Back in 1993, the DTI assembled seven companies to write a standard for information security. David Lacey, a founder member of The Jericho Forum and The Institute for Information Security Professionals (IISP), worked with others in the industry, and wrote the introduction, and many of the ten chapters that made up the British Standard BS 7799. The Standard was launched in 1993, and Shell (David’s company at the time), gained the world’s first certification, awarded by KPMG under the Dutch scheme for Shell’s IT services across Europe.
The International Standard ISO 27001 is the international standard for information security and is based largely upon BS 7799. It represents a clearly defined set of requirements (and best practice in ISO27002) in information security for an organisation. It covers: outlining requirements for security policies, procedures, risk analysis, and specifies technical, physical and procedural controls that should be considered in the context of the organisation. Looking at high-publicised breaches in information security over the last few years in the UK, a number of breaches occurred because whilst there were appropriate technical controls in place (in some cases), there wasn’t the corresponding security policies, procedures and user security awareness training in place; or technical controls had been considered for one area of the business (e.g. laptop encryption) only to lose the data via another route (unencrypted removable media); or a data centre well-guarded in terms of technical controls, had poor physical access security (an unsecured door propped open by the cleaners).
A company going through the ISO 27001 certification process allows them to consider all these aspects, in the context of their relevance to the organisation. A few years ago, I wrote a white paper for a vendor, mapping the use of their technology to the controls specified in the standard. It raised the profile of ISO 27001: for those not considering certifying their organisation to the standard, it raised the awareness of it, and encouraged them to at least research further and purchase a copy of the standard. For those already considering, or certifying to the standard, it clearly mapped out how the use of our technology helped meet (either wholly or partially) the particular control in the standard. It also helped raise our profile as a vendor by demonstrating we were passionate about information security, and offered value beyond the supply and implementation of our own technology. It was very much a win-win situation for all concerned.
SMEs (Small and medium sized Enterprises) are defined by headcount, turnover and balance sheet by the EU, but are typically 250 employees or less. In these organisations, information security has historically been seen as a “grudge purchase”, and “someone else’s problem” yet the legislation and regulatory compliance affecting large organisations apply as much to SMEs as they do to global, multi-national corporates. To illustrate this, a recent study by Eclipse Internet discovered 62 per cent of the 154 small and medium-sized enterprises (SMEs) polled did not know that changes were due to come into force in on 6th April 2010 regarding the Data Protection Act in the UK. While most had at least heard about the Data Protection Act, only 22% were aware that its powers were being extended in April 2010, giving the Information Commissioner’s Office the ability to hand out fines of up to £500,000 to firms for breaches of the Act.
Similarly, any SME offering payment via credit card transactions needs to think about PCI DSS compliance. Many SMEs will most likely fall under Level 4 compliance (under 20,000 transactions a year) or possibly Level 3 compliance (20,000 to 1,000,000 transactions a year). The broad outline for PCI DSS compliance are: to build and maintain a secure IT network; to protect cardholder data; to maintain a vulnerability management program; to implement strong access control measures; to regularly monitor and test networks; and maintain an information security policy. All of these are covered in ISO 27001.
Why do many SMEs take the view that information security is an onerous task or a grudge purchase? To account for the difference in thinking between big business and SMEs, one needs to take into account the key business drivers that acutely drives SMEs: the drive to secure new customers and win new business; a close eye on expenditure and not anything deemed to be “unnecessary”; and for many a short-term outlook which is driven by events today and the current quarter, rather than a holistic, long-term view. This view is also compounded by a lack of purchase of security solutions by other SMEs (which in turn drives up the low volume per seat purchase price) and by the security vendors who historically have seen the SME market place as a high effort/low revenue ratio and thus not focused on selling to this market as strongly as say multinationals, and local and central government. Thus the low volume (“entry level”) purchase remains high, and thus remains a blocker for SMEs to purchase. Special pricing for SMEs typically does not exist.
The irony is that whilst many SMEs need to ensure their legal and regulatory compliance, and currently do so (if at all) on a piecemeal basis currently, the framework provided by the ISO 27001 standard sets out the controls necessary for information security. PCI-DSS, for example, whilst not specifically written to map to the ISO27001 standard (or indeed ISO27002: Best code of practice guidance for the standard), anyone who has used the guidance provided in ISO 27002, should, with very minor additional work, be able to demonstrate their conformance to the PCI standard. Thus the ISO 27001 standard and the ISO27002 best practice, form the basis of compliance across PCI DSS and many other areas regarding information security.
The process of going through the ISO27001 preparation and certification ought not to be an onerous one for an SME. Clearly regarding security policies and awareness training, your requirements are going be very different from those of a 30,000 employee multi-national corporation. Similarly, controls regarding physical security are going to be different (and less costly) for an organisation employing 5 people to one which employs thousands and needs to address controls in place for say, a datacenter to cover DR, and address risks from fire, flooding and physical access. At a recent chapter meeting of the ISSA, David Lacey proposed a workshop to produce a new “streamlined” version of the standard for SME guidance, so that there is less paperwork for the SME to go through, both in the preparation for, (and subsequent auditing of) ISO27001. This is to ensure that the standard is not seen to be onerous, since some of it will not be appropriate for the SME organisations. ISSA members, including myself, will be working to produce a new streamlined version specifically for the SME market.
The benefits of going through the certification process are numerous for an organisation. Not only will certifying to the ISO 27001 standard afford the framework for legal and regulatory compliance across a number of areas with regards to information security, but also a number of definable business benefits, including: key differentiation from competitors; systems interoperability (systems are more likely to work together if viewed as a whole rather than individually); security awareness (implementation of the policy results in a workforce more aware of the risks and their obligations regarding information security), and business alignment (because the implementation of ISO 27001 requires the involvement of both business and technical management, greater Information Technology and Business alignment often results) and of course improved information security (adopting the standard reduces the risk).
Phil Stewart is director of Excelgate Consulting and holds the Certified ISO27001 Implementation Practitioner (CIIP) certification