Compliance With ISO27001 - Is It Really Necessary?
by primusboy

In today's high technology environment, organizations are becoming
increasingly dependent upon their information systems. Information is
widely regarded as the lifeblood of the modern enterprise. And,
consequently, the security controls surrounding these systems are
becoming the differentiating factor in customer choice. With data being
held on many of the most sensitive aspects of the business, including key
third party stakeholders, information security integrity has become a
focal point of all business initiatives. The protection of information
assets - information security - is therefore overtaking physical asset
protection as a fundamental corporate governance responsibility.
Organizations are facing a flood of threats to their information, with
new challenges emerging almost daily. Any breach to security can have a
severe effect on the operational running, reputation, or legal compliance
of the organization. Damage to any one of these areas can be measured by
its impact on the bottom line, in both the short and long term. It is
self-evident that organizations should, therefore, take appropriate steps
to secure and protect their information assets. This is now particularly
relevant given the web of legislation and regulation to conform to,
making firms criminally liable, and in some instances making directors
personally accountable for implementing and maintaining appropriate risk
control and information security measures. No longer is it enough to find
and fix vulnerabilities on an ad-hoc basis. Only a comprehensive,
systematic approach will deliver the level of security that any
organization really needs.
Today, security processes need to be well documented and substantiated.
So it's no longer good enough to be secure; organizations have to be able
to prove they are secure. If done correctly, this additional layer of
regulatory scrutiny and reporting can help enterprises combine their
security and compliance programs better to streamline efforts, control
costs and keep networks secure and compliant.
With the key corporate governance objective being to ensure that the
organization has an appropriate balance of risk and reward in its
business operations, information security requirements should be
identified by a methodical assessment of security risks, with expenditure
on risk controls needing to be balanced against the business harm likely
to result from security failures.
The most practical and effective way for policy makers to handle their
information security risks and obligations is to adopt and implement an
information security policy and information security management system
(ISMS) that is capable of being independently certified as complying with
ISO/IEC 27001:2005. The standard provides the only independently
developed framework for the management of information security. While
compliance with the standard does not of itself confer immunity from
legal obligations, it does point clearly to management's implementation
of best practice and effective IT governance. Security risks managed in
this systematic and comprehensive manner help to garner competitive
advantage in the organization through the adherence to an international
best practice standard. Certification to ISO27001 can also aid in forming
part of any potential legal defense required after a security breach.
ISO27001 compliance ensures a company will meet the regulatory guidelines
and standards such as the following:
• Sarbanes Oxley (SOX) requires companies to disclose information
regarding finances and accounting. SOX helps prevent financial
malpractice and accounting disclosures. All US-listed companies must
adhere to SOX regulations.
• Gramm-Leach-Bliley Act (GLBA) requires financial institutions to
protect customer data and provide privacy notices. Banks and financial
institutions must follow GLBA.
• Health Insurance Portability and Accountability Act (HIPAA) requires
health care organizations to ensure the privacy of personal health
information. Hospitals, medical centers and any business dealing with
patient medical records must comply with HIPAA.
• Payment Card Industry (PCI) specifies how to secure information systems
and media containing cardholder account information to prevent access by
or disclosure to any unauthorized party. PCI also covers effective
deletion of unnecessary data. Companies that store, process or transmit
credit card holder data must follow PCI.
• COBIT is an IT governance framework and supporting toolset that allows
managers to bridge the gap between control requirements, technical issues
and business risks. COBIT enables clear policy development and good
practice for IT control throughout organizations. COBIT emphasizes
regulatory compliance, helps organizations to increase the value attained
from IT, enables alignment and simplifies implementation of the COBIT
ISO27001 provides a single coherent and over-arching framework for
compliance with all the regulations and standards laid out above, while
also actually providing a risk assessment-based approach to information
security. Nonetheless, in order to achieve a risk assessment that is
completed methodically, systematically and comprehensively, an appropriate
software tool is a must. It is practically impossible to carry out and
maintain a useful risk assessment for an organization that has more than
about four workstations without using such a tool that contains
fit-for-purpose databases of risk threats and vulnerabilities. This is because
the risk assessment is a complex and data-rich process. And for an
organization of any size, the only practical way to effectively undertake
the project is to create a database that contains details of all assets
within the scope of the ISMS, and then to link, to each asset, the
details of its (multiple) threats and (multiple) vulnerabilities, and
their likelihood and resulting impacts, together with details of the
asset ownership and its confidentiality classification.
The risk assessment process is made enormously simpler if ready-made
databases of threats and vulnerabilities are used. The database should
also contain details of the control decisions made as a result of the
risk assessment, so that at a glance it is easy to see what controls are in
place for each asset within the ISMS. To one extent or another, the
software tool chosen to support the ISMS should automate the risk
assessment process and generate a Statement of Applicability. It should
also encourage the user to perform a thorough and comprehensive security
audit on the organization's information system, while not generating too
much paperwork. The chosen software should produce risk assessment
results that are easily comparable and reproducible.
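The asset-centred data model the two paragraphs above describe (assets with owner and classification, each linked to several threat/vulnerability pairs with likelihood and impact, control decisions recorded per risk, and a Statement of Applicability derived from them) can be made concrete in a few dozen lines. The following is an added illustration written for this page; it is not vsRisk or any other product's code. The 1-5 scoring scale, the acceptance threshold of 8, the sample register, and the five-entry control catalogue (ids and titles quoted from memory of ISO/IEC 27001:2005 Annex A, so treat them as illustrative) are all assumptions made for the example.

```python
"""Minimal ISMS risk register: asset -> risks -> control decisions -> SoA.
Added example for illustration; scales, threshold and sample data are
constructed assumptions, not any product's or standard's own data."""
from dataclasses import dataclass, field

SCALE = range(1, 6)              # assumed 1 (lowest) .. 5 (highest) scale
RISK_ACCEPTANCE_THRESHOLD = 8    # assumed: scores above this must be treated


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair affecting an asset."""
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: tuple = ()         # control ids chosen to treat this risk

    def __post_init__(self):
        # Reject out-of-scale scores so results stay comparable between runs.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be between 1 and 5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Asset:
    """An information asset within the scope of the ISMS."""
    name: str
    owner: str
    classification: str
    risks: list = field(default_factory=list)


def assess(assets):
    """One row per asset/risk pair, in a fixed order so two assessments of
    the same register are reproducible and directly comparable."""
    rows = []
    for asset in assets:
        for r in asset.risks:
            if r.score <= RISK_ACCEPTANCE_THRESHOLD:
                decision = "accept"
            elif r.controls:
                decision = "treat"
            else:
                decision = "untreated"      # above threshold, no control chosen: a gap
            rows.append({
                "asset": asset.name, "owner": asset.owner,
                "classification": asset.classification,
                "threat": r.threat, "vulnerability": r.vulnerability,
                "score": r.score, "decision": decision,
                "controls": r.controls if decision == "treat" else (),
            })
    rows.sort(key=lambda x: (-x["score"], x["asset"], x["threat"]))
    return rows


def statement_of_applicability(assets, catalogue):
    """Mark each catalogue control applicable or not, with a justification
    that names the assets whose risks it treats."""
    treated_by = {}
    for row in assess(assets):
        for cid in row["controls"]:
            treated_by.setdefault(cid, set()).add(row["asset"])
    soa = {}
    for cid, title in catalogue.items():
        if cid in treated_by:
            why = "Treats identified risk to: " + ", ".join(sorted(treated_by[cid]))
            soa[cid] = {"title": title, "applicable": True, "justification": why}
        else:
            soa[cid] = {"title": title, "applicable": False,
                        "justification": "No identified risk requires this control"}
    return soa


# Constructed sample data (illustrative only).
CONTROL_CATALOGUE = {
    "A.7.1.1": "Inventory of assets",
    "A.9.1.1": "Physical security perimeter",
    "A.10.4.1": "Controls against malicious code",
    "A.10.5.1": "Information backup",
    "A.11.2.1": "User registration",
}
REGISTER = [
    Asset("Customer database", "Head of Sales", "Confidential", [
        Risk("Malware infection", "No anti-malware on database host", 4, 5, ("A.10.4.1",)),
        Risk("Hardware failure", "No tested backups", 3, 4, ("A.10.5.1",)),
        Risk("Unauthorised access", "Shared administrator accounts", 3, 3),
    ]),
    Asset("Public website content", "Marketing Manager", "Public", [
        Risk("Defacement", "Unpatched CMS", 2, 2),
    ]),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['score']:>2}  {row['decision']:<9} {row['asset']}: {row['threat']}")
    for cid, entry in statement_of_applicability(REGISTER, CONTROL_CATALOGUE).items():
        print(cid, "applicable" if entry["applicable"] else "not applicable", "-", entry["justification"])
```

The "untreated" decision is the check a reviewer wants from such a tool: a risk above the acceptance threshold with no control selected is a gap in the assessment, not an accepted risk, and the deterministic sort order is what makes one review cycle's output comparable with the next.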
One such tool on the market developed to help organizations quickly and
easily carry out an ISO27001-compliant risk assessment is the ISMS tool
vsRisk™ - the Definitive ISO27001:2005-Compliant Information Security
Risk Assessment Tool. It offers a wizard-based approach to simplify and
accelerate the process of undertaking risk assessments, asset-by-asset
identification of threats and vulnerabilities, easy import of additional
controls to deal with risks, and integrated threat and vulnerability
databases that are continually updated to ensure they are the most
up-to-date available. vsRisk™, in terms of functionality, ease of use,
value for money and alignment with the requirements of ISO27001, is the
most complete ISMS software tool on the
Effective risk management is a continuous Plan-Do-Check-Act cycle, which
means that the risk assessment must be regularly revisited at planned
intervals and take into account changes in the business environment,
regulatory bodies, and a review of the residual risks. However, following
the initial resource-intensive phase of the ISMS implementation, the
organization should find subsequent reviews of the ISMS are much less
labour-intensive and relatively easily maintained with the aid of the
right software tool.
* vsRisk™ can also be found as part of the No 3 Comprehensive ISO 27001 ISMS
Toolkit, a necessity for organizations looking to accelerate their
ISO27001 project and develop an ISO27001-compliant Information Security
Management System (ISMS).
Chris Hanwell is the Product and Services Executive of the one-stop-shop
for information security books, tools, training and consultancy.