In today’s information economy, the development, exploitation and protection of information assets are key to the long-term competitiveness and survival of corporations and entire economies. The protection of information assets – information security – is therefore overtaking physical asset protection as a fundamental corporate governance responsibility. Information security management, defined as ‘the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities’,1 is becoming a critical corporate discipline, alongside marketing, sales, HR and financial management.
A key corporate governance objective is to ensure that the organisation has an appropriate balance of risk and reward in its business operations and, as a consequence, enterprise risk management (ERM) increasingly provides a framework within which organisations can assess and manage risks in their business plan. The recognition of substantial, strategic risk in information and communication technologies has led to the development of IT governance.2
The changing global economy, together with recent corporate and IT governance developments, provides the context within which organisations have to assess risks to the information assets on which they, and the delivery of their business plan objectives, depend. Information security management decisions are driven by the outcomes of a risk assessment process applied to identified risks and specific information assets.
Risk assessment is, therefore, the core competence of information security management.
The early clauses of ISO/IEC 27002:2005 (ISO27002), the international code of best practice for information security management systems, support this business- and risk-oriented approach. Information security requirements should be ‘identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures’.3
A growing number of organisations are adopting this approach to the management of risk. A number of national and proprietary standards that deal with information security risk management have emerged over the last few years, and they have much in common. ISO27001 is the international standard for information security management and provides an approach to risk management that is consistent with that other guidance. This approach is also appropriate for organisations complying with the PCI DSS.4
Of course, every organisation needs to determine its criteria for accepting risks, and identify the levels of risk it will accept. It is a truism to point out that there is a relationship between the levels of risk and reward in any business. Most businesses, particularly those subject to the Sarbanes-Oxley Act of 2002 and, in the UK, the Turnbull Guidance within the Combined Code on Corporate Governance, will want to be very clear about which risks they will accept and which they won’t, the extent to which they will accept risks and how they wish to control them. Management needs to specify its approach, in general and in particular, so that the business can be managed within that context. As we have already indicated, risk assessment, as an activity, should be approached within the context of the organisation’s broader enterprise risk management (ERM) framework.
Whilst ISO27002 is a code of practice, ISO/IEC 27001:2005 (ISO27001) is a specification that sets out the requirements for an information security management system (ISMS). ISO27001 is explicit in requiring a risk assessment to be carried out before any controls5 are selected and implemented, and is equally explicit that the selection of every control must be justified by a risk assessment. Risk assessment, as we have already said, is therefore the core competence of information security management.
Organisations that design and implement an ISMS in line with the specification of ISO27001 can have it assessed by a third party certification body and if, after audit, it is found to be in line with ISO27001, an accredited certificate of conformity can be issued.6
This standard is increasingly seen as offering a practical solution to the growing range of information-related regulatory requirements, as well as helping organisations to more cost-effectively counter the increasingly sophisticated and varied range of information security threats in the modern information economy.7 As a result, a rapidly growing number of companies around the world are seeking certification to ISO27001.
An ISMS developed and based on risk acceptance/rejection criteria, and using third party accredited certification to provide an independent verification of the level of assurance, is an extremely useful management tool. Such an ISMS offers the opportunity to define and monitor service levels internally, as well as in contractor/partner organisations, thus demonstrating the extent to which there is effective control of those risks for which directors and senior management are accountable.
It is becoming increasingly common for ISO27001 certification to be a pre-requisite in service specification procurement documents. As buyers become more sophisticated in their understanding of the ISO27001 accredited certification scheme, they will increasingly set out their requirements more specifically, not only in terms of certification itself, but also in respect of the scope of the certification and the level of assurance they require. This rapid maturing in the understanding of buyers, as they seek greater assurance from an accredited certification to ISO27001, is driving organisations to improve the quality of their ISMS and, by definition, to improve the granularity and accuracy of their risk assessments.
The level of assurance relates, of course, directly to the risk assessment and management aspects of creating and maintaining an ISO27001-compliant ISMS. It is this key aspect that ensures that a consistent level of assurance is achieved across all facets of information security within an organisation.
ISO27001 is a specification for an ISMS. As we have said, it is based on risk assessment, both initially and on an ongoing basis. ISO27001 goes so far as to specify the steps that an information security risk assessment must go through, and the level of granularity required of it. While there are many recognised – and valid – approaches to risk assessment, an organisation that wishes to achieve ISO27001 certification must meet the requirements set out in the standard itself. There is no room for half measures: either a risk assessment methodology is in line with the requirements of ISO27001, in which case accredited certification is within reach, or it is not, in which case accredited certification is not going to happen.
This book has been written to expand on guidance that is already contained within other ISO27001 implementation books8 by the same authors. It draws on emerging national and international best practice around risk assessment, including ISO/IEC 27005:2008 (ISO27005). It has been written to provide detailed and practical guidance to information security and risk management teams on how to develop and implement a risk assessment and risk management process that will be in line with the requirements of ISO27001, that will reflect the best practice guidance of ISO27005, and which will simultaneously deliver real, bottom-line, business benefits.
1 ISO/IEC 27002:2005, clause 0.1 ‘What is information security?’
2 Other books by the same authors discuss these issues in greater detail. See, for instance, International IT Governance: An Executive Guide to ISO 27001/ISO 17799 (Kogan Page, 2006).
3 ISO/IEC 27002:2005, clause 0.4 ‘Assessing security risks’.
4 Payment Card Industry Data Security Standard, in version 1.2 at the time this book was published.
5 A ‘control’ can be thought of as a countermeasure, or mitigation, for a risk. See A Dictionary of Information Security Terms, Abbreviations and Acronyms (ITGP, 2007).
6 There is a full description of the process of accredited certification in IT Governance: A Manager’s Guide to Data Security and ISO 27001/ISO 27002 by Alan Calder and Steve Watkins (Kogan Page, 2008).
7 See The Case for ISO 27001 by Alan Calder (ITGP, 2005) for detailed coverage of the business, contractual and regulatory reasons that should lead an organisation to consider developing an ISMS in line with the ISO27001 specification.
8 See, in particular, IT Governance: A Manager’s Guide to Data Security and ISO 27001/ISO 27002 (Kogan Page, 2008) and International IT Governance: An Executive Guide to ISO 27001/ISO 17799 (Kogan Page, 2006). Note also the range of ISO27001 implementation guidance titles listed in the resources section at the back of the book.