Dr Angelika Plate, Director Strategic Security Consulting at Help AG explains the standard and why SMEs need to obtain it.

What is the ISO 27001 standard? 

The international standard ISO/IEC27001 defines requirements for an information security management system (ISMS). The ISMS includes a set of typical management system requirements (such as internal audit, management review, competence, training and awareness, and continual improvement), and a set of requirements specifically related to information security (such as information security risk identification, analysis and evaluation, identification of controls for information security, and a statement of applicability). Like for any other management system (ISO9001, ISO14001, ISO22301, etc.), an organisation can be certified against ISO/ IEC 27001 by any accredited certification body. Any organisation that wishes to claimconformance to the ISO/IEC 27001 standard will need to fulfill each of the requirements contained in this standard. ISO/IEC 27001 is a very successful standard, more than 20,000 certificates have been issued against it and the numbers are constantly growing. ISO/IEC 27001 helps to improve the information security culture within the organisation, and demonstrates that the organisation works securely.

Why is ISO27001 important forSMEs? 

Like any other organisations,SME sstore and process information, and are dependent on this informationbeing correct, available when needed and not compromised, for example, by competitors. Whilst SMEs might not have the same possibilities from a resourcing and budgeting perspective as large organisations have, they should still consider information security to avoid losses, business interruptions and negative impacts on reputation. BSI has developed a self-assessment for SMEs, available on its website at www.bsigroup.com. Theself-assessment hasbeendesigned to assess organisation’s readiness for an ISO/IEC 27001 information security management system. By completing this questionnaire the results will showwhere the SME is compliant with ISO/IEC 27001, and where there are gaps and omissions. Based on this result, an SME can develop a staged approach to close the identified gaps one by one, as time, resources and budget allow. In addition, BSI has developed a more generic SME Guide to Standards, interested SMEs can download this brochure for free from the website.

What are the benefits of having ISO 27001? 

There aremultiple benefits in establishing, implementing, operating and improving an information securitymanagement system in accordancewith ISO/IEC 27001: Not all of these benefits apply to all organisations, each organisation has its own targets and business objectives to apply ISO/IEC 27001. The most common benefits are: w Providing independent assurance – this is provided by achieving certification from an independent certification body. The independent assessment, for which a successful outcome is demonstrated by a certificate, provides assurance that the organisation operates securely. w Achieving corporate governance – corporate governance is achieved by an accumulation of different activities; implementing ISO/IEC 27001 provides a major step in that direction. w Providing a competitive edge – this is achieved by the customer understanding that the organisation operates securely. w Meeting legal and contractual requirements and demonstrating to customers that the organisation is secure – compliance with legal and regulatory requirements is an element of the ISMS risk assessment and the associated controls. An ISMS correctly implemented will ensure that all applicable legal and regulatory requirements are complied with when dealing with information. w Independently verifies that the information security risks are properly identified, assessed and managed – the ISMS requirements include information security risk assessment and treatment, and only if this is done in line with the requirements of the standard, a certificate will be granted. w P r oves sen i o r managemen t commitment to information security – no ISMS can work without the commitment of top management, this is another requirement in ISO/IEC 27001. w Continually improving information security – monitoring the performance of the ISMS and improving it, where necessary, ensures that information security is not degrading but getting better where needed.

Do you think having the ISO 27001 standard gives customers more confidence inhowtheir data isbeing stored and the security around it? 

Yes! Customer data is valuable for all organisations, their confidentiality, integrity and availability needs to be maintained at all time. The process of establishing and implementing an ISMS includes an information security risk assessment, which will also identify and assess the risks that customer data is facing in the organisation. The risk assessment is followed by risk treatment, which will identify suitable options and information security controls to mitigate the risks that have been assessed. The certification process will include a check of the information security risk assessment and treatment that the organisation has used, as well as the implementation of the controls that identified for the risks. Customer data is part of this process, therefore the certification audit will also cover their protection. There is one caveat to mention: Customers that want confidence that their data is storedandprocessed securely should verify that customer data is within the scope of the ISMS certification!

There were some changes made to the standard in 2013, can you give an overview of what these changes are and how they affect a company? 

The most important changes are: 1. Removal of requirements overlapping with ISO/IEC 27002: some of the requirements, e.g. the requirement to identify attempted and successful security breaches and incidents relates more to an information security control than the management system – such requirements have been removed. 2. Introduction of new requirements, e.g. for information security objectives and communication – most of the new requirements resulted from the identical core text developed by ISO for all management systems. 3. Changes to the information security risk assessment – thenew requirements for information security risk assessment have been changed to be entirely compatible to ISO 31000, and the following requirements have been removed: a. Asset identification b. Identification of threats and vulnerabilities, and the link to existing controls The new requirements for information security risk assessment (in direct alignment with ISO 31000) simply refer to : wRisk identification wRisk analysis wRisk evaluation 4. Changes to information security risk treatment – the main concepts have been maintained, the risk treatment options have been aligned with ISO 31000, the Statement of Applicability is still required, but now as the pure comparison between the controls in Annex A and the actions identified for information security risk treatment. 5. It was also chosen to maintain the link to the ISO/IEC 270002 controls and to leave Annex A – with the necessary updates because of the ISO/IEC27002 revision – in the same way as before. 6. Introduction of “documented information” – this isaconcept from the identicalcoretexttoreplace“documents and records” by “documented information”; for anybody not in favour of this concept, a simple re-definition can solve the problem. 7. Removal of “preventive action” – the new ISO/IEC27001 does no longer use the concept of “preventive action” as it has been used before; this has been subsumed inotherpartsof thestandard. Overall, the changes should make it easier for an organisation to apply ISO/ IEC 27001, especially the changes of the requirements related to risk assessment and treatment. ISO provides templates highlighting the detailed changes.

How does an SME begin to apply for the ISO 27001 standard? 

There are several approaches an SME can take to apply ISO/IEC 27001, but it is always good to start with an understanding of the current status of information security in place. This helps to identify gaps, and also identifies all those activities that are in place already and can be re-used in later parts of the process. Basedon the results of the gapanalysis, an information security risk assessment should be conducted to identify risks by relating the potential damage of a risk occurring with the gaps that have been identified during the gap analysis. The risk assessment results help to rank the identified risks in order of magnitude, which will help the SME to identify the most serious risks.