The Case for ISO27001:2013

ALAN CALDER
Copyright Date: 2013
Edition: 2
Published by: IT Governance Publishing
https://www.jstor.org/stable/j.ctt5hh52r
    Book Description:

    This friendly guide, updated to reflect ISO27001:2013, presents the compelling business case for implementing ISO27001 in order to protect your information assets. This makes it ideal reading for anyone unfamiliar with the many benefits of the standard, and as a supporting document for an ISO27001 project proposal.

    eISBN: 978-1-84928-531-5
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-6)
  2. Table of Contents
    (pp. 7-8)
  3. INTRODUCTION
    (pp. 9-12)

    The replacement, in late 2005, of BS 7799-2:2002 by the international Information Security Management System Standard ISO/IEC 27001:2005 marked the beginning of the age of information security management. The update to ISO/IEC 27001 in 2013 was released to an ever-expanding information economy.

    In the first eight years that BS 7799 existed as a Standard against which organisations could gain an external certification, about 1,000 were successful, worldwide. This number doubled in the subsequent 12 months. Under ISO/IEC 27001, that number has grown geometrically. This book looks at why organisations are increasingly turning to this information security management Standard.

    By far...

  4. CHAPTER 1: INFORMATION ECONOMY, INTELLECTUAL CAPITAL
    (pp. 13-16)

    In the information economy, businesses depend on information and a substantial proportion of their value is made of intangible and information assets. The Board has a fiduciary duty to protect and preserve these assets.

    The information, or knowledge, economy is (as we all know) fundamentally different from the old manufacturing one. Information interchange has sped up the globalisation of markets, products and resourcing. This has led to increasingly similar shopping streets selling increasingly similar products throughout the developed world. All organisations now have an online presence; for many of them, the Internet is their primary or only method of business...

  5. CHAPTER 2: INFORMATION, IT AND COMPETITIVENESS
    (pp. 17-20)

    Information security is essential if your organisation’s productivity and competitive position is to be protected.

    Academic research¹ largely confirms the view that the growth in Western economies since 1995 can largely be linked to the deployment and use of information technology. Studies, and experience, suggest that – excepting the slowdown in the mid-2000s – this growth is sustainable.

    Other studies², examining and comparing specific industries (e.g. finance and manufacturing), concluded that there are circumstances where further IT investment will not provide competitive advantage over other firms in the sector, but that investment is nevertheless essential just to stay in the...

  6. CHAPTER 3: INFORMATION THREATS
    (pp. 21-24)

    All organisations possess information, or data, that is either critical or sensitive. This information is a substantial component of the organisation’s intellectual capital. Information is widely regarded as the lifeblood of modern business. More than 90 percent of businesses now identify themselves as ‘highly dependent’ on electronic information and the systems that process it. This information faces a range of threats, some simple, some complex, and all with the potential to significantly damage an organisation.

    ‘Cyber threat’ is now the most widely used term to describe threats in the digital world. As in the analogue one, cyber threats originate with...

  7. CHAPTER 4: INSECURITY IMPACTS
    (pp. 25-27)

    No organisation is immune to the complex range of threats to its information assets and technology infrastructure. The financial, reputational, operational and punitive impacts of successful cyber attacks or information security failures are significant.

    ‘Impact’ is the consequence of the realisation of a threat. It is usually quantified financially, in terms of the likely loss to the organisation. Estimation of likely loss is inexact, but should take into account both direct and indirect costs, including the likely business cost of reputational damage, loss of business, remedial advertising, investigating, closing the stable door and so on:

    Every organisation will suffer multiple...

  8. CHAPTER 5: ‘TRADITIONAL’ THREATS
    (pp. 28-32)

    All organisations face a range of threats that have been around – and getting progressively worse – for a number of years. Few organisations have taken adequate steps to deal with them. Even as far back as 2001, the CBI Cyber crime Survey recognised that ‘deployment of technologies such as firewalls may provide false levels of comfort unless organisations have performed a formal risk analysis and configured firewalls and security mechanisms to reflect their overall risk strategy.’

    Unless the organisation actually has a risk strategy, it’s not going to be able to ensure that its cyber defences will meet its...

  9. CHAPTER 6: INFORMATION RISK IN LARGE ORGANISATIONS
    (pp. 33-37)

    The information security risks and regulatory pressures faced by larger organisations are of a different league to those faced by smaller ones. Both the threats and the vulnerabilities are significantly different and, as a result, larger organisations suffer more security incidents than the average: ISBS 2013¹, for instance, reported that 93 percent of large companies had experienced an information security breach, compared to an overall rate of 87 percent.

