CHAPTER 7: IMPLEMENTATION

The seventh of the nine steps deals primarily with the implementation of the Risk Treatment Plan—putting in place the selected information security controls. The technical aspects of control implementation—re-configuring firewalls, implementing boot-level encryption on laptops, segregating networks, meeting DPA or PCI compliance requirements, and so on—all depend in the first instance on the competence of those charged with their implementation.

The focal point of this step is the competence of those in the information security team, as well as of others across the organization who will be responsible for documenting processes, for communicating changed processes and controls across the organization, and for staff awareness, training, and education. At this point, you will also deal with outsourced processes.

Competencies

You will need a process to determine, review, and maintain the competencies necessary to achieve your information security management system (ISMS) objectives. Competence is defined in ISO 27000:2014 as the “ability to apply knowledge and skills to achieve the intended results.” But what competencies do you need?

To answer this question, you should conduct a needs analysis, assessing the competencies required for the effective management of the ISMS. The organization must define competence, either in terms of experience or in terms of qualifications. The current reality is there are relatively few people who have meaningful ISO 27001 experience; therefore, organizations tend to default to formal qualifications as a way of determining and assessing competence. We have looked at this previously: information security lead implementer, lead ISMS auditor, and internal ISMS auditor are typical competencies required, and International Board for IT Governance Qualifications (IBITGQ) qualifications in these subjects are typical ways that organizations demonstrate they have acquired what they need.

Information security requires more than just implementation and audit competencies, though. It also requires competence in areas like risk assessment, business continuity, and incident management, as well as in more technical areas like security testing and network security architectures. Qualifications like CISMP, CISSP, CEH, and CISM are becoming more common among information security professionals, but you also need to consider specific qualifications, such as those for managing Microsoft or Cisco security, or public key infrastructure (PKI), for instance.

Once you determine the competencies required for your ISMS, you need to acquire them—either through recruitment, sub-contracting, or, more practically, by having your existing staff get trained and qualified. Public training organizations (such as the training arm of IT Governance Ltd) offer these sorts of training courses and access to the associated exams.

Evidence of competence needs to be retained. The most appropriate place in which to do this is individual HR files.

The ‘all persons’ requirement

It is a requirement of the Standard that all “persons under the organization’s control” are appropriately aware of the information security policy, the ISMS—and their contribution to it—as well as the implications of not conforming with ISMS requirements. The group of persons to whom this applies would logically include—as well as employees—all associates and contractors doing work either on behalf of the organization or within its security perimeter, ranging from cleaners to network support engineers.

While it is relatively straightforward to make this work with respect to staff and direct contractors, it is somewhat harder when dealing with those indirectly contracted to do work under the organization’s control. For example, cleaners and network engineers, employed by a third party that has a specific service contract with your organization, could be under your control when on your premises. You need to build into supplier contracts an obligation to ensure their staff comply with this requirement—and then make it possible for them to do so.

Staff awareness

It is also a requirement of the Standard that all staff should receive training in relation to the ISMS, and that their awareness of the ISMS and information security issues should be maintained over time. This is perfectly sensible; staff can be most organizations’ weakest link, and in an era where ‘hacking the human’ is just one of the standard skill sets of most cyber attackers, the humans on your staff need to be on their guard at all times. Of course, staff can also make errors—when inputting data, for instance—that could have outcomes as catastrophic as a major cyber attack.

Practically speaking, this means staff need basic training—typically, when they join the organization—on how the IT systems operate and what their obligations are regarding information security. Most staff should also sign an acceptable use agreement when they join the organization. This document should set out in detail all aspects of the expected behaviors, from password strength to clean desk and clear screen policies, and protection of PII. Initial staff training should, at the very least, cover all the acceptable use requirements, as well as the policies and procedures the user is expected to comply with.

The organization should provide refresher training on a regular basis. This refresher training can cover the same areas as the original training, or it can be varied and updated to reflect a changing risk environment. As your objective is continued compliance with your acceptable use agreement, there is some sense in re-delivering the same core training.

There are three challenges with the traditional way of delivering such training, which usually takes the form of a group session. The first is that it is expensive in terms of trainer and staff time. The second is that, invariably, not everyone manages to attend the training—and it is the person who does not attend who is likely to cause a problem. The third is that you usually cannot extract evidence from this kind of training that everyone paid attention and learned what they were intended to learn. In legal proceedings, a court may require you to demonstrate that a transgressor was actually aware their actions were wrong.

Increasingly, organizations address these challenges through eLearning—staff awareness training delivered online. Typically, a 40-minute staff awareness training course can be delivered cost-effectively and consistently to everyone within an organization within a specific timeframe. As everyone completes the training at a time that suits them, you can ensure everyone does get trained. Everyone gets the same message. And you can attach tests to the training, so you have evidence people learned what they were meant to learn. The most important aspect of online compliance staff awareness training is the extent of the administrative reporting. The interactivity of the course itself is far less important, and this has the benefit that you can usually keep down the cost of delivering this sort of training—either from a cloud provider or through your own in-house learning management system.

IT Governance Ltd is one of a number of organizations that can provide online ISO 27001 staff awareness training to help address this need.

Of course, staff awareness training often dovetails with the organization’s communication strategy. Keeping staff up-to-date with information security awareness is, in practical terms, simply building on the initial and repeat core training, and should be fundamental to how you keep staff aware of the dangers of a wide variety of social engineering-type attacks.

Outsourced processes

ISO 27001 specifies that outsourced processes must fall within the scope of the ISMS, even though the organization delivering that process is by definition outside the scope. An outsourced process is one where the organization has contracted a third party to manage or operate a service on its behalf, such as desktop support. An outsourced service is not necessarily the same thing as a bought-in service; while you are able to determine how an outsourced service is operated, you have little discretion about how bought-in ones are.

Processes that fall within the scope of the ISMS must be controlled. Typically, outsourced processes are controlled through some mix of:

  • Terms and conditions of contract
  • Supplier information security questionnaires
  • Mandating and monitoring recognized assurance badges, and/or
  • Supplier audits.