ISO 27001: Flexible Security for Everyone
Security has been an issue since the beginning of computing, and today it’s harder than ever to protect your business from the risks of breaches and reputation damage. To help organisations orient their security efforts towards a more consistent and robust defensive outcome, standards emerged in the mid-'90s that laid the foundation for today’s plethora of guidelines, frameworks, standards and benchmarks. British Standard (BS) 7799 was first published in 1995 and was written by the UK’s Department of Trade and Industry (DTI) to offer security guidance and best practices for UK organisations (government and private sector). BS 7799 evolved through several iterations, was eventually taken over by ISO, and became the inaugural publication in the ISO 27000 series of standards for information security. The full name of this standard is ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements. From its name you can see that it focuses on a specific kind of business system known as an Information Security Management System (ISMS).
Nowadays, ISO 27001 is used by organisations all over the world, of any size and in any industry, to embed good security practices within their operating model. The standard provides companies with the necessary guidance on how to protect their most valuable assets (information and systems) and allows them to get certified, proving to their customers and partners that they are protecting their data and reputation with robust systems and technology.
Why do you need an ISMS?
The basic goal of ISO 27001 is to uphold the confidentiality, integrity and availability (CIA) of information and systems. These attributes apply to most assets an organisation needs to protect, and are described as follows:
- Confidentiality: only authorised persons have the right to access the information.
- Integrity: only authorised persons can change the information.
- Availability: the information must be accessible to authorised persons whenever it is needed.
The ISMS is delivered as a set of documented processes, procedures and registers that capture the rules your company uses to maintain CIA by doing the following:
- Identifying stakeholders and their expectations of the company in terms of information security
- Identifying any security risks you currently need to manage
- Defining security controls and mitigation strategies to meet your objectives
- Setting clear security target states for people, processes, and technical controls
- Implementing controls and other risk treatment methods
- Continuously measuring and monitoring controls and remediating any issues
- Continuously improving your security posture to make the ISMS more effective
The ISMS becomes the business management system for security within your organisation’s overall Quality Management System (in the same way that ISO 9001 defines the target state for quality) and takes the form of written policies, procedures, and other types of documents, such as spreadsheet registers, officially recorded governance meetings, and operational reports. ISO 27001 defines which documents are needed for compliance, which in turn tells you which ones will be scrutinised by an auditor should the business require certification.
Compliance – a Goal for all Businesses
Complying with legal requirements is something every business needs to do. In Australia, we see an ever-increasing raft of laws, regulations, and contractual requirements related to cyber security, and it may seem like every industry and every sector has a different approach. However, the goals are always the same, no matter how you are expected to construct your security approach. What’s great about ISO 27001 is that it doesn’t tell you how to achieve the outcome; rather, it provides the target state for each control and lets you flexibly design how you deliver it. For a pure ISO 27001 implementation, ISO offers ISO 27002 as a detailed list of controls you can implement to achieve ISO 27001 compliance. However, if you work in finance, then you have APRA’s requirements to meet, while a credit card processing company needs to adhere to PCI-DSS. Federal Government agencies need to follow ACSC’s guidelines, while state governments are now pushing their own sets of compliance goals. Changes in the recent Australian Cyber Security Strategy also foreshadow new legislation that will place more requirements on critical infrastructure and on its service providers. In each case, a different set of controls is imposed.
The good news is that every one of these sets of security control objectives can be mapped to ISO 27001, and you can build a single ISMS that delivers them all. That way, even if the target state is harder to achieve in terms of technical implementation, you have the business systems in place to gain a security accreditation that proves you are following best practice. What we are seeing in CXO Security is that while all these other practices are emerging per industry, ISO 27001 remains a common goal that satisfies them all.
We are now seeing that organisations that achieve compliance are gaining a competitive advantage when tendering for work. ISO 27001 is helping government departments both implement and maintain compliance against their goals of the Essential Eight and the ACSC’s Information Security Manual (ISM). In the end, while it will cost some money to set up, ISO 27001 will lower your operating costs over time, especially as it reduces the likelihood of being breached and provides assurance to your insurance company that you have done what you can to protect yourself against attacks. And if you are breached, they cannot refuse to pay out on the grounds that you failed in your duty of care.
ISO 27001 is the most flexible security standard around today. It allows you to deliver whatever control framework makes sense to the sector or industry you work in and provides a consistent way to report on security progress both internally and externally to regulators and auditors.
The other great thing about ISO 27001 is that you only implement the controls you actually need. You have the flexibility to justify why some controls are not applicable, and you can choose to implement some with processes and others with technology. No two implementations are the same, but the outcomes are consistent. Therefore ISO 27001 remains the best standard for organisations to adopt, irrespective of their ultimate goals, because it allows you to prove your compliance through certification.