Posts Tagged ‘ISO 17799’

A one-stop-shop for the U.S.

Monday, June 4th, 2007

Businesses and organisations operating within the United States face particular challenges when it comes to regulatory demands. This is keenly felt in the area of information security, where it is necessary to satisfy a complex web of regulations. ISO 27001 is something of a magic bullet for many of these demands, and the US has seen rapidly building interest in the new standard. To meet the need for information on this topic we have just launched www.27001.com, a new website that is specifically tailored to the United States and provides a one-stop-shop for all the key ISO27001/ISO17799 standards, books and tools currently available.

Through www.27001.com organisations can find out how an ISO27001 ISMS works with ISO17799 to help them meet their business needs for cost-effective information security, while at the same time meeting their information-related regulatory compliance objectives and preparing them for new and emerging regulations. US regulatory requirements currently addressed by the site include HIPAA, GLBA, SB 1386 and other State breach laws, PIPEDA, FISMA and EU Safe Harbor regulations.

We have aimed to make the site the Neiman Marcus of IT governance and security. It showcases the very best products and services currently available, including works by the most respected industry thinkers as well as uniquely focused products developed by us. Whether you need C-Suite guides to the regulatory landscape, or highly practical guides for project managers, it is all available in a single place.

Risk Assessment Explained

Monday, May 21st, 2007

Given the increasing desire of businesses to be certified to ISO27001, risk assessment has emerged as an important skill for the infosec professional. While it is well established in other fields, risk assessment is new to many in technology and has to be mastered. There are various approaches, but ISO 27001 has particular requirements, and compliance and certification can only be achieved if the right method is used. We have launched two new books to help different types of professional get the information they need in this area.

‘Risk Assessment For Asset Owners’ is a pocket guide aimed at people who need a quick overview of the facts. It is ideal for senior executives, people with peripheral involvement in a risk assessment, or those who need a clear and concise place to start. Over 48 pages it explains the risk assessment requirements of ISO 27001 and how the entire assessment process should be managed, from identifying assets and assessing threats to selecting appropriate risk treatments and controls. The book is the latest in our series of Practical Information Security pocket guides and is available for only £7.95 / US$15.92 / EUR11.81 from.

For people directly responsible for conducting risk assessments a more detailed account is necessary, so we have also introduced ‘Information Security Risk Management for ISO27001/ISO17799’. Over 196 pages this provides step-by-step guidance on matters such as Impact and Asset Valuation, Risk Treatment and the Selection of Controls, and The Gap Analysis and Risk Treatment Plan. It also gives advice on the use of risk assessment tools, including vsRisk. Priced at £39.95 / US$79.98 / EUR59.37 it can be obtained from IT Governance here.

Copier risk

Thursday, March 22nd, 2007

One of the great virtues of an information security management system is that it helps steer you around the pitfalls of your own preconceptions. By having a rigorous process that reaches across the organisation and involves people at every level, it becomes easier to spot vulnerabilities that you never knew were there. For example, Doug Schweitzer on ComputerWorld highlights that the modern office copier contains a hard drive that retains a record of the images it handles – how many people realise that? How many businesses have measures in place to ensure that vital data doesn’t just walk off the premises when a copier is upgraded? When technology evolves so quickly, a best-practice ISMS is an absolute must.

An ISO 27001 ISMS will enable regulated firms to meet FSA Handbook requirements

Saturday, September 9th, 2006

The FSA Handbook sets out clear requirements for the management of information security within its regulated sectors. These requirements are best met by implementing and maintaining an ISMS that meets the ISO27001 standard – ISO27001 certification is clear evidence that the firm has taken full account of ISO 17799, as laid down in SYSC 3A.7.8.

SYSC 3A.7.7
Information security

Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so a firm should have regard to:

(1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
(2) integrity: safeguarding the accuracy and completeness of information and its processing;
(3) availability and authentication: ensuring that appropriately authorised persons or systems have access to the information when required and that their identity is verified;
(4) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions.

SYSC 3A.7.8

A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).

ISO 27001 Toolkit for mid-size organisations

Friday, April 7th, 2006

Building an Information Security Management System (ISMS) from scratch can be a daunting task, particularly for mid-size organisations that may not have the luxury of generous budgets. To help eliminate the uncertainties and headaches we’ve launched a new ISO 27001 Toolkit, which in a single box provides everything you need to build a world-class system efficiently and at a fraction of the cost of calling in outside experts.

The Toolkit is an all-in-one programme for building an ISMS compliant with global best practice, in respect of ISO/IEC 17799:2005, ISO/IEC 27001:2005 and BS7799-3:2006. It is based on our definitive guide to ISMS development, ‘A Manager’s Guide to Data Security and BS7799/ISO17799’. In addition to the third edition of this book, the Toolkit includes the ISO/IEC 17799:2005, ISO/IEC 27001:2005 and BS7799-3:2006 standards and a CD-ROM with almost 400 densely packed pages of fit-for-purpose policies and procedures: a model Information Security Policy, a pre-written Information Security Manual, 110 pre-written policies, analysis tools, training materials and much more.

