Information Security Relief is Spelled ISO-27001

Wednesday, February 15, 2012

John Verry


The rise of virtualization technology coupled with the economic downturn of the late 2000s has resulted in a tremendous surge in the use of “the cloud” (Software, Platform, or Hardware as a Service) to reduce costs and increase business agility.

However, this also means increased risk, as cloud service providers are often handling sensitive data on our behalf.

Complicating the issue is the rise of regulations governing the data we are pushing to the cloud. Sarbanes-Oxley (financial), 47 state PII regulations (personally identifiable information), HIPAA (medical), and PCI (credit card) have dramatically increased our responsibility to ensure that third parties handle our data in a manner consistent with our security requirements.

This has resulted in a tremendous burden for cloud service providers to be able to “prove” they are secure and compliant, and for us, the consumers of cloud services, to make certain that they are.

Interestingly, perhaps even conveniently, both problems share the same answer. Relief is spelled: I-S-O-2-7-0-0-1.

What is ISO-27001?

Simply put, ISO-27001 is an internationally recognized standard that makes it easy to know you are secure and to be able to prove it. It defines a systematic approach to managing information security risk, often referred to as an Information Security Management System (ISMS).

The ISO-27001 “story” began in 1987, when Ronald Reagan was President, CompuServe was king, and HTML was still a gleam in Tim Berners-Lee’s [1] eye. At that time the British government had the foresight to realize that the growth of digital information and its flow across networks and systems posed a new-found and significant risk.

In order to address this risk they developed BS-7799, “a code of good security practice” (actually a collection of 127 good security practices), to define the “controls” necessary to keep critical government information secure. By 1995, with the internet driving new risk, BS-7799 had evolved to be the de facto guidance on information security. At that time it was formally adopted by the International Standards Organization as ISO-17799 (now referred to as ISO-27002).

The only challenge with ISO-17799/27002 was that it was a “code of practice”, not a “standard”, so it wasn’t possible for an organization to be sure they had leveraged it optimally, or for an auditor to formally opine with a traditional pass or fail verdict.

That challenge was solved by the development of BS-7799-2, which spelled out what an organization needed to do to best leverage the code of practice and what an auditor needed to do to validate that the organization was compliant with the standard. In 2005 BS-7799-2 became ISO-27001, and the world’s first internationally recognized information security standard was born.

An unexpected realization from the development of BS-7799-2 / ISO-27001 is that the ISMS itself is of far greater (and more fundamental) importance than the Code of Practice. As Stephen Covey [2] often says: “If the ladder is not leaning against the right wall, every step we take just gets us to the wrong place faster.”

ISO-27001 for the Service Provider

No matter the industry (e.g., debt collection, eDiscovery, hosting) or service offering (e.g., managed services, Software as a Service, Hardware), organizations processing data on behalf of their clients are experiencing the pain of proving they are secure and compliant with client standards and/or the myriad of regulations to which their clients are obligated.

Their challenge is exacerbated by their market success, as each new client has “their” security/regulatory requirements and means of assessing the same. This results in the “successful” service provider enduring dozens of penetration tests, control questionnaires, on-site client audits, and/or an independent SAS-70 (now SSAE-16) engagement. Several of our clients have small teams dedicated to addressing these “attestation” requirements year-round, a costly and time-consuming process.

The logical response to these disparate demands is to “simplify”: prove you are secure to all of your clients with a single standard, ISO-27001. Once you have developed your Information Security Management System (ISMS), you undergo a “certification audit” performed by an ISO-validated registrar, who issues a certificate demonstrating that you are compliant with the standard. At that point, proving you are secure and compliant becomes as simple as providing a copy of your certificate.

Sound promising? It is. That’s why worldwide organizations like Salesforce, Microsoft, and Amazon have chosen ISO-27001 to demonstrate to the clients that entrust critical data to them that they are secure.

ISO-27001 for Everyone Else (Two Sides of the Same Coin)

Consumers of cloud services also feel the “pain” associated with cloud usage: How do they verify that they themselves are keeping their data secure? How do they prove the same to key stakeholders? How do they know that the third-party service providers they are leveraging are keeping their data secure?

These issues are especially relevant in situations where organizations are processing Personally Identifiable Information (PII) and the cost of a third-party breach may be measured in millions of dollars [3].

ISO-27001 can be leveraged in two distinct ways by the “non-service provider”.

Vendor Risk Management Simplified

Managing vendor risk is a problem for many:

  • Determining and formally documenting the risk controls required to ensure the security of your data at a third party can be a challenging task.
  • Communicating these requirements to (and adapting them for) each third party in an unambiguous way is even more challenging.
  • Ensuring that the requirements remain up to date each time a new threat, vulnerability, or regulation emerges is virtually impossible.

ISO-27001 simplifies Vendor Risk Management. Rather than detailing 100+ controls (across hundreds of contract pages), your ISO-27001-focused organization only needs to communicate a handful of key risks. As long as the third party incorporates these as an input into their ISMS (remember, ISO-27001 is a risk-based approach), you can be confident that your risks are being appropriately managed.

Information Security Simplified

As data becomes increasingly mobile, network borders become fuzzier, third-party handling of your data becomes more prevalent, and regulatory requirements multiply, the process of managing internal and external information security risk becomes even more challenging. These “worries” are exacerbated by the need to provide assurance to key organizational “shareholders” (e.g., CXO, Audit Committee, Board) that these risks are under control.

Therefore, the idea of leveraging a “cookbook” that has been vetted by tens of thousands of other organizations over a 15-year period is an appealing one. Better yet, this approach aligns with your existing enterprise risk management principles, and it’s relatively straightforward to execute; thus, security becomes “simplified.”

Looking for Information Security Relief?

If you face the challenges of proving that you and/or key service providers are keeping your data secure and complying with key laws/regulations, join the nearly 7,500 certified companies that have chosen to spell relief: I-S-O-2-7-0-0-1.

[1] Tim Berners-Lee invented the World Wide Web in 1989. He wrote the first web client and server in 1990. His specifications of URIs, HTTP and HTML were refined as Web technology spread.

[2] Stephen Richards Covey is the author of the best-selling book “The Seven Habits of Highly Effective People”.

[3] The average cost of a corporate data breach reached $7.2 million in 2010, up from $6.8 million in 2009, according to the 2010 Annual Study: U.S. Cost of a Data Breach conducted by the Ponemon Institute.

Cross-posted from Pivot Point Security via NJTC's February 2012 issue of TechNews (pg. 20-21)
