ISO27001 Information Security Management Standard
Experiences of gaining accreditation
Presented to an RSS Social Statistics Section/ASC Meeting, 20 May 2014 (Data Privacy: Protecting Participant Identities)
Randy Banks (randy@essex.ac.uk)
Institute for Social and Economic Research
http://www.iser.essex.ac.uk
@iseressex
Outline
• ISER
• Description of ISO27001
• Effects of achieving ISO27001 certification
  • Costs
  • Benefits
  • Caveats
• Concluding thoughts
Institute for Social and Economic Research
• Interdisciplinary socio-economic research department at the University of Essex
• ~80 staff, ~40 PhD students
• Specialise in longitudinal research and methodology
• Large number and variety of projects, ranging from small, ad hoc studies to large, relatively permanent fixtures, e.g.:
  • British Household Panel Survey
  • Understanding Society
  • ESRC Research Centre on Micro-Social Change
  • EUROMOD
• Completely dependent on research income from clients and funders:
  • ESRC, EC, Government Departments, foundations, commercial and charitable organisations, etc.
• Certified to ISO27001 in April 2013
ISO27001. What is it?
• ISO/IEC 27001. Information technology – Security techniques – Information security management systems – Requirements. Second Edition. 2013-10-01.
• Information security – ‘preservation of confidentiality, integrity and availability [the CIA] of information’ (ISO27000)
  • Confidentiality is important, but it is not everything
• An information security management standard, not an information security standard
  • Framework and process for developing an information security management system (ISMS)
  • Tells you how to go about protecting your information, not what you should do to protect it
• Wide applicability
• ISO27002 provides implementation guidance
  • BS ISO/IEC 27002:2013. Information technology. Security techniques. Code of practice for information security controls
Structure
• Preliminary clauses
• Mandatory clauses
• Information security controls
Mandatory Clauses
• N = 7 (clauses 4–10: Context of the organization, Leadership, Planning, Support, Operation, Performance evaluation, Improvement)
• Common to other ISO management system standards (the shared high-level structure for management system standards)
Information Security Controls
• Annex A. Reference control objectives and controls
• N = 114, grouped into 14 sections, A.5.* to A.18.*
• Maps to the controls and implementation guidance described in ISO27002
• Selected as a result of the risk assessment process; each control is recorded as applicable or not, with justification, in the Statement of Applicability (SOA) – clause 6.1.3
ISO27001. Costs
• The standard(s)
  • 27001 is crucial, but also 27002 and others in the 27* series
  • From the British Standards Institution (50% discount for members)
• Personnel
  • Designated person with overall IS responsibilities and other personnel with newly defined responsibilities
  • Additional meetings, e.g. regular management review, internal/external audits
  • Regular access/operational reviews, risk assessments
  • Training
  • New procedures created / some procedures now more formalised – more time consuming
• Consultants
• (Continued re-) Certification
  • (Re)certification audit(s)
  • Certificate(s)
  • Surveillance audits
ISO27001. Benefits
• Competitive advantage
  • ISO27001 certification is increasingly required or positively encouraged by potential clients
  • Assists in establishing compliance with other standards and requirements, e.g. HMG Security Policy Framework
• Culture change
  • Increasing awareness of the importance of information security in an interconnected world
  • Expenditure on information security increasingly seen as a business investment and enabler rather than a technical overhead that inhibits achievement of business goals
  • Information security management increasingly seen as everyone’s responsibility and not solely within the purview of the IT department
• More confidence that we are meeting our ethical, legal and contractual responsibilities
ISO27001. Benefits (continued)
• Improved – and continually improving – business and technical processes
  • Forced into a better understanding of organisational functions and operations
  • Impossible not to improve – 27001 forces you to continually reassess and requires you to demonstrate improvement
ISO27001. What are the costs?
• Can’t completely distinguish the marginal costs of achieving ISO27001 certification from:
  • Costs of achieving good information security practice, and the contribution of 27001 certification to that end
  • Efficiency gains from the formalisation and regular review of procedures
  • Costs of implementing contractual requirements (other than 27001 certification) that would otherwise be required
Caveats
• When speaking to suppliers
  • ISO27001 is not the last word in information security
  • Certification verifies compliance with the standard, not with specific measures that you might feel necessary
  • Scope and SOA are critical
  • Beware of excessive claims by suppliers about the relevance of ISO27001 certification
  • Beware of compliance claims not backed up by (plans for) certification
  • Certification is a marginal cost after achieving compliance and
• When working towards certification
  • Beware of template solutions and consultants who offer them
  • Leads to unnecessary and irrelevant documentation
  • Don’t aim for perfection
  • ISO27001 expects continual improvement
  • Certification is a long-term commitment
  • Initial certification is followed by (bi)annual surveillance audits and recertification every 3 years
  • Losing certification will cost a lot more than acquiring it in the first place
Concluding Thoughts
• Jump before you’re pushed
Getting Help
• Online resources
  • BSI – ISO/IEC 27001 Information Security resources (http://www.bsigroup.com/en-GB/iso-27001-information-security/Resources-for-ISO-27001/)
  • ECSC – ISO 27001 Executive Brief and email briefings (http://www.ecsc.co.uk/papers.cgi?id=3)
  • Information Security Standards (http://www.iso27001security.com/)
  • And others …
• Training
  • BSI (http://www.bsigroup.com/)
  • SGS (http://www.sgs.co.uk/)
  • And others …