Packaging has vastly improved over the years, although bad examples certainly still exist. In contrast, let us look at an organization that is well known for its packaging: the Swedish modular furniture merchandiser, IKEA.
Note how IKEA and certainly others have overcome traditional packaging problems and derived a marketing benefit, as well as usable products. Through the use of focus groups and customer feedback, their products are attractively packaged, with a high probability of customer satisfaction.
By now, you are probably saying to yourself, "What does this have to do with information security?" As a tactical initiative to manage a strategic information security program, an ISMS must
Returning to our packaging analogy, here are some typical "bad" packaging issues common in the security arena.
Here are some typical solutions enacted by nothing more than proper packaging of existing practices already being done by most information security organizations.
Note how effective ISMS packaging has overcome traditional management problems and creates both stakeholder appeal, as well as tangible management benefits. Through the inclusion of stakeholders in a facilitated process, as well as attention to stakeholder feedback, the ISMS is both comprehensive and comprehensible, with a high probability of stakeholder satisfaction.
Standards such as ISO 27001 and ISO 9001 intentionally specify only the requirements of a management system, and are implementation-neutral. ISMS implementations may therefore vary both in look and feel. Proper packaging, however, makes a huge contribution to success.
Once the decision is made to do more than practice information security, the next logical conclusion is to create an ISMS based upon the proven quality concepts embedded in ISO 27001. But not all management systems are created equal. Although an ISMS may meet the requirements of ISO 27001, proper packaging can make the difference between a "lip service" management system and a true management system that brings actual added value to the organization.
Then, and only then, will an organization realize the benefits detailed below:
1. Market Differentiation
A greater potential to land business where touting your company's security is a critical element, including opportunities to work with clients seeking to do business with a company that has a certified security program already in place.
The ISO 27001 certification is accepted globally, and its adoption rate in the United States, while still not comparable to that of some other nations, is on the rise. Organizations, large and small, have felt increasing pressure from current customers, potential customers, and regulators to adopt a defensible, risk-based ISMS, as opposed to abiding by the customary and vague reliance on "best practices" or other standards that are not specific to the discipline of information security, e.g., SAS 70 Type II. The effort involved in raising the maturity of the security program to a certifiable level is proof to clients and potential clients that your organization is actively maintaining its information security posture.
2. Proactive versus Reactive Security Management
ISO 27001 provides a set of criteria in the form of management system requirements and control objectives that are based on intelligent and risk-based practice from various industries and countries. Organizations can then use these criteria as the basis to determine what they should be doing to manage information security, and the flexibility to decide how. This allows the information security function to be proactive in developing, deploying, managing, and maintaining an information security program. Information security is no longer forced into a constant "fire-fighting" mode and the usual lack of efficiencies is avoided.
In turn, a proactive, defensible approach to information security yields a reduction in response effort to the rising volume of information security questionnaires that an organization receives from clients and potential clients. Given the increasingly cumbersome regulatory environment, detailed inquiries are often defended as "doing due diligence," even though such inquiries impose a significant time and workload burden on the receiving organization.
However, with proactive security management, the organization has a ready answer to any and all security questions, and has no need to "reinvent the wheel" every time a new inquiry is received. Often, customers are willing to accept the ISO 27001 certification in lieu of answering lengthy and proprietary questionnaires. Further, security-conscious organizations are hesitant to provide detailed information regarding implemented controls; thus, a comprehensive response such as "We are ISO 27001 certified" is preferred.
Benefit: Holding an ISO 27001 certification is widely accepted proof of a reliable, defensible, standards-based information security posture. It confirms to both management and clients that your organization is proactively managing its security control responsibilities.
Bottom Line Impact: Reduced effort and time to respond to inquiries, shortening the sales cycle, and reducing the number of audit or review cycles, thereby increasing efficiencies.
3. Information Risk Management
ISO 27001, with its process-based and risk-driven approach, provides a mechanism to integrate information security into your company's overall risk management strategy. Using the common language of risk management, business executives can now be presented with information security in its proper context of asset protection and risk mitigation, without a need to explain the intricacies or jargon of the discipline.
Benefit: By making information security decisions on the defensible basis of risk management, the information security practitioner and business manager can employ a common terminology. In addition, the information security function becomes more integrated with the organization as a whole.
Bottom Line Impact: Increased understanding and acceptance of the role of information security in the organization's overall risk management strategy.
4. Time-based Assurance
Adoption of the ISO standard requires implementation of an ongoing management component or "continuous process improvement." Organizations are required to not only identify what is in place now, but monitor, review, and change controls if the environment dictates such change. ISO 27001, like other ISO management standards, is based on the W. Edwards Deming model of Plan, Do, Check, Act (PDCA) to achieve continuous improvement.
If your organization must respond to customer security inquiries, there is nearly always a requirement for annual renewal or periodic review. Once certified under ISO, the ISMS will be subject to annual surveillance audits and recertification every 3 years. These independent audits performed by the certifying authority offer proof to your management and your clients that the ISMS is operating in a satisfactory manner with continuous improvement.
