ISO 27001 standard benefits, implementation tips and security controls

Dejan Kosutic is an expert in information security management and business continuity management. In this interview he talks about the key changes in the ISO 27001: 2013 revision, the new security controls, mandatory documentation, implementation challenges, and much more.

What are the key changes in the ISO 27001: 2013 revision, as well as the benefits?
The key benefit of this new ISO 27001 is that it can be more easily implemented in smaller companies – a greater degree of flexibility is allowed, and a smaller number of mandatory documents is needed. For instance, the risk assessment process is simplified, and there are no more requirements to document procedures like internal audit or corrective action.

What are the new security controls and how does the 2013 revision deal with new risks?
First of all, the number of suggested controls in the 2013 revision has actually decreased from 133 to 114 – therefore, it is easier now to find the controls that are really needed for a particular risk. The new controls are these: A.6.1.5 Information security in project management, A.14.2.1 Secure development policy, A.14.2.5 Secure system engineering principles, A.14.2.6 Secure development environment, A.14.2.8 System security testing, A.16.1.4 Assessment of and decision on information security events, and A.17.2.1 Availability of information processing facilities.

How much new mandatory documentation is there, and for certified companies is there lots of work involved in implementing these?
As I mentioned previously, there is actually less documentation required. If a company is already certified against the old 2005 revision of ISO 27001, only about 10-20% of the existing documents will need to be changed, and some of the documents may now be deleted. Therefore, the effort to make this transition to the 2013 revision won’t be too big.

What advice would you give to those who want to transition from ISO 27001:2005 to 2013?
This transition should be planned carefully – if doing it unplanned, one could spend double the time that would normally be needed. In my blog post, How to make a transition from ISO 27001 2005 revision to 2013 revision, I’ve explained what are, in my opinion, the optimal 12 steps to make this transition.

Let’s say you’re talking to a company that hasn’t implemented ISO 27001; how would you explain the benefits of this standard, the implementation program, and how this can help them in the long term?
The most important thing is to make the decision makers (i.e. the top management) interested in this project, because they are the ones who will approve the project or reject it. And to do this you have to find which business benefits could be achieved by implementing information security in your company.

I usually like to present the following benefits: (1) compliance – by implementing ISO 27001, a company will comply with all the information security legislation, but also with contractual requirements that clients are enforcing more and more; (2) marketing advantage – companies with this certificate might get some new clients who are looking for this kind of guarantee for the security of their information; (3) decreasing the costs – by implementing ISO 27001, many security incidents will be prevented, and the investment in implementing this standard is usually far less than the cost of remediation of the incidents; and (4) optimizing the business processes – since the standard requires defining exactly who needs to do what, when and how, this means that employees will be spending less time searching for ways to perform their tasks.

Unfortunately, too many IT and security professionals focus on IT benefits instead of focusing on business benefits – but by presenting the benefits like “We will be more secure,” or even worse, “We will have a nice secondary location,” this doesn’t really say anything to the top management on how it will increase their profits, decrease costs, achieve their strategic goals, or limit their business risks.

It sounds like once the initial work is complete, the rules and procedures ISO 27001 puts in place can reduce mistakes and make the IT department’s job easier?
Exactly! The problem is that very often IT professionals see this standard as unnecessary bureaucracy; but in reality, if the rules for using the information technology are clear for everyone in the company, the number of problems related to IT will decrease. This means IT departments will be dealing less with resolving the problems like “Why don’t I see this icon anymore,” and can focus on more strategic things.

What are the benefits of implementing ISO 27001 with other management standards?
If a company has already implemented, e.g., ISO 9001, it will decrease the time required for ISO 27001 implementation by 30% – this is because these two standards have a lot in common and, for instance, some of the documentation written for ISO 9001 can be used for ISO 27001 as well.

But there is one standard that is even more compatible with ISO 27001: the business continuity standard ISO 22301. When implementing ISO 27001, with 10% additional effort a company can implement ISO 22301 too, because these two standards are highly compatible and about 60% of their requirements are the same.