In our world of commodified data, cybersecurity standards need to be sky-high and razor-sharp. Most companies, even if not immediately tech-related, will eventually run into the need to gird themselves from within.

More than a decade ago, the International Organization for Standardization adopted a specification called ISO 27001. So what exactly is it? What can an ISO 27001 audit tell us about an organization's inner workings? And how do you decide whether your company should be audited?

What Is an Information Security Management System (ISMS)?

An Information Security Management System (ISMS) is an organization's main line of defense against data breaches and other types of cyberthreats from the outside.

An effective ISMS ensures that the information being protected remains confidential and secure, faithful to the source (its integrity is preserved), and accessible to the people who have the clearance to work with it.

A common mistake is to assume that an ISMS amounts to no more than a firewall or other technical means of protection. Instead, a fully integrated ISMS is just as present in the culture of the company and in each employee, engineer or otherwise. It goes far beyond the IT department.

More than merely official policy and procedure, the scope of this system also includes the team's ability to manage and refine the system. Execution and the way that the protocol is actually applied are paramount.

This involves taking a long-term approach to risk management and mitigation. A company's principals need to be intimately familiar with any risks associated with the industry that they work in specifically. Armed with this insight, they will be able to build the walls around themselves accordingly.

What Is ISO 27001, Exactly?


In 2005, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) revamped BS 7799, a security management standard first established by the BSI Group a decade earlier.

Now officially known as ISO/IEC 27001:2005, ISO 27001 is an international standard; certification against it is awarded to companies that are exemplary in information security management.

Essentially, it's a rigorous collection of requirements that a company's information security management system can be held against. This framework allows auditors to evaluate the robustness of the system as a whole. Companies may choose to have an audit when they want to reassure their customers and clients that their data is safe within their walls.

Included in this collection of provisions are specifications regarding security policy, asset classification, environmental security, network management, system maintenance, and business continuity planning.

The ISO condensed all of these facets from the original BSI charter, distilling them into the version that we recognize today.

Digging Into the Policy

What exactly is being evaluated when a company undergoes an ISO 27001 audit?

The standard's aim is to formalize effective and secure information policy internationally. It incentivizes a proactive stance, one that seeks to avoid trouble before it happens.

The ISO emphasizes three important aspects of a secure ISMS:

1. Constant analysis and acknowledgment of risk: this includes both current risks and risks that may present themselves in the future.

2. A robust and secure system: this includes the system as it exists in a technical sense, as well as any security controls that the organization uses to protect itself against the aforementioned risks. These will look very different, depending on the company and the industry.

3. A devoted team of leaders: these will be the people actually putting controls to work in defense of the organization. The system is only as effective as those working at the helm.

Analyzing these three key contributing factors helps the auditor paint a more complete picture of a given company's ability to operate securely. Sustainability is favored over an ISMS that relies only on brute technical force.


There is an important human element that must be present. The way that people within the company exert control over their data and their ISMS is held above all else. These controls are what actually keep the data safe.

What Is Annex A of ISO 27001?


Specific examples of "controls" depend on the industry. Annex A of ISO 27001 offers companies 114 officially recognized means of control over the security of their operations.

These controls fall into one of fourteen classifications:

A.5—Information Security Policies: the institutionalized policies and procedures a company follows.

A.6—Organization of Information Security: the assignment of responsibility within the organization in regard to the framework of the ISMS and its implementation. Included here, oddly enough, is also policy governing teleworking and the use of devices within the company.

A.7—Human Resource Security: concerns onboarding, offboarding, and employees changing roles within the organization. Screening standards and best practices in education and training are outlined here, as well.

A.8—Asset Management: involves the data being handled. Assets must be inventoried, maintained, and kept private, even across departmental lines in some cases. Ownership of each asset must be established clearly; this clause recommends that companies draft an "Acceptable Use Policy" specific to their line of business.

A.9—Access Control: who is allowed to handle your data, and how will you limit access to only authorized employees? This can include conditional permission-setting in a technical sense or access to locked buildings on your company's campus.

A.10—Cryptography: primarily deals with encryption and other ways of protecting data in transit. These preventive measures must be managed actively; the ISO discourages organizations from considering encryption to be a one-size-fits-all solution to all of the deeply nuanced challenges associated with data security.

A.11—Physical and Environmental Security: assesses the physical security of wherever sensitive data is located, whether in an actual office building or in a small, air-conditioned room full of servers.

A.12—Operations Security: what are your internal rules of security when it comes to the operation of your company? Documentation explaining these procedures should be maintained and revised frequently to meet new, emerging business needs.

Change management, capacity management, and the separation of different departments all fall under this heading.

A.13—Network Security Management: the networks that connect each system within your company need to be airtight and carefully looked after.

Catch-all solutions like firewalls are made even more effective when supplemented with measures such as frequent verification checkpoints, formalized transfer policies, or a ban on using public networks while handling your company's data.

A.14—System Acquisition, Development, and Maintenance: if your company doesn't already have an ISMS in place, this clause explains what an ideal system brings to the table. It helps you ensure that the scope of the ISMS covers every aspect of your production lifecycle.

An internal policy of secure development gives your engineers the context that they need to build a compliant product from the day that their work begins.

A.15—Supplier Security Policy: when doing business with third-party suppliers outside of your company, what precautions are taken to prevent leaks or breaches of the data shared with them?

A.16—Information Security Incident Management: when things go wrong, your company likely provides some framework for how the problem should be reported, addressed, and prevented in the future.

The ISO looks for response procedures that enable figures of authority within the company to act quickly and decisively after a threat has been detected.

A.17—Information Security Aspects of Business Continuity Management: in the event of a disaster or some other unlikely incident that disrupts your operations irrevocably, a plan will need to be in place to preserve the well-being of the company and its data until business resumes as normal.

The idea is that an organization needs some way of preserving the continuity of security through times like these.

A.18—Compliance: finally, we come to the actual contract of agreements that a company must subscribe to in order to meet the requirements for ISO 27001 certification. Your obligations are laid out before you. All that's left for you to do is sign on the dotted line.

The ISO no longer requires that compliant companies employ only controls that fit into the categories listed above. The list is a great place to start if you're just beginning to lay the foundation of your company's ISMS, however.


Should My Company Be Audited?

That depends. If you're a very small start-up working in a field that is not sensitive or high-risk, you can probably hold off until your plans for the future are more certain.

Later, as your team grows, you could find yourself in one of the following categories:

  • You may be working with an important client who asks your company to be assessed in order to ensure that they will be safe with you.
  • You might want to transition to an IPO in the future.
  • You have already fallen victim to a breach and need to re-think the way that you manage and protect your company's data.

Forecasting for the future may not always be easy. Even if you don't see yourself in any of the above scenarios, it doesn't hurt to be proactive and to begin incorporating some of the ISO's recommended practices into your regime.

The Power Is In Your Hands

Preparing your ISMS for an audit is as simple as exercising due diligence, even as you work today. Documentation should always be maintained and archived, giving you the evidence that you'll need to back up your claims of competency.

It's just like in middle school: you do the homework, and you get the grade. The customers are safe and sound, and your boss is very happy with you. These are simple habits to learn and keep. You'll thank yourself later when the man with a clipboard finally comes calling.