ISO27001 2005 Information Security Management Standard
Submit Articles Back to Articles
ISMS Light touch Directors' Brief
It is generally accepted that information is the greatest asset any
organisation has under its control. Directors are aware that the supply
of complete and accurate information is vital to the survival of their
Today more and more organisations are realising that information
security is a critical business function. It is not just an IT function
With increasing reliance on data, it is clear that only organisations
able to control and protect this data are going to meet the challenges
of the 21st century.
- Risk Management;
- Physical Security;
- Business Continuity;
- Regulatory and Legislative Compliance.
ISO27001:2005 which was formally BS7799 is the International Standard
for Information Security Management (ISMS) and provides a definitive
reference to developing an information security strategy. Moreover a
successful certification to this standard is the confirmation that the
system employed by the organisation meets internationally recognised
However reduced resources may cause problems when planning and
implementing a full ISMS; this can be resolved by using a reduced
scope. This does allow for extension at some time in the future.
The Statement of Applicability which accompanies the application can be
tailored to meet the specific requirements of the organisation.
Business has been transformed by the use of IT systems, indeed it has
become central to delivering business efficiently. The use of bespoke
packages, databases and email have allowed businesses to grow while
encouraging remote communication and innovation.
Most businesses rely heavily on IT but critical information extends
well beyond computer systems. It encompasses knowledge retained by
people, paper documents as well as traditional records held in a
variety of media. A common mistake when incorporating an information
security system is to ignore these elements and concentrate only on the
Information security is a whole organisation matter and crosses
departmental boundaries. It is more than just keeping a small amount of
information secret; your very success is becoming more dependent upon
the availability and integrity of critical information to ensure smooth
operation and improved competitiveness.
C I A
These are the three requirements for any ISMS.
Your vision is central to organisational development; driving
improvements in all areas of the business to create value. With
information technology being key to so many change programmes,
effective information security management systems are a prerequisite to
ensuring that systems deliver on their business objectives. Your
leadership can help create the appropriate security culture to protect
Organisations are increasingly being asked questions about ISO 27001,
particularly by national or local government, professional and the
financial sector. This is being driven by adoption of the standard as
part of their legal and regulatory obligations. In some areas this is
becoming a tender requirement.
Others are seeing a competitive advantage in leading their sector and
using certification in information security management to develop
customer/client confidence and win new business. With public concern
over security issues at an all time high, there is a real need to build
effective marketing mechanisms to show how your business can be trusted.
You will certainly be aware of your responsibilities for effective
governance, and be answerable for damaging incidents that can affect
organisational value. The risk assessment, which is the foundation of
the standard is designed to give you a clear picture of where your
risks are and to facilitate effective decision making. This translates
into risk management, not simply risk reduction and therefore replaces
the feeling many directors have of risk ignorance in this area. This
will help you understand the potential risks involved with the
deployment of the latest information technologies and will enable you
to balance the potential downside with the more obvious benefits.
Whether, as part of compliance, such as required by Professional
Bodies, Sarbanes Oxley, Data Protection Act, or as part of an effective
governance, information security is a key component of operational risk
management. It enables the formulation of effective risk analysis and
measurement, combined with transparent reporting of ongoing security
incidents to refine risk decisions.
Giving values to the impact security incidents can have on your
business is vital. Analysis of where you are vulnerable allows you to
measure the probability that you will be hit by security incidents with
direct financial consequences.
An added benefit of the risk assessment process is that it gives you a
thorough analysis of your information assets, how they can be impacted
by attacks on their confidentiality, integrity and availability, and a
measure of their real value to your business.
Although the detail within the risk assessment process can be complex,
it is also possible to translate this into clear priorities and risk
profiles that the Board can make sense of, leading to more effective
financial decision making. Basic risk assessment is a preferred method
when smaller organisations are starting on the road to an ISMS.
How well would you cope if a disaster affected your business?
This could be from some natural cause such as flood, storm or worse
from fire, terrorism or other civil unrest. The areas not often
considered are sickness, failure of utilities or technology breakdown.
Business continuity planning in advance of a disaster can mean the
difference between survival or extinction of the business.
Many of the businesses affected by the Bunsfield Fuel Depot disaster
never recovered. Those with an effective business continuity plan have
emerged like the phoenix from the ashes.
Many businesses claim to have a plan but if the plan is untested or ill
prepared then it is bound to fail.
ISO27001 states that a fully planned and tested BCP should be in place
to prepare for and be able to deal with, such an emergency.
ISO 27001/2 Sections
- Risk assessment and treatment –
Assessing the risks to the company's assets, devising a risk treatment
plan and finally accepting those risks that cannot be mitigated.
- Security policy - This provides
management direction and support for information security.
- Organisation of information security -
To help manage information security within the organisation.
- Asset management - To help identify
assets and protect them appropriately.
- Human resources security - To reduce the
risks of human error, theft, fraud or misuse of facilities.
- Physical and environmental security - To
prevent unauthorised access, damage and interference to business
premises and information.
- Communications and operations management
- To ensure the correct and secure operation of information processing
- Access control - To control access to
- Information systems acquisition, development and
maintenance - To ensure that security is built into
- Information security incident management
– To deal effectively with any identified security incident.
- Business continuity management - To
counteract interruptions to business activities and to protect critical
business processes from the effects of major failures or disasters.
- Compliance - To avoid breaches of any
criminal and civil law, statutory, regulatory or contractual
obligations, and any security requirement.
A light touch ISMS can be very effective in providing confidence to
customers/clients if careful selection of the elements, incorporated in
the ISMS, is made. The Statement of Applicability details which parts
Many organisations have benefited from this approach and with
assistance from Quality Matters have maximised the use of resources
while providing good levels of data protection.
This brief has been prepared by Chris Eden of Quality
About the Author
Chris Eden FIC, MISSA, ACQI, A director of Quality Matters
Limited with over 20 years experience in setting up, auditing and
evaluation of systems. He is a Registered QMS2008
Internal Auditor (IRCA)
Follow us @Scopulus_News
Article Published/Sorted/Amended on Scopulus 2013-03-14 15:59:07 in Business Articles