It is a truism to say that information is the currency of the information age. Information is, in many cases, the most valuable asset possessed by an organisation, even if that information has not been subject to a formal and comprehensive valuation.

IT governance is the discipline that deals with the structures, standards and processes that boards and management teams apply to effectively manage, protect and exploit their organisations’ information assets.

Information security management is that subset of IT governance that focuses on protecting and securing an organisation’s information assets. The international standard ISO27001 defines information security as the ‘preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved’.

Regulations and the law in each of the areas mentioned above are still evolving; they are sometimes poorly drafted, often contradictory (particularly between jurisdictions) and have little or no case law to provide guidance for organisations in planning their compliance efforts. It can be difficult for organisations to identify specific methods for complying with individual laws. In these circumstances, implementation of a best practice ISMS may, in legal proceedings, support a defence in court that the management did everything that was reasonably practicable for it to do in meeting its legal and regulatory requirements. Of course, every organisation would have to take its own legal advice on issues such as this and neither this book nor these authors provide guidance of any sort on this issue.

Published by the International Standards Organisation, this is the most recent, most up-to-date, international version of a standard specification for an Information Security Management System. It is vendor-neutral and technology-independent. It is designed for use in organisations of all sizes (‘intended to be applicable to all organisations, regardless of type, size and nature’^[2]) and in every sector (e.g. ‘commercial enterprises, government agencies, not-for-profit organisations’^[3]), anywhere in the world. It is a management system, not a technology specification and this is reflected in its formal title, which is ‘Information Technology – Security Techniques – Information Security Management Systems – Requirements’. ISO27001 is also the first of a series of international information security standards, all of which will have ISO2700X numbers.

ISO/IEC27001:2005 is a specification for an ISMS. It sets out requirements and uses words like ‘must’ and ‘shall’. One mandatory requirement is that ‘control objectives and controls from Annex A shall be selected’ in order to meet the ‘requirements identified by the risk assessment and risk treatment process’.^[4] Annex A to ISO/IEC27001:2005 lists the 133 controls that are in ISO/IEC17799:2005, follows the same numbering system as that standard and uses the same words and definitions.

As the preface to ISO27001 states, ‘the control objectives and controls referred to in this edition are directly derived from and aligned with those listed in ISO/IEC17799:2005’.^[5] ISO17799 (now re-designated as ISO27002) provides substantial implementation guidance on how individual controls should be approached. Anyone implementing an ISO27001 ISMS will need to study both ISO27001 and ISO27002.

Whilst ISO27001 mandates the use of ISO27002 as a source of guidance on controls, control selection and control implementation, it does not limit the organisation’s choice of controls to those in ISO27002. The preface goes on to state:

This Standard is titled ‘Information Technology – Security Techniques – Code of Practice for information security management’. Published in July 2005, it replaced ISO/IEC17799:2000, which has now been withdrawn. It continued, until August 2007, to be designated ISO17799, but its formal re-classification as ISO27002 is now complete.

ISO/IEC27002:2005 is a Code of Practice. It provides guidance and uses words like ‘may’ and ‘should’. It provides an internationally accepted framework for best practice in information security management and systems interoperability. It also provides guidance on how to implement an ISMS capable of certification, to which an external auditor could refer. It does not provide the basis for an international certification scheme.

The definitions used in both standards are intended to be consistent with one another and also to be consistent with those used in related information security standards, such as ISO/IEC27006:2007 (which replaces ISO/IEC Guide 73:2002), ISO/IEC13335-1:2004, etc.

An asset is defined in ISO27001 as ‘anything that has value to an organisation’. Information assets are subject to a wide range of threats, both external and internal, ranging from the random to the highly specific. Risks include acts of nature, fraud and other criminal activity, user error and system failure. Information risks can affect one or more of the three fundamental attributes of an information asset, its:

These three attributes are defined in ISO27001 as follows:

ISO27001 defines an ISMS as:

An ISMS exists to preserve confidentiality, integrity and availability. It secures the confidentiality, availability and integrity of the organisation’s information and information assets, and its most critical information assets are those for which all three attributes are important.

The working relationship between ISO27001 and ISO27002 needs to be very clear, as ISO27001 relies to such a substantial extent on ISO27002 that it mandates use of ISO27002.

The link between the two standards was created in 1999, when BS7799 was first published as a two-part standard:

The original Part 2 specified, in the main body of the standard, the same set of controls that were described, in far greater detail (particularly with regard to implementation) in Part 1. These controls were later removed from the main body of Part 2 and listed in an annex, Annex A.

This relationship continues today, between the specification for the ISMS that is contained in one part of the combined standard, and the detailed guidance on the information security controls that should be considered in developing and implementing the ISMS and which are contained in the other part of the combined standard. The planned addition of further standards in the ISO2700x series is not expected to change this fundamental relationship between ISO27001 and ISO27002.

ISO/IEC27001:2005 is a specification for an ISMS. It uses words like ‘shall’. It sets out requirements.

A Code of Practice or a set of guidelines uses words like ‘should’ and ‘may’, allowing individual organisations to choose which elements of the standard to implement, and which not. A specification does not provide any such latitude.

Any organisation that implements an ISMS which it wishes to have assessed against ISO/IEC27001 will have to follow the specification contained in the standard.

As a general rule, organisations implementing an ISMS based on ISO/IEC27001:2005 will do well to pay close attention to the wording of the Standard itself, and to be aware of any revisions to it. Non-compliance with any official revisions, which usually occur on a three-year and a five-year cycle, will jeopardise an existing certification.

ISO27001 itself is what an ISMS will be assessed against; where there is any conflict between advice provided in this or any other guide to implementation of ISO27001 and the Standard itself, it is the wording in the Standard that should be heeded.

An external certification auditor assesses the ISMS against the published Standard, not against the advice provided by this book, a sector scheme manager, a consultant or any other third party. It is critical that those responsible for the ISMS should be able to refer explicitly to its clauses and intent and should be able to defend any implementation steps they have taken against the Standard itself.

An appropriate first step is to read ISO/IEC27001:2005. Copies can be purchased from the ISO website, from national standards bodies and from www.itgovernance.co.uk. There is a choice of hard copy and downloadable versions to suit individual needs.

An ISMS – which the Standard is clear includes ‘organisational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources’^[7] – is a structured, coherent management approach to information security which is designed to ensure the effective interaction of the three key components of implementing an information security policy:

The Standard’s requirement is that the design and implementation of an ISMS should be directly influenced by each organisation’s ‘needs and objectives, security requirements, the processes employed and the size and structure of the organisation’.^[8]

ISO27001 is not a one size-fits-all solution, nor was it ever seen as a static, fixed entity that interferes with the growth and development of the business. The Standard explicitly recognises that:

In the simple terms of the Standard, ISO27001 is a useful model for ‘establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS’.^[9] It is a model that can be applied anywhere in the world, and understood anywhere in the world. It is consistent, coherent, contains the assembled best practice, experience and expertise gathered from implementations throughout the world over the last ten years, and it is technology-neutral. It is designed for implementation in any hardware or software environment.

It should be noted that having an ISO27001-compliant ISMS will not automatically ‘in itself confer immunity from legal obligations’.^[10] The organisation will have to ensure that it understands the range of legislation and regulation with which it must comply, and ensure that these requirements are reflected in its ISMS.