© Abhishek Chopra, Mukund Chaudhary 2020
A. Chopra, M. Chaudhary, Implementing an Information Security Management System, https://doi.org/10.1007/978-1-4842-5413-4_2

2. Assessing Needs and Scope

Abhishek Chopra (1) and Mukund Chaudhary (2)

(1) Faridabad, Haryana, India

(2) Noida, India

BYOD must evolve from 'Bring Your Own Devil' to 'Bring Your Own Defense' associated to security probation and monitoring.

—Stéphane Nappo

Nearly all organizations, regardless of the industry they are in, rely on computers to do their daily tasks, which means the security of digital information has become of utmost importance.

Organizations generate a lot of business-critical information, and no organization can operate without that data. When planning to implement ISO 27001, the first step is to assess the business's needs and scope.

To start an ISO 27001 implementation, you must first understand the business context of your organization. Why is your organization going for ISO 27001 certification? The decision to implement ISO 27001 is often a strategic one driven by upper management, and the way you approach the implementation can differ depending on that driver.

Assessing Business Needs

Once the business need is clear, you can implement a robust ISMS (Information Security Management System) that covers the needs of the interested parties and customers. It should also meet management expectations.

Clause 4.1 of ISO 27001, identifying the organizational context, is the first step in implementation. This clause requires you to analyze the external and internal issues that influence your company’s information security.

It is important to understand the external and internal environments affecting the company when you’re defining an ISMS. The ISO standard for information security management requires that you define the organizational context.

As per ISO 31000 Clause 5.3.1, these issues can be of two types:
  • Internal issues: Factors that are under the control of the organization.

  • External issues: Factors that the organization cannot control.

Let’s look at a few examples of internal issues:
  • Organizational structure: Defines the roles, responsibilities, accountability, and hierarchical positions in the organization. This helps define the position of the ISMS. Having clearly defined roles and responsibilities in securing the information helps you know who is responsible for which areas and provides clarity on what needs to be done.

  • Organizational culture: The culture of the organization can be expressed in terms of its vision, mission, and values. The organizational policy, business strategies, and objectives also help define the information security policy. As per ISO 27001:2013 Clause 5.2, organizations need to publish their information security policies. Considering employees' perspectives is very important when publishing documents that will affect the way people work.

  • Available resources: It is important to know which resources are available to the organization to implement information security. Knowing which technologies, systems, equipment, and personnel you already have helps guide you in terms of procurement or acquisition of resources.

Now let’s look at some external issues. Here are a few examples:
  • Legal and regulatory requirements: From an implementation point of view, it is essential to determine the legal, safety, and regulatory requirements of your organization. Some regulatory requirements—such as labor laws, IT-related safety requirements, and intellectual copyright law—are mandatory and must be met to be compliant. Chapter 6 covers the mandatory controls in detail.

  • Political and economic environment: This also plays an important role when implementing an ISMS, and you need to monitor changes in government policy or in currency exchange rates.

  • Technological trends: New technologies may bring new security challenges and may require new ways to protect the information.

As seen in Figure 2-1, organizations need to determine their business context. For that, you need to identify the internal and external issues in your organization and identify the relevant interested parties.
Figure 2-1. Interested parties and internal/external issues

It is important to understand the business needs, which means you need to know the context of your business. In other words, why does your business exist? This will help you assess the business needs and strategize the ISO 27001 implementation.

Many organizations either skip or neglect to understand the business context. Then, during scope planning, many areas are missed or left unidentified, which leads to problems caused by an incomplete scope analysis.

So, who should know or understand the business context? Every employee, contractor, and vendor who works with your organization should, because it directly or indirectly impacts the organization’s business objectives. If the business context is not clear, workers won’t be able to meet the organization’s set objectives.

To understand this in a more holistic manner, let’s look at this from different industry angles:
  • IT/hardware/software organization: The company does software development work or provides IT services, and it handles a lot of customer data. If the solutions it provides or the systems it uses are not secure, this can impact the company's business and its reputation. Hence, it becomes important to secure business-critical information in all possible ways.

  • Banking organization: Banks handle your financial data and transactions, which must be protected from unauthorized access and theft. Their customers have put a lot of faith in the bank and in its systems. If a bank is breached, it can impact the bank's business and reputation. It's very important for banks to secure their systems and networks in all possible ways.

  • Healthcare organization: These organizations handle and store patient healthcare information, which must be protected from unauthorized access and theft. Your customers won't be happy if their personal health information is made public or stolen. Victims could sue you, which in turn could impact the company's business and reputation. Hence, it's important for healthcare organizations to secure their systems and networks in all possible ways.