Since every organisation’s needs are different, purchasers benefit from our unique Drafting Support Service, which advises them on how to adapt the materials to their particular situation. They also receive our 12-month Automatic Update Service, which ensures that purchasers automatically benefit from any improvements to the Toolkit.

A robust ISMS is too important to be out of the reach of the middle market. We’ve deliberately priced this product at a significant discount to other options out there, so there can be no excuses!

SOX webinar

Monday, January 16th, 2006

ISO 27001 is of course an ideal solution for businesses that need to ensure they comply with Sarbanes-Oxley IT control requirements. I’ll be doing a webinar on 25 January in collaboration with Compliance Online to discuss precisely how the standard draws together CobiT, ITIL and ISO 17799 to create the necessary multi-layered solution. Topics to be covered will include:

* Current and future governance and compliance requirements
* The role of enterprise risk management
* Linkages and similarities between state, national and international regulations
* Why the traditional approach to regulatory compliance no longer works
* Business risks arising from legal contradictions, overlaps and loopholes
* Scale and impact on corporate brand, market position and share value of regulatory failure
* Key governance requirements of directors
* Role of best practice frameworks
* Linkage between compliance requirements and best practice frameworks
* Background and history of CobiT, ITIL and ISO 17799 – similarities and differences
* Importance of the CobiT/ITIL/ISO17799 joint framework
* Benefits of deploying this best practice framework
* Critical success factors in deploying this framework

For more information or to make a booking, click here.

Portugal embraces ISO 27001

Monday, November 28th, 2005

Positive developments in Portugal: a group of IT professionals has teamed up to form an ISMS community to promote best practice in information security, with a focus on ISO 27001 and ISO 17799. The community maintains a Portuguese blog and an English language page here describes its activities.

IT security and the boardroom knowledge gap

Wednesday, November 23rd, 2005

How many board directors know what ISO 27001 or ISO 17799 are? For that matter, how many still don’t know a firewall from a fire extinguisher? We are finding that, although an increasing number of non-IT company directors want to get to grips with data security, a limited technical understanding continues to frustrate the efforts of many. As a result, information security remains something of a ‘Bermuda Triangle’ in the executive role – everyone knows it’s there, but it’s shrouded in mystery and few have actually ventured in.

Clearly, this is a situation that has to change, and we have just launched a new book to help bridge this boardroom knowledge gap. ‘A Business Guide to Information Security’ is written for non-IT directors and is co-published by Kogan Page and the UK’s Institute of Directors, which has also endorsed the book because of its relevance to SMEs as well as large businesses. We have taken data security issues from the ground up, in order to explain the various threats to a company’s systems and what has to be done to address them. (If you are interested, the book is widely available through bookshops and also here.)

It would be good to hear some feedback on directors’ current awareness and concern about the data security issue – we think it is definitely on the increase but has a long way to go. What will it take to really get it onto every boardroom agenda?

Aligning Cobit, ITIL and ISO 17799

Tuesday, November 15th, 2005

The recently launched ‘Aligning Cobit, ITIL and ISO 17799 for Business Benefit’ is a welcome step toward making IT governance more usable for most organizations. There has long been confusion over which of these three frameworks is really an IT governance framework; for an equal length of time, the answer has been that each is a component of such a framework, as I proposed in ‘IT Governance Today: a Practitioner’s Handbook’ earlier this year.

While I’m delighted at this progress, there is (as I’ve already argued) further still to go in integrating and simplifying IT governance frameworks, and I will be taking this further in the 2nd edition of the Practitioner’s Handbook when it is published early next year.

BS7799/ISO17799 are tough…

Monday, February 7th, 2005

BS7799/ISO17799 are big standards, as anyone who has ever successfully implemented an ISMS can attest. Updating my book to take account of the new standard, and putting together a tool to help people migrate from the 2000 version to the forthcoming 2005 version, drove home to me just how tough certification really is. And, while the revised version of 17799 brings the standard right up to date, and makes a number of useful improvements, I’m not convinced that it makes the process any more straightforward.

In fact, if anything, it makes the process tougher, not least because it now cross-refers to a number of other, supporting (but not mandatory) standards, as well as shifting business continuity and disaster recovery management out of the standard, leaving behind only the information security aspects of both. Large organizations usually have the resources to tackle 17799; smaller ones don’t. The revised standard is not going to make it easier – smaller organizations really need a 17799-lite, one that clearly differentiates between what is essential (e.g. vulnerability management) and what is relevant only to certain types of companies (e.g. software development).

Until that happens, it’s going to be incumbent on consultants to help smaller companies find simple ways of benefiting from the guidance in the standard, and of achieving certification as well. If we can’t do that, the standard will survive only as something for larger organizations – which means it won’t survive in the form we know it today.