Very often I hear things about ISO 27001 and I don't know whether to laugh or cry over them.
Actually it is funny how people tend to make decisions about something they know very little about - here are the most common misconceptions:
"The standard requires..."
"The standard requires passwords to be changed every 3 months." "The standard requires that multiple suppliers must exist." "The standard requires the disaster recovery site to be at least 50 km distant from the main site."
Really? The standard doesn't say anything like that. Unfortunately, this kind of false information I hear rather often - people usually mistake best practice for requirements of the standard, but the problem is that not all security rules are applicable to all types of organizations.
And the people who claim this is prescribed by the standard have probably never read the standard.
"We'll let the IT department handle it"
This is the management's favorite - "Information security is all about IT, isn't it?" Well, not really - the most important aspects of information security include not only IT measures, but also organizational issues and human resource management, which are usually out of reach of IT department. See also Information Security or IT Security.
"We'll implement it in a few months"
You could implement your ISO 27001 in 2 or 3 months, but it won't work - you would only get a bunch of policies and procedures no one cares about. Implementation of information security means you have to implement changes, and it takes time for changes to take place.
Not to mention that you must implement only those security controls that are really needed, and the analysis of what is really needed takes time - it is called risk assessment and risk treatment.
"This standard is all about documentation"
Documentation is an important part of ISO 27001 implementation, but the documentation is not an end in itself. The main point is that you perform your activities in a secure way, and the documentation is here to help you do it.
Also, the records you produce will help you measure whether you achieve your information security goals and enable you to correct those activities that underperform.
"The only benefit of the standard is for marketing purposes"
"We are doing this only to get the certificate, aren't we?" Well, this is (unfortunately) the way 80 percent of the companies think.
I'm not trying to argue here that ISO 27001 shouldn't be used in promotional and sales purposes, but you can also achieve other very important benefits - like preventing the case of WikiLeaks happening to you.
The point here is - read ISO 27001 first before you form your opinion about it; or, if it's too boring for you to read it (which I admit it is), consult with someone who has some real knowledge about it. And try to get some other benefits, other than marketing.
In other words, increase your chances to make a profitable investment in information security.
Cross posted from ISO 27001 & BS 25999 blog - http://blog.iso27001standard.com
Complete ISO 27001/ BS-25999-2 Webinar Schedule:
February 2, February 14 - ISO 27001 Foundations Part 1: ISMS Planning Phase, Documentation and Records Control
February 15, February 21 - ISO 27001 Foundations Part 2: Implementation, Monitoring and Reviewing, Maintaining and Improving the ISMS
FREE WEBINAR - February 16 - ISO 27001 & BS 25999-2: Why is It Better to Implement Them Together?
February 16, February 22 - Internal Audit: How to Conduct it According to ISO 27001 and BS 25999-2
February 16, February 23 - ISO 27001 Lead Auditor Course Preparation Training
February 17, February 23 - BS 25999-2 Foundations Part 1: Business Impact Analysis
February 22, March 7 - ISO 27001 Foundations Part 3: Annex A Overview
FREE WEBINAR - February 23 - ISO 27001: An Overview of ISMS Implementation Process
February 24, March 9 - BS 25999-2 Foundations Part 2: Business Continuity Strategy
March 8, March 21 - Risk Management Part 1: Risk Assessment Methodology and Risk Assessment Process
FREE WEBINAR - March 9 - BS 25999-2: An Overview of BCM Implementation Process
March 9, March 22 - How to Become ISO 27001 / BS 25999-2 Consultant
March 10, March 23 - BS 25999-2 Foundations Part 3: Business Continuity Planning
FREE WEBINAR - March 23 - ISO 27001 Implementation: How to Make It Easier Using ISO 9001
March 24, April 18 - How to Write Four Mandatory Procedures for ISO 27001 and BS 25999-2
April 5, April 19 - ISO 27001 A.6 & A.8: Organization of Information Security; External Parties; Raising Awareness, Training and HR Management
FREE WEBINAR - April 6 - ISO 27001/BS 25999-2: The Certification Process
April 6, April 19 - ISO 27001 A.7: Asset Management and Classification