I have people ask me all the time about security assessments, benchmarking their security program, what the best framework is, etc. I usually point them to ISO 27001 as framework to benchmark and measure their information security program. ISO 27001 is commonplace in Europe, especially in the B2B commerce space and an ISO2 7001 Certification is often required as a minimum requirement to conduct business. In the U.S., ISO 27001 is used primarily as a mechanism to measure and benchmark an information security program, and will often only seek an ISO 27001 Certification if the U.S. Business is transacting with a European Business. The great thing about ISO 27001 when deployed properly can enable an information security program by leveling up security efforts from an IT-centric view to a business-pervasive Information Security view. In other words, it can be a differentiator between an IT security program and an Information Security Program.
If you are not currently aligned with ISO 27001, here are seven reasons why ISO 27001 will enable your information security program:
1. Up-level security efforts from IT security to information security. I often hear of IT security departments trying to expand their program to include other departments such as legal, finance, HR, facilities, etc. (i.e., they are looking to build an Information security program not only an IT security program). If your company has bought into ISO 27001, and you scope your project appropriately, this will be a good catalyst to start the conversations with other non-IT business units as you need their participation to conduct an ISO 27001 implementation.
2. Security awareness for business teams. Along the same lines as #1 above, starting to discuss where information is stored, processed, and transmitted with other business units, the risks that current information management practices poses, and collaboratively discussing remediation security controls will drive behavioral awareness in your business. Security awareness will begin to occur when your business peers begin to understand impacts and risks of certain behaviors, and in time, they will self-select the correct security behaviors.
3. Your program is explicitly under management control. A great thing about ISO 27001 is you have to be very purposeful about scope of your implementation, whether you choose a geography, data center, or systems supporting a business unit, ISO 27001 will force you to be purposeful about scope. Additionally, once your implementation is complete you will have controls in place to prevent the sprawl of information assets, or configuration drift of systems.
4. Establish a common definition. This may be the most powerful benefit of an ISO 27001 implementation. Since you’ll be talking with business peers (many of them non-technical), you’ll have to define and educate them about definitions of a “vulnerability”, “high risk” versus “low risk”, and topics such as “system access models”. For most of our business peers these terms are foreign and if you teach them a new language you can communicate more dynamically.
5. Establish a security risk tolerance. Part of an ISO 27001 assessment requires you to document and classify risk related to where information assets are stored, processed, transmitted, and the people involved in the process. This should be a collaborative exercise and you should seek buy-in from your business peers to make sure you contextually understand the business risk. For risks deemed to be of importance, you might subsequently craft security controls to mitigate risk. In this process, you’ll invoke some great conversations about risk and how much risk is appropriate and therefore establishing a risk tolerance for your organization.
6. Accelerates your security architecture efforts. I often see organizations trying to implement security architecture programs without a formal set of security controls they are trying to adhere to. Instead, they have security technology and they work within the parameters and functionality of that specific technology. After you’ve completed your ISO 27001 implementation, you’ll know you controls that you need to adhere to and what risks they actually mitigate or what compliance objective they achieve. You can purposefully use these controls to create a security service catalog and plug these controls into an enterprise architecture framework such as TOGAF or a security architecture framework such as SQUARE.
7. Ability to benchmark your information security program. Given that ISO 27001 is vast in its coverage, it forces you to consider many different areas of your business and presence of security controls in those areas. ISO 27001 will help you organize your assessment efforts through use of controls listed in ISO 27001, and there’s opportunity to expand the detailed controls with use of ISO 27002. With this gap assessment coupled with an assessment of risk you’ll have a robust platform which to develop a security roadmap and strategy.
For security programs trying to get a better foot hold in your organization, trying to up-level security presence from IT to include other business units or generally trying to be more purposeful and controlled in the management of your program, I recommend checking out ISO 27001 as a mechanism to jump-start your security program.