INTRODUCTION

Cyber risk has become a critical business issue, with senior management increasingly under pressure—from customers, regulators, and partners—to ensure their organization can defend against, respond to, and recover from cyber attack.

Resilience against cyber attack requires an organization to defend itself across its whole attack surface: people, process, and technology. Significant investment in technological defenses is inadequate without at least commensurate investment in people and process; breaches in the people and process domains can be more devastating than those that come through inadequate technology. Effective cybersecurity therefore requires a comprehensive, systematic, and robust information security management system that encompasses people, process, and technology. Top management, customers, and regulators all seek assurance that information risks have been identified and are being managed.

Impact of cyber breaches

Data breaches have measurable negative impacts on stock prices, customer retention, reputation, and profitability. Firms with better cybersecurity are usually able to recover more quickly from breaches than those without. Budgets, however, are tight and employees are continuously being pushed to take on more work. This means cybersecurity investments are often a ‘grudge’ investment—right up to the moment an organization suffers a cyber breach and it becomes obvious that the size of investment required to avoid the breach would have been considerably smaller than the scale of the financial and non-financial consequences of the breach itself.

Impact of regulation

While the United States currently has no single federal law that regulates cybersecurity and privacy throughout the country, several states do have their own cybersecurity laws in addition to their data breach notification laws. There is a patchwork of industry-specific federal laws (such as HIPAA and GLBA) and state legislation whose scope and jurisdiction vary. The NYDFS Cybersecurity Regulation in New York and the Massachusetts data security regulation are examples of state cybersecurity regulations. Outside of the US, many countries, including China, are introducing cybersecurity laws. In addition, organizations that offer goods or services in the EU, or that process the personal data of EU residents, must now also comply with the EU General Data Protection Regulation, breaches of which can bring regulatory penalties of up to 4% of annual global turnover (or €20 million, whichever is higher). Therefore, the challenge of compliance for organizations that conduct business across all 50 states and potentially across the world is considerable.

What organizations really need is some form of silver bullet that, at a stroke, brings cost-effective compliance with legislation and regulation, together with enhanced cyber resilience and market competitiveness. While silver bullets do not exist, of course, ISO/IEC 27001 is an international standard that comes closest to performing this function in the cybersecurity environment.

ISO/IEC 27001

The international standard ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements is the blueprint for managing information security in line with an organization’s business, contractual and regulatory requirements, and its risk appetite. Information security has always been an international issue, and this version of the Standard reflects the eight years of improvements in the understanding of effective information security management since the 2005 edition. It also takes account of the evolution in the cyber threat landscape over that period and allows for a wide range of best-practice controls.

Information security is now clearly also a management issue, a governance responsibility. The design and implementation of an information security management system (ISMS) is a management role, not a technological one. It requires the full range of managerial skills and attributes, from project management and prioritization through communication, sales skills, and motivation, to delegation, monitoring, and discipline. A good manager who has no technological background or insight can lead a successful ISMS implementation, but without management skills, the most technologically sophisticated information security expert will fail at the task.

This is particularly the case if the organization wants to derive the maximum long-term business value from the implementation of an ISMS. Achieving external certification is increasingly a standard cost of doing business; achieving the level of information security awareness and good internal practice that enables an organization to safely surf the stormy, cruel seas of the information age requires a level of culture change no less profound than that required to shift from industrial to post-industrial operations.

I know all this because my background is as a general manager, not as a technologist. I came to information security in 1995 because I was concerned about the information security exposures faced by the company of which I was CEO. When you’re the CEO, and you’re interested in it, you can make an ISMS happen—as I’ve proved a number of times. While this book will shorten the learning curve for other CEOs in my position, really it is aimed at the manager—often an IT or information security manager, sometimes a quality manager—who is charged with tackling an ISO 27001 implementation and wants to understand the route to a positive outcome. It builds on the experience of many ISO 27001 implementations and reflects the nine-step implementation methodology that now underpins all the ISO 27001 products and services accessible through IT Governance Ltd (www.itgovernanceusa.com), the company I founded back in 2005. These nine steps work in any organization—public sector, voluntary sector, or private—anywhere in the world. Technology infrastructure, business model, organizational architecture, and regulatory requirements all inform the context for implementation of an ISO 27001 ISMS, but do not limit its applicability. We’ve helped implement an ISO 27001 ISMS in businesses with as few as two people, in mammoth, multi-national global enterprises, and in organizations of all sizes and types in between.

