When speaking with someone new to ISO 27001, very often I encounter the same problem: this person thinks the standard will describe in detail everything they need to do – for example, how often they will need to perform backup, how distant their disaster recovery site should be, or even worse, which kind of technology they must use for network protection or how they have to configure the router.
Here’s the bad news: ISO 27001 does not prescribe these things; it works in a completely different way. Here’s why…
Why is ISO 27001 not prescriptive?
Let’s imagine that the standard prescribes that you need to perform a backup every 24 hours – is this the right measure for you? It might be, but believe me, many companies nowadays will find this insufficient – the rate of change of their data is so quick that they need to do backup if not in real time, then at least every hour. On the other hand, there are still some companies that would find the once-a-day backup too often – their rate of change is still very slow, so performing backup so often would be overkill.
The point is – if this standard is to fit any type of a company, then this prescriptive approach is not possible. So, it is simply impossible not only to define the backup frequency, but also which technology to use, how to configure each device, etc.
By the way, this perception that ISO 27001 will prescribe everything is the biggest generator of myths about ISO 27001 – see also 5 greatest myths about ISO 27001.
Risk management is the central idea of ISO 27001
So, you might wonder, “Why would I need a standard that doesn’t tell me anything concretely?”
Because ISO 27001 gives you a framework for you to decide on appropriate protection. The same way, e.g., you cannot copy a marketing campaign of another company to your own, this same principle is valid for information security – you need to tailor it to your specific needs.
And the way ISO 27001 tells you to achieve this tailor-made suit is to perform risk assessment and risk treatment. This is nothing but a systematic overview of the bad things that can happen to you (assessing the risks), and then deciding which safeguards to implement to prevent those bad things from happening (treating the risks).
Figure: Method of safeguard selection in ISO 27001
The whole idea here is that you should implement only those safeguards (controls) that are required because of the risks, not those that someone thinks are fancy; but, this logic also means that you should implement all the controls that are required because of the risks, and that you cannot exclude some simply because you don’t like them.
IT alone is not enough
If you work in the IT department, you are probably aware that most of the incidents are happening not because the computers broke down, but because the users from the business side of the organization are using the information systems in the wrong way.
And such wrongdoings cannot be prevented with technical safeguards only – what is also needed are clear policies and procedures, training and awareness, legal protection, discipline measures, etc. Real-life experience has proved that the more diverse safeguards are applied, the higher level of security is achieved.
And when you take into account that not all the sensitive information is in digital form (you probably still have papers with confidential information on them), the conclusion is that IT safeguards are not enough, and that the IT department, although very important in an information security project, cannot run this kind of project alone.
Again, this fact that IT security is only 50% of information security is recognized in ISO 27001 – this standard tells you how to run the information security implementation as a company-wide project where not only IT, but also the business side of the organization, must take part.
Getting the top management aboard
But, ISO 27001 doesn’t stop with the implementation of various safeguards – its authors understood perfectly well that people from the IT department, or from other lower- or mid-level positions in the organization, cannot achieve much if the executives at the top don’t do something about it.
For instance, you may propose a new policy for the protection of confidential documents, but if your top management does not enforce such policy with all employees (and if they themselves do not comply with it), such a policy will never gain a foothold in your company.
So, ISO 27001 gives you a systematic checklist of what the top management must do:
- set their business expectations (objectives) for information security
- publish a policy on how to control whether those expectations are met
- designate main responsibilities for information security
- provide enough money and human resources
- regularly review whether all the expectations were really met
Not allowing your system to deteriorate
If you work in a company for a couple of years or more, then you probably know how the new initiatives/projects work – at the beginning they look nice and shiny and everyone (or at least most of the people) are trying to do their best to make everything work. However, in time, the interest and the zeal deteriorate, and with them, everything related to such a project also deteriorates.
For instance, you may have had a classification policy that worked fine initially, but in time the technology changed, the organization changed and people changed, and if no one has cared to update the policy, it will become obsolete. And, as you are well aware, no one will want to comply with an obsolete document, meaning that your security will grow worse.
To prevent this, ISO 27001 has described a couple of methods that prevent such deterioration from taking place; even more, those methods are used to improve the security over time, making it even better than it was at the time when the project was at its highest. These methods include monitoring and measurement, internal audits, corrective actions, etc.
Therefore, you shouldn’t be negative about ISO 27001 – it may seem vague at first reading, but it can prove to be an extremely useful framework for resolving many security problems in your company. What’s more, it can help you do your job more easily, and get more recognition from the top