Brian Honan, information security consultant and blogger, and founder and head of Ireland's computer security incident response team, looks at the benefits and practicality of implementing ISO27001.
According to the website iso27001certificates.com there are now over 6,000 organisations worldwide that have attained certification against the ISO27001:2005 Information Security Standard. So what are the real business benefits these organisations have seen as a result of implementing ISO27001? Have there been any other benefits apart from those directly associated with information security that have arisen as a result of these projects? And what should others consider before embarking on the journey to implement the ISO27001:2005 information security standard?
We discuss these issues with a number of people who have real life experience of the impact ISO27001 has had on their organisation. The three people who have agreed to share their experiences are:
Han Van Thoor (HVT) managing director of Jumper CSIRT (http://www.jumper.ie/) that provides clients with managed information security incident response services.
Michael Brophy (MB), managing director of Certification Europe (http://www.certificationeurope.com/home/default.asp) that provides assessment and certification services against international management system standards.
What were the main drivers for you to seek certification to the standard?
PN Our proposition is predicated upon security and many potential clients see it as an endorsement of good security practice, as do we.
HVT The main driver was achieving a professional standard that is internationally recognised, facilitating a strong market presence for us. The security of information should be a core attribute of any business. Adoption of the ISO27001 standard demonstrates that emphasis.
MB Over the last two years the motives for organisations seeking certification have moved from wanting to be ‘the best in class’ to far more business orientated reasons. While the reasons for seeking certification differ from business sector to business sector, the common theme is that it is becoming a market norm in many circumstances.
What do you see as the biggest challenges companies face in achieving certification?
PN Understanding the information security management system and how it would apply to your business, and thereafter implementing it.
MB The biggest challenge seems to have remained unchanged over the years: it is all about getting sufficient resources and having information security recognised as a priority so that a proper system of controls can be implemented.
HVT At Jumper the challenge was less daunting from the perspective that the organisation is relatively young, so culturally the management of change was much simpler.
What are the main costs involved in implementing and maintaining ISO27001?
PN The costs of internal resources to produce the relevant policies and procedures. Getting guidance from external consultants also needs to be factored in.
MB External consultancy support can help shortcut many issues, but at the end of the day the company has to spend time developing and using its information security system, and this all comes with a cost.
HVT As part of our start-up plan it was identified that ISO27001 certification was an organisational objective, so this was considered in all business and strategic plans. Having this vision allowed us full visibility of the costs, which were primarily resourcing and infrastructure related.
What are the main benefits you have seen as a direct result of implementing ISO27001?
PN Improvements in many management practices leading to efficiencies. We also have won business directly as a result of having the standard.
HVT Development of the organisation – increased focus on providing professional, service-centred solutions to our clients – increased visibility and comprehension of IT security issues – preparedness of our response teams.
MB Many of the most significant benefits come from unexpected directions. Our financial and software clients are often subject to customer audits. Certification to ISO27001 will often negate the need for customer security audits. One such company calculated that in 2009 alone they reduced the number of external customer audit days by 49.
A change in company culture is often quoted as a benefit, which is rarely prioritised at the start of the process. Employees understand the risks that may occur and embrace security controls as a result.
What are the top three tips that you would give to anyone thinking about seeking certification?
PN (1) Own it from the top and ensure all senior managers are on board and involved.
(2) Prioritise the process within the organisation; this is something that is going to happen and explain why to get company wide buy in.
(3) Engage an experienced third party to drive the process from outside the organisation to ensure progress continues even when the pressure is on.
MB 1. If implementing an ISO27001 system for the first time, try to ensure that you have a team (ideally drawn from different departments in the organisation) to co-ordinate actions.
2. If stuck on how to implement parts of the standard, seek external help.
3. Do your risk assessment first and then base all your security controls on the risks you have identified. Do not start implementing controls because they sound good, otherwise you will tie yourself up in knots and do a lot of unnecessary work.
HVT 1. Start as early as possible in an organisation – if ISO27001 is an organisational objective, ensure that it is present in all strategic plans, budgets and resource allocations.
2. Obtain senior management commitment and ensure focus is maintained throughout the certification process. Keep communication lines open and maintain transparency of the entire process.
3. Communicate the importance of the work – make it visible within the organisation; the more information you share, the more the organisation will appreciate the value it brings.