I have people ask me all the time about Security Assessments, benchmarking their Security Program, what the best framework is, etc. I usually point them to ISO27001 as a framework to benchmark and measure their Information Security Program. ISO27001 is commonplace in Europe, especially in the Business-to-Business Commerce space, and an ISO27001 Certification is often a minimum requirement to conduct business. In the US, ISO27001 is used primarily as a mechanism to measure and benchmark an Information Security Program, and a US business will often only seek an ISO27001 certification if it is transacting with a European business. The great thing about ISO27001 is that, when deployed properly, it can enable an Information Security Program by upleveling Security efforts from an IT-centric view to a business-pervasive Information Security view. In other words, it can be the differentiator between an IT Security program and an Information Security Program.
If you are not aligning with ISO27001, here are 7 reasons why ISO27001 will enable your Information Security Program:
1. Uplevel security efforts from IT Security to Information Security. I often hear of IT Security Departments trying to expand their program to include other departments such as Legal, Finance, HR, Facilities, etc. (i.e. they are looking to build an Information Security Program, not only an IT Security Program). If your company is bought into ISO27001, and you scope your project appropriately, this will be a good catalyst to start the conversations with other non-IT Business Units, as you need their participation to conduct an ISO27001 Implementation.
2. Security Awareness for the business teams. Along the same lines as #1 above, starting to discuss with other Business Units where information is stored, processed, and transmitted, the risks that current information management practices pose, and collaboratively discussing remediation security controls will drive behavioral awareness in your business. Security Awareness will begin to occur when your business peers begin to understand the impacts and risks of certain behaviors, and in time, they will self-select the correct security behaviors.
3. Your program is explicitly under management control. A great thing about ISO27001 is that you have to be very purposeful about the scope of your implementation: whether you choose a geography, a data center, or the systems supporting a business unit, ISO27001 will force you to be purposeful about scope. Additionally, once your implementation is complete you will have controls in place to prevent the sprawl of information assets, or configuration drift of systems.
4. Establish a common definition. I think this is the most powerful benefit of an ISO27001 implementation. Since you’ll be talking with business peers (many of them non-technical), you’ll have to define and educate them on terms ranging from “vulnerability” and “high risk” versus “low risk” to topics such as “system access models”. For most of our business peers these terms are foreign, and if you teach them this new language you can communicate more effectively.
5. Establish a security risk tolerance. Part of an ISO27001 assessment requires you to document and classify risk related to where information assets are stored, processed, and transmitted, and to the people involved in the process. This should be a collaborative exercise, and you should seek buy-in from your business peers to make sure you contextually understand the business risk. For risks deemed to be of importance, you might subsequently craft Security Controls to mitigate the risk. In this process, you’ll invoke some great conversations about risk and how much risk is appropriate, thereby establishing a risk tolerance for your organization.
6. Accelerates your Security Architecture efforts. I often see organizations trying to implement Security Architecture programs without a formal set of Security Controls they are trying to adhere to. Instead, they have Security Technology and they work within the parameters and functionality of that specific Security Technology. After you’ve completed your ISO27001 Implementation, you’ll know the controls that you need to adhere to and what risks they actually mitigate or what compliance objective they achieve. You can purposefully use these controls to create a security service catalog and plug these controls into an enterprise architecture framework such as TOGAF or a Security Architecture Framework such as SQUARE.
7. Ability to benchmark your Information Security Program. Given that ISO27001 is vast in its coverage, it forces you to consider many different areas of your business and the presence of Security Controls in those areas. ISO27001 will help you organize your assessment efforts through use of the controls listed in ISO27001, and there’s opportunity to expand the detailed controls with use of ISO27002. With this gap assessment coupled with an assessment of risk, you’ll have a robust platform from which to develop a Security Roadmap and Strategy.
For Security Programs trying to get a better foothold in their organization, trying to up-level Security presence from IT to include other business units, or generally trying to be more purposeful and controlled in the management of the program, I recommend checking out ISO27001 as a mechanism to jump-start your Security Program.