Charu Pelnekar, CISA, CISM, ACA, AICWA, BCOM, CISSP, CPA, MCSE, QSA
ISO/IEC 27001:2005 Information Technology—Security techniques—Information security management systems—Requirements is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).[1, 2] The potential benefits[3, 4] of implementing ISO 27001 and obtaining certification are numerous. Implementing ISO 27001 can enable enterprises to benchmark against competitors and to provide relevant information about IT security to vendors and customers, and it can enable management to demonstrate due diligence. It can foster efficient security cost management, compliance with laws and regulations, and a comfortable level of interoperability due to a common set of guidelines followed by the partner organization. It can improve IT information security system quality assurance (QA) and increase security awareness among employees, customers, vendors, etc., and it can increase IT and business alignment. It provides a process framework for IT security implementation and can also assist in determining the status of information security and the degree of compliance with security policies, directives and standards.
The goal of this article is to provide guidance on the planning and decision-making processes associated with ISO 27001 implementation, including associated costs, project length and implementation steps.
Before implementing ISO 27001, one needs to consider the costs and project length, which are further influenced by the detailed understanding of the implementation phases. Any cost is painful in tough economic times. In today’s cloud computing environment, organizations that want to reduce costs without compromising information security are looking at ISO 27001 certification as a promising means to provide knowledge about their IT security.
Implementation costs are driven by the perception of risk and how much risk an organization is prepared to accept. Four costs need to be considered when implementing this type of project:
On average, implementation of a system such as this can take four to nine months and depends largely on the standard of conduct and quality, management support (tone at the top[6]), the size and nature of the organization, the health/maturity of IT within the organization, and existing documentation.
ISO 27001 requires a company to establish, implement and maintain a continuous improvement approach to manage its ISMS. As with any other ISO compliance, ISO 27001 follows the plan-do-check-act (PDCA) cycle, as shown in figure 1.
The cost factors mentioned earlier are directly impacted by the inventory of IT initiatives within the organization. Organizations with the COBIT framework, Statement on Auditing Standards (SAS) No. 70 Type I and Type II, Payment Card Industry Data Security Standard (PCI DSS), National Institute of Standards and Technology (NIST), or US Sarbanes-Oxley Act capabilities in place provide a ready inventory of set policies and procedures, risk assessments, control objectives, and operational controls that can often significantly reduce the time and expense needed to complete the project. Refer to figure 2 to understand the time and cost savings on the respective PDCA phases associated with different IT efforts.
In addition to the previously mentioned cost savings, an organization that wants a step-by-step approach to ISO compliance can adopt a corporate scheme, which envisages that the scope of compliance can be restricted to a specific division, business unit, type of service or physical location. The adoption of a corporate scheme will save time and allow the organization to realize the benefit of ISO 27001 certification. In addition, once successful compliance has been achieved for a limited, but relevant, scope, the corporate scheme can be expanded to other divisions or locations.
ISO/IEC 27001 and its supporting document, ISO/IEC 27002 (ISO/IEC 17799), detail 133 security measures, which are organized into 11 sections and 39 control objectives. These sections specify the best practices for:
The ISMS may be certified as compliant with ISO/IEC 27001 by a number of accredited registrars worldwide. The ISO/IEC 27001 certification, like other ISO management system certifications, usually involves a three-stage audit process:
Independent assessment necessarily brings some rigor and formality to the implementation process, and it must be approved by management. ISO/IEC 27001 certification should help assure most business partners of the organization’s status regarding information security without the business partners having to conduct their own security reviews.
Planning
As in all compliance and certification initiatives, consideration of the organization’s size, the nature of its business, the maturity of the process in implementing ISO 27001 and the commitment of senior management are essential. The most important departments and activities that will be vital to the success of the project include:
Although implementation of policies and procedures is largely perceived as an IT activity, other departments play an important role in the implementation. For example, facilities management is largely responsible for physical security and access controls.
Decision Making
The decision of when and how to implement the standard may be influenced by a number of factors, including:
Various IT initiatives that can save time and cost on implementation phases are illustrated in figure 2. As explained earlier, an organization also needs a detailed understanding of the PDCA implementation phases to manage the costs of the project. The PDCA cycle is consistent with all auditable international standards: ISO 18001, 9001 and 14001. ISO/IEC 27001:2005 dictates the following PDCA steps for an organization to follow:
These suggested PDCA steps are further simplified and mapped (figures 1, 3 and 4) to the implementation phases developed for easy understanding and implementation—with the end objective of time and cost savings in mind. The following steps take into account the IT maturity within the organization and the review/registration process (see figure 4 for the details of review and registration steps).
Phase 1—Identify Business Objectives
Stakeholders must buy in; identifying and prioritizing objectives is the step that will gain management support. Primary objectives can be derived from the company’s mission, strategic plan and IT goals. The objectives can be:
Phase 2—Obtain Management Support
Management must make a commitment to the establishment, planning, implementation, operation, monitoring, review, maintenance and improvement of the ISMS. Commitment must include activities such as ensuring that the proper resources are available to work on the ISMS and that all employees affected by the ISMS have the proper training, awareness and competency. The following activities/initiatives show management support:
Phase 3—Select the Proper Scope of Implementation
ISO 27001 states that any scope of implementation may cover all or part of an organization. According to section B.2.3, Scope of the ISMS, only the processes, business units, and external vendors or contractors falling within the scope of implementation must be specified for certification to occur.
The standard also requires companies to list any scope exclusions and the reasons why they were excluded. Identifying the scope of implementation can save the organization time and money. The following points should be considered:
The scope should be kept manageable, and it may be advisable to include only parts of the organization, such as a logical or physical grouping within the organization.
Phase 4—Define a Method of Risk Assessment
To meet the requirements of ISO/IEC 27001, companies need to define and document a method of risk assessment. The ISO/IEC 27001 standard does not specify the risk assessment method to be used. The following points should be considered:
Choosing a risk assessment method is one of the most important parts of establishing the ISMS. Use of the following will be helpful:
ISO 27001 requires risk evaluations based on levels of confidentiality, integrity and availability (CIA):
Phase 5—Prepare an Inventory of Information Assets to Protect, and Rank Assets According to Risk Classification Based on Risk Assessment
The company needs to create a list of information assets to be protected. The risk associated with assets, along with the owners, location, criticality and replacement value of assets, should be identified. Information regarding the grouping of assets, data classification documents and asset inventory documents will be useful. Following are suggested steps:
Once the assessment is completed, the information assets that have intolerable risk and, therefore, require controls will be identified. At that time, a document (sometimes referred to as a risk assessment report) that indicates the risk value for each asset is created.
Phase 6—Manage the Risks, and Create a Risk Treatment Plan
To control the impact associated with risk, the organization must accept, avoid, transfer or reduce the risk to an acceptable level using risk-mitigating controls. The next stage is performing the gap analysis with the controls provided in the standard (refer to Annex A of ISO/IEC 27001 or to ISO/IEC 27002) to create a risk treatment plan (RTP) and a statement of applicability (SOA). It is important to obtain management approval of the proposed residual risks.
The RTP (figure 5) provides:
The SOA documents the control objectives (figure 6), the controls selected from Annex A, and the justification for adopting or not adopting the control.
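The risk assessment, asset ranking and treatment steps of Phases 4 to 6, worked through as an added example that is not from the article: because the standard prescribes no method, the 1-to-3 CIA and likelihood scales, the "highest impact times likelihood" scoring rule, the acceptance level of 4, and all asset and control names are constructed assumptions, not Annex A controls.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    owner: str
    cia: tuple           # (confidentiality, integrity, availability) impact, each 1 (low) to 3 (high)
    likelihood: int      # likelihood of compromise, 1 (rare) to 3 (likely)
    controls: list = field(default_factory=list)  # (control name, likelihood reduction) pairs

def risk_value(cia, likelihood):
    """Assumed scoring rule: highest CIA impact times likelihood, range 1 to 9."""
    return max(cia) * likelihood

def assessment_report(assets):
    """Phase 5 output: (asset, owner, risk value) rows, highest risk first."""
    rows = [(x.name, x.owner, risk_value(x.cia, x.likelihood)) for x in assets]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

def treatment_plan(assets, acceptable):
    """Phase 6 RTP: (treatment, inherent, residual) per asset; residual is the risk left after controls."""
    plan = {}
    for x in assets:
        inherent = risk_value(x.cia, x.likelihood)
        residual = risk_value(x.cia, max(1, x.likelihood - sum(cut for _, cut in x.controls)))
        if inherent <= acceptable:
            plan[x.name] = ("accept", inherent, inherent)
        else:
            plan[x.name] = ("reduce" if x.controls else "unresolved", inherent, residual)
    return plan

def residual_for_approval(plan, acceptable):
    """Residual risks still above appetite must go to management for explicit approval."""
    return sorted(name for name, (_, _, residual) in plan.items() if residual > acceptable)

def statement_of_applicability(assets, catalogue):
    """SOA: every catalogue control marked selected or excluded, with its justification."""
    uses = {ctl: sorted(x.name for x in assets if ctl in dict(x.controls)) for ctl in catalogue}
    return {ctl: ("selected", "treats risk on " + ", ".join(names)) if names
            else ("excluded", "no in-scope asset with intolerable risk needs it") for ctl, names in uses.items()}

# Constructed sample inventory and control catalogue (not from the article or from Annex A).
ASSETS = [
    Asset("customer_db", "DBA team", (3, 3, 2), 3, [("disk encryption", 1), ("access review", 1)]),
    Asset("payment_gateway", "Payments", (3, 3, 3), 2, [("offsite backup", 1)]),
    Asset("hr_file_share", "HR", (3, 2, 1), 2),
    Asset("public_website", "Marketing", (1, 2, 2), 2),
]
CATALOGUE = ["disk encryption", "access review", "offsite backup", "network segmentation"]
ACCEPTABLE_RISK = 4  # assumed risk appetite agreed with management
```

The unresolved hr_file_share entry is what the management approval step in Phase 6 exists for: its residual risk stays above appetite until a control is selected or the risk is formally accepted, avoided or transferred.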
Phase 7—Set Up Policies and Procedures to Control Risks
For the controls adopted, as shown in the SOA, the organization will need statements of policy or a detailed procedure and responsibility document (figure 7) to identify user roles for consistent and effective implementation of policies and procedures.
Documentation of policies and procedures is a requirement of ISO/IEC 27001. The list of applicable policies and procedures depends on the organization’s structure, locations and assets.
Phase 8—Allocate Resources, and Train the Staff
The ISMS process highlights one of the important commitments for management: sufficient resources to manage, develop, maintain and implement the ISMS. It is essential to document the training for audit.
Phase 9—Monitor the Implementation of the ISMS
The periodic internal audit is a must for monitoring and review. Internal audit review consists of testing of controls and identifying corrective/preventive actions. To complete the PDCA cycle, the gaps identified in the internal audit must be addressed by identifying the corrective and preventive controls needed and assessing the company’s compliance through a gap analysis.
To be effective, the ISMS needs to be reviewed by management at periodic, planned intervals. The review follows changes/improvements to policies, procedures, controls and staffing decisions. This important step in the process is project management review. The results of audits and periodic reviews are documented and maintained.
Phase 10—Prepare for the Certification Audit
In order for the organization to be certified, it is essential that it conduct a full cycle of internal audits, management reviews and activities in the PDCA process, and that it retains evidence of the responses taken as a result of those reviews and audits. ISMS management should review risk assessments, the RTP, the SOA, and policies and procedures at least annually.
An external auditor will first examine the ISMS documents to determine the scope and content of the ISMS. The objective of the review and audit is to have sufficient evidence and review/audit documents sent to an auditor for review. The evidence and documents will demonstrate the efficiency and effectiveness of the implemented ISMS in the organization and its business units.
Phase 11—Conduct Periodic Reassessment Audits
Follow-up reviews or periodic audits confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic reassessment audits to confirm that the ISMS continues to operate as specified and intended. As with any other ISO standard, ISO 27001 follows the PDCA cycle and assists ISMS management in knowing how far and how well the enterprise has progressed along this cycle. This directly influences the time and cost estimates related to achieving compliance.
The true success of ISO 27001 is its alignment with the business objectives and effectiveness in realizing those objectives. IT and other departments play an important role in implementing ISO 27001. Implementing ISO 27001 is an exercise toward better understanding an existing inventory of IT initiatives, information availability and ISMS implementation phases. An organization also needs to have the detailed understanding of PDCA implementation phases.
Without a well-defined and well-developed ISO 27001 project plan, implementing ISO 27001 would be a time- and cost-consuming exercise. To achieve the planned return on investment (ROI), the implementation plan has to be developed with an end goal in mind. Training and internal audit are major parts of ISO 27001 implementation.
ISO 27001 certification should help assure most business partners of an organization’s status with respect to information security without the necessity of conducting their own security reviews. An organization would choose to be certified against the ISO 27001 standard to provide confidence to their customer base and partners.
This article contains general information only, and Professional Consultant and the author are not, by means of this article, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action that may affect the business, consult a qualified professional advisor. Professional Consultant, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this article.
The author would like to thank Mary Holloway for her assistance.
[1] The ISO 27000 Directory, “The ISO 27001 Certification Process,” www.27000.org/ismsprocess.htm
[2] The ISO 27000 Directory, “Introduction to ISO 27002,” www.27000.org/iso-27002.htm
[3] ISO 27001 Security, “ISO/IEC 27001,” www.iso27001security.com/html/27001.html
[4] Perera, Daminda, “ISO/IEC 27001 Information Security Management System,” 26 July 2008, www.daminda.com/downloads/ISO27001.pdf
[5] Activa Consulting, “ISO 27001—Likely Costs,” www.iso-27001.co.uk/iso_27001_project_costs.htm
[6] Schwartz, Mark S.; Thomas W. Dunfee; Michael J. Kline; “Tone at the Top: An Ethics Code for Directors?,” Journal of Business Ethics, vol. 58, 2005
Charu Pelnekar, CISA, CISM, ACA, AICWA, BCOM, CISSP, CPA, MCSE, QSA, is a director with Professional Consultant, a consulting firm. He has skills in business and technology consulting, as well as experience with audits and risk management, process reengineering, and business management. Since 1993, he has worked in an advisory role with national and international corporations across various industries. He served as vice president, in 2007–2008, and as membership director, in 2006–2007, of the ISACA Austin (Texas, USA) Chapter. He can be contacted at email@example.com.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.