Nine Steps to Success: An ISO27001:2013 Implementation Overview

INTRODUCTION

The International Standard ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements has now replaced the earlier 2005 version. Information security has always been an international issue, and this new version of the Standard reflects eight years of improvements in the understanding of effective information security management. It also takes account of the evolution in the cyber threat landscape over that period, and allows for a new range of best practice controls.

Information security is also a management issue, a governance responsibility. The design and implementation of an Information Security Management System (‘ISMS’) is a management role, not a technological one. It requires the full range of managerial skills and attributes, from project management and prioritisation, through communication, sales skills and motivation, to delegation, monitoring and discipline. A good manager who has no technological background or insight can lead a successful ISMS implementation, but without management skills, the most technologically sophisticated information security expert will fail at the task.

This is particularly so if the organisation wants to derive maximum, long-term business value from the implementation of an ISMS. Achieving external certification is an increasingly necessary cost of doing business. Achieving the level of information security awareness and good internal practice that enables an organisation to safely surf the stormy, cruel seas of the information age, requires a level of culture change no less profound than that required to shift from industrial to post-industrial operations.

I know all this because my background is as a general manager, not as a technologist. I came to information security in 1995 because I was concerned about the information security exposures faced by acompany of which I was CEO. When you’re the CEO, and you’re interested in it, you can make an ISMS happen – as I’ve proved a number of times. While this book will shorten the learning curve for other CEOs in my position, it is really aimed at the manager – often an IT or information security manager – who is charged with tackling an ISO27001 implementation, and who wants a sure routeto a positive outcome. It identifies what the experience of many ISO27001 implementations has taught me are the nine key steps to ISMS success. The lessons seem to apply in any organisation, public sector or private, and anywhere in the world. They start with recognising the challenges usually faced by anyone concerned to improve their organisation’s security posture.

The second biggest challenge that, in my experience, is faced by information security technologists everywhere in the world, is gaining – and keeping – the Board’s attention. The biggest challenge is gaining – and keeping – the organisation’s interest and application to the project. When boards do finally become aware of their need to act – and to act systematically and comprehensively – against information security threats, they become very interested in hearing from their information security specialists. They even develop an appetite for investing organisational poundsintohardware and software solutions, and to mandate the development of a new ISMS – or the tightening up of an existing one.

Of course, there’s usually no better than a 50:50 chance that the‘solution’ they want is anything more than the security flavour of the month – for instance, penetration testing sales increased when hacktivist successes hit the headlines. Once deployed, any single solution is unlikely to alter the overall security posture of an organisation by more than one degree, not least because anyeffective security solution requires an integrated combination of technology, procedure and user application. Integration of this order also requires more than just a knee-jerk reaction to a current threat.

The even greater certainty is that most initiatives to develop an ISMS are likely to be seen as either a current management ‘fad’ or, even worse, as an IT department ‘initiative’. Either branding meansthe ISMS will be still born. Almost everyone who works in any business believes that management fads just have to be endured until they go away, and that IT department initiatives just create more problems and barriers for people trying to do their everyday work. Scott Adams, the creator of Dilbert, does say after all that most of the ideas for his sketches are sent to him by people who are simply describing their daily working lives.

An ISMS project does slightly better if it is seen as having a credible business need: to win an outsourcing contract, for instance, or to comply with a public funding requirement. In fact, such short-term justifications for introducing an ISMS, for seeking external certification, infrequently bring the company any real long-term benefit, because the project rarely develops the sort of sustained momentum that will drive user awareness and good practice into all the reaches of the organisation.

When we first decided to tackle information security, way back in 1995, my organisation was required – as a condition of its branding and trading licence – to achieve both ISO9001certification and Investors in People (IiP) recognition. We intended to sell information security and environmental management services as well and, out of a desire to practice what we preached, as well as from a determination to achieve the identifiable business benefits of tackling all these components of our business, we decided to pursue both BS7799 and ISO14001 at the same time.

BS7799 existed then in only an unaccredited form and it was, essentially, a Code of Practice. There was only one part to it and, while certification was technically not possible, a statement of conformity was. The other standards that we were interested in did all exist but, at that time, it was generally expected that an organisation would approach each standard on its own, developing standalone manuals and processes. This was hardly surprising, as it was unusual for any organisation to pursue more than one standard at any time!

We made the momentous decision to approach the issue from primarily a business perspective, rather than a quality one. Wedecided that we wanted to create a single, integrated management system that would work for our business, and that was capable of achieving multiple certifications. While this seemed to go in the face of much of that time’s actual practice around management system implementation, it seemed to be completely in line with the spirit of the Standards themselves.

We also decided that we wanted everyone in the organisation to take part in the process of creating, and developing, the integrated management system that we envisioned, because we believed that was the fastest and most certain way of getting them to become real contributors to the project, both in the short and the long term. We used external consultants for part of the ISO9001 project but there simply was no BS7799 expertise available externally.

This lack of BS7799 experts was a minor challenge in