These are just a few examples to show you why it’s worth it to invest your time and money in implementing ISO 27001 security practices.

Scope and High-level Timeframe for Implementation

Once you are clear about the business need, the next big step is to assess the scope of the implementation within the organization. It doesn’t matter whether the organization is small, medium, or large.

Note

No matter how small or big the organization is, the scope assessment is very important, as it will provide an understanding to all stakeholders and employees including senior management, customers, and auditors about the areas in your organization that are part of the implementation.

There are numerous factors involved in identifying the scope. You need to consider the organization's entities, locations, geographies, business units, departments, and any products or services that are offered.

You need to look for areas that are out of scope from an implementation or certification point of view and then assess the impact on the overall implementation. For areas you find to be out of scope (not under your control or influence), you have to assess if important stakeholders or interested parties are affected.

So, how do you identify out-of-scope areas? You analyze the business process flow and the key dependencies between the activities performed by the organization and the activities that are outsourced to another organization.

Say your organization has outsourced the hosting of datacenter services. The activities of the datacenter are out of your controlled scope, but you still need to manage your vendor as part of your outsourced policies and processes. They are responsible for managing your business and customer risks. You should also conduct a vendor risk assessment, which you will learn about in the coming chapters.

Tip

Look for vendors/suppliers who are compliant with information security practices, as this will help you feel confident that they understand your business risks.

By taking all these steps, you can rest easy that you have not missed any important areas or stakeholders.

You can take three main steps to identify the scope of implementation for your organization's ISMS:
  1. Identify the areas/systems/locations where all the information is or will be stored. This includes the physical and digital document files.

  2. Identify all the ways by which information is or will be made accessible to users.

  3. Identify what is out of scope, i.e., what your organization doesn't have control over, such as outsourced products or services.
By taking these steps, you can prepare the following documents:
  • Scope document

  • Statement of applicability

A well-defined scope provides assurance that all the important areas of your organization have been covered in terms of implementing security controls. It also helps to get everyone, including management, on the same page, with one common vision. If this is not handled properly, it may delay or extend the implementation timeline. Documenting the organization’s scope is one of the requirements of the ISO 27001 standard.

Many organizations have security departments, which are led by the chief information security officer (CISO). This person usually reports directly to the vice president or managing director. The CISO has the authority to form a team to work on the implementation of ISO 27001. In general, the team includes the following members:
  • Steering committee members: This includes the managing director, vice president, chief executive officer, chief technology officer, and the chief information security officer.

  • Information security department members: This includes the information security manager, team members, and department heads of any departments that are part of the implementation. The information security department members schedule a meeting with the department heads to define their scope of work and determine what standard operating procedures they use on a daily basis to perform their tasks.

During such discussions, you can use a checklist or questionnaire to collect the information. This will help you decide whether the collected information is important from a business point of view and should be classified as crucial. That is why this chapter discussed business context: you need to understand the business context in order to understand the systems and processes used in your organization.

Once all these department discussions are done, the team makes a collective decision to identify the overall scope of the organization, including the departments to be included, company locations, etc.

To decide on the final scope, a meeting is arranged with the steering committee members. The scope is presented to them, and the CISO might need to explain the reasoning for selecting the identified scope, at which point it might be tweaked. There can be multiple rounds of this process.

Once management or the approval authority has approved everything, the scope can be frozen, and it becomes a guiding document for working on the implementation. The key is to manage the expectations of management.

Once the scope document is frozen, you might wonder whether it can be revised or modified. It can be revised based on the many inputs and scenarios observed during the implementation, because more clarity comes when you execute the tasks.

Team members must meet on a weekly basis to share information with the CISO, who can make initial decisions and determine whether the issues should be included in the scope. The final decision is the steering committee’s as they know the budget requirements as well as the implementation requirements.

What’s Covered in the Scope Document?

This section lists a sample table of contents for a scope document. It is for reference purposes only. This content may be modified or deleted based on the organization’s requirements/knowledge/experience.
  • Purpose of the document: Describe what is covered in the scope document.

  • Company/organization description: A brief description of the organization, including the company’s business.

  • Scope statement: A statement that covers the primary objective of the ISMS implementation.
    • Within the scope: What is in the scope

    • Out of scope: Exclusions with justifications

    • Company stakeholders: Mention the key stakeholders

    • Company geographical/physical locations: Mention locations that are part of the implementation

    • Information security objectives: Mention the objectives to be achieved

    • Responsibilities of the information security group: Mention the key responsibilities in a clear manner

    • Monitoring and review: Mention the scenarios in which the scope document can be reviewed/revisited for any changes/additions

If you adequately cover all these points in your scope document, you will have properly documented the scope of your organization's ISO 27001/ISMS implementation. This can be shown to your customers or to auditors who need to know the scope and the areas that are excluded.