The second-biggest challenge that, in my experience, is faced by information security technologists everywhere in the world is getting, and keeping, the C-suite’s attention. The biggest challenge is gaining, and maintaining, the organization’s interest in and application to the project. Ongoing press and public attention regarding cyber risk is driving the issue onto top management agendas and, when top management does finally understand it needs to act, systematically and comprehensively, against information security threats, it becomes very interested in hearing from its information security specialists. Executives even develop an appetite for investing organizational dollars in hardware and software solutions, and for mandating the development of a new ISMS, or the tightening up of an existing one.

A successful ISMS project stems from and depends on genuine top management support. Progress is quicker if the project is seen as having a credible business need: to win an outsourcing or other customer contract, for instance, or to comply with a public funding requirement, improve competitiveness, or reduce regulatory compliance costs and exposures.

When we first decided to tackle information security way back in 1995, my organization in the UK was required to achieve ISO 9001 certification as a condition of its branding and trading license. We also intended to sell information security and environmental management services and—out of a desire to practice what we preached, as well as from a determination to achieve the identifiable benefits of tackling all these components of our business—we decided to pursue both BS 7799 and ISO 14001 at the same time.

BS 7799 then existed only in an unaccredited form and was, essentially, a Code of Practice. It had only one part and, while accredited certification was technically not possible, some certification bodies were interested in issuing statements of conformity. The other standards we were interested in did all exist, but at that time it was generally expected that an organization would approach each standard individually, developing standalone manuals and processes. This was hardly surprising, as it was unusual for any organization to pursue more than one standard at any time.

We made the momentous decision to approach the issue from primarily a business perspective, rather than a quality one. We decided we wanted to create a single, integrated management system that would work for our business, and was capable of achieving multiple certifications. While this seemed to fly in the face of standard practice around management system implementation, it seemed to be completely in line with the spirit of the standards themselves.

We also decided we wanted everyone in the organization to take part in the process of creating and developing the integrated management system we envisioned. We believed this was the fastest and most certain way of getting them to become real contributors to the project, both in the short and long term. We used external consultants for part of the ISO 9001 project, but there simply was no BS 7799 expertise available externally.

This lack of BS 7799 experts was a minor challenge compared with the lack of useful books or tools. Today, you can purchase books such as An Introduction to Information Security and ISO 27001:2013; however, back then there were bookshelves full of thick, technologically focused books on all sorts of information security issues, but nothing that might tell a business manager how to systematically implement an ISMS. We had no option but to try to work it out for ourselves.

We actually did the job twice: once under the unaccredited scheme, and a second time after the Standard had become a two-part standard and was accredited (the earlier, single part had become the Code of Practice, while a new part, a specification for an ISMS, had been introduced). In fact, our accredited audit was also our certification body’s first observed audit for its own formal accreditation. While that was an interesting experience, it did mean our systems had to be particularly robust if they were to stand the simultaneous scrutiny of two levels of external auditors.

We underwent external examination on five separate occasions within a few months, and our integrated management system achieved all the required external certifications and recognitions. We did this without anything more than the part-time assistance of one ISO 9001 consultant and an internal quality management team of one. Steve Watkins, now a director of IT Governance Ltd and a UKAS Technical Assessor for ISO 27001, was that quality manager, and he did most of the real work to create our integrated, multi-standard management system. Admittedly, the organization was a relatively small one, but although we only employed about 80 people (across three sites), we did also have an associate consultant team that was nearly 100 strong. And back then, we probably could not have done something as complex as this in a much larger organization.

The lessons Steve and I learned in our first two implementations, together with our experience of ISO 27001 implementations since then, often in very substantial public and private sector organizations around the world, have enabled us to crystallize the nine key steps to a successful ISMS implementation.

Properly managed and led, any ISO 27001 project can be successful. We’ve proved it.

Over the years, my organization, IT Governance Ltd, has developed approaches to implementing an ISMS that can help project managers identify and overcome many of the very real problems they face in achieving a successful outcome. We’ve worked successfully with organizations in North America, the UK and Europe, and across the rest of the world. We’ve also developed unique tools and techniques that simplify the process, that fit together around the nine steps described in this book, and that enable organizations to succeed without additional external assistance. Information security success, in the long term, does not need to be consultant-dependent; but it does depend on the organization itself. This book describes the key issues—the building blocks of success—and tells you how to tackle them.

The book is intended to be a fairly high-level guide to the nine-step implementation process and it therefore refers, from time to time, to more detailed books or tools that have been developed or published by my company. In particular, it often makes reference to the substantially more detailed and comprehensive IT Governance – An International Guide to Data Security and ISO27001/ISO27002, Sixth Edition, which Steve and I originally wrote to fill the evident gap in available guidance on the subject. That book is also now the Open University’s postgraduate text book on information security.

