A Business Case for ISO 27001 Certification

by Tom Carlson and Robert Forbes

While your organization's marketing and sales teams attempt to leverage security as a market differentiator, information security leadership faces the daunting challenge of "doing more with less." This chapter sets out the benefits and provides a business case for an information security management system (ISMS) that conforms to the ISO 27001 standard.

ISO 27001, the internationally accepted and recognized standard for ISMSs, was developed and supported by the member nations of the International Organization for Standardization (ISO), an organization chartered by the United Nations. The ISO 27000 series of standards evolved from the British Standard BS 7799. Originally published in 1995, Part One of BS 7799, the Code of Practice (aka the implementation guide), is now the basis for ISO 27002 (formerly known as ISO 17799). Part Two of BS 7799, first published in 1998, is the auditable set of ISMS specifications, now embodied in ISO 27001. There are other standards in the series, both published and in progress, covering ISMS implementation guidance (27003), information security metrics (27004), risk management (27005), and a guide to information security management auditing (27008).

Intended Use
ISO 27001 is intended to provide guidance on how to manage information security for an organization. To expand on this, the ISO standard is focused on an organization as a whole, including all information types, systems, people, policies, processes, and technologies.

An ISMS built and certified to ISO 27001, in addition to its internal benefits to the organization, can also provide defensible due diligence for potential clients, users, or other parties. The latter sections of this chapter will demonstrate a number of benefits resulting from implementation of the standard.

First, let us look in detail at the ISMS and how it can be used by an organization to "package for success." We can all agree that although we have been practicing information security for a long time, the management of information security has been inconsistent at best. The concept of a quality-based ISMS, codified in the ISO 27001 standard, is a classic example of interdiscipline synergy, porting proven quality management techniques into the security discipline.

What is a management system?

  • Management: direction or control
  • System: a collection of practices bundled to provide some form of service
  • Management System: that collection of practices to direct or control the provision of a service

Note that from the definitions above, the service provided could be any service from any program. For the purposes of this chapter, the services will be information security services.

Once an organization makes the decision to proactively direct or control its information security activities (i.e., managing rather than merely practicing), an ISMS can be crafted. This is where we can borrow valuable lessons from, believe it or not, the discipline of packaging.

What are some typical functions of packaging?

  • It presents the product to the end user in an appealing manner
  • It protects the product during transport and storage
  • It provides instructions on how to set up and use the product
  • It informs the end user on where to turn for help

With these functions in mind, let us look at some common scenarios with "bad" packaging. Any parent who has been severely challenged while attempting to assemble a child's new toy will understand the impact of "bad" packaging.

Packaging has vastly improved over the years, although bad examples certainly still exist. In contrast, let us look at an organization that is well known for its packaging: the Swedish modular furniture merchandiser, IKEA.

Note how IKEA and certainly others have overcome traditional packaging problems and derived a marketing benefit, as well as usable products. Through the use of focus groups and customer feedback, their products are attractively packaged, with a high probability of customer satisfaction.

By now, you are probably saying to yourself, "What does this have to do with information security?" As a tactical initiative to manage a strategic information security program, an ISMS must

  • Be supported by those that use or are bound by it
  • Be easy to use and maintain for those that are affected
  • Have a mechanism for stakeholder satisfaction

Returning to our packaging analogy, here are some typical "bad" packaging issues common in the security arena.

Here are some typical solutions, enacted by nothing more than proper packaging of existing practices that most information security organizations already perform.

Note how effective ISMS packaging has overcome traditional management problems and creates both stakeholder appeal, as well as tangible management benefits. Through the inclusion of stakeholders in a facilitated process, as well as attention to stakeholder feedback, the ISMS is both comprehensive and comprehensible, with a high probability of stakeholder satisfaction.

Standards such as the ISO 27001 and ISO 9001 intentionally specify only the requirements of a management system, and are implementation-neutral. ISMS implementations may therefore vary both in look and feel. Proper packaging, however, makes a huge contribution to success.

Once the decision is made to do more than practice information security, the next logical conclusion is to create an ISMS based upon the proven quality concepts embedded in ISO 27001. But not all management systems are created equal. Although an ISMS may meet the requirements of ISO 27001, proper packaging can make the difference between a "lip service" management system and a true management system that brings actual added value to the organization.

