In this presentation I’ll show you why ISO 27001 doesn’t have to be just another bureaucratic compliance job – I’ll show you how it can actually help you do your job.
The main point is – information security can be very useful, not only for our company, but also for you personally.
ISO = International Organization for Standardization
Developed by leading information security experts – the point is, ISO 27001 is a summary of the best information security practices worldwide.
Confidentiality = only the authorized persons can access the information
Integrity = only the authorized persons or systems can change the information
Availability = the information is available when needed
The point is: information security is not only about confidentiality; it is also about preserving integrity and availability.
How can we protect confidentiality, integrity and availability? Let’s say you frequently leave your laptop in your car, on the back seat. Chances are, sooner or later it will get stolen.
So, what can you do to decrease the risk to your information? First, you can make a rule (by writing a procedure or a policy) that laptops cannot be left unattended in a car, or that you have to park the car where some kind of physical protection exists. Second, you can protect the information itself by setting a strong password and encrypting your data. Further, you can require your employees to sign a statement by which they become legally responsible for any damage that may occur. But all of these measures may remain ineffective if you don’t explain the rules to your employees through a short training.
QUESTION: Can you think of any other risks in our company, and the ways to mitigate them?
So what can we conclude from the laptop example?
The controls are never only IT-related – they always involve organizational issues, human resources management, physical security and legal protection.
Therefore, information security is a set of combined controls, very diverse in nature.
Now, our company has [use real number here] laptops, [number] servers, a complex network, lots of sensitive information in databases and on paper, many contractors, etc. Even if protecting the information on a single laptop was easy, managing the security of all of these assets across an organization certainly is not.
For that you need a system, and ISO 27001 defines the Information Security Management System, or ISMS. So, what do you need to do to set up your ISMS? First you need to find out what can go wrong with your information – that is, how the confidentiality, integrity and availability of each and every piece of information in your company can be endangered. This is done through a process called risk assessment. Once you know where the risks are, you need to select appropriate controls (or safeguards) for each risk you find unacceptable.
“This is an IT job” – this is wrong because security is everyone’s job – e.g., everyone needs to protect his or her own laptop.
“It’s all about writing policies and procedures” – this is wrong because the point is not in writing documents, but in applying them in practice – e.g., if the procedure says that backups need to be made daily, even for laptops, then this is something that everyone needs to do.
“We’ll get lost in all those documents” – wrong because we will write only the documents that are really needed – we will keep the number of documents to a minimum; besides, we will present the documents to you before they are published.
“ISO 27001 will only make our job more difficult” – this standard may require some new things from you, but it will help you with other things – e.g., implementing ISO 27001 will decrease the number of IT incidents, meaning that employees in the IT department won’t have to lose time resolving those incidents; it will also decrease the chance of someone abusing your account and committing fraud (for which you would be held accountable).
“It will be implemented in 2 months” – this is wrong because implementing ISO 27001 requires changes in behavior, and we cannot make several changes at the same time (imagine if we published 20 new policies and procedures in a single day). This is why these documents need to be introduced gradually.
“We do it only because of the certification” – certification is one of our goals, but not the only one… [go to the next slide]
[choose the benefits that fit your company – for detailed explanation of each of these read this article: Four key benefits of ISO 27001 implementation http://blog.iso27001standard.com/2010/07/21/four-key-benefits-of-iso-27001-implementation/]
Project manager – write here the person who will coordinate the implementation of ISO 27001
Project sponsor – write here someone from the top management who will provide you with support for your project
Project duration – calculate the time needed using this free calculator: http://www.iso27001standard.com/en/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation
Suggest which process to document – if you think some process is important, but it is not clear who has to perform the tasks in that process, when, and how.
So, to conclude – this standard enables you to take into account all the information in its various forms and all the potential problems, and gives you a methodology for keeping the information secure. And it will even make your job easier in some cases.
However, to be effective, ISO 27001 needs to be implemented for real – not just for the sake of an auditor, and not just by printing documents without applying them.