
ISO 27001 : Steps to Certification

I am asked many a time, "Hey, we need to get ISO 27001 certified", and then asked to make the organization compliant within a few weeks. I go through the long process of explaining the steps required and the terminology that is often used as part of the compliance exercise. In this ramble, I will try to capture the salient requirements as to what constitutes the process and the time lines generally applicable (I am generalizing here) to get compliant or to go for certification.

Before taking it further, I will say this: "YOU CANNOT GET ISO 27002 CERTIFIED". ISO 27001 is the management standard that details the processes - THE ISMS - and you certify against this standard. The Annex to the standard lists the controls that are recommended to achieve the objective, with only brief details as to the nature of the controls required. A detailed version of the controls in the ISO 27001 Annex is found in ISO 27002, and ISO 27002 can help the organization achieve ISO 27001 certification. Well, enough of the caveats; now to the various elements that need to be done to achieve the certification.

The major driver for the ISO 27001 standard is the risk assessment programme: the idea is that the controls explained in detail in ISO 27002 can be selected as applicable to organization A or organization B based on the risk assessment process practiced by that organization. There exists a separate standard, ISO 27005, that deals with risk assessment.

What would be the approach that needs to be taken to achieve certification? As in any organization, or any project, the major push should come from the top. I have worked with many organizations that want ISO 27001 to be pushed as an IT effort. The most likely result of such an endeavor is failure. So we will write down the first rule of an ISO 27001 effort.

" HAVE ISO 27001 CERTIFICATION EFFORT SUPPORTED BY THE TOP MANAGEMENT"

All your efforts would go to waste; even though it looks obvious, it needs to be emphasized. Without the top management providing resources as well as the necessary blessings, the project is doomed to fail. However, convincing management about the need for ISO 27001 is another ball game. This blog assumes that you have already done your selling.

Well, you might be wondering why the word "project" is highlighted in the last statement. The reason is for the organization to take the certification process as a project. A project has a clearly defined scope and therefore has milestones, resources allocated, results collated, and due correction to the process initiated as the project veers off course. All the problems associated with a project are inevitable in an all-encompassing initiative like ISO 27001. It covers all aspects of the business, it needs resources, it has time lines, and it has a clear need to coordinate the various aspects of bringing together a team to deliver a result. We will put down another statement - Number 2.

" ISO 27001 COMPLIANCE is a PROJECT with clear scope, milestones and deliverables"

Now that we have the backing of the management and have a PMO (Project Management Office for the uninitiated), it is time to start working the details of the project.

STEP ONE: Define the ISMS (Information Security Management System) as a policy. A policy is an intent to do something or achieve something (an objective). The idea behind the certification process is to have a policy that ensures that the ISMS is something desired by the organization. Since the project is driven by the Management, the intent and objective of the organization and its top management are to be conveyed in a statement that is simple, easy and understood by all. A base set of policies that would govern the collective thinking of the organization is what this step evolves. These are not detailed tomes running into pages that are difficult to enforce, defend and implement, but statements of intent that effectively ensure that, as an organization, an objective needs to be reached as a goal. For example, we can have detailed password policies and identity management rules, but the idea here is to ensure that identity is protected as a policy, not the nitty-gritty of the technology controls or the way the objective is achieved.

Now, since we are working towards certification, and considering that the policies are not an overhead but an improvement in the governance of the organization, bringing down the overall cost of operations, we need to discuss the content of the policy. The ISMS policy, a short few pages (preferably in single digits), should cover the following:
1. How does the objective of the policy align the policy to the strategic business objectives?
2. Why is information security important to the organization?
3. How does the organization want to identify risks?
4. How does the organization want to fix risks?
5. How does the organization want to improve upon its Governance structure?

Though the above questions are high-level objectives for the ISMS, these are the documents that would govern the build-up of the other policies. These policies may include a data classification policy, remote access policy, password policy and others that are more operational in nature and need to be evolved based on the Risk Assessment. An ISO 27001 certification process will, based on the Risk Assessment exercise, decide on the requirement for the different operational policies.

"The ISO 27001 does not mandate that you have all the policies"

For example, if I have a system that is isolated, is not connected to the Internet and does not allow remote connections, does it require a REMOTE CONNECTIONS POLICY? No.

STEP TWO: The obvious next step is to run the risk assessment methodology that has been derived and found adequate (in line with business objectives), to identify the assets (Information Assets), map their values, and understand and assign values based on the business impact. Whether the process uses detailed mathematical models or a simple set of qualitative rules based on stakeholder valuation is for the business to decide. The risk assessment methodology adopted is better if it ensures that consistent results can be achieved irrespective of who initiates the exercise. We will make another bold statement here.

"ENSURE THAT THE RESULTS OF THE RISK ASSESSMENT METHODOLOGY ADOPTED ARE CONSISTENT IRRESPECTIVE OF THE INITIATOR"

STEP THREE: Based on the results of the Risk Assessment we have valuable information: having identified the assets that need protection, we can start building a profile for the different assets and protect them based on the value the business has perceived for each of the assets. For example, we assign different values to what we have: we lock our jewellery in a locker, we keep our phones safe, we keep our documents in a locked cabinet, we leave our newspapers on the coffee table. A similar profile would emerge. In ISO 27001 parlance we have a name for this: "THE STATEMENT OF APPLICABILITY". This would contain the results of the risk assessment, and then apply the controls prescribed in ISO 27002 to find those controls that are needed to achieve the objective (of protecting the information security assets).

" MAKE SURE ALL ASSETS ARE IDENTIFIED AND CONTROLS IDENTIFIED TO EFFECT THE OBJECTIVE"

STEP FOUR: What's the use of the document that we generated in the earlier step, if we do not conjure up the magic to ensure that we can implement the set of controls? We have identified the risks and, according to our ISMS policy, we need to ensure that they are addressed in such a way that the risk is mitigated to a level where the residual risk is acceptable to the organization.

"RISK subjected to CONTROLS = RISK RESIDUE, RISK ACCEPTANCE"

Now is the time to get the budget approved for the implementation of the controls, to evolve architectural changes if required, make operational changes, and ensure that the risk levels are within the parameters specified as acceptable to the organization.
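As an added illustration of Steps Two to Four (this is example code, not from the original post), here is a small Python model of a qualitative risk assessment: a fixed value x likelihood score so that the result does not depend on the initiator, a Statement of Applicability that marks a control applicable only when it treats a risk above the acceptance threshold, and the residual-risk accept-or-treat decision of "RISK subjected to CONTROLS = RISK RESIDUE, RISK ACCEPTANCE". The scales, the threshold, the asset names and the control identifiers are constructed assumptions and are not ISO 27002 control numbers.

```python
from dataclasses import dataclass
# Constructed scales (assumed): value and likelihood each 1 (low) to 5 (high); risk = value x likelihood.
ACCEPTANCE_THRESHOLD = 6   # residual score at or below this is accepted
@dataclass(frozen=True)
class Asset:
    name: str
    value: int     # business impact as perceived by the asset owner
    threats: dict  # threat name -> likelihood score
@dataclass(frozen=True)
class Control:
    ref: str       # placeholder control id (not an ISO 27002 number)
    reduces: dict  # threat name -> likelihood points the control removes

def inherent_risk(asset):
    """Risk before controls; a fixed formula, so the score does not depend on the initiator."""
    return {t: asset.value * lik for t, lik in asset.threats.items()}

def residual_risk(asset, controls):
    """Risk after the selected controls lower each threat's likelihood (floor of 1)."""
    return {t: asset.value * max(1, lik - sum(c.reduces.get(t, 0) for c in controls))
            for t, lik in asset.threats.items()}

def statement_of_applicability(assets, catalogue):
    """One SoA entry per control: applicable only if it treats a risk above threshold."""
    soa = {}
    for c in catalogue:
        needing = [a.name for a in assets if any(
            inherent_risk(a).get(t, 0) > ACCEPTANCE_THRESHOLD for t in c.reduces)]
        soa[c.ref] = (("applicable", "treats risk on: " + ", ".join(needing)) if needing
                      else ("not applicable", "no asset carries the threats it addresses"))
    return soa

def treatment_plan(assets, catalogue):
    """Apply the applicable controls, then accept or flag each residual risk."""
    soa = statement_of_applicability(assets, catalogue)
    chosen = [c for c in catalogue if soa[c.ref][0] == "applicable"]
    plan = {(a.name, t): "accept" if s <= ACCEPTANCE_THRESHOLD else "treat further"
            for a in assets for t, s in residual_risk(a, chosen).items()}
    return soa, plan

# Constructed sample input: no asset carries a wireless threat, so C-WIFI is not applicable.
ASSETS = [
    Asset("customer database", 5, {"unauthorised remote access": 5, "media theft": 2}),
    Asset("isolated lab server", 3, {"media theft": 3}),
]
CATALOGUE = [
    Control("C-REMOTE", {"unauthorised remote access": 3}),  # remote access policy + MFA
    Control("C-MEDIA", {"media theft": 2}),                  # locked storage for media
    Control("C-WIFI", {"rogue wireless client": 3}),         # wireless network hardening
]
```

With this input the remote-access risk on the customer database stays above the threshold even after the control, so it is flagged for further treatment rather than accepted; that is the budget and architecture discussion the step above refers to.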

STEP FIVE: We need to know how well we are able to implement the measures to contain risks. To ensure that we take care of the process to improve the risk scores, the set of controls we implement needs measurement parameters that can reliably measure the effectiveness of a control and assure that the objective has been met. This is a critical phase, as the measures selected should be easy to measure, should convey a clear message, and should provide valid inputs at times for correction as well as improvement. A set of well-defined measures would ensure that a clear mandate is out when the controls are implemented.

MEASURE, MEASURE, WITHOUT WHICH YOU NEVER KNOW WHERE YOU ARE

STEP SIX: We have completed all the planning, all the Excel sheets, the number crunching and the measurement parameters, and all the tools have been assembled. Now is the time to start work, to fold up the cuffs and start working in the field. The controls are addressed one by one and implemented with due cognizance of the measures. Small iterative steps that address the high risks first and then move down to the medium and lower risks is a model practiced by many; it has its merits and demerits. Many a time, the system as a whole is the subject of multiple controls, and a set of low-risk controls adds up to address a high risk. It is more a matter of culture as to how the various aspects are addressed; the project management skills of the organization come to the fore, and this phase takes the maximum time of the certification process, so as to have sufficient data to see the effectiveness of the controls as well as the satisfaction of seeing the effort produce results.

As per the ISO 27001 standard, the implementation should document and address the following:
  • CONTROL OF DOCUMENTS
  • INTERNAL AUDITS
  • CORRECTIVE ACTIONS
  • PREVENTIVE ACTIONS

OFF TO THE FIELD, TO IMPLEMENT.

STEP SEVEN: Training and Security Awareness: What is the use of controls, procedures and standards if they are not communicated and the expectations as to what needs to be protected are not clearly enunciated? To ensure that the population subject to the controls is made up of people who are aware of and understand the implications of the policies as well as the controls, they are to undergo training. This training would cover aspects of the policies, the way to do things the organization's way, the need for the controls, and good practices to ensure information is protected across the organization. As the adage goes, "The chain is as strong as the weakest link"; training ensures that the weakest link, people, are properly trained to become strong enough that they do not compromise the security of the organization.

TRAIN, TRAIN, Strengthen the WEAKEST LINK

STEP EIGHT: Now that the ISMS has been implemented, it is time to operationalize it: every aspect of the implementation has to be operationalized so that it becomes a daily routine. Every task undertaken and every action implemented is subject to the ISMS. It is time to put into practice all the processes, procedures and standards, and ensure that they are in line with the organization's expectations. It is also important to address issues in the business functions caused by the controls, and to address new emerging risk vectors. The continual improvement process kicks in, and data is collected to gauge the security posture on a regular basis.

OPERATIONALIZE or PERISH

STEP NINE: Internal Audits. It is important that internal audits identify problems and address them as and when they are found. The importance of independent insight into the functioning of the organization cannot be overemphasized. It is mandatory and a very important function, whether it is outsourced (internal audit can be outsourced, since the function is sponsored by the organization) or done by an internal team, to address issues as they evolve and implement compensatory controls as required. This is an important function that provides the governance to the Information Security function. However, many an organization considers this an overhead and more a mandate from a certification perspective than the real value that such a function provides.

INTERNAL AUDIT IS IMPORTANT even WITHOUT CERTIFICATION. THEY ARE THE WATCHFUL EYES

STEP TEN: Ensure that the management is aware of what is being done in the name of the ISMS. The management is the sponsor of the ISMS; they need to know the progress, the major changes and the technology direction. The management may not be worried about the technology deployed in your Wireless LAN, but they need to know the risk factors in allowing a wireless network. The same applies to what is being done about a major breach or anything that is detrimental to the functioning of the organization; this is an area where the management should also show interest, to understand that information is protected and due diligence applied when it comes to the protection of such assets.
