The recent security breaches on the Fine Gael and DUP websites has once more brought information security to the fore with extensive coverage of both incidents in the media. One of the questions I keep getting asked after such incidents is “how to I ensure my company is secure?”. Making your company, or website, secure is a matter of ensuring the appropriate information security risks have been properly identified and managed. The ISO 27001:2005 Information Security standard provides companies with a structured and proven way to implement and manage an Information Security Management System and provide management and the business with confidence in the security measures that are in place.
Last year I blogged on the SC Magazine site about the real world benefits that many organisations have seen as a result of implementing the ISO 27001:2005 Information Security Standard. In preparing that post I interviewed Michael Brophy who is CEO of Certification Europe. Certification Europe are an approved certification body for the standard, in other words they are the people who will audit you against the standard and decide on the results of that audit whether you or not your ISMS can be certified to the standard.
The following figure from the International Register of ISMS Certificates highlights the 37 Irish companies that have achieved certification to the ISO 27001:2005 Information Security Standard (which I am happy to say includes BH Consulting). As you can see Certification Europe have certified the majority of those companies so are in a perfect position to comment on the value the standard to organisations.
So without further ado here are Michael’s thoughts;
BH – What are the main drivers you see for companies currently seeking the ISO 27001 standard?
MB – Over the last two years we have seen that the motives for many organisation’s seeking certification have moved from wanting to be ‘the best in class’ to far more business orientated reasons. Up to 2007, many organisations saw certification to 27001 as an opportunity to be the first in their relevant fields to achieve the standard. This was reflected in press releases of the time which tended to focus on the uniqueness of having achieved the standard and how the organisation in questions was leading the way ahead of its competitors.
The last few years have seen a shift. While the reasons for seeking certification differ from business sector to business sector, the common theme is that it is becoming a market norm in many circumstances.
It is worth looking at a couple of examples. The Data Centre marketing is becoming increasingly competitive, and after price, security is a prime concern for many customers, particularly in the semi-state sector. In 2003 two significant tenders for hosting Government infrastructure specifically mentioned ISO 27001 (or IS 17799 as it then was) as a contractual requirement, and that set the ball in motion. By 2009 most of the larger Data Centres in Ireland have achieved ISO 27001 including Eircom, BT, Vodafone and Servcentrix, and it is clear that if a Data Centre wants to be in serious contention for State or Semi-State hosting contracts, they are going to have to step up to the mark and gain certification, or else find themselves in a shrinking pool of business.
Another good example of the standard becoming the market norm is in the secure print industry. In 2005 APACS (UK Payment Administration) mandated that any security printer which wished to print cheques for UK Banks had to achieve ISO 27001 or else be excluded from the UK market. This has subsequently set a trend for any form of secure printing (e.g. passports, credit cards, personalised information, sensitive data) where ISO 27001 is the benchmark by which acceptable security standards are judged. Secure printers who are not certified are finding it increasingly awkward to explain why they do not have the standard when questioned by customers.
Other drivers include:
Due corporate governance. IT Departments in particular, when handling sensitive, valuable or personal information, want to reassure themselves that they are doing so to an acceptable standard, and look to certification to provide that endorsement and reassurance. Often such reassurance is also welcomed by senior management/the Board, who may not understand the technical aspects of good information security, but as very aware of the liabilities which may arise.
Supply chain pressure. When issues of security and continuity of supply are raised by multinational customers, the implication can often be that the customer will look to broaden their supplier base to ensure that they spread their exposure. Suppliers have in response sought certification to ISO 27001 (and are now considering BS 25999) as mechanisms to allay the customers concerns are retain their preferential status.
BH – Given the current drive to reduce costs have you had seen any issues with companies maintaining the certification?
MB – Perhaps somewhat surprisingly no – this has not been a trend to date. Less than 5% of the clients currently certified to the standard have either gone out of business or been unable to maintain certification. Naturally there is a potential risk in an economic downturn that budgets will be slashed and security controls will be weakened as a result, however, this has not been an issue to date. While there is no great increase in expenditure in information security most organisation appear to have been able to maintain their budgets, or have been innovative in terms of getting more value for money, particularly when dealing with third parties.
BH – What do you see as the biggest challenges companies face in achieving certification? What would you advise companies do to overcome those challenges?
MB – The biggest challenge seems to have remained unchanged over the years, it is all about getting sufficient resources and having information security recognised as a priority so that a proper system of controls can be implemented. There is a trail of organisations over the years who have told an IT Manager or Project Manager to implement ISO 27001, but given no extra time or allocated any other staff resources in order to get it done. Asking someone to implement ISO 27001 in addition to all the normal aspects of their day job is a recipe for failure.
How do you overcome this… the same as any dedicated project, management buy-in and support from the start, and an appreciation of the resources required. Implementing 27001 always seems to progress more smoothly when a cross functional team (e.g. IT, HR, Finance, Facilities etc.) is involved in the early phases rather than tasking one individual to implement the whole system.
BH – What are the main costs involved in implementing and maintaining ISO 27001?
MB – The main costs are undoubtedly the time and internal resources required to implement a system. Developing policies, procedures and ensuring end-user training and awareness all taken time even when using internal resources. External consultancy support can help shortcut many issues, but at the end of the day the company has to spend time developing and using its information security system, and this all come with a cost.
BH – What are the main benefits you have seen customers achieve as a direct result of implementing ISO 27001?
MB– The easiest ones to quantify are always the business ones. Servcentrix announced for example that they won a $1m hosting contract and that their ISO 27001 certification was pivotal in winning the business. A range of secure printers in Ireland have won tenders which they would have been excluded from without ISO 27001.
However, many of the most significant benefits come from unexpected directions. Our financial and software clients are often subject to customer audit. Certification to ISO 27001 will often negate the need for customer security audits or as a minimum ensure that all the information being sought in an audit is available and reliable. One such company calculated that in 2009 alone they had reduced the number of external customer audit days by 49 by simply having certification to ISO 27001.
A change in company culture is often quoted as a benefit which is rarely prioritised at the start of the process. Employees understand the risks that may occur and embrace security controls as a result, in fact, many of the suggested improvements in security often come from staff who become converted to information security. Policies take effect and the process work more smoothly and with greater control. Perhaps the best quote to typify the unexpected benefits that can arise from 27001 was from an IT Manager who after gaining certification noted that “me and the rest of the IT Team can now take our lunch in the canteen with the rest of the company” and no longer felt the need to hide away as problems became an increasing rarity.
BH – What are the top three tips that you would give to anyone thinking about seeking certification?
If implementing an ISO 27001 system for the first time try to ensure that you have a team (ideally drawn from different departments in the organisations) to co-ordinate actions.
If stuck on how to implement parts (or all) of the standard, seek help from the wider information security community, there are plenty of people in Ireland who have done it before and would be only too happy to provide ideas and guidance.
Do your risk assessment (see Page 4 of the standard) first and then base all your security controls on the risks you have identified. Do not starti implementing controls because they sound good, otherwise you will tie yourself up in knots and do a lot of unnecessary work.
I would like to thank Michael for taking the time to answer the questions and take part in this exercise.
If you are interested in looking into ISO 27001 further for your company don’t hesitate to contact us, alternatively you can always buy my book “ISO 27001 in a Windows Environment“. If your organisation employs Microsoft technologies such as Windows then the book also provides you with guidance on how you can leverage your existing investment in those technologies to successfully implement the controls supporting the standard.