The basic logic of ISO 27001: How does information security work? Benefits & Steps
When speaking with someone new to ISO 27001, very often I encounter the same problem: this person thinks the standard will describe in detail everything they need to do – for example, how often they will need to perform backup, how distant their disaster recovery site should be, or even worse, which kind of technology they must use for network protection or how they have to configure the router.
Here’s the bad news: ISO 27001 does not prescribe these things; it works in a completely different way. Here’s why…
Why is ISO 27001 not prescriptive?
Let’s imagine that the standard prescribes that you need to perform a backup every 24 hours – is this the right measure for you? It might be, but believe me, many companies nowadays will find this insufficient – the rate of change of their data is so quick that they need to perform backups if not in real time, then at least every hour. On the other hand, there are still some companies that would find the once-a-day backup too frequent – their rate of change is still very slow, so performing backups so often would be overkill.
The point is – if this standard is to fit any type of company, then this prescriptive approach is not possible. So, it is simply impossible not only to define the backup frequency, but also which technology to use, how to configure each device, etc.
By the way, this perception that ISO 27001 will prescribe everything is the biggest generator of myths about ISO 27001.
Risk management is the central idea of ISO 27001
So, you might wonder, “Why would I need a standard that doesn’t tell me anything concretely?”
Because ISO 27001 gives you a framework for deciding on appropriate protection. In the same way that you cannot copy another company’s marketing campaign to your own, this principle is valid for information security – you need to tailor it to your specific needs.
And the way ISO 27001 tells you to achieve this tailor-made suit is to perform risk assessment and risk treatment. This is nothing but a systematic overview of the bad things that can happen to you (assessing the risks), and then deciding which safeguards to implement to prevent those bad things from happening (treating the risks).
Method of safeguard selection in ISO 27001
The whole idea here is that you should implement only those safeguards (controls) that are required because of the risks, not those that someone thinks are fancy; but, this logic also means that you should implement all the controls that are required because of the risks, and that you cannot exclude some simply because you don’t like them.
See below: ISO 27001 risk assessment & treatment – 6 basic steps.
IT alone is not enough
If you work in the IT department, you are probably aware that most incidents happen not because the computers broke down, but because the users from the business side of the organization use the information systems in the wrong way.
And such wrongdoings cannot be prevented with technical safeguards only – what is also needed are clear policies and procedures, training and awareness, legal protection, disciplinary measures, etc. Real-life experience has shown that the more diverse the safeguards applied, the higher the level of security achieved.
And when you take into account that not all the sensitive information is in digital form (you probably still have papers with confidential information on them), the conclusion is that IT safeguards are not enough, and that the IT department, although very important in an information security project, cannot run this kind of project alone.
Again, this fact that IT security is only 50% of information security is recognized in ISO 27001 – this standard tells you how to run the information security implementation as a company-wide project where not only IT, but also the business side of the organization, must take part.
Getting the top management aboard
But, ISO 27001 doesn’t stop with the implementation of various safeguards – its authors understood perfectly well that people from the IT department, or from other lower- or mid-level positions in the organization, cannot achieve much if the executives at the top don’t do something about it.
For instance, you may propose a new policy for the protection of confidential documents, but if your top management does not enforce such a policy with all employees (and if they themselves do not comply with it), such a policy will never gain a foothold in your company.
So, ISO 27001 gives you a systematic checklist of what the top management must do:
- set their business expectations (objectives) for information security
- publish a policy on how to control whether those expectations are met
- designate main responsibilities for information security
- provide enough money and human resources
- regularly review whether all the expectations were really met
Not allowing your system to deteriorate
If you have worked in a company for a couple of years or more, then you probably know how new initiatives/projects work – at the beginning they look nice and shiny and everyone (or at least most of the people) is trying to do their best to make everything work. However, in time, the interest and the zeal deteriorate, and with them, everything related to such a project also deteriorates.
For instance, you may have had a classification policy that worked fine initially, but in time the technology changed, the organization changed and people changed, and if no one has cared to update the policy, it will become obsolete. And, as you are well aware, no one will want to comply with an obsolete document, meaning that your security will grow worse.
To prevent this, ISO 27001 has described a couple of methods that prevent such deterioration from taking place; even more, those methods are used to improve the security over time, making it even better than it was at the time when the project was at its highest. These methods include monitoring and measurement, internal audits, corrective actions, etc.
Therefore, you shouldn’t be negative about ISO 27001 – it may seem vague at first reading, but it can prove to be an extremely useful framework for resolving many security problems in your company. What’s more, it can help you do your job more easily, and get more recognition from the top.
Four key benefits of ISO 27001 implementation
Have you ever tried to convince your management to fund the implementation of information security? If you have, you probably know how it feels – they will ask you how much it costs, and if it sounds too expensive they will say no.
Actually, you shouldn’t blame them – after all, their ultimate responsibility is profitability of the company. That means, their every decision is based on the balance between investment and benefit, or to put it in management’s language – ROI (return on investment).
This means you have to do your homework first before trying to propose such an investment – think carefully how to present the benefits, using language the management will understand and will endorse.
I’ll try to help you – the benefits of information security, especially the implementation of ISO 27001 are numerous. But in my experience, the following four are the most important:
1. Compliance
It might seem odd to list this as the first benefit, but it often shows the quickest “return on investment” – if an organization must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO 27001 can bring in the methodology which enables it to do so in the most efficient way.
2. Marketing edge
In a market which is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO 27001 could be indeed a unique selling point, especially if you handle clients’ sensitive information.
3. Lowering the expenses
Information security is usually considered a cost with no obvious financial gain. However, there is financial gain if you lower the expenses caused by incidents. You probably do have interruptions in service, or occasional data leakage, or disgruntled employees. Or disgruntled former employees.
The truth is, there is still no methodology and/or technology to calculate how much money you could save if you prevented such incidents. But it always sounds good if you bring such cases to management’s attention.
4. Putting your business in order
This one is probably the most underrated – if you are a company which has been growing sharply for the last few years, you might experience problems like – who has to decide what, who is responsible for certain information assets, who has to authorize access to information systems etc.
ISO 27001 is particularly good at sorting these things out – it will force you to define very precisely both the responsibilities and the duties, and therefore strengthen your internal organization.
To conclude – ISO 27001 could bring in many benefits besides being just another certificate on your wall. In most cases, if you present those benefits in a clear way, the management will start listening to you.
ISO 27001 risk assessment & treatment – 6 basic steps
Risk assessment (often called risk analysis) is probably the most complex part of ISO 27001 implementation; but at the same time risk assessment (and treatment) is the most important step at the beginning of your information security project – it sets the foundations for information security in your company.
The question is – why is it so important? The answer is quite simple although not understood by many people: the main philosophy of ISO 27001 is to find out which incidents could occur (i.e. assess the risks) and then find the most appropriate ways to avoid such incidents (i.e. treat the risks). Not only this, you also have to assess the importance of each risk so that you can focus on the most important ones.
Although risk assessment and treatment (together: risk management) is a complex job, it is very often unnecessarily mystified. These 6 basic steps will shed light on what you have to do:
1. Risk assessment methodology
This is the first step on your voyage through risk management. You need to define rules on how you are going to perform the risk management because you want your whole organization to do it the same way – the biggest problem with risk assessment happens if different parts of the organization perform it in a different way. Therefore, you need to define whether you want qualitative or quantitative risk assessment, which scales you will use for qualitative assessment, what will be the acceptable level of risk, etc.
2. Risk assessment implementation
Once you know the rules, you can start finding out which potential problems could happen to you – you need to list all your assets, then threats and vulnerabilities related to those assets, assess the impact and likelihood for each combination of assets/threats/vulnerabilities and finally calculate the level of risk.
In my experience, companies are usually aware of only 30% of their risks. Therefore, you’ll probably find this kind of exercise quite revealing – when you are finished you’ll start to appreciate the effort you’ve made.
3. Risk treatment implementation
Of course, not all risks are created equal – you have to focus on the most important ones, so-called ‘unacceptable risks’.
There are four options you can choose from to mitigate each unacceptable risk:
- Apply security controls from Annex A to decrease the risks – see the article on ISO 27001 Annex A controls.
- Transfer the risk to another party – e.g. to an insurance company by buying an insurance policy.
- Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different fashion.
- Accept the risk – if, for instance, the cost of mitigating that risk would be higher than the damage itself.
This is where you need to get creative – how to decrease the risks with minimum investment. It would be the easiest if your budget was unlimited, but that is never going to happen. And I must tell you that unfortunately your management is right – it is possible to achieve the same result with less money – you only need to figure out how.
4. ISMS Risk Assessment Report
Unlike the previous steps, this one is quite boring – you need to document everything you’ve done so far. Not only for the auditors, but because you may want to check these results yourself in a year or two.
5. Statement of Applicability
This document actually shows the security profile of your company – based on the results of the risk treatment you need to list all the controls you have implemented, why you have implemented them and how. This document is also very important because the certification auditor will use it as the main guideline for the audit.
6. Risk Treatment Plan
This is the step where you have to move from theory to practice. Let’s be frank – all up to now this whole risk management job was purely theoretical, but now it’s time to show some concrete results.
This is the purpose of the Risk Treatment Plan – to define exactly who is going to implement each control, in which timeframe, with which budget, etc. I would prefer to call this document ‘Implementation Plan’ or ‘Action Plan’, but let’s stick to the terminology used in ISO 27001.
Once you’ve written this document, it is crucial to get your management approval because it will take considerable time and effort (and money) to implement all the controls that you have planned here. And without their commitment you won’t get any of these.
And this is it – you’ve started your journey from not knowing how to set up your information security all the way to having a very clear picture of what you need to implement. The point is – ISO 27001 forces you to make this journey in a systematic way.
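An added example (not from the article) of steps 1 to 3 above as a small Python risk register: the 1-3 scales, the impact-times-likelihood formula and the acceptable level of 3 are assumptions, since ISO 27001 prescribes none of them, and the register entries are constructed sample data.

```python
# Added example, not from the article. Steps 1-3 of the ISO 27001 risk
# process; scales, formula and acceptance threshold are assumptions.
from dataclasses import dataclass

# Step 1 - methodology: one set of scales and one acceptance level for the
# whole organization, so every department assesses risk the same way.
IMPACT = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
ACCEPTABLE_RISK = 3  # risk at or below this level needs no treatment
TREATMENT_OPTIONS = {"mitigate", "transfer", "avoid", "accept"}  # the four options

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: str
    likelihood: str
    treatment: str = "accept"
    control: str = ""  # control applied when treatment is "mitigate"

    def level(self) -> int:
        # Step 2 - risk level for one asset/threat/vulnerability combination
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    def acceptable(self) -> bool:
        return self.level() <= ACCEPTABLE_RISK

def unacceptable_risks(register):
    # Step 3 - the risks to focus on, highest level first
    return sorted((r for r in register if not r.acceptable()), key=lambda r: -r.level())

def validate_treatment(register):
    # Every unacceptable risk must use one of the four options, and a
    # mitigation must name its control (this later feeds the Statement of Applicability).
    problems = []
    for r in unacceptable_risks(register):
        if r.treatment not in TREATMENT_OPTIONS:
            problems.append(f"{r.asset}/{r.threat}: unknown treatment '{r.treatment}'")
        elif r.treatment == "mitigate" and not r.control:
            problems.append(f"{r.asset}/{r.threat}: mitigation without a named control")
    return problems

# Constructed sample register (hypothetical assets and controls)
SAMPLE = [
    Risk("customer database", "data leak", "no access review", "high", "possible", "mitigate", "quarterly access review"),
    Risk("file server", "ransomware", "backups untested", "high", "likely", "mitigate", ""),
    Risk("office printer", "hardware failure", "single device", "low", "possible"),
    Risk("paper archive", "fire", "no fire-proof cabinet", "high", "rare", "transfer", "insurance policy"),
]
```

Running `validate_treatment(SAMPLE)` reports the untreated file-server risk, which is the gap the Risk Treatment Plan must close before management approval.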
Further Reading:
ISO 27001:2013 (ISMS)
ISO 27001 implementation checklist
Implementing an ISMS: what you need to know