Posts Tagged ‘BS 7799’

BS7799/ISO17799 are tough…

Monday, February 7th, 2005

BS7799/ISO17799 are big standards, as anyone who has ever successfully implemented an ISMS can attest. Updating my book to take account of the new standard, and putting together a tool to help people migrate from the 2000 version to the forthcoming 2005 version, drove home to me just how tough certification really is. And, while the revised version of 17799 brings the standard right up to date, and makes a number of useful improvements, I’m not convinced that it makes the process any more straightforward.

In fact, if anything, it makes the process tougher, not least because it now cross-refers to a number of other, supporting (but not mandatory) standards, as well as shifting business continuity and disaster recovery management out of the standard, leaving behind only the information security aspects of both. Large organizations usually have the resources to tackle 17799; smaller ones don’t. The revised standard is not going to make it easier – smaller organizations really need a 17799-lite – one that clearly differentiates between what is essential (e.g. vulnerability management) and what is relevant only to certain types of companies (e.g. software development).

Until that happens, it’s going to be incumbent on consultants to help smaller companies find the simple ways of benefitting from the guidance in the standard, and achieving certification as well. If we can’t do that, the standard will survive only as something for larger organizations – which means it won’t survive in the form we know it today.

What is IT Governance? (2)

Tuesday, November 9th, 2004

When my book on IT Governance was first published two and a half years ago, it stood on its own. IT Governance Ltd and www.itgovernance.co.uk were likewise the only ones of their kind. There has, since then, been a proliferation of articles, companies and websites professing to be about IT Governance. When you scratch the surface of most of them, you find they are selling a specific product or service that may (or may not) have a governance role; they are not providing services to help organisations develop, implement or improve their IT governance postures. I might have been partly to blame, I guess, as my book was largely about achieving BS 7799; at the time, I thought (and still do) that information security was the most pressing IT governance issue. However, the agenda is changing and I will be extending coverage of the broader IT Governance issues in the third edition (an up-to-the-minute combined hard copy/online version), due out next year.

Using the concept of “IT Governance” to peddle software or other “solutions” does our clients no favours: legal compliance software is no more an IT Governance solution than an anti-virus package is an information security management system. When a client purchases something that deals with one part only of a whole spectrum of issues – but believes that it is the entire solution – they are blinded to other threats and vulnerabilities – some of which may have the potential to do more damage than the one they have just patched. Vendor transparency is, I believe, essential for providers of governance solutions; we must be able to say clearly: “We do this, and this – but not that or that – although we will refer you to others who can fill the gaps…” That way, we can each build long lasting client relationships – not least because we will have helped ensure that our clients are around for the long term!

Is BS 7799 certification a good thing or a bad thing?

Thursday, November 4th, 2004

Often – far too often – people say to me: “We’re doing BS 7799 but we’re not going for BS 7799 certification – we’re just going to pick and choose what we need from the standard. After all, it’s just a badge on the wall, and we don’t really need another one of those.”

Rubbish.

There are two good reasons for certification. First, management are more likely to focus on effective implementation if they are signed up to certification as a key challenge – we all know that information security change programmes that don’t have management’s full support are usually doomed to failure. Second, certification keeps everyone honest – when you know there’s someone coming from outside on a regular basis to take a hard, objective look at your management system, there’s no room for the “we’re not quite going to apply those criteria” back-sliding to take place.

If an organisation is going to the trouble of designing and implementing an ISMS to systematically reflect best practice, then you might as well reflect best practice – which includes achieving certification. After all, if your reputation depends on secure information, you really should secure it – shouldn’t you?