Then, and only then, will an organization reap the benefits detailed below:

1. Market Differentiation
The ISO 27001 certification is accepted globally, and its adoption rate in the United States, while still not comparable to that of some other nations, is on the rise. Organizations, large and small, have felt increasing pressure from current customers, potential customers, and regulators to adopt a defensible, risk-based ISMS, as opposed to abiding by the customary and vague reliance on "best practices" or other standards that are not specific to the discipline of information security; e.g., SAS 70 Type II. The effort involved in raising the maturity of the security program to a certifiable level is proof to clients and potential clients that your organization is actively maintaining its information security posture.

Benefit: The ability to stand apart from your competition. Attaining ISO 27001 certification means joining an exclusive group of companies and is a highly effective market differentiator for your company. Your competitors are most likely already looking at or moving toward ISO 27001 certification. You can get there first.

Bottom Line Impact:

  • Increased selling opportunities by offering a mature and capable ISMS, certified to an international standard.
  • A greater potential to land business where touting your company's security is a critical element, including opportunities to work with clients seeking to do business with a company that has a certified security program already in place.

2. Proactive versus Reactive Security Management
ISO 27001 provides a set of criteria in the form of management system requirements and control objectives that are based on intelligent and risk-based practice from various industries and countries. Organizations can then use these criteria as the basis to determine what they should be doing to manage information security, with the flexibility to decide how. This allows the information security function to be proactive in developing, deploying, managing, and maintaining an information security program. Information security is no longer forced into a constant "fire-fighting" mode, and the inefficiencies that mode usually brings are avoided.

In turn, a proactive, defensible approach to information security yields a reduction in the effort needed to respond to the rising volume of information security questionnaires that an organization receives from clients and potential clients. Given the increasingly cumbersome regulatory environment, detailed inquiries are often defended as "doing due diligence," even though such inquiries impose a significant time and workload burden on the receiving organization.

However, with proactive security management, the organization has a ready answer to any and all security questions, and has no need to "reinvent the wheel" every time a new inquiry is received. Often, customers are willing to accept the ISO 27001 certification in lieu of answers to lengthy and proprietary questionnaires. Further, security-conscious organizations are hesitant to provide detailed information regarding implemented controls; thus, a comprehensive response such as "We are ISO 27001 certified" is preferred.

Benefit: Holding an ISO 27001 certification is widely accepted proof of a reliable, defensible, standards-based information security posture. It confirms to both management and clients that your organization is proactively managing its security control responsibilities.

Bottom Line Impact: Reduced effort and time to respond to inquiries, shortening the sales cycle and reducing the number of audit or review cycles, thereby increasing efficiencies.

3. Information Risk Management
ISO 27001, with its process-based and risk-driven approach, provides a mechanism to integrate information security into your company's overall risk management strategy. Using the common language of risk management, business executives can now be presented with information security in its proper context of asset protection and risk mitigation, without a need to explain the intricacies or jargon of the discipline.

Benefit: By making information security decisions on the defensible basis of risk management, the information security practitioner and business manager can employ a common terminology. In addition, the information security function becomes more integrated with the organization as a whole.

Bottom Line Impact: Increased understanding and acceptance of the role of information security in the organization's overall risk management strategy.

4. Time-based Assurance
Adoption of the ISO standard requires implementation of an ongoing management component, or "continuous process improvement." Organizations are required not only to identify what is in place now, but also to monitor, review, and change controls if the environment dictates such change. ISO 27001, like other ISO management standards, is based on the W. Edwards Deming model of Plan, Do, Check, Act (PDCA) to achieve continuous improvement.

If your organization must respond to customer security inquiries, there is nearly always a requirement for annual renewal or periodic review. Once certified under ISO, the ISMS will be subject to annual surveillance audits and recertification every 3 years. These independent audits performed by the certifying authority offer proof to your management and your clients that the ISMS is operating in a satisfactory manner with continuous improvement.

Benefit: ISO 27001 certification is a dynamic process, requiring at least annual audits and periodic renewal of the certification. This offers independent proof of ISMS adequacy and the ongoing benefit of continuous process improvement. It offers clients and management proof that the ISMS continues to meet due diligence.

Bottom Line Impact:

  • Proves to management that the program is operating effectively and has a positive return on investment.
  • Reduces the effort to provide ongoing compliance assurance to customers and regulators.

5. Process Definition and Metrics
Another benefit of ISO 27001 is its requirement to define information security services and the supporting processes. For some organizations, it will be the first time they have thoroughly addressed and defined the structure of their information security group. In other cases, the implementation of the standard yields defined process flows and assigned responsibilities, both for services delivered to "customers" within the organization and for services delivered to information security by other parts of the organization, such as Information Technology, Human Resources, Audit, and Legal Counsel.

