ISMS Light touch Directors' Brief
Executive SummaryIt is generally accepted that information is the greatest asset any organisation has under its control. Directors are aware that the supply of complete and accurate information is vital to the survival of their organisations.
Today more and more organisations are realising that information security is a critical business function. It is not just an IT function but covers:
- Risk Management;
- Physical Security;
- Business Continuity;
- Regulatory and Legislative Compliance.
ISO27001:2005 which was formally BS7799 is the International Standard for Information Security Management (ISMS) and provides a definitive reference to developing an information security strategy. Moreover a successful certification to this standard is the confirmation that the system employed by the organisation meets internationally recognised standards.
However reduced resources may cause problems when planning and implementing a full ISMS; this can be resolved by using a reduced scope. This does allow for extension at some time in the future.
The Statement of Applicability which accompanies the application can be tailored to meet the specific requirements of the organisation.
Information SecurityBusiness has been transformed by the use of IT systems, indeed it has become central to delivering business efficiently. The use of bespoke packages, databases and email have allowed businesses to grow while encouraging remote communication and innovation.
Most businesses rely heavily on IT but critical information extends well beyond computer systems. It encompasses knowledge retained by people, paper documents as well as traditional records held in a variety of media. A common mistake when incorporating an information security system is to ignore these elements and concentrate only on the IT issues.
Information security is a whole organisation matter and crosses departmental boundaries. It is more than just keeping a small amount of information secret; your very success is becoming more dependent upon the availability and integrity of critical information to ensure smooth operation and improved competitiveness.
C I A
Directors' PerspectiveYour vision is central to organisational development; driving improvements in all areas of the business to create value. With information technology being key to so many change programmes, effective information security management systems are a prerequisite to ensuring that systems deliver on their business objectives. Your leadership can help create the appropriate security culture to protect your business.
Organisations are increasingly being asked questions about ISO 27001, particularly by national or local government, professional and the financial sector. This is being driven by adoption of the standard as part of their legal and regulatory obligations. In some areas this is becoming a tender requirement.
Others are seeing a competitive advantage in leading their sector and using certification in information security management to develop customer/client confidence and win new business. With public concern over security issues at an all time high, there is a real need to build effective marketing mechanisms to show how your business can be trusted.
You will certainly be aware of your responsibilities for effective governance, and be answerable for damaging incidents that can affect organisational value. The risk assessment, which is the foundation of the standard is designed to give you a clear picture of where your risks are and to facilitate effective decision making. This translates into risk management, not simply risk reduction and therefore replaces the feeling many directors have of risk ignorance in this area. This will help you understand the potential risks involved with the deployment of the latest information technologies and will enable you to balance the potential downside with the more obvious benefits.
CFO ScrutinyWhether, as part of compliance, such as required by Professional Bodies, Sarbanes Oxley, Data Protection Act, or as part of an effective governance, information security is a key component of operational risk management. It enables the formulation of effective risk analysis and measurement, combined with transparent reporting of ongoing security incidents to refine risk decisions.
Giving values to the impact security incidents can have on your business is vital. Analysis of where you are vulnerable allows you to measure the probability that you will be hit by security incidents with direct financial consequences.
An added benefit of the risk assessment process is that it gives you a thorough analysis of your information assets, how they can be impacted by attacks on their confidentiality, integrity and availability, and a measure of their real value to your business.
Although the detail within the risk assessment process can be complex, it is also possible to translate this into clear priorities and risk profiles that the Board can make sense of, leading to more effective financial decision making. Basic risk assessment is a preferred method when smaller organisations are starting on the road to an ISMS.
Business ContinuityHow well would you cope if a disaster affected your business?
This could be from some natural cause such as flood, storm or worse from fire, terrorism or other civil unrest. The areas not often considered are sickness, failure of utilities or technology breakdown.
Business continuity planning in advance of a disaster can mean the difference between survival or extinction of the business.
Many of the businesses affected by the Bunsfield Fuel Depot disaster never recovered. Those with an effective business continuity plan have emerged like the phoenix from the ashes.
Many businesses claim to have a plan but if the plan is untested or ill prepared then it is bound to fail. ISO27001 states that a fully planned and tested BCP should be in place to prepare for and be able to deal with, such an emergency.
ISO 27001/2 Sections
- Risk assessment and treatment – Assessing the risks to the company's assets, devising a risk treatment plan and finally accepting those risks that cannot be mitigated.
- Security policy - This provides management direction and support for information security.
- Organisation of information security - To help manage information security within the organisation.
- Asset management - To help identify assets and protect them appropriately.
- Human resources security - To reduce the risks of human error, theft, fraud or misuse of facilities.
- Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information.
- Communications and operations management - To ensure the correct and secure operation of information processing facilities.
- Access control - To control access to information
- Information systems acquisition, development and maintenance - To ensure that security is built into information systems.
- Information security incident management – To deal effectively with any identified security incident.
- Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
- Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.
CONCLUSIONSA light touch ISMS can be very effective in providing confidence to customers/clients if careful selection of the elements, incorporated in the ISMS, is made. The Statement of Applicability details which parts are included/excluded.
Many organisations have benefited from this approach and with assistance from Quality Matters have maximised the use of resources while providing good levels of data protection.
This brief has been prepared by Chris Eden of Quality Matters Limited. Chris Eden FIC, MISSA, ACQI, A director of Quality Matters Limited with over 20 years experience in setting up, auditing and evaluation of systems. He is a Registered QMS2008 Internal Auditor (IRCA).