The Business

Getting ISO27001 Certification

The requirement for information security certification is spreading from large organisations to small ones. What’s involved, and do you need it?


How many certificates must a man walk down before he decides that putting two CDs filled with the personal data of 25 million households into the post is a really bad idea? Shouldn’t every company (and government department) have a better and more secure way of doing business?

The point about ISO27001 security certification “is that the baseline it introduces enables people to do business with a level of confidence,” says Richard Walters, product director for the information security software vendor Overtis Systems (www.overtis.com/systems), which has helped both large and small companies through the process. It answers, he says, principle seven of the Data Protection Act, which states that you must have adequate security around data that can identify living individuals. “The Information Commissioner will say that actually certification to ISO27001 is a very good starting point to meeting that requirement.”

ISO27001 began life as the British standard 7799; it became an international standard in 2005. One surprise for many people considering certification is that the standard is not prescriptive in terms of technology.

“It’s about managing risk,” says Chris Smith, director of hosting operations at Vialtus (www.vialtus.com). “You may choose to have security cameras or not, post discs or not, have controls on moving data around – you show that you have reduced risk as much as you can.” Vialtus provides managed services in the business-to-business market; as such, its customers include media companies, financial services companies, and the public sector.

“A lot of customers have the misperception that it’s just a security standard,” says Smith, “but it’s more a framework around controls to protect availability, integrity, and confidentiality of systems and data. It’s more about building an information security management system that is continuously improved.” And he cautions, “It’s more of a challenge to maintain it and keep it up to date than the original process.”

Getting started
Most people say getting ISO27001 certification involves implementing controls and procedures that ought to be in place in any case if your company is dealing with personal data, especially such sensitive information as financial and health records. Implementation of the standard also varies regionally, according to Julian Thrussell, standards manager at the BSI (www.bsigroup.com).

“There are local nuances,” he says. “For example, the Japanese market likes very rigid audits, whereas in Europe although we cover the same content, we take a softer approach.” In Japan, conducting an audit is more like giving an exam, whereas in Europe the auditor will more often move around the building with the client.

In the assessments he does himself, Thrussell finds the same mistakes repeated over and over again. “A pile of backup cassettes or hard drives sitting on the top of the server is ever so common,” he says. The standard requires offsite backups. “Or looking in Rolodexes for the boss’s password under ‘P’.” Or, as part of the audit, he might ask a member of staff to log him into the system; they should refuse. “It’s often the common, day-to-day things that aren’t properly managed,” he says.

Thrussell also finds two groups of organisations seeking certification. “One, organisations that want to prove to their supply chain that they can keep information safely and securely; for example, organisations doing financial transactions on behalf of a bank, such as a call centre.” Or, possibly less well known, anyone who prints cheques or cheque paper or share certificates has to be certified to ISO27001 under the rules set down by APACS (the UK trade association for payments).

The second group are “organisations who want to use the standard to ensure they’re following a best practice approach, to make sure they haven’t forgotten anything – like spellchecking your own document.”

In some cases, he admits, organisations just want the badge. “You can tell,” he says. “There often isn’t a maturity in the system. They have gone through the standard and ticked the boxes, but done it to the minimum requirement. It’s not wrong; it’s still going to be a lot better than without it. Still, if an organisation really values it they’ve gone a little way further and thought things out more sensibly.” Those organisations may find it hard to get through subsequent audits because they have approached the standard as a one-off exercise, whereas certification is intended to be an on-going process.

John Pironti, president of IP Architects (www.iparchitects.com) and a member of the ISACA education board (www.isaca.org), warns, similarly, that a certificate can give a false sense of security. “It just says the capabilities exist, but not that you’re mature in them.” Pironti, who is based in the US but offers technical and management consulting to clients worldwide, says the standard is currently more important in Europe than in the US.

“I tell people in the US that yes, ISO is a good thing, but it’s one of many things they should be looking at as part of the overall universe that would be beneficial for me to align to. The certificate itself from a US perspective is not as powerful.” In Europe, however, “We’re finding that many companies are requiring it. Even if they don’t want to do it, it may be required to deal with larger firms. Financial services and health care ask for it the most.”

The time it takes to get ISO27001 certification varies, but the average seems to be six months to a year, depending on the size and complexity of the organisation, how much it needs to change and how much of the necessary framework it already has in place. Most begin by buying a copy of the standard, which costs £90, and reading through it to work out the implications for the business. Many, of course, choose to hire specialist advice – for example from Overtis – to help them through the process.