By defining processes, inputs, outputs, and responsibilities, the role of information security is emphasized and awareness is increased across the organization. Process definition also yields an unambiguous basis for security metrics. These metrics are essential to measure both the effectiveness of the program and its progress through the PDCA or continuous improvement cycle.

Benefit: Management gains a clear window into the results of its security investment, and better insight into which security processes are working well and which need improvement. This increased visibility helps to make the case for the information security group and often can serve as a model for other parts of the organization.

Bottom Line Impact: Concrete results and metrics help to justify security budgets. Better management understanding of the challenges and opportunities faced by the information security function potentially leads to both a larger role in the organization and the ability to at least sustain, and possibly increase, management funding. Moreover, metrics can be used to demonstrate opportunities to streamline processes and make more efficient use of available resources.

6. Consistent Third-party Governance, Risk, and Compliance (GRC) Management
Consistency between internal and external parties is another challenge organizations face today, and the problem is only getting worse. How can you make sure that your requirements are being implemented, measured, managed, and communicated? Contract or service agreement language often does not address specific requirements for the preservation of information confidentiality, integrity, and availability. A supplier risk assessment or audit can check to see if security expectations are adequately met, but by itself, this activity does not communicate the actual requirements or criteria.

With an ISO 27001-based ISMS, third-party requirements, specifications, empowerment, and communication are an integral part of the system. These elements can then be provided to the third parties or service providers. What does this mean? It means that you can raise your level of assurance by knowing that the third parties are "on the same page" as your company. Suppliers are able to deliver services at desired levels and with processes and security measures which are defined, visible, and accountable to you.

Benefit: Clear communication of security requirements to third parties and scheduled periodic reviews of compliance with such requirements.

Bottom Line Impact: Third parties with a full understanding of requirements can provide more accurate pricing for services and are not "surprised" near the end of the contract process with unanticipated demands. Periodic compliance assessments become a scheduled part of third-party governance with specific, stated objectives and increased focus on defined remediation tasks where necessary.

7. Legal and Regulatory Compliance
The legal and regulatory environment is increasingly rigorous and, unfortunately, increasingly burdensome. Recently introduced law and regulation often requires a risk-based approach and informed-choice decision making to achieve compliance. Both of these qualities are inherent in an ISO 27001 ISMS, along with a defined responsibility for the Legal department to advise security of pending legislation. A risk-based, structured approach to security management, policies, and standards means that shifts in the regulatory environment can often be accommodated as part of the normal review and update cycle rather than in an ad hoc, reactive mode. When changes are required, they can be accomplished incrementally rather than as a major overhaul.

Benefit: The risk-based decision making inherent in an ISO 27001 ISMS means the system shares a common basis with many new legal requirements. Changes to the ISMS can be made in an orderly, incremental fashion.

Bottom Line Impact: Legal and regulatory compliance is accomplished through an ongoing change process, often using maintenance cycles rather than unplanned efforts or forced reaction. Disruption to the business is lessened, and compliance is achieved through simple alignment rather than repetitive and unplanned reengineering of security policies, standards, and practices.

8. Defensibility
ISO 27001 begins by requiring organizations to define a risk methodology, then to perform an assessment of their security practices based on this methodology. With the risk assessment in hand, information security and management together make informed choices regarding which controls must be applied, and justify these choices. The list of controls in Annex A of the standard is not simply "best practices" but rather a set of independent, reasoned choices formulated and signed off on by more than 170 countries. Within the context of the ISMS, each choice can be defended on the basis of evaluated risks and defined controls. There is no "gray area" and no reliance on individual interpretation of security practices, no matter how well intended.

Benefit: Referencing decision making to an independent standard and a valid risk assessment means the organization can easily defend and justify its choices to management, customers, and regulators.

Bottom Line Impact: Using a defined and defensible set of information security controls means reduced effort and confusion in explaining security choices. This can shorten audit cycles and provide important reassurance to both management and clients that information security is based on informed-choice decisions, not just common practices.

The future of assurance for information security and security risk management lies with the utilization of proactive frameworks, based upon internationally recognized standards. By providing defensible, risk-driven, and process-based information security practices in a manner that is packaged for success, the organization can achieve the following goals:

  • Increased ability to earn and maintain business from its customers
  • The ability to differentiate its services from those of its competitors
  • Speed to compliance in the legal and regulatory environment
  • Better alignment with management requirements and allotted resources
  • More comprehensive and ongoing governance over third-party services
  • Concrete metrics to justify security budgets

From Healthcare Informatics: Improving Efficiency and Productivity, Edited by Stephan P. Kudyba. Auerbach Publications, 2010.

© Copyright 2010 Auerbach Publications