What Is the Statement of Applicability (SOA)?

The Statement of Applicability (SOA) goes hand in hand with the scope identification exercise. It is an important document that helps you look for the areas to be included in your ISMS.

This document helps you select the controls that you implement within your organization. It is also a mandatory document, and you are required to show it to the auditor or the certification body during the ISO 27001 certification exercise. It acts as a roadmap for your ISMS implementation and ensures that your organization meets the criteria put forth by the International Organization for Standardization (ISO).

The sample SOA template explained in the following sections will help you understand the controls mentioned in the SOA. Then you can determine which controls are applicable to specific teams or members in your organization. When it is not clear which team member has the responsibility to implement certain controls, this document can help clarify the roles and responsibilities.

To provide more clarity and understanding, the following SOA tables have been provided with explanations. However, detailed explanations on how to do the implementations are covered in later chapters. See Tables 2-1 through 2-14.

Section A.5 of the Annexure

Table 2-1 shows Section A.5. This is the policy document that needs to be established based on the ISMS scope that’s been finalized for the implementation.

Note

Security controls are categorized into annexures in the ISO 27001 standard.

Table 2-1

A.5 Information Security Policies

Responsibility

The Information Security Department establishes the policy document after approval from management or another authority.

Section A.6 of the Annexure

As shown in Table 2-2, Section A.6 covers the controls that define the information security roles and responsibilities of each team member in the organization. Also, for each role, the duties must be segregated. This section also covers the controls for securing teleworking equipment and portable devices.
Table 2-2

A.6 Organization of Information Security

Responsibility

The Human Resources department should take the lead in establishing the roles and responsibilities of the team members. The Information Security department will act as a guide.

Section A.7 of the Annexure

As shown in Table 2-3, Section A.7 covers the controls to be implemented throughout the employment lifecycle, from the point of hiring until the termination or exit of the employee from the company.
Table 2-3

A.7 Human Resource Security

Responsibility

All the controls should be owned by the Human Resources/recruitment team. The Information Security department will act as a guide.

Section A.8 of the Annexure

As shown in Table 2-4, Section A.8 covers the controls to be implemented to manage the information assets (could be hardware, software, people, information stored on paper, electronic media, etc.).
Table 2-4

A.8 Asset Management

Responsibility

Each department member is responsible for managing the assets produced or maintained by their department. The Information Security department will act as a guide.

Section A.9 of the Annexure

As shown in Table 2-5, Section A.9 covers the controls to be implemented to provide authorized access to the information and systems used to process the information.
Table 2-5

A.9 Access Control

Responsibility

The IT team is responsible for providing and monitoring the access to the organization’s information. The Information Security department will act as a guide to all departments involved.

Section A.10 of the Annexure

As shown in Table 2-6, Section A.10 covers the controls to be implemented for cryptography, in order to secure the information.
Table 2-6

A.10 Cryptography

Responsibility

The IT team is responsible for implementing cryptographic controls over the information that’s processed and stored on the systems.

Section A.11 of the Annexure

As shown in Table 2-7, Section A.11 covers the controls to be implemented to control access and permissions within the physical workspace or office environment.
Table 2-7

A.11 Physical and Environmental Security

Responsibility

The IT and facility teams are responsible for implementing the physical entry controls to your office locations and for securing the areas within your office.

Section A.12 of the Annexure

As shown in Table 2-8, Section A.12 covers the controls to be implemented for running smooth day-to-day operations in your organization.
Table 2-8

A.12 Operations Security
Responsibility

The IT and facility teams are responsible for implementing operational controls.

Section A.13 of the Annexure

As shown in Table 2-9, Section A.13 covers the communication controls for securing the company’s networks and the transfer of information from systems within and outside the organization.
Table 2-9

A.13 Communication Security

Responsibility

The IT team is responsible for implementing controls on networks and on the transfer of information.

Section A.14 of the Annexure

As shown in Table 2-10, Section A.14 covers the controls to be followed during the development, testing, and maintenance phases of your products and services.
Table 2-10

A.14 System Acquisition, Development and Maintenance
Responsibility

The IT team is responsible for implementing these controls. The Information Security team will act as a guide.

Section A.15 of the Annexure

As shown in Table 2-11, Section A.15 covers the controls to be followed during the procurement process of your products and services.
Table 2-11

A.15 Supplier Relationships

Responsibility

The procurement and product development teams are responsible for implementing controls during the procurement process. The Information Security team will act as a guide.