In each case where I make a specific reference, the book or tool is unique and was developed to do the specific job I describe it as doing. We developed these books, tools, and services because there simply was nothing available on the market that did a comparable job or that delivered the sort of return on investment we know our customers are looking for.

The ISO 27000 family

The information security Standard is, in fact, a two-part standard that has evolved considerably. One part (ISO 27001:2013) provides a specification for the ISMS: it uses the word ‘shall’ throughout its mandatory requirements (Clauses 4 to 10) and in Annex A, which is the list of reference controls. The other part (ISO 27002:2013) has the status of a Code of Practice: the assembled guidance on best-practice information security from around the world.

The difference between a specification and a Code of Practice, in the world of management systems standards, is that a specification contains the word ‘shall’ and specifies what is mandatory for a system if it is to comply with the standard, while a Code of Practice provides guidance and uses words like ‘should’ to indicate that compliance is not mandatory. Organizations can choose controls from this Code of Practice or from anywhere else, provided the requirements of the specification are met. Accredited certification takes place against a requirements specification, not against a Code of Practice.

ISO 27001 is linked to ISO 27002 and, where the organization uses the Annex A controls, ISO 27002 provides the guidance on how to implement those controls.

These two standards are supported by ISO 27000, which provides the definitions on which they rely. This is a lightweight work, but contains useful guidance and all the essential definitions that will help ensure everyone involved in the implementation project is on the same page.

You need to obtain, and study, copies of both ISO/IEC 27001:2013 and ISO/IEC 27002:2013. It is against ISO 27001 specifically that compliance is measured and the exact words in that Standard have precedence over any other guidance or commentary. Copies of the Standards are obtainable from your national standards body or from www.itgovernanceusa.com (IT Governance Ltd is an authorized standards distributor for a number of standards bodies).

In cases of doubt or uncertainty, your certification auditor will refer to the Standards for clarification; if everything you do can be tied down to specific words in the Standard, you will be in a strong position. On the other hand, do not assume your action is incorrect if you do something the Standard does not specify. The Standard is a minimum requirement, not a maximum one.

Links to other standards

ISO 27001 is supported by a family of related best-practice standards, each of which provides additional guidance on a specific aspect of information security management. This family of standards is continuously growing and developing; up-to-date information is available from www.itgovernanceusa.com/iso27000-family.

ISO 27001:2013 shares the common high-level structure used by ISO 9001:2015 and ISO 14001:2015, as well as by ISO 22301, ISO 20000-1, and ISO 50001, so management systems can be effectively integrated.

ISO 27001 implicitly recognizes that information security and an ISMS should form an integrated part of any internal control system created as part of corporate governance procedures. The Standard fits in with the approach to risk management required, for instance, under Sarbanes–Oxley.

There is further discussion on the relationships with these other standards, more detail on the interrelationship with ISO 27002, and initial guidance on how frameworks such as ITIL (and ISO 20000) and COBIT could be used in an ISO 27001 implementation in An Introduction to Information Security and ISO27001.

Before you start

It’s worth getting appropriate training before you start your ISMS project.

The most useful training courses are those that provide an introduction to the whole subject, those that cover implementation, and those that cover audit. All good courses are accredited by an external examination board, such as the International Board for IT Governance Qualifications (IBITGQ—www.ibitgq.org).

An ISO 27001 ISMS Foundation Course is a one-day course that provides a broad awareness of the subject and is suitable for all project team members.

An ISO 27001 Lead Implementer Course is the ideal course for those who will be responsible for taking the project forward. This is a three-day course that provides practical guidance on effective implementation. The Certified Information Security Lead Implementer (CIS LI) qualification is widely recognized, and CIS LI courses and exams reflect the nine-step approach I describe.

All management systems must be subject to internal (management) audit. A Lead ISMS (or, possibly, an Internal ISMS) Auditor Course provides those inside your organization who will be charged with designing and managing your internal information security audit process with the skills they need to do this effectively.

You can see more detailed information about these and other courses here: www.itgovernanceusa.com/training. These qualifications can be achieved by attending either a classroom (daily travel or accommodation expenses) or a live online (make your own drinks and meals) course.

Training will also, of course, be an important facilitator of the types of changes your organization may need to make in terms of information security management. Exposing the whole project team to the principles of ISO 27001 through an ISO 27001 Foundation training course is a sensible step after you provide for the critical lead implementer and lead auditor training. Staff throughout the business will also need specific training in those aspects of security policy that will affect their day-to-day work. The IT manager and IT staff will all need specific competencies in information security (see ISO 27001, Clause 7.2) and, where those competencies need to be enhanced, the training should be delivered by an organization that recognizes and understands the technical aspects of ISO 27001. You can find more information about appropriate training here:

www.itgovernanceusa.com/training.
