Any organisation wanting trust necessarily commits to withstanding information security scrutiny. For a security leader to best support his or her brand, win customers, and avoid negative publicity, an approach that proactively answers security questions is essential. Even with information security breaches becoming commonplace, each new one can result in plunging stock prices, customer vitriol, and increased scrutiny for years to come.
While few would say "Demonstrating my security is a bad idea," most organisations are paralysed by indecision or a lack of internal resources. After all, they have many options for exactly how to demonstrate their approach to security. With complex IT infrastructures comprising hundreds or thousands of components, business leaders must determine the best value for their information security certification time and budget.
Of the myriad options, ISO (International Organisation for Standardisation) has stood above other information security frameworks. ISO 27001 was created to give organisations a clear and reachable goal for information security best practices, rather than leaving them limited to the experience of the people in the organisation. ISO 27001, whose roots go back to 1995, has been a benchmark for good information security management for decades. It is regularly updated (most recently in 2013) and universally recognised in the information security community. It's not a surprise that as of 2015, 30,000 businesses worldwide had achieved certification. Many others provide a self-attestation of their compliance.
Organisations can choose from several routes to announce to the world that they are compliant. The two major routes are self-certification and outside certification. Self-attesting (or, a bit confusingly, self-certification) is one route, where an organisation follows the principles of ISO 27001 carefully and attests to its own capabilities. Many others go the ISO 27001 certification route, where an outside consultant provides an independent stamp of approval.
Self-attestation is where many organisations' leaders start. She or he simply goes through the ISO requirements, infers a checklist, and works through each item. For example, when Section 7.5.3 (Control of Documented Information) asks that ISMS documentation be protected against confidentiality, integrity and availability issues, that seems quite clear. He or she writes up a policy that addresses Confidentiality, Integrity, and Availability, declares that it be followed, and moves on to 7.5.4.
For organisations with an abundance of personnel time and a lack of budget, self-attestation is a natural fit. There are many options available for those going this route. High-quality templates are available that dissect the process into manageable chunks. With definitions, tables, guidance and more, self-attestation gains a roadmap when using these templates. The heavy lifting (writing, adapting to real practices, and ensuring completeness) remains the responsibility of the diligent self-attestation seeker.
The benefits are largely for governing bodies and security leaders. A security leader who has self-attested against ISO 27001 has lowered the organisation's risk profile significantly. This allows a more open flow of information with fewer concerns about data theft along the way. Legal obligations that may be in place are often served by this level of ISO self-attestation.
The more common route is seeking assistance from an ISO 27001 consultant to achieve compliance. In this model, an experienced consulting firm oversees the entire process. Depending on the readiness of the organisation, this can take weeks to months. Readiness includes both the ability to produce the required documentation and the ability to create and sustain new processes as needed. For example, an organisation that is lax on password strength must genuinely have and deploy a more stringent policy to earn certification to the ISO 27001 standard. Consulting firms may charge by the hour or a lump sum for the project. Either may be right depending on organisational security maturity and how many internal resources are free to assist the consultant.
An emerging method for achieving certification is structured ISO compliance services. In this method, a fixed-time component is added as well, to ensure that projects do not stall or run over time and budget. Compliance Council's 8-step process pioneers this emerging model. It offers structure and predictability compared to hourly consulting. Each week has a goal that advances the overall project. For example, week 1 starts with a necessary gap analysis against the standard in question. By week 3, documentation emerges, with documents drafted to best suit the organisation. By week 8, training, awareness, and audit are all in the rear-view mirror, leaving only the certification itself.
Breaking the full set of ISO 27001 compliance needs into discrete chunks makes the process digestible for an organisation, without disrupting existing business processes.
Complementary ISO standards
ISO 27001 is just one of the ISO family of management system standards. Notable ones include ISO 9001 for Quality Management, ISO 14001 for Environmental Management and ISO 45001 for Health and Safety Management. Compliance Council's 8-step process can be applied to a project involving one of these standards or all of them together.
Outside certification brings several benefits with it, including the ability to more easily tender for bids that require it, the brand benefits of an outside endorsement, and the trust built by going through the process with external and internal parties. Any organisation with an outside certification has an advantage over competitors that do not, especially in tender situations.
While ISO 27001 is not for every organisation, it is for an increasing number of them. With options to fit every team size and budget, Australian organisations can easily understand their options, including getting structured help to achieve ISO certification quickly with a good foundation to improve upon over time.