ISO 27001 standard: Breaking the documentation myth

Dejan Kosutic is the founder of the Information Security & Business Continuity Academy. In this interview he discusses the future of compliance, ISO 27001 documentation, audit preparation, and much more.

Many entering the information security industry wonder about the basics, so what does it mean to be compliant? What are the pros and cons of making sure you adhere to a certain standard?
If speaking about ISO 27001 (the leading international information security management standard) being compliant means that an organization has adapted its internal processes so that they protect the confidentiality, integrity and availability of their most critical information.

And this is where most misconceptions about ISO 27001 come from – first of all, information security is not all about IT, because usually the weakest link in security are the people. Firewalls and anti-virus software are necessary, but they are not enough. An organization has to figure out how to protect its information in all the other cases, and that includes someone from the inside wanting to do damage. A comprehensive approach is therefore needed, and this is what ISO 27001 defines.

Further, ISO 27001 does not prescribe which type of firewall an organization must use or how it must configure it – this is something the organization needs to define by itself, based on the potential incidents that could happen. Those potential problems are called risks, and their identification (called “risk assessment”) is the foundation of any information security management. It’s only after you find out where the risks are that can you define what kind of security controls you need, and how much you must invest.

I’ve seen too many times how top management, thinking that information security equals IT security, pushes this kind of project onto the IT department. But the IT department usually doesn’t have the knowledge of the business side of the organization or the authority to make necessary changes, so those project often run into trouble.

Regarding pros and cons – I would say that the main benefit is that you don’t have to reinvent the wheel. The standard is written by leading information (and IT) security experts, so basically you don’t have to learn from your own mistakes.

The biggest negative side when it comes to the use of this standard is that it won’t work as it should if there are no business benefits to its implementation. Many companies try to implement it because someone from the middle-management thinks it’s quite fancy, but they don’t get the support from the top management. After a while they realize they have invested a great deal of energy into something that isn’t needed.

With standards evolving to keep up with the threat landscape, what type of changes can organizations expect in the next five years?
I expect that in next 5 to 7 years it will be commonly understood that the biggest security problems lie in people and organization, and that technology is just a tool.

The other big trends are cloud computing and social networking. This means that you cannot protect your information on your company’s perimeter, because your information is being stored and processed beyond it. This challenge will certainly require new approach from both organizational and technological point of view.
Finally, we’re witnessing a flood of various security certifications, both for organizations and for individuals. I expect the market to clear out, and only a few of them to remain as the mainstream. Of course, I bet on ISO 27001.

Based on the feedback you get from your clients who begin writing the ISO 27001 documentation, what do they struggle with the most?
Most of them struggle with what I call the “documentation myth”. Before they start implementing the standard, they think it will be enough to write a couple of documents, show them to the certification auditor, and that’s it – as simple as that, just a couple of days of work.

However, the reality is much different – first of all, they realize that writing the documentation is not that easy. For example, when you have to write the Risk Assessment methodology, not only must you know how to perform risk assessment, but you also need to know how to adapt it so that is suits your organization. After all, you don’t want to spend the next 6 months wasting resources doing only risk assessment, and this process is determined mainly by your methodology. Therefore, writing it requires quite a lot of experience, and enough time to figure out what is best for the organization.

Secondly, once they have made quite an effort in writing a particular document, they realize that such a document doesn’t make any sense if it is not implemented. But the problem is that changing habits is not easy – e.g. if a password policy requires that everyone changes passwords every 6 months, it is not something the employees are going to be very happy about. This is a point where training and awareness programs need to be performed, because without them such a change will fail.

What advice would you give to an organization preparing for an audit?
It really depends on the type of an audit – whether it is internal or external. Internal audits are often perceived as an overhead, as something that needs to be done “because the standard says so”. A very small number of companies use it for its real purpose, which is to help improve their security. The thing is – if an auditor is experienced and has the right approach, he will be in the best position to find out where the security problems are. So the main point of internal audit is to uncover all those nonconformities and initiate a structured approach to resolving them (also called “corrective actions”).

I consider external audits to be quite useful because they set a concrete deadline to finish all the implementation work, which urges companies to give priority to this kind of a project. The main difference when compared to an internal audit is that you need to be ready – and being ready means that you can’t write the documentation in the week prior to the audit. As I mentioned earlier, this step takes time and it has to be planned. Of course, this change in attitude is impossible without the understanding and direct support from the top management.

What advice would you give to an auditor set to examine an organization from the inside out?
Certification auditors also need to get away from the “documentation myth”. That is, they shouldn’t issue the certificate only because the company has perfect documentation. They should check whether the appropriate security actions and processes are really in place, compliant with the documentation.

But not every auditor is capable of doing it. In my opinion, auditors must particularly focus on answering two questions:

1. Does the Information Security Management System (ISMS) really protect the confidentiality, integrity and availability of most critical information, throughout all the processes and all the organization? Auditors often get lost in some detail related to particular control and fail to see a big security issue on the other end of a process/organization.

2. Does the ISMS fit for this particular industry? The flow of information – and, therefore, the requirements for its security – is completely different in a bank as opposed to in a manufacturing company.

To be able to do this, auditors must gain experience in particular industries, and learn to think holistically as well as analytically.