    The threats, both external and internal, are more significant, and this reflects the perceived depth, quantity and value of the larger organisation’s information assets, its reputation and profile, and the number...

  10. CHAPTER 7: ORGANISED CRIME
    (pp. 38-41)

    Organised crime has taken to the Internet in a big way. Cyber crime forms a significant ongoing risk for all organisations: if it is worth taking action to secure premises, it is even more worthwhile to secure digital business areas.

    A Detica report, in conjunction with the UK’s Office of Cyber Security and Information Assurance, estimated that the cost of cyber crime in the UK had reached £27bn per annum by 2011.¹ By way of contrast, a 2001 global study by the UK DTI found that lapses in security policy had cost European businesses alone more than £4.3 billion in...

  11. CHAPTER 8: TERRORISM
    (pp. 42-44)

    Cyber crime is a serious issue. It may be a lesser danger to organisations than the effects of what is called ‘cyber war’: cyber war is even less discriminate than criminal activity, but potentially more devastating. Every organisation has a role to play in securing cyber space against terrorist attacks.

    In 2009, the US President announced that, ‘America’s economic prosperity in the 21st Century will depend on cybersecurity.’¹ This statement was supported by the US General Accounting Office (GAO) in a report on cyber security in February 2013, stating, ‘The evolving array of cyber-based threats facing the nation pose threats...

  12. CHAPTER 9: EVOLVING THREAT ENVIRONMENT
    (pp. 45-47)

    The current situation is not good, and is unlikely to get better. All boards need to take action to deal with current risks; they also need to ensure that they are able to cope with future ones.

    A number of significant trends mean that information security will become even more challenging in the years ahead:

    The use of distributed computing is increasing. Computing power has migrated from centralised mainframe computers and data processing centres to a distributed network of desktop, laptop and micro computers, and this makes information security much more difficult.

    Cloud computing has expanded massively throughout the business...

  13. CHAPTER 10: REGULATORY COMPLIANCE
    (pp. 48-50)

    Today’s regulatory environment is increasingly complex, the penalties for failure unattractive and the route to effective compliance not clear. ISO27001 provides a best-practice solution to the range of regulatory issues faced by directors.

    Organisations have traditionally responded to regulatory compliance requirements on a law-by-law, or department-by-department basis. That was, last century, a perfectly adequate response. There were relatively few laws, compliance requirements were generally firmly established and well understood, and the jurisdictions within which businesses operated were well defined.

    In the 21st Century, all that has changed. Rapid globalisation, increasingly pervasive information technology, the evolving business risk and threat environment,...

  14. CHAPTER 11: DATA PROTECTION AND PRIVACY
    (pp. 51-58)

    Privacy and data protection are linked business issues that are now a global business imperative. Failure to comply with privacy and data protection regulations can have expensive commercial and punitive consequences.

    There are also good business reasons for protecting personal privacy. A successful business in the information economy depends on users having confidence in the confidentiality, availability and integrity of electronic information and communications systems. No trust, no custom.

    Personal information is increasingly subject to regulation. There is international, foreign and industry-specific legislation and regulation. All OECD countries have some form of data protection and privacy legislation, and national regulations...

  15. CHAPTER 12: ANTI-SPAM LEGISLATION
    (pp. 59-62)

    Unsolicited commercial e-mail is a threat to the availability of networks and information, because of the extent to which it can clog up the arteries of the Internet; it is also the subject of regulation. When it is carrying a payload (virus, spyware and so on) it can also be a threat to the confidentiality and integrity of that information. Organisations need to take action to defend themselves against spam and also to ensure that their own electronic marketing is not treated as spam.

    One person’s spam is another’s useful e-mail marketing – and most companies are interested in e-mail...

  16. CHAPTER 13: COMPUTER MISUSE LEGISLATION
    (pp. 63-66)

    Computer misuse legislation is relevant in two ways: authorities and organisations can take action under it against cyber criminals, and organisations have to ensure they comply with it themselves. Directors can be personally accountable for any compliance failures.

    Computer crime legislation is relatively new. An OECD expert committee recommended, in 1983, that member countries ensure their penal legislation also applied to computer crime. The Council of Europe in 1989 adopted a recommendation from its own expert committee that identified the offences – which should be dealt with in computer-related legislation. Meanwhile, in 1990, the UK passed the Computer Crime Act...

  17. CHAPTER 14: HUMAN RIGHTS
    (pp. 67-68)

    Human rights are an increasingly important issue in the information economy. They are, of course, important in every other sense as well; however, directors need to ensure that their organisational policies and procedures are compliant.

