Archive for the ‘Disaster Recovery’ Category

ITG 5 (IT Governance: a Manager’s Guide – 5th Edition) completed!

Friday, November 11th, 2011

At the end of October, we submitted the manuscript of the 5th Edition of our best-selling book on implementing an ISO27001 Information Security Management System (ISMS) to our external publisher, Kogan Page. It should be in bookshops across the world in Spring 2012.

This 5th Edition is completely updated and combines the content of International IT Governance, the version of the book that we produced for the North American market, with that of IT Governance. This means that there will now be a single edition, with coverage of IT governance, legal, security and compliance issues in the UK and in North America, as well as in Europe and elsewhere across the world.

We’ve obviously also updated all the technology content of the book, and have included the most recent information about Advanced Persistent Threats, attack vectors, cyber crime standards, the cyber resilience agenda, social media governance, PCI DSS and, of course, cloud computing.

While the core standards, ISO/IEC 27001 and ISO/IEC 27002, have not yet been updated from the versions published in 2005, a whole family of ISO27000 standards has been created and is being published with great regularity. Our new book incorporates material from a number of these standards and places them in their broader implementation context.

While working on the book, I came across a growing number of surveys and reports in which the link between increased expenditure on information security and a reduced incidence of cyber breaches (and, therefore, reduced financial and business impairment) is clear.  It has always been obvious to us that, in an insecure neighbourhood – and the Internet is a deeply insecure environment – it is simply good sense to lock the doors, alarm the house and secure one’s valuable assets.

The growing number of organisations certificated to ISO27001 (many of which have taken advantage of our range of certificated ISO27001 training courses to prepare themselves) contributes to greater information security awareness amongst users of digital assets. We hope that the 5th edition of IT Governance: a Manager’s Guide will help many more organisations around the world make the first step toward better digital self-preservation.

Pre-hack backups

Friday, June 24th, 2011

Among the most common errors of judgement that I see from company directors is the failure to carry out regular and detailed reviews of their business continuity arrangements. For most boards, the whole discussion is boring. It becomes even more boring when the discussion has to work its way through identification of critical systems and processes, determination of Minimum Tolerable Periods of Disruption and Recovery Time Objectives, as well as identifying threats and vulnerabilities and estimating likelihoods and impacts of external events that might unacceptably disrupt key processes.

Inactions have consequences. DistributeIT.com.au ceased to exist as an independent business because it hadn’t identified the possible impact of a devastating hack attack: it didn’t have adequate offsite backups for the 4,800 websites it hosted.  And that’s what business continuity plans are for: to ensure that, as an organisation, you can survive when something terrible happens. You would have thought that an IT company would understand the importance of backups but, again, my experience is that most organisations never actually think through the circumstances in which they might have to recover from their backups and they are therefore never prepared when disaster strikes.
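
A restore drill is the practical counterpart to the point above: the only way to know whether an offsite backup will actually bring a site back is to restore it somewhere clean and check what came back. The following is an added example, not code from the original post or from Distribute.IT. It backs up a constructed sample web site into a tar archive with a SHA-256 manifest, copies both to a directory standing in for offsite storage, restores from that copy into an empty directory and verifies every file against the manifest, then repeats the restore after the offsite archive has been silently damaged. The archive and manifest format, the sample files, the directory names and the 60-second RTO are all assumptions made for the demonstration.

```python
"""Offsite backup restore drill (added example; all sample data is constructed).
A tar archive plus SHA-256 manifest is copied to a stand-in 'offsite' directory,
restored into a clean directory and verified file by file against the manifest."""
import hashlib
import io
import json
import os
import shutil
import tarfile
import tempfile
import time

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(src_dir):
    """Relative path (with '/' separators) -> SHA-256 for every file under src_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), src_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(os.path.join(root, name))
    return manifest

def create_backup(src_dir, backup_dir, label):
    """Write <label>.tar and <label>.manifest.json into backup_dir; return both paths."""
    os.makedirs(backup_dir, exist_ok=True)
    archive = os.path.join(backup_dir, label + ".tar")
    manifest_path = os.path.join(backup_dir, label + ".manifest.json")
    manifest = build_manifest(src_dir)
    with tarfile.open(archive, "w") as tar:
        for rel in manifest:
            tar.add(os.path.join(src_dir, *rel.split("/")), arcname=rel)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return archive, manifest_path

def restore_and_verify(archive, manifest_path, restore_dir, rto_seconds):
    """Extract the archive into restore_dir and check every file against the manifest."""
    start = time.monotonic()
    os.makedirs(restore_dir, exist_ok=True)
    # The 'data' filter (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4)
    # rejects members that would escape restore_dir; older versions get no filter.
    extract_args = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r") as tar:
        tar.extractall(restore_dir, **extract_args)
    with open(manifest_path) as f:
        expected = json.load(f)
    missing, mismatched = [], []
    for rel, digest in sorted(expected.items()):
        path = os.path.join(restore_dir, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            mismatched.append(rel)
    elapsed = time.monotonic() - start
    return {"files_expected": len(expected), "missing": missing, "mismatched": mismatched,
            "ok": not missing and not mismatched, "elapsed_seconds": elapsed,
            "meets_rto": elapsed <= rto_seconds}

def corrupt_archive_member(archive, member_name, new_bytes):
    """Rewrite one member in place, simulating a backup silently damaged in storage."""
    tmp = archive + ".tmp"
    with tarfile.open(archive, "r") as src, tarfile.open(tmp, "w") as dst:
        for member in src.getmembers():
            if member.isfile() and member.name == member_name:
                info = tarfile.TarInfo(member.name)
                info.size = len(new_bytes)
                dst.addfile(info, io.BytesIO(new_bytes))
            else:
                dst.addfile(member, src.extractfile(member) if member.isfile() else None)
    os.replace(tmp, archive)

def run_drill(rto_seconds=60):
    """Back up a constructed site, then run a clean restore and a damaged-archive restore."""
    work = tempfile.mkdtemp(prefix="restore-drill-")
    try:
        site = os.path.join(work, "site")  # constructed sample content, not a real site
        os.makedirs(os.path.join(site, "css"))
        with open(os.path.join(site, "index.html"), "w") as f:
            f.write("<h1>Constructed sample site</h1>\n")
        with open(os.path.join(site, "css", "site.css"), "w") as f:
            f.write("h1 { color: navy; }\n")
        with open(os.path.join(site, "orders.db"), "wb") as f:
            f.write(os.urandom(4096))
        archive, manifest = create_backup(site, os.path.join(work, "local"), "site-2011-06-24")
        offsite = os.path.join(work, "offsite")  # stand-in for real offsite storage
        os.makedirs(offsite)
        off_archive, off_manifest = [shutil.copy2(p, offsite) for p in (archive, manifest)]
        good = restore_and_verify(off_archive, off_manifest, os.path.join(work, "restore-1"), rto_seconds)
        corrupt_archive_member(off_archive, "orders.db", b"\x00" * 4096)
        bad = restore_and_verify(off_archive, off_manifest, os.path.join(work, "restore-2"), rto_seconds)
        return good, bad
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

Two design points matter in practice. The drill restores from the offsite copy rather than the local one, because in the scenario above the local copy is exactly what is gone. And a manifest kept beside the archive only detects accidental damage; an attacker who can write to the offsite store can rewrite both, so the manifest (or a signature over it) belongs somewhere the hosting environment cannot reach, and the drill should be run against a copy of the offsite media, never the only copy.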

The good news, of course, is that there are internationally recognised standards for business continuity management – BS25999 (shortly to be ISO22301) and ISO/IEC 27031 – and there are Business Continuity Management Toolkits to help you with a BCM implementation – but there is no substitute for directors paying attention to what is going on in the risk world around us, and taking appropriate action to survive the unexpected. Right now, of course, being hacked is one of the more likely things to happen - so there really isn’t an excuse for being caught napping on this one!

Business Continuity for Small Firms

Tuesday, June 7th, 2011

‘Nearly 1 in 5 businesses suffer a major disruption every year – and only 28% of them had any form of continuity plan’ – reports Adam Bernstein, who continues, in Business Continuity: the small firm view, to provide good, sound advice to small firms on how they should plan and prepare for their own business continuity challenge.

There are two additional things you should do: the first is to write down all the steps that you’ve worked out, together with contact details and critical information such as bank contacts and insurance policy numbers, and the second is to keep a copy of the business continuity plan somewhere away from your business, where you can access it when you need it but where it won’t be compromised if your office is not accessible.

The best place to write this stuff down is in a business continuity plan – and the inexpensive Business Continuity Toolkit (just £27.95) that you can download from our website is just the tool for that.

Business Continuity Planning and BS25999

Thursday, February 28th, 2008

I came across an interesting post on Ireland’s Security Watch blog making the topical connection between bird flu scares and business continuity planning. It rightly points out that a disaster can strike from unlikely sources when you least expect it.

BCP is a very topical subject generally, given the recent introduction of the BS25999 standard. This finally provides a way for organisations to PROVE that they have a robust plan in place to ensure that their business can withstand adverse events. With our increasingly global and interdependent supply chains, more and more organisations are coming under pressure to reassure their major customers and business partners that they are a safe bet.

To help organisations get to grips with the new Standard and the competitive advantage that being certificated represents, we have just published several new books:

* We have brought out a second edition of Disaster Recovery & Business Continuity, a quick guide for small organisations and busy executives. This is based on last year’s successful book but updated to reflect the particular requirements of the new BS25999 Standard.
* For people needing a quick introductory overview of business continuity management we have launched a new BS25999 Pocket Guide. This sets out all the key facts and is a great tool for organisations that are implementing, or set to implement, a business continuity plan and management system. If you need to share practical knowledge between many project team members this is also a very cost effective way of doing it.
* Lastly, to support the take-up of the new Standard we have launched Business Continuity and BS25999: A Combined Glossary. No previous glossary has adequately addressed the full range of terms likely to be useful to a business continuity practitioner. In this book, we have drawn not only from BS25999 but also a wide range of related standards and frameworks, including ITIL and ISO27001, to create a standardised set of terms that should enable professionals to conduct global conversations based on a shared understanding.

Quick study disaster recovery guide

Monday, March 12th, 2007

One of the most worrying things I encounter time and again is how seldom growing businesses have proper disaster recovery plans in place. Statistically, few businesses that suffer a major data loss or business interruption survive for more than a year afterwards, and small businesses are the most vulnerable as they simply don’t have the resources to bounce back.

The issue for business owners, and also senior executives from larger enterprises, is usually a lack of time to learn about the subject from scratch. People know it is important, but as they don’t know where to start they procrastinate – which is fine until one morning their business is on the line.

I’m pleased to say that we have just launched a new book that I really believe could come to the rescue of such companies. ‘Disaster Recovery & Business Continuity’ is written specifically as a quick guide for small businesses and time-poor executives who need to master the key facts in a hurry. It summarises best practice in a clear and jargon-free manner, meaning that readers can quickly get the right measures implemented in their own business.

Each of its 16 chapters is written in a Question & Answer format with real world examples providing helpful illustration throughout. Further resources are provided in the appendices, including templates, checklists and information on training. The book’s contents are applicable to organisations based anywhere in the world.

The book is priced at just £29.95/US$59.25/€44.52 and is available online here and in leading bookshops. It is considerably cheaper than a full scale business interruption, so there can be no excuses for not getting your house in order at last!

Disaster planning still lags behind

Wednesday, December 13th, 2006

The British Standards Institution (BSI) has found a significant improvement in companies’ business continuity planning in the past 12 months. However, of the 100 FTSE-250 firms interviewed, “Only 45% … had comprehensive plans in place for a supply chain failure, and 21% of companies said they required all suppliers to have business continuity plans in place.”

Nobody should kid themselves that this can remain the case: any company is potentially vulnerable to a continuity failure if a supplier lets it down. For that reason, expect to see suppliers increasingly called upon to prove that they have measures in place to ensure their dependability. This will be one of the main drivers for the growth of ISO 27001 certification in the next five years. Companies that have it will prosper; companies that don’t will get left behind.

Contingency planning is a governance responsibility

Friday, December 16th, 2005

Buncefield, as Grainne Gilmore makes clear in a Times article today, is a wake-up call for all those businesses – large and small – that don’t already have fully thought-through and tested business continuity, disaster recovery and contingency plans.

Directors and top management are responsible for the survival of their businesses. Identifying and planning to deal with the full range of potential risks is a fundamental part of that responsibility.

It’s too late to start preparing when disaster strikes – today, when nothing looks as though it’s about to happen, is the best time to start. And our business continuity web page is the best place to make that start.