Alan Calder on IT Governance, information security & ISO 27001

One of the key problems faced by organisations that want to comply with the Data Protection Act is that the DPA doesn’t contain any detailed guidance on compliance – in essence, it is just a set of 8 principles. And the worst principle from a compliance perspective is Principle 7, which requires organisations to make appropriate technical and administrative arrangements to protect personal information. What is appropriate? And how would you prove it? For some years, ISO/IEC 27001 certification has been the most effective way of demonstrating DPA compliance, but the read across between the two standards is not that precise.

BS10012 (Data Protection: Specification for a Personal Information Management System), on the other hand, is a standard that is specifically written to meet DPA compliance needs. It is written as a specification (in other words, audits can be conducted against the standard and there is talk of a certification scheme) and it deals specifically and completely with the requirements of the DPA. It has just been published and every organisation that has personal information to protect should

1. Buy a copy, and compare actual practices with those described in the standard and,
2. Consider improving actual practices so that they conform to those described in the standard.

Here’s a link where you can get your own copy: http://www.itgovernance.co.uk/products/2542

It is certainly true that most of those involved in the creation of IT standards are from large organisations. It is also true – as Steve Burrows says – that it can be challenging for an SME to implement a standard such as the ISMS standard, ISO/IEC 27001, for information security management.

However, all standards are explicitly designed for organisations of all sizes. ISO/IEC 27001, for instance, is clear that its requirements should be implemented in a way that is appropriate for the organisation; certainly the selection of controls will be driven by a risk assessment and, if the management of an SME has a high appetite for risk, it won’t find itself selecting many controls.

The reality is that all organisations are subject to similar types of risks; an impact (like the loss of a server for a week) that could severely disrupt an SME might not even bother a larger, multinational organisation. Organisations need to select and implement controls that will protect them from impacts they wish to avoid – and the management system they put in place will be very similar to that put in place by a much larger organisation to manage much larger impacts.

The issue isn’t really the IT standards; the real issue is the resources that SMEs have available to tackle them. Few SMEs will have the capability to plan and carry out an appropriate implementation of something like an ISMS – which, of course, is why we developed our FastTrack ISO27001 Implementation Service for organisations that have 19 employees or fewer, and why our classic consultancy service (with its 100% guarantee) is helping more and more SMEs implement appropriately scaled information security management systems that enable them to cost-effectively meet customer compliance requirements and to challenge larger competitors in their space.