Archive for August, 2006

ISO 27001 and competitive advantage

Thursday, August 31st, 2006

I sat in, a few days ago, on a client interview with a network services provider. They were looking to finalise their choice of a company to support their substantial small network, of about 500 PCs. The provider’s offering was based on a primarily offsite, remote monitoring and response service; clearly, they expected to patch directly into the servers in our client’s data centre.
So I asked them to tell us a bit about how they managed information security. They have very good firewalls and anti-everything software, they told me, and they were very secure. ‘That’s cool,’ says I, ‘but I’m interested in your overall management system. Are you, for instance, certificated against any international standards for information security management?’
There was a short silence.
Then their senior manager present said: ‘Sure, although I don’t remember specifically which. BS15000, or something, I think.’
‘Hmm,’ says I, ‘BS15000 is the now withdrawn British Standard for IT Service Management. It does have an information security aspect to it, but it’s not an information security management standard per se.’
‘Oh, it is,’ says he.
‘Well,’ says I, ‘can I suggest that you check, when you get back to the office, as to what standard you’re certificated against, whether or not your certification is still valid, and what the scope of the standard is?’
We got a telephone call from them today.
‘It is actually BS7799-2. We’re about to re-certificate to the international version of the standard, ISO27001. It is about IT Security, as I said, and the scope of the system is the Head Office IT services.’
‘So your network service centre is outside the scope of your Information Security Management System, is it?’
‘Um, it appears that way, but our security is still very good.’
I explained that our client was in the process of implementing a management system that would meet the requirements of the standard and that ISO27001 certification was therefore a pre-requisite for any suppliers seeking remote access privileges.
He rang off.
So I didn’t need to tell him that our client had decided, immediately after the meeting, that there would be little point in further considering a supplier who so clearly couldn’t respond to such an obvious security concern from a potential client.
Just one example of how ISO 27001 certification – with an appropriate scope – could have helped a client win a substantial new contract – although they would have had to ensure their new business teams knew what was going on!

ITIL (v3) – ITIL Refresh – Integration not alignment

Wednesday, August 23rd, 2006

A recent statement by Aidan Lawes, CEO of the itSMF, had him expressing a belief that ITIL should be about integration – rather than alignment – with the business, and that there are now only business processes. That’s completely right – and there is a key point there for all IT governance practitioners – even for CobiT!

UK Prison terms for personal data abuse

Friday, August 18th, 2006

Now’s a good opportunity to add your views to the consultation around handing out prison terms to employees who knowingly breach the Data Protection Act – remembering that, while strengthening the law is probably a good idea, the absence of adequate resources for investigating possible breaches and pursuing and then prosecuting those who break the law will simply create yet more red tape for those companies who behave properly anyway, without doing anything meaningful to reduce data abuse.