The international information security standard, ISO27001, is the only security standard that takes an integrated approach to information security by addressing people, processes and technology.
According to Alan Calder, founder and executive chairman of IT Governance, all too often companies focus primarily on technology while neglecting the role people and processes play in ensuring the confidentiality, integrity and availability of their organisation’s information.
“ISO27001 can help streamline the information security management process and ensure the right controls are implemented, and thus significantly reduce the probability and impact of cyber risks,” he said.
We asked Calder about the state of the current standard, its take-up and its future with the rollout and take-up of the 2013 version.
Are businesses generally compliant with the Standard?
As a company that has been delivering ISO27001 products and services for more than ten years, IT Governance has seen increasing interest in and implementation of the Standard. The number of clients turning to us for help has been growing year on year, but there are still many organisations that are just beginning to understand the importance of information security management.
Meeting contractual obligations is one of the major drivers for businesses to comply with ISO27001. Increasingly, the standard is being mandated by clients who rightly want to ensure that their information is going to be safe in the hands of suppliers and partners. Our own Boardroom Cyber Watch 2014 survey found that 55 per cent of the respondents have been asked by clients to prove their security credentials in the past 12 months.
Official figures also show a steady growth in the number of ISO27001 certificates worldwide. Certification to ISO27001 has grown by 14 per cent globally and by 25 per cent in Europe. The USA has the tenth highest number of ISO27001 certificates globally, combined with growth of 36 per cent, while ISO27001 certificates in the UK are up by 13 per cent on 2012.
I believe that this trend will continue as ISO27001 is increasingly recognised as an important standard globally, and compliance pressure is growing.
What is the process of becoming compliant with ISO27001?
Those who are completely new to the standard may require some guidance before they embark on the project. The first phase usually involves understanding the standard and the business requirements, and calculating the benefits.
In terms of the implementation process, there is no one-size-fits-all approach, but there are some common steps that can be used to steer the project. A typical process would start with a gap analysis to assess the differences between an organisation’s current information security controls and those recommended by ISO27001.
Also at the start of the project, the scope and the objectives must be determined and a risk assessment carried out so that the appropriate controls can be identified and a risk response plan can be developed.
Later in the process, the necessary management system documentation needs to be created, and staff information security awareness needs to be assessed and training provided as necessary. Finally, an internal audit needs to be performed, which will determine the effectiveness of the procedures and the selected controls. Any non-conformances need to be addressed and a continual improvement plan developed before the scheduled certification audit (provided the organisation has chosen to certify its ISMS).
It is important to note that an ISO27001 certificate is issued for a period of three years. During this time, the relevant certification body is required to perform surveillance visits at least once a year to verify that the ISMS works, which are then followed by a re-certification audit at the end of the three-year period. This means that an organisation needs to maintain its ISMS and carry out regular internal audits to ensure it is up to date.
What are the benefits of complying with ISO27001?
As mentioned before, contractual requirements and regulations are a major business driver for compliance with ISO27001. In this regard, organisations certified to ISO27001 have an advantage over their competitors, especially in tendering for contracts. Proof of ISO27001 compliance reduces or removes the need for second-party audits and their associated overheads.
Implementing a cyber security framework based on best practice such as ISO27001 will help organisations create a joined-up and systematic approach to compliance.
ISO27001 also helps to build trust and confidence among your stakeholders, adopt a risk-based approach that informs senior-level decision-making, and support a continuous process of improvement throughout the organisation.
There was the change from the 2005 version to a 2013 version. Do those compliant with the 2005 version need to re-certify?
ISO 27001:2013 was released in October 2013 and replaced the 2005 version of the Standard. Companies have been given a grace period to transition their ISMS from the 2005 to the 2013 version, but this is coming to an end.
In the UK, certification bodies should have stopped accepting any further applications for certification to ISO 27001:2005 from October 2014, according to a statement issued by UK accreditation body UKAS.
Globally, the International Accreditation Forum (IAF) has given certification bodies a deadline of two years from the date of publication of the standard for conformity with ISO/IEC 27001:2013. This means that after October 2015 certification bodies will only accept certification to ISO 27001:2013.
Organisations whose certification bodies have already transitioned to ISO27001:2013 should start transitioning their information security management systems (ISMSs) now to ensure they pass their next recertification audit.
What are the differences between ISO 27001:2005 and ISO 27001:2013?
ISO 27001:2013 has been written using the new high-level structure common to all new management systems standards in order to make integration with other management systems more straightforward.
One of the major changes to the Standard is associated with the risk assessment methodology. ISO 27001:2013 is no longer prescriptive about the methodology, meaning that companies no longer need to follow an asset-based approach.
The control selection process has changed, offering the benefit of greater flexibility, and the controls in Annex A have been modified. The standard now also puts a greater emphasis on setting objectives, and monitoring performance and metrics.
Alan Calder is the founder and executive chairman of IT Governance