Getting ISO27001 Certification
How many certificates must a man walk down before he decides that putting two CDs filled with the personal data of 25 million households into the post is a really bad idea? Shouldn’t every company (and government department) have a better and more secure way of doing business?
The point about ISO27001 security certification "is that the baseline it introduces enables people to do business with a level of confidence," says Richard Walters, product director for the information security software vendor Overtis Systems (www.overtis.com/systems), which has helped both large and small companies through the process. It answers, he says, principle seven of the Data Protection Act, which states that you must have adequate security around data that can identify living individuals. "The Information Commissioner will say that actually certification to ISO27001 is a very good starting point to meeting that requirement."
ISO27001 began life as the British standard 7799; it became an international standard in 2005. One surprise for many people considering certification is that the standard is not prescriptive in terms of technology.
"It's about managing risk," says Chris Smith, director of hosting operations at Vialtus (www.vialtus.com). "You may choose to have security cameras or not, post discs or not, have controls on moving data around – you show that you have reduced risk as much as you can." Vialtus provides managed services in the business-to-business market; as such, its customers include media companies, financial services companies, and the public sector.
“A lot of customers have the misperception that it’s just a security standard,” says Smith, “but it’s more a framework around controls to protect availability, integrity, and confidentiality of systems and data. It’s more about building an information security management system that is continuously improved.” And he cautions, “It’s more of a challenge to maintain it and keep it up to date than the original process.”
Most people say getting ISO27001 certification involves implementing controls and procedures that ought to be in place in any case if your company is dealing with personal data, especially such sensitive information as financial and health records. Implementation of the standard also varies regionally, according to Julian Thrussell, standards manager at the BSI (www.bsigroup.com).
"There are local nuances," he says. "For example, the Japanese market likes very rigid audits, whereas in Europe although we cover the same content, we take a softer approach." In Japan, conducting an audit is more like giving an exam, whereas in Europe the auditor will more often move around the building with the client.
In the assessments he does himself, Thrussell finds the same mistakes repeated over and over again. “A pile of backup cassettes or hard drives sitting on the top of the server is ever so common,” he says. The standard requires offsite backups. “Or looking in Rolodexes for the boss’s password under ‘P’.” Or, as part of the audit, he might ask a member of staff to log him into the system; they should refuse. “It’s often the common, day-to-day things that aren’t properly managed,” he says.
Thrussell also finds two groups of organisations seeking certification. “One, organisations that want to prove to their supply chain that they can keep information safely and securely; for example, organisations doing financial transactions on behalf of a bank, such as a call centre.” Or, possibly less well known, anyone who prints cheques or cheque paper or share certificates has to be certified to ISO27001 under the rules set down by APACS (the UK trade association for payments).
The second group are “organisations who want to use the standard to ensure they’re following a best practice approach, to make sure they haven’t forgotten anything – like spellchecking your own document.”
In some cases, he admits, organisations just want the badge. “You can tell,” he says. “There often isn’t a maturity in the system. They have gone through the standard and ticked the boxes, but done it to the minimum requirement. It’s not wrong; it’s still going to be a lot better than without it. Still, if an organisation really values it they’ve gone a little way further and thought things out more sensibly.” Those organisations may find it hard to get through subsequent audits because they have approached the standard as a one-off exercise, whereas certification is intended to be an on-going process.
John Pironti, president of IP Architects (www.iparchitects.com) and a member of the ISACA education board (www.isaca.org), warns, similarly, that a certificate can give a false sense of security. “It just says the capabilities exist, but not that you’re mature in them.” Pironti, who is based in the US but offers technical and management consulting to clients worldwide, says the standard is currently more important in Europe than in the US.
“I tell people in the US that yes, ISO is a good thing, but it’s one of many things they should be looking at as part of the overall universe that would be beneficial for me to align to. The certificate itself from a US perspective is not as powerful.” In Europe, however, “We’re finding that many companies are requiring it. Even if they don’t want to do it, it may be required to deal with larger firms. Financial services and health care ask for it the most.”
The time it takes to get ISO27001 certification varies, but the average seems to be six months to a year, depending on the size and complexity of the organisation, how much it needs to change and how much of the necessary framework it already has in place. Most begin by buying a copy of the standard, which costs £90, and reading through it to work out the implications for the business. Many, of course, choose to hire specialist advice – for example from Overtis – to help them through the process.
Walters notes that many organisations initially certify just a portion of the business. “A lot start by certifying just the central core IT function, not the entire business,” he says, “or one group, one team, one department, or one operational function. Once that’s defined, the next piece is to come up with a statement of applicability – the key document that defines it for whoever audits later. It can really be as big or as small as you want it to be.” Vialtus went for ISO27001 certification for its data centres, for example.
However, this does mean that if you are choosing a company to deal with on the basis that it has ISO27001 certification, you need to check the scope it covers and the statement of applicability. But if you have to get certification quickly because a customer or client requires it, keeping the scope narrow can help speed things up. That can also help later, not just with recertification but also with internal changes within the company.
In general, it’s been larger enterprises that have gone for certification but, Walters says, over the last 12 to 18 months the need for certification has begun appearing in tenders from smaller organisations as well. The smallest organisation where Overtis has taken the whole company through certification is about 50 people; it’s also helped departments within multinational companies as small as 20 people.
“A one- or two-man consultancy would find it hard to meet some of the physical security requirements, in particular,” warns Walters. “Making sure that computing facilities are in secure areas; they would struggle.”
The costs are often surprisingly modest. Vialtus’ Smith estimates that buying the certificate and getting through the initial audits for the company’s data centres cost well under £10,000. Vialtus, however, already had BS9001 certification and was used to dealing with on-going auditing requirements; the company even had two full-time employees in place to do nothing but work on certification, and a third who assisted them part-time.
“In man hours, it took us the best part of six months from deciding to do it to getting it – and with the assistance of a third-party security consultancy.” Without that help, he says, “it would have been more of a challenge to understand it.”
It pays also to be careful in choosing the source of such advice. The BSI’s Thrussell warns that it’s important to ask the right questions before hiring anyone and also vital to take up references from other organisations the consultancy you’re considering hiring has helped.
“A key piece is to use the organisations the BSI can refer them to,” he says, “or to take up the references the consultancy provides. Do it properly.”
And about those two CDs that HMRC lost in the post. “The ISO certification wouldn’t have helped HMRC,” says Pironti. “It would say ‘there’s a policy in place saying don’t do that’, but it doesn’t say to have controls to stop them from doing it or show how the capabilities work in the environment.”
Nonetheless, the certification was valuable for Vialtus, Smith says; "We feel we're operating better now because of it."