Planning for an industry-standard-compliant information security management system (in brief: carrying out an ISO 27001 project) can start from a variety of starting points. Some organizations have already familiarized themselves with the standard, and some have even written the first mandatory documents. Yet for many, this article may be the first contact with any form of security work at all.
A common denominator and motivator for kicking off a project of this kind is a requirement from a customer or from the operating environment that is difficult to fulfill by any means other than implementing a documented information security management system. At the beginning of the project it is also typical to have some view of the owner organization's own abilities and schedule.
The initial workshop
Workshops provide an effective way of working, virtually or within the same physical space. However, it is good to have the right kind of facilities – which in a virtual context means at least a functioning webcam for everyone and proper tools for shared notes or online whiteboarding.
So, what should be addressed in the workshops? The set as a whole is often built on several workshops with different themes, but we have to start somewhere.
Below is a list of common starting and talking points:
- What an ISMS is and what ISO 27001 is
- Objectives for security
- Roadmap and achieving the set security goals, within the desired time
- What should and must be documented
- Industry standards and frameworks that guide the company’s operations
- Company’s certification goals — whether the goal is certification or otherwise specific activities
- Minimum requirements set by the ISMS and how to achieve them
- Annual clock and organization
Once we have the basics under control, we can also discuss the following topics in more detail at the workshops.
- Risk register, risk management and how they relate to information security
- Audits, audit planning and audit objectives
- The role of continuity in information security
- Application development and product development information security requirements and objectives
- Information security requirements and objectives for ICT infrastructure, cloud services and other production facilities and environments
- Technical solutions; log management, risk register, incident management, vulnerability scanning, code scanning
- Identifying customer’s own abilities and reflecting on what can/should be purchased as a service now and later on
The topics of the workshops vary according to the industry, and the implementation is paced according to the customer's maturity.
"The mandatory documentation" discussion
Workshopping also helps in defining the scope of the management system. There is no need to bring all security activities into the management system at once. This matters in companies with a wide range of fundamentally different activities, for example physical commerce and logistics alongside the development and management of information systems, all within one and the same company.
But what about those mandatory documents? Mandatory documents are frustratingly often a rather vague ensemble. The mandatory documents and their mandatory content are built not, surprisingly, on ready-made templates, but on the needs and requirements of the company and its business. Third-party certification audits look at things from the perspective of assessing whether the information security management system's responses and measures are realistic and necessary, down to the specific issues that are critical to the company and dependent on information security. Whether you are in the software business or the marine propulsion business has a significant impact on how your security management system will be set up.
Business and technical controls – how do they relate?
The chain runs from business to controls:
- The way in which the company produces, or intends to produce, value for its owners
- All the tangible and intangible assets that are essential for doing business and for reaching the target state of information security
- The listed and assessed risks that, if realized, threaten the tangible and intangible assets on which the business and the target security areas rest
- Each control from Annex A (i.e. ISO 27002) must be assigned the job of protecting assets appropriately and in accordance with the assessed risks
As we can see, detaching an individual control from its context ("passwords must consist of 16 characters") may not answer any of the right questions in the value chain above: why does it have to be defined, in which systems must the control be present as specified, what does the control itself protect, and what is the factual risk being tackled here?
What if we identify an asset that has no risks? What if we recognize a risk but have not listed the asset? If we do business with assets that are not known, we effectively do not know the risks involved, and we may have no idea of our specific security goals.
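To make the chain above concrete, here is an added example (not code from the original article or from any particular ISMS tool) of a small register that links assets, risks and Annex A controls and then checks it for exactly the breaks just described: assets with no risks, risks pointing at unlisted assets, risks with no control, and controls that are attached to nothing. All asset, risk and control identifiers and contents are constructed for illustration; the Annex A numbers are used only as reference labels.

```python
"""Traceability check for a small ISMS register (added example).

The register below is constructed and every identifier is hypothetical.
It encodes the chain the article describes (business -> assets -> risks
-> Annex A controls) and reports where that chain is broken.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    name: str
    business_value: str  # why the business depends on this asset


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    asset_ids: tuple  # assets threatened if the risk materialises
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    control_id: str   # Annex A reference used as a label, e.g. "A.5.17"
    statement: str
    risk_ids: tuple   # risks this control is meant to reduce


# Constructed sample register: ids, names and values are hypothetical.
ASSETS = [
    Asset("AS-01", "Customer order database", "Holds every open order; downtime halts invoicing"),
    Asset("AS-02", "Build server", "Produces the software we ship"),
    Asset("AS-03", "Office printer", "Convenience only"),  # listed, but no risk refers to it
]
RISKS = [
    Risk("R-01", "Credential theft gives access to order data", ("AS-01",), 3, 5),
    Risk("R-02", "Compromised build server ships tampered releases", ("AS-02",), 2, 5),
    Risk("R-03", "Ransomware on the data warehouse", ("AS-09",), 2, 4),  # AS-09 was never listed
]
CONTROLS = [
    Control("A.5.17", "MFA and unique accounts for database access", ("R-01",)),
    Control("A.8.9", "Build server configuration is version-controlled and reviewed", ("R-02",)),
    Control("A.5.17", "Passwords must consist of 16 characters", ()),  # detached from any risk
]


def check_register(assets, risks, controls) -> dict:
    """Return the breaks in the business -> asset -> risk -> control chain."""
    asset_ids = {a.asset_id for a in assets}
    risk_ids = {r.risk_id for r in risks}
    assets_with_risks = {aid for r in risks for aid in r.asset_ids}
    risks_with_controls = {rid for c in controls for rid in c.risk_ids}
    return {
        "assets_without_risks": sorted(asset_ids - assets_with_risks),
        "risks_on_unlisted_assets": sorted(
            r.risk_id for r in risks if not set(r.asset_ids) <= asset_ids
        ),
        "risks_without_controls": sorted(risk_ids - risks_with_controls),
        "controls_without_risks": [c.statement for c in controls if not c.risk_ids],
        "controls_on_unknown_risks": [
            c.statement for c in controls if not set(c.risk_ids) <= risk_ids
        ],
    }


def justify_control(control, risks, assets) -> list:
    """Answer 'why does this control exist?' as (risk, asset, business value) triples.

    An empty list means the control cannot be justified from the register."""
    risk_by_id = {r.risk_id: r for r in risks}
    asset_by_id = {a.asset_id: a for a in assets}
    chain = []
    for rid in control.risk_ids:
        risk = risk_by_id.get(rid)
        if risk is None:
            continue
        for aid in risk.asset_ids:
            asset = asset_by_id.get(aid)
            if asset is not None:
                chain.append((risk.risk_id, asset.asset_id, asset.business_value))
    return chain


if __name__ == "__main__":
    for finding, items in check_register(ASSETS, RISKS, CONTROLS).items():
        print(f"{finding}: {items}")
    for control in CONTROLS:
        print(control.control_id, control.statement, "->", justify_control(control, RISKS, ASSETS))
```

Run as a script, the checker reports the printer as an asset nobody has assessed a risk for, the ransomware risk as referring to an asset that was never listed and as having no control, and the bare 16-character password rule as a control that protects nothing in the register. The second function answers the question the article poses for each control: the MFA control traces back through a named risk to the order database and the business reason for caring about it, while the detached password rule traces back to nothing.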
Everything is interconnected, and the iterative process must be given time. The business is probably more complicated than you remember as you enter the workshop. Consultants are often able to ask questions that have not been considered before, including questions about the business itself. Major risks may be taken for granted, risks that do not even come to mind on an ordinary working day.
Do we still need consultants?
There is no requirement to use a consultant, as organizations can also work through the agenda outlined above themselves. However, workshops are usually run by a consultant for the following reasons:
- You get an outside and neutral view into your situation
- We have a lot of experience in “whether to do this or that”
- Action plans for the next steps are obtained quickly and on time
- The activities are organized immediately
- There is simply no time to do things on your own
- Ready-made views and templates, fried in fine butter, for further processing
The total workload required by the project is often difficult to estimate. The more the client company invests and does on its own, the less of the burden naturally falls on the consultant. Some do their projects without consultants; some outsource just the writing and process modeling. However, ownership of the management system always stays with the customer. Just as we discussed the mandatory documents, there is also a discussion to be had about the mandatory owners in the project.
If a company produces a single service and application, its entire staff is the CEO, and the CEO is also the CISO and the whole security function, the situation is very different from that of a company delivering many products to many countries with many technologies and delivery methods, through a complex organization and decentralized corporate cultures. A fair estimate of the amount of consulting work is "more than a day and less than five days a week". It is worth striving for a flexible model in which the consultant's work adapts to the customer's capacity to absorb information.
After the beginning
The next step is to get organized, create some kind of project plan and decide what the deliverables of the project work should be. It is worth preparing for the fact that developing the management system and implementing it, so that it becomes part of the company's operations from the boardroom to the factory floor, will take time. In calendar time it takes at least half a year of effort to achieve a certified entity, again depending on the complexity of the organization and its current maturity level. Even if documents and processes are created faster, their recipients are the employees (humans!), whose main task is usually not information security work but the core business or its supporting processes and functions.
In addition to the business itself, incident management, continuity and the maintenance of competence (i.e. training) must become part of everyday life. A little bit of everything is required: doing, organizing and continuous improvement.