Benefit: ISO 27001 certification is a dynamic process, requiring at least annual audits and periodic renewal of the certification. This offers independent proof of ISMS adequacy and the ongoing benefit of continuous process improvement. It offers clients and management proof that the ISMS continues to meet due diligence.
Bottom Line Impact:
- Proves to management that the program is operating effectively and has a positive return on investment.
- Reduces the effort to provide ongoing compliance assurance to customers and regulators.
5. Process Definition and Metrics
Another benefit of ISO 27001 is its requirement to define information security services and the supporting processes. For some organizations, it will be the first time they have thoroughly addressed and defined the structure of their information security group. In other cases, the implementation of the standard yields defined process flows and assigned responsibilities for services delivered both to "customers" within the organization and for services delivered to information security by other parts of the organization, such as Information Technology, Human Resources, Audit and Legal Counsel.
By defining processes, inputs, outputs, and responsibilities, the role of information security is emphasized and awareness is increased across the organization. Process definition also yields an unambiguous basis for security metrics. These metrics are essential to measure both the effectiveness of the program and its progress through the PDCA or continuous improvement cycle.
Benefit: Management gains a clear window into the results of its security investment, and better insight into which security processes are working well and which need improvement. This increased visibility helps to make the case for the information security group and often can serve as a model for other parts of the organization.
Bottom Line Impact: Concrete results and metrics help to justify security budgets. Better management understanding of the challenges and opportunities faced by the information security function leads potentially to both a larger role in the organization and the ability to at least sustain and possibly increase management funding. Moreover, metrics can be used to demonstrate opportunities to streamline processes and make more efficient use of available resources.
6. Consistent Third-party Governance, Risk, and Compliance (GRC) Management
Consistency between internal and external parties is another challenge organizations face today, and the problem is only getting worse. How can you make sure that your requirements are being implemented, measured, managed, and communicated? Contract or service agreement language often does not address specific requirements for the preservation of information confidentiality, integrity, and availability. A supplier risk assessment or audit can check to see if security expectations are adequately met, but by itself, this activity does not communicate the actual requirements or criteria.
With an ISO 27001-based ISMS, third-party requirements, specifications, empowerment, and communication are an integral part of the system. These elements can then be provided to the third parties or service providers. What does this mean? It means that you can raise your level of assurance by knowing that the third parties are "on the same page" as your company. Suppliers are able to deliver services at desired levels and with processes and security measures which are defined, visible, and accountable to you.
Benefit: Clear communication of security requirements to third parties and scheduled periodic reviews of compliance with such requirements.
Bottom Line Impact: Third parties with a full understanding of requirements can provide more accurate pricing for services and are not "surprised" near the end of the contract process with unanticipated demands. Periodic compliance assessments become a scheduled part of third-party governance with specific, stated objectives and increased focus on defined remediation tasks where necessary.
7. Legal and Regulatory Compliance
The legal and regulatory environment is increasingly rigorous and, unfortunately, increasingly burdensome. Recently introduced laws and regulations often require a risk-based approach and informed-choice decision making to achieve compliance. Both of these qualities are inherent in an ISO 27001 ISMS, along with a defined responsibility for the Legal department to advise security of pending legislation. A risk-based, structured approach to security management, policies, and standards means that accommodating shifts in the regulatory environment can often be accomplished as part of the normal review and update cycle rather than in an ad hoc, reactive mode. When changes are required, they can be accomplished incrementally rather than as a major overhaul.
Benefit: The risk-based decision making inherent in an ISO 27001 ISMS means the system shares a common basis with many new legal requirements. Changes to the ISMS can be made in an orderly, incremental fashion.
Bottom Line Impact: Legal and regulatory compliance is accomplished through an ongoing change process, often using maintenance cycles rather than unplanned efforts or forced reaction. Disruption to the business is lessened, and compliance is achieved through simple alignment rather than repetitive and unplanned reengineering of security policies, standards, and practices.
ISO 27001 begins by requiring organizations to define a risk methodology, then to perform an assessment of their security practices based on this methodology. With the risk assessment in hand, information security and management together make informed choices regarding which controls must be applied, and justify these choices. The list of controls in Annex A of the standard is not simply a set of "best practices" but rather a set of independent, reasoned choices formulated and signed off on by more than 170 countries. Within the context of the ISMS, each choice can be defended on the basis of evaluated risks and defined controls. There is no "gray area" and no reliance on individual interpretation of security practices, no matter how well intended.
Benefit: Referencing decision making to an independent standard and valid risk assessment means the organization can easily defend and justify its choices to management, customers, and regulators.
Bottom Line Impact: Using a defined and defensible set of information security controls means reduced effort and confusion in explaining security choices. This can shorten audit cycles and provide important reassurance to both management and clients that information security is based on informed-choice decisions, not just common practices.
The future of assurance for information security and security risk management lies with the utilization of proactive frameworks, based upon internationally recognized standards. By providing defensible, risk-driven, and process-based information security practices in a manner that is packaged for success, the organization can achieve the following goals:
- Increased ability to earn and maintain business from its customers
- The ability to differentiate its services from those of its competitors
- Speed to compliance in the legal and regulatory environment
- Better alignment with management requirements and allotted resources
- More comprehensive and ongoing governance over third-party services
- Concrete metrics to justify security budgets