    The HRA was enacted in October 2000. It incorporated into UK law the principles of the European Convention for the Protection of Human Rights and Fundamental Freedoms (the Convention). Most of the rights within the Convention are qualified, in that they are subject to limitations if the employer can show necessity to protect the rights and freedom of others. In particular, an employee could argue...

  18. CHAPTER 15: RECORD RETENTION AND DESTRUCTION
    (pp. 69-70)

    Legislation, regulation, business contracts and prudence mandate the retention of specific records. These records are largely electronic (including e-mail) and their confidentiality and integrity needs to be protected throughout the period of retention, and they need to be accessible – in spite of intervening technology upgrades and system changes.

    An increasingly wide range of organisational and individual records (including e-mail, voice mail and Instant Message communications) must be retained to meet statutory or regulatory requirements, while others may be needed to provide adequate defence against potential civil or criminal action or to prove the (current and historic) financial status of...

  19. CHAPTER 16: INFORMATION SECURITY GOVERNANCE
    (pp. 71-77)

    The availability, integrity and confidentiality of its data are fundamental to the long-term survival of any 21st Century organisation. Unless the organisation takes a top-down, comprehensive and systematic approach to protecting its information, it will be vulnerable to the wide range of threats identified in this book. These threats are a ‘clear and present danger’ to organisations of all sizes and in all sectors; responsibility for information risk management, for ensuring that the organisation appropriately defends its information assets, can no longer be abdicated or palmed off on the Head of IT. The Board has to take action. It’s...

  20. CHAPTER 17: BENEFITS OF AN ISO27001 ISMS
    (pp. 78-83)

    The benefits for an organisation in adopting and deploying an ISO27001 Information Security Management System are threefold:

    1. Cost-effective, fit-for-purpose information security and regulatory compliance.

    2. Out-performance vis-à-vis its competitors.

    3. Competitive advantage.

    Information security is a complex issue. Every information asset is subject to multiple threats and the interwoven mesh of related compliance regulation is such that there are no simple solutions. Information security has three key components: technological controls, procedural controls and user behaviour.

    The Board has to prioritise its approach to information security and commit the investment and resources necessary to achieve its information security goals. It will need to...

  21. CHAPTER 18: ISO27001 IN THE PUBLIC SECTOR
    (pp. 84-88)

    Many public-sector organisations face more significant threat levels than the private sector. All the threats identified earlier in this book apply, but in spades. In addition, many public-sector organisations are subject to very specific requirements in terms of information security structures.

    The OCSIA (Office of Cyber Security and Information Assurance) is the UK Government’s Cabinet Office unit that is charged with working with the public and private sectors, and its international counterparts, to safeguard the UK’s IT and telecommunications services. Specifically, the CSIA role is to provide a central, national focus for information security and its mission includes encouraging...

  22. CHAPTER 19: IS ISO27001 FOR YOU?
    (pp. 89-91)

    Unless you’re a tiny organisation (of say two or three people) or you do not use information or information technology inside the business, ISO27001 is an appropriate Standard for you to deploy to safeguard your IT infrastructure investments, protect your competitive position and ensure you comply with current and future national and international laws and regulations.

    If you do, you need to have a structured approach to protecting it against multiple external and internal threats. Such an approach requires a mix of technology and procedure, as well as informed and well-trained computer users. The Standard contains best practice guidelines on...

  23. CHAPTER 20: HOW DO YOU GO ABOUT ISO27001?
    (pp. 92-95)

    Once the Board has recognised the need to deploy a structured information security management system, the steps to implementation are relatively straightforward. There are three preparatory steps that should be taken in every instance.

    The first is to obtain, and study, copies of both ISO27001 and ISO27002. It is against these Standards specifically that compliance will be measured and they, therefore, have precedence over any other guidance or commentary. Copies of the Standards can be obtained from your national standards body or from www.itgovernance.co.uk (IT Governance Ltd is an authorised BSI international distributor).

    The second is to obtain, and study,...

  24. CHAPTER 21: SELECTION OF A CERTIFICATION BODY
    (pp. 96-98)

    Any organisation seeking accredited certification will want to be sure that there is a cultural fit between itself and its supplier of certification services, and there will certainly be all the normal issues of ensuring that there is alignment between the desires of the buyer and the vendor’s offering, including pricing and service. It is completely appropriate to treat the selection of a certification body with the same professionalism as the selection of any other supplier.

    There are three key issues that do need to be taken into account when making this selection: the first is generic, the second is...

  25. APPENDIX: ISO27001 – PAST, PRESENT AND FUTURE
    (pp. 99-102)
  26. USEFUL WEBSITES
    (pp. 103-106)
  27. ITG RESOURCES
    (pp. 107-110)