing business with a company that is ISO 27001 certified, you will know that this company has done all that.

Does it mean that ISO 27001 will eliminate all the potential problems? Obviously it won’t. But it will decrease the chances of something like that happening, and if it does happen, the reaction of the company will be much quicker and more efficient, and the damage to the business will be lower.

You can also check out our video tutorial How to Write the ISO 27001 Risk Assessment Methodology (commercially sold video).


The importance of Statement of Applicability for ISO 27001

By Dejan Kosutic on April 18, 2011

The importance of Statement of Applicability (sometimes referred to as SoA) is usually underrated – like the Quality Manual in ISO 9001, it is the central document that defines how you will implement a large part of your information security.

Actually, the Statement of Applicability is the main link between the risk assessment & treatment and the implementation of your information security – its purpose is to define which of the suggested 133 controls (security measures) from ISO 27001 Annex A you will apply, and for those that are applicable the way they will be implemented.

Why it is needed

Now why is such a document necessary when you have already produced the Risk Assessment Report (which is also mandatory), and which also defines the necessary controls? Here are the reasons:

  • First of all, during risk treatment you identify the controls that are necessary because you identified risks that need to be decreased; however, in the SoA you also identify the controls that are required for other reasons – e.g. because of legislation, contractual requirements, or other processes.
  • Second, the Risk Assessment Report could be quite lengthy – some organizations might identify a few thousand risks (sometimes even more), so such a document is not really useful for everyday operational use; on the other hand, the Statement of Applicability is rather short – it has 133 rows (each representing one control), which makes it possible to present it to management and to keep it up-to-date.
  • Third, and most important, SoA must document whether each applicable control is already implemented or not. Good practice (and most auditors will be looking for this) is also to describe how each applicable control is implemented – e.g. either by making a reference to a document (policy/procedure/working instruction etc.), or by shortly describing the procedure in use, or equipment that is used.

Actually, if you go for the ISO 27001 certification, the certification auditor will take your Statement of Applicability and walk around your company checking out whether you have implemented your controls in the way you described them in your SoA. It is the central document for doing their on-site audit.

Few companies realize that by writing a good Statement of Applicability you can decrease the number of other documents – for instance, if you want to document a certain control but the description of its procedure would be rather short, you can describe it directly in the SoA and avoid writing another document.
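As an added example (not the author's template), here is a small script that builds SoA rows from a risk treatment plan, the other (legal, contractual, process) requirements and the implementation references, and then runs the checks a certification auditor would make against it: an applicable control with no implementation reference, an exclusion without justification, and an exclusion of a control that the main part of the standard requires anyway (the awareness and independent-review point raised in the "biggest shortcomings" post on this page). The control subset, the risks, the requirements and the references are constructed; the numbering is the ISO/IEC 27001:2005 Annex A numbering used throughout this page.

```python
"""Build a Statement of Applicability and check it the way an auditor would (constructed data)."""

# Constructed subset of the Annex A catalogue (ISO/IEC 27001:2005 numbering).
CATALOGUE = {
    "A.6.1.8": "Independent review of information security",
    "A.7.2.1": "Classification guidelines",
    "A.8.2.2": "Information security awareness, education and training",
    "A.8.3.3": "Removal of access rights",
    "A.10.1.3": "Segregation of duties",
    "A.10.5.1": "Information backup",
    "A.11.2.4": "Review of user access rights",
    "A.11.7.1": "Mobile computing and communications",
}
# Controls that cannot really be excluded because a main clause requires the same thing.
MAIN_CLAUSE_BACKED = {"A.8.2.2": "clause 5.2.2", "A.6.1.8": "clause 6"}

# Constructed risk treatment plan: risk -> controls chosen to treat it.
RISK_TREATMENT = {
    "R-012 leaver keeps access": ["A.8.3.3", "A.11.2.4"],
    "R-020 admin destroys data": ["A.10.1.3", "A.10.5.1"],
}
# Constructed non-risk drivers: law, contracts, other processes.
OTHER_REQUIREMENTS = {
    "A.10.5.1": "banking regulator: local backup copy",
    "A.7.2.1": "customer contract clause 4.2",
}
# Constructed implementation evidence: control -> document reference or short description.
IMPLEMENTATION = {
    "A.8.3.3": "HR off-boarding procedure, section 3",
    "A.11.2.4": "quarterly access review run by IT; results kept in the review log",
    "A.10.5.1": "Backup policy",
    "A.7.2.1": "Classification policy",
}
# Constructed justifications for controls deliberately left out.
EXCLUSIONS = {"A.11.7.1": "no mobile devices or teleworking in scope"}


def _control_key(control):
    """Sort 'A.10.5.1' numerically (A.6 before A.10), not as a string."""
    return tuple(int(part) for part in control[2:].split("."))


def build_soa(catalogue, risk_treatment, other_requirements, implementation, exclusions):
    """One SoA row per control: applicable?, why, implemented?, how."""
    rows = []
    for control in sorted(catalogue, key=_control_key):
        reasons = [risk for risk, controls in risk_treatment.items() if control in controls]
        if control in other_requirements:
            reasons.append(other_requirements[control])
        applicable = bool(reasons)
        rows.append({
            "control": control,
            "title": catalogue[control],
            "applicable": applicable,
            "justification": "; ".join(reasons) if applicable else exclusions.get(control, ""),
            "implemented": applicable and control in implementation,
            "how": implementation.get(control, "") if applicable else "",
        })
    return rows


def check_soa(rows, main_clause_backed):
    """Findings an auditor would raise on the SoA before walking the floor."""
    problems = []
    for row in rows:
        control = row["control"]
        if row["applicable"] and not row["implemented"]:
            problems.append((control, "applicable but no implementation reference"))
        if not row["applicable"] and not row["justification"]:
            problems.append((control, "excluded without justification"))
        if not row["applicable"] and control in main_clause_backed:
            problems.append((control, "excluded but required by " + main_clause_backed[control]))
    return problems


if __name__ == "__main__":
    soa = build_soa(CATALOGUE, RISK_TREATMENT, OTHER_REQUIREMENTS, IMPLEMENTATION, EXCLUSIONS)
    for row in soa:
        status = "applicable" if row["applicable"] else "excluded"
        print("%-9s %-55s %-10s %s" % (row["control"], row["title"], status, row["how"]))
    for control, problem in check_soa(soa, MAIN_CLAUSE_BACKED):
        print("PROBLEM %s: %s" % (control, problem))
```

On the constructed data the checks report that segregation of duties is required by the risk treatment but has no implementation reference yet, and that awareness training and independent review were silently left out even though clauses 5.2.2 and 6 demand them. Keeping the justification column filled from the risk treatment plan and the other requirements automatically also gives you the short operational overview the post describes, since the whole SoA stays one row per control.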

Why it is useful

In my experience, most companies implementing the information security management system according to ISO 27001 spend much more time writing this document than they anticipated. The reason for this is they have to think about how they will implement their controls: Are they going to buy new equipment? Or change the procedure? Or hire a new employee? These are quite important (and sometimes expensive) decisions, so it is not surprising that it takes quite a lot of time to reach them. The good thing about SoA is that it forces organizations to do this job in a systematic way.

Therefore, you shouldn’t consider this document as just one of those “overhead documents” that have no use in real life – think of it as the main statement where you define what you want to do with your information security. Written properly, SoA is a perfect overview of what needs to be done in information security, why it has to be done, and how it is done.

Click here to download a free template of the Statement of Applicability.


The biggest shortcomings of ISO 27001

By Dejan Kosutic on March 21, 2011

If you’ve been reading my blog, you probably think I’m convinced ISO 27001 is the most perfect document ever written. Actually, that’s not true – working with my clients and teaching on the subject, usually the same weaknesses of this standard emerge. Here they are, together with my suggestions how to resolve them:

Ambiguous terms

Some of the requirements in the standard are rather unclear:

  • Clause 4.3.1 c) requires that ISMS documentation must include… “procedures and controls in support of the ISMS” – does that mean that a document must be written for each of the controls that are applied (there are 133 controls in Annex A)? In my view, that is not necessary – I usually advise my clients to write only the policies and procedures that are necessary from the operational point of view and for decreasing the risks. All other controls can be briefly described in the Statement of Applicability since it must include the description of all controls that are implemented.
  • (Un)documented policies and procedures – in many controls from Annex A, policies and procedures are mentioned without the word “documented”. In effect, this means that such policies and procedures do not have to be written down, but this is not clear to 95% of the readers of the standard.
  • External parties / third parties – these terms are used interchangeably, which may cause confusion. It would be much better if one term was used.

Organization of the standard

Some of the requirements in the standard are either scattered or unnecessarily duplicated:

  • Some controls are simply located in a wrong place – for instance, A.11.7 Mobile computing and teleworking is located in section A.11 Access control. Although when dealing with mobile computing one has to take care of access control, section A.11 is not the most natural place to define issues related to mobile computing and teleworking.
  • Issues related to external parties are scattered around the standard – in A.6.2 External parties, A.8 Human resources security and A.10.2 Third party service delivery management. With the advance of cloud computing and other types of outsourcing, it is advisable to gather all those rules in one document or one set of documents which would deal with third parties.
  • Employee awareness and training is required both in clause 5.2.2 of the main part of the standard, and in control A.8.2.2. Not only is this duplication unnecessary, but it also causes additional confusion – theoretically, each control from Annex A could be excluded, so you may end up excluding a requirement that is actually not possible to exclude because it is required by the main part of the standard. The same thing happens with Internal audit (clause 6 of the main part of the standard) and control A.6.1.8 Independent review of information security.
  • Some of the controls from Annex A can be applied very broadly and can include other controls – for example, control A.7.1.3 Acceptable use of assets is so general that it can cover A.7.2.2 (Handling classified information), A.8.3.2 (Return of assets upon termination of employment), A.9.2.1 (Equipment protection), A.10.7.1 (Management of removable media), A.10.7.2 (Disposal of media), A.10.7.3 (Information handling procedures) etc. I usually advise my clients to make one document that would cover all those controls.

Problems or not?

Here are a few issues that are usually brought to attention as problematic, however I disagree with them:

  • The standard is too vague, it does not go into enough detail – if it did go into more detail about the technology that is to be used, it would soon be outdated; if it did go into more detail about the methods and/or organizational solutions, it wouldn’t be applicable to all sizes and types of organizations – a large bank has to be organized quite differently than a small marketing agency, however both should be able to implement ISO 27001.
  • The standard allows too much flexibility – by this the critics mean the concept of risk assessment where certain security controls can be excluded if there are no related risks. So they ask – “How would it be possible to exclude backup or anti-virus protection?” Actually, with the progress of technologies like cloud computing, this kind of protection might not be the responsibility of the organization implementing ISO 27001. (However, in such case the risks of outsourcing would be rather high so other kind of security controls would be necessary.)

Now what?

This standard will certainly need to change – the current version of ISO/IEC 27001:2005 is now six years old, and hopefully the next revision (expected in 2012 or 2013) will address most of the above issues.

Although these shortcomings can often cause confusion, I think that positive sides of the standard outweigh the negative ones in large measure. And yes, I really am convinced this standard is by far the best framework for information security management.

You can also check out our series of ISO 27001 video tutorials which explain every step in ISO 27001 implementation (commercially sold videos).


Seven steps for implementing policies and procedures

By Dejan Kosutic on March 07, 2011

Have you ever found yourself in a situation where you have been given the task to write a security policy or a procedure? But you don’t want your document to end up like so many others – gathering dust in some forgotten drawer? Here are some thoughts that might help you…

The steps I’m about to present to you are designed based on my experience with various kinds of clients, large and small, government or private, for-profit or non-profit – I find these steps applicable to all of them. Actually, these steps are applicable to any kind of policies and procedures, not only those related to ISO 27001 or BS 25999-2.

1 Study the requirements

First you have to study very carefully the various requirements – is there legislation which requires something to be put in writing? Or maybe a contract with your client? Or some other high-level policy that already exists in your organization (perhaps a corporate standard)? And of course the requirements of ISO 27001 or BS 25999-2 if you want to comply with those standards.

2 Take into account the results of your risk assessment

Your risk assessment will determine which issues you have to address in your document, but also to which degree – for instance, you may need to decide whether you will classify your information according to its confidentiality, and if so, whether you need two, three or four levels of confidentiality.

This step may not be relevant in this form if your policy or procedure is not related to information security or business continuity. However, risk management principles are applicable to other areas as well – quality management (ISO 9001), environmental management (ISO 14001), etc. For instance, in ISO 9001 you have to determine to which extent a process is crucial for your quality management and accordingly to decide whether you will document it or not.

3 Optimize and align your document(s)

An important thing to consider is the total number of documents – are you going to write ten 1-page documents or one 10-page document? It is much easier to manage one document, especially if the target group of readers is the same. (Just don’t create a single 100-page document.)

Moreover, you have to be careful to align your document with other documents – the issues you are defining may be already partially defined in another document. In such case, it may not be necessary to write a new document, maybe only expand the existing one.

If you are writing a new document about an issue that is already mentioned in another document, be sure to avoid redundancy – to describe the same issue in both documents. Later it would become a nightmare to maintain those documents; it’s much better that one document makes a reference to another, without repeating the same stuff.

4 Structure your document

You also need to take care that you observe your corporate rules for formatting the document – you already may have a template with pre-defined fonts, headers, footers etc.

If you have already implemented ISO 27001 or BS 25999-2 (or any other management standard), you'll need to observe a procedure for document control – such a procedure defines not only the format of the document, but also the rules for its approval, distribution etc.

5 Write your document

The rule of thumb is: the smaller the organization and the smaller the risks, the less complex your document should be. There is nothing more useless than a lengthy document no one is going to read – reading the document takes time, and the level of one's attention is inversely proportional to the number of lines in your document.

One good technique to overcome the resistance of other employees to this document (no one likes change, especially if it means something like an obligation to change passwords on a regular basis) is to involve them in writing or commenting on the document – this way they will understand why it is necessary.

6 Get your document approved

This step is rather self-evident, but its underlying importance is this – if you are not a high ranking manager in your company, you won’t have the power to enforce this document.

This is why someone with such a position has to understand it, approve it, and actively require its implementation. Sounds easy, but believe me – it is not. This step (and the next one) is where implementation most often fails.

7 Training and awareness of your employees

This step is probably the most important, but sadly it is one that is very often forgotten. As mentioned before, employees are tired of constant changes, and they surely won’t welcome another one especially if it means more work for them.

Therefore, it is very important to explain to your employees why such a policy or procedure is necessary – why it is good not only for the company, but also for themselves.

Sometimes training will be necessary – it would be wrong to assume that everyone possesses the skills to implement new activities. For you, who wrote this document, it may seem easy and self-evident, but for them it may seem like brain surgery.

End of story?

If you thought you’ve reached the end of your document-implementation story, you’re wrong – the journey has just begun. It is not enough to have a perfect policy or procedure that everyone just loves, you also need to maintain it.

Someone has to make sure this document is kept up to date and improved, or else no one is going to observe it anymore – and that someone is usually the same person who wrote it. Not only that, someone has to measure whether such a document has fulfilled its purpose – again, it may be you.

As you may have noticed reading this article, it is not enough to have a nice template for a successful policy or procedure – what is needed is a systematic approach to its implementation. And in doing so do not forget the most important fact: the document is not an end in itself – it is only a tool to enable your activities and processes to run smoothly. Don’t let the opposite happen – that such a document makes these activities and processes run with more difficulty.

You can also check out our video tutorial How to Write ISO 27001/ISO 22301 Document Control Procedure (commercially sold video).


How much does ISO 27001 implementation cost?

By Dejan Kosutic on February 08, 2011

This is usually one of the first questions I receive from a potential client. To their disappointment, I cannot give them an exact figure right away – here is why.

First of all, the total cost of implementation will depend on the size of your organization (or the size of the business unit(s) that will be included in the ISO 27001 scope), the level of criticality of the information (for instance, information in banks is considered more critical and demands a higher level of protection), the technology the organization is using (for instance, data centers tend to have higher costs because of their complex systems), and the legislative requirements (usually the financial and government sectors are heavily regulated with regard to information security).

Second, you won’t be able to calculate the exact costs before you know which level of protection you need – first you have to perform a risk assessment, because that analysis will tell you which security measures are required.

When you know the results of the risk assessment, you will have to take into account the following costs:

1. The cost of literature and training

Implementation of ISO 27001 requires changes in your organization, and requires new skills. You can prepare your employees by buying various books on the subject and/or sending them to courses (in-person or online) – the duration of these courses varies from 1 to 5 days (read How to learn about ISO 27001 and BS 25999-2).

And don’t forget to buy the ISO 27001 standard itself – too often I run across companies implementing the standard without actually seeing it.

2. The cost of external assistance

Unfortunately, training your employees is not enough. If you don’t have a project manager with deep experience in ISO 27001 implementation, you’ll need someone who does have such knowledge – you can either hire a consultant or get some online alternative (this is what we do at Information Security & Business Continuity Academy).

The greatest value of someone with experience helping you with this kind of project is that you won’t end up in dead end streets – spending months and months doing activities that are not really necessary or developing tons of documentation not required by the standard. And that really costs.

However, be careful here – do not expect the consultant to do the whole implementation for you – only your own employees can actually implement ISO 27001.

3. The cost of technology

It might seem funny, but most companies I’ve worked with did not need a big investment in hardware, software or anything similar – all these things already existed. The biggest challenge was usually how to use existing technology in a more secure way.

However, you do need to plan such investment if it proves to be necessary.

4. The cost of employees’ time

The standard isn’t going to implement itself, nor can it be implemented by a consultant alone (if you hire one). Your employees have to spend time figuring out where the risks are and how to improve existing procedures and policies or implement new ones, and they have to take time to train themselves for new responsibilities and to adapt to new rules.

5. The cost of certification

If you want to obtain public proof that you have complied with ISO 27001, a certification body will have to perform a certification audit – the cost will depend on the number of man-days they spend doing the job, ranging from under 10 man-days for smaller companies up to a few dozen man-days for larger organizations. The cost of a man-day depends on the local market.

You have to be very careful not to underestimate the true cost of an ISO 27001 project – if you do, your management will start looking at your project in a negative light. On the other hand, forecasting all costs correctly will show your level of professionalism; and don’t forget – you always have to present both the costs and the benefits – read Four key benefits of ISO 27001 implementation.

You can also check out our video tutorial How To Set Up ISO 27001 Project – Writing the Project Plan which explains how to plan the ISO 27001 project (commercially sold video).


5 greatest myths about ISO 27001

By Dejan Kosutic on January 24, 2011

Very often I hear things about ISO 27001 and I don’t know whether to laugh or cry over them. Actually, it is funny how people tend to make decisions about something they know very little about – here are the most common misconceptions:

“The standard requires…”

“The standard requires passwords to be changed every 3 months.” “The standard requires that multiple suppliers must exist.” “The standard requires the disaster recovery site to be at least 50 km distant from the main site.” Really? The standard doesn’t say anything like that. Unfortunately, I hear this kind of false information rather often – people usually mistake best practice for requirements of the standard, but the problem is that not all security rules are applicable to all types of organizations. And the people who claim this is prescribed by the standard have probably never read the standard.

“We’ll let the IT department handle it”

This is management’s favorite – “Information security is all about IT, isn’t it?” Well, not really – the most important aspects of information security include not only IT measures, but also organizational issues and human resource management, which are usually outside the reach of the IT department. See also Information security or IT security.

“We’ll implement it in a few months”

You could implement ISO 27001 in 2 or 3 months, but it won’t work – you would only get a bunch of policies and procedures no one cares about. Implementing information security means you have to implement changes, and it takes time for changes to take hold.

Not to mention that you should implement only those security controls that are really needed, and the analysis of what is really needed takes time – it is called risk assessment and risk treatment.

“This standard is all about documentation”

Documentation is an important part of ISO 27001 implementation, but the documentation is not an end in itself. The main point is that you perform your activities in a secure way, and the documentation is here to help you do it. Also, the records you produce will help you measure whether you achieve your information security goals and enable you to correct those activities that underperform.

“The only benefit of the standard is for marketing purposes”

“We are doing this only to get the certificate, aren’t we?” Well, this is (unfortunately) the way 80 percent of companies think. I’m not trying to argue here that ISO 27001 shouldn’t be used for promotional and sales purposes, but you can also achieve other very important benefits – like preventing a WikiLeaks-style leak from happening to you. See also Four key benefits of ISO 27001 implementation and Lessons learned from WikiLeaks: What is exactly information security?

The point here is – read ISO 27001 before you form your opinion about it; or, if it’s too boring for you to read (which I admit it is), consult someone who has some real knowledge about it. And try to get some benefits other than marketing. In other words, increase your chances of making a profitable investment in information security.

You can also check out our series of ISO 27001 video tutorials which explain every step in ISO 27001 implementation (commercially sold videos).


Lessons learned from WikiLeaks: What is exactly information security?

By Dejan Kosutic on January 10, 2011

Nowadays WikiLeaks is a hot story for a good reason – it is not very common for confidential documents of the world’s most powerful government to be published on the Internet. And some of these documents are, to put it mildly, embarrassing.

Here I am not going to write about whether it was legal for WikiLeaks to publish such information, whether the information should have been made public in the public interest, what is going to happen to its founder (at the time of writing this article Julian Assange was in custody) etc.

The problem is – if WikiLeaks is going to be shut down, a new WikiLeaks will appear. In other words, the threat of leaking information to the public is constantly increasing. (By the way, before he was jailed, Julian Assange had announced he would publish incriminating information about a major U.S. bank and its malpractice.)

I want to touch here on the corporate point of view – what if we are the next target of WikiLeaks or one of its clones? How do we ensure the security of our information and prevent the damage of such a large incident?

Simple example

But what does information security look like in practice? Let’s take a simple example – for instance, you frequently leave your laptop in your car, on the back seat. Chances are, sooner or later it will get stolen.

What can you do to decrease that risk? First of all, you can make a rule (by writing a procedure or a policy) that laptops cannot be left unattended in a car, or that you have to park the car where some kind of physical protection exists. Second, you can protect the information itself by setting a strong password and encrypting the disk, so that a stolen laptop does not mean stolen data. Further, you can require your employees to sign a statement by which they are legally responsible for the damage that may occur. But all these measures may remain ineffective if you didn’t explain the rules to your employees through a short training.

So what can you conclude from this example? Information security is never a single security measure; it is always several of them working together. And the measures are not only IT-related, but also involve organizational issues, human resources management, physical security and legal protection.

The problem is – this was an example of a single laptop, with no insider threat. Now consider how complex it is to protect the information in your company, where the information is archived not only on your PCs, but also on various servers; not only in your desk drawers but also on all your mobile phones; not only on USB memory sticks but also in the heads of all employees. And you may have a very disgruntled employee.

Seems like an impossible task? Difficult – yes, but not impossible.

How to approach it

What you need to solve this complex problem is a framework. The good news is that such frameworks already exist in the form of standards – the most widespread is ISO 27001, the leading international standard for information security management, but there are also others – COBIT, the NIST SP 800 series, PCI DSS etc.

I’m going to focus here on ISO 27001 – I think it gives you good ground for building an information security system because it offers a catalogue of 133 security controls (in Annex A of the 2005 edition), and the flexibility to apply only those controls that are really needed in relation to the risks. But its best feature is that it defines a management framework for controlling and directing security issues, so that security management becomes a part of the overall management of an organization.

In short – this standard enables you to take into account all the information in various forms, all the risks, and gives you a path to carefully resolve each potential problem and keep your information safe.

Consequences for business

So, should the corporations be afraid that their information will leak to the public? If they are doing something illegal or unethical, they certainly should.

However, companies operating legally, if they want to protect their business, cannot think only in terms of return on investment, market share, core competence, and long-term vision. Their strategy must also take security issues into account, since insecure information can cost them much more than, for example, a failed launch of a new product. By security I mean not only physical security, because that is simply not enough anymore – technology makes it possible for information to leak through many different channels.

What is needed is a comprehensive approach to information security – it doesn’t matter whether you use ISO 27001, COBIT or some other framework, as long as you do it systematically. And it is not a one-time effort, it is a continuous operation. And yes – it is not something your IT guys can do alone – it is something the whole company has to participate in, starting from the executive board.