Section A.16 of the Annexure

As shown in Table 2-12, Section A.16 covers the controls to be followed for all the incidents related to security, including communicating about security events and weaknesses.
Table 2-12

A.16 Information Security Incident Management

Responsibility

The IT department and all department stakeholders are responsible for implementing these controls. Incidents can occur in any department, and the affected department should record and report the incident. The Information Security team will act as a guide.

Section A.17 of the Annexure

As shown in Table 2-13, Section A.17 covers the controls required for business continuity.
Table 2-13

A.17 Information Security Aspects of Business Continuity Management

Responsibility

The IT department and all accountable stakeholders will be responsible for implementing these controls. Business continuity allows the business to run smoothly during incidents that are not in the company’s control. The Information Security team will act as a guide.

Section A.18 of the Annexure

As shown in Table 2-14, Section A.18 covers the controls required to maintain compliance with respect to all the controls mentioned in the SOA.
Table 2-14

A.18 Compliance

Responsibility

The Information Security team is responsible for checking and maintaining compliance with respect to all applicable controls, and it acts as a guide to the other departments.

High-Level Timeframe

Once the ISMS scope is defined and you have a clear understanding of what is needed to implement it, you need to create a timeframe to achieve the objectives.

We all know that an ounce of prevention is better than a pound of cure. That means it’s better to implement all needed security controls to prevent security incidents rather than have to address and fix incidents as they happen.

It is always tricky to determine the timeframe for implementation, as there are many dependencies and constraints for teams who will be working on this project. Sometimes, the timeline may come directly from management as a mandate to finish by a certain deadline. In that case, it becomes a top priority for various teams involved to work and deliver in a timely manner.

Consider these real-life examples of dependencies and constraints:
  • Commitment from the management and employees: If you don't have commitment from the top, your project will not get support from the various stakeholders. You’ll read more about the importance of management’s commitment in the next section.

  • Budget issues and tool availability: In order to implement security controls, you need many software tools that will help you ensure you achieve and maintain the compliance levels. If you’re waiting for budget approvals and tools, your implementation timeline needs to be defined accordingly.

  • Current compliance/gap levels: This will help you determine where you stand today in terms of your compliance levels and where you want to end up. If the majority of the security controls have not yet been implemented at the time of timeframe planning, the timeframe should be planned carefully with very clear inputs.

  • Geographies/locations: This will help you determine which areas of the organization will be covered. Organizations usually prefer to implement the ISMS at all company locations simultaneously, but this depends on how big the implementation team is and the commitment level of management to provide the time and resources. If the implementation team is small and the work has been planned in a phase-wise manner, ask management for guidance as to which entity should be implemented first.

These scenarios may help you identify the areas, dependencies, and constraints that could impact your implementation's timeframe. It is important to create a realistic and achievable timeframe. Otherwise, you may feel unnecessary pressure to implement controls in a shorter timeframe, which could impact the quality of the security controls and the desired result.

The next chapter looks at the example of a high-level timeframe, which might help you identify the tasks involved and the timeline needed to complete the implementation.

Senior Management Support

You can increase the chances of a successful implementation by bringing in top management. Without the support of management, your project will probably fail; hence, senior management support is essential. Support means that management is willing to provide all the resources required to implement information security, whether that is the human resources or the money required to support the project.

You need management support because the ISMS implementation process will be done by the departments and their team members. Top management may need to outline and define their expected roles, based on the overall priorities of the company, especially when these conflict with that group’s or project’s short-term priorities.

To get top management support, the CISO (Chief Information Security Officer) or the person with the authority needs to present the ISMS/ISO 27001 project as a business case to senior management. They need to communicate the tangible and intangible benefits of the implementation.

You can increase the chances of a successful ISMS/ISO 27001 implementation by getting management buy-in. Without the support of management, the ISMS implementation might fail or may not lead to the desired result. Many security controls come with a cost and you will probably need top-level support to okay those costs.

Senior management should be willing to provide all the resources required to implement ISMS/ISO 27001 information security. Resources could be human, tools, budget, etc.

Top management’s commitment and involvement can make the expected benefits of the ISMS program achievable, as follows:
  • Meet the organization’s strategic objectives

  • Create a risk-management program to effectively manage risks

  • Manage resources efficiently

  • Create value-added initiatives

Note

Clause 5.1 emphasizes top management commitment.

Summary

In this chapter, you learned about the importance of the first step in implementation, which is to assess and understand the business needs and the context of the organization. You also learned how to finalize the scope of the implementation by creating a roadmap for ISMS/ISO 27001 implementation. You read about the important things to keep in mind when deciding the timeframe. You also learned that it’s critical to get full support from management, in order to make your implementation achievable and useful.