Walters notes that many organisations initially certify just a portion of the business. “A lot start by certifying just the central core IT function, not the entire business,” he says, “or one group, one team, one department, or one operational function. Once that’s defined, the next piece is to come up with a statement of applicability – the key document that defines it for whoever audits later. It can really be as big or as small as you want it to be.” Vialtus went for ISO27001 certification for its data centres, for example.

However, this does mean that if you are choosing a company to deal with on the basis that it has ISO27001 certification, you need to check the scope it covers and the statement of applicability. But if you have to get certification quickly because a customer or client requires it, keeping the scope narrow can help speed things up. That can also help later, not just with recertification but also with internal changes within the company.

Finding advice
In general, it’s been larger enterprises that have gone for certification but, Walters says, over the last 12 to 18 months the need for certification has begun appearing in tenders from smaller organisations as well. The smallest organisation where Overtis has taken the whole company through certification is about 50 people; it’s also helped departments within multinational companies as small as 20 people.

“A one- or two-man consultancy would find it hard to meet some of the physical security requirements, in particular,” warns Walters. “Making sure that computing facilities are in secure areas; they would struggle.”

The costs are often surprisingly modest. Vialtus’ Smith estimates that buying the certificate and getting through the initial audits for the company’s data centres cost well under £10,000. Vialtus, however, already had BS9001 certification and was used to dealing with on-going auditing requirements; the company even had two full-time employees in place to do nothing but work on certification, and a third who assisted them part-time.

“In man hours, it took us the best part of six months from deciding to do it to getting it – and with the assistance of a third-party security consultancy.” Without that help, he says, “it would have been more of a challenge to understand it.”

It pays also to be careful in choosing the source of such advice. The BSI’s Thrussell warns that it’s important to ask the right questions before hiring anyone and also vital to take up references from other organisations the consultancy you’re considering hiring has helped.

“A key piece is to use the organisations the BSI can refer them to,” he says, “or to take up the references the consultancy provides. Do it properly.”

And about those two CDs that HMRC lost in the post. “The ISO certification wouldn’t have helped HMRC,” says Pironti. “It would say ‘there’s a policy in place saying don’t do that’, but it doesn’t say to have controls to stop them from doing it or show how the capabilities work in the environment.”

Nonetheless, the certification was valuable for Vialtus, Smith says; “We feel we’re operating better now because of it.”

The BSI Group on ISO27001:
www.bsigroup.com/en/Assessment-and-certification-services/management-systems/Standards-and-Schemes/ISO-IEC-27001/

ISACA’s advice on streamlining ISO27001 implementation:
www.isaca.org/Content/ContentGroups/...

Comments (5)
Andy123
Posted: Oct, 20 2009

Thanks

Great article!!! help me so!!!...
Sun Tzu
Posted: Jan, 16 2010

General

I understand that ISO can be a differentiator for a business and a clear demonstration of a commitment to security. I certainly feel like I've seen an increase in ISO presence in the UK marketplace. But what are the actual figures of companies, UK-wise and globally, taking up the standard? Do we see a spike coming or will this dip in the current depressed market? I personally think that this makes a good and more mandatory step towards security from the subjective comply-and-explain business approach that ultimately gets risk downgraded in a traffic-light sense. What businesses and leaders need to realise is that security is a differentiator between those who win and those who lose. There is little value in denying the landscape and skimming the cracks. Perhaps ISO can help address this, but like Pironti says, it's the culture and belief in security and a mature attitude towards risk, away from spin and politics.
Mary Branscombe
Posted: Jan, 29 2010

Indeed, 'Sun Tzu'

Indeed - security is a process. We're going to be keeping an eye on how popular this ISO certification proves to be among our audience, but we're hearing more customers asking for it because their customers are requiring it: a definite network effect.
iso 9001
Posted: Aug, 10 2011

iso 9001

I really appreciate your post and you explain each and every point very well. Thanks for sharing this information. And I'll love to read your next post too.

Regards

ISO 9001
ISO 9001
Posted: Sep, 22 2011

iso 9001

I appreciate your post. I also wrote that SMS advertising provides a cost-effective method of targeting promotions to specific customer profiles. You might want to remind customers of specific events or promotions, but for whatever reasons, SMS allows you to pass information directly to the right customer at very affordable prices and fast delivery.
ISO 9001