LRQA Guidance

Why is ISO 27001 good for you? And what you should be aware of when implementing it!

LRQA Business Assurance: Improving performance, reducing risk

Whether you manage internal information management systems, are responsible for information security or develop IT products and services for your customers, effective information security management systems (ISMS) are essential. They will help ensure you develop the right controls, systems and products to meet the ever increasing and demanding requirements of your customers and partners.

ISO 27001 aims to ensure that adequate controls (addressing confidentiality, integrity and availability of information) are in place to safeguard the information of ‘interested parties’. These include your customers, employees, trading partners and the needs of society in general.

An ISMS compliant with ISO 27001 can help you demonstrate to trading partners and customers alike that you take information security seriously. Accredited certification to ISO 27001 is a powerful demonstration of an organisation’s commitment to managing information security.

This article provides some practical guidance and advice for those who have been tasked with gaining certification for their organisation’s ISMS.

This article has been updated by Phil Willoughby, LRQA Technical Services Manager.


Introduction to Implementing an ISMS

The UK FSA (Financial Services Authority), in its publication ‘Operational risk systems and controls’ (CP 142, page 57), refers to ISO 27001 in the context that ‘a firm should consider the adequacy of its systems and controls used to protect the processing and security of its information...’

In addition to the normal commercial need to protect confidential information, such as contractual and pricing information, intellectual property rights, etc., recent developments in the regulatory and corporate governance fields (Sarbanes-Oxley, COBIT, etc.) have placed ever more demanding requirements on the integrity of your corporate and financial information.

Implementing an Information Security Management System (ISMS) provides an assurance that security issues are being addressed in accordance with currently accepted best practice. Having your management system certified to ISO 27001 by an accredited third party certification body (such as LRQA) gives you an independent and unbiased view of the appropriateness and effectiveness of your ISMS and demonstrates your capability to the outside world.

The OECD Guidelines

The OECD (Organisation for Economic Co-operation and Development) Guidelines aim to raise awareness about the risk to information systems and networks; the policies, practices, measures and procedures available to address those risks; and the need for their adoption and implementation. The nine principles of the guidelines apply to all policy and operational levels that govern the security of information systems and networks.

ISO 27001 provides an ISMS framework for implementing those principles that a management system can address, using the PDCA (‘Plan - Do - Check - Act’) cycle and management system processes:

• Awareness - Participants should be aware of the need for security of information systems and networks, plus what they can do to enhance security.

• Responsibility - All participants are responsible for the security of information systems and networks.

• Response - Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.

• Risk assessment - Participants should conduct risk assessments.

• Security design and implementation - Participants should incorporate security as an essential element of information systems and networks.

• Security management - Participants should adopt a comprehensive approach to security management.

• Reassessment - Participants should review and reassess the security of information systems and networks, plus make appropriate modifications to security policies, practices, measures and procedures.

Getting started

Whatever the current state of your organisation, the starting point for implementing an ISMS is to obtain management commitment and support. Ideally, the motivation and direction will come from top management, but success will come more easily if, at the very least, management understand the reasons for implementing an ISMS and fully support its design and operation.

Planning for success

Just like any project you take on, success is all the more likely if you develop a meaningful and realistic plan, measure performance against the plan and are prepared to change it in the event of unforeseen circumstances.

The plan should recognise that developing the management system will require time and effort and should provide adequate resources. Overall responsibility for information security is often given to the IT Manager, but information security has a wider impact than just IT systems, including personnel security, physical security and legal compliance. If your organisation already has an established quality management system in place then, as ISO 27001 is aligned with ISO 9001, this experience should be harnessed to provide a foundation for the ISMS.

Trade associations and organisations that have already achieved certification can be good sources of information on getting started and can provide opportunities to compare experiences. You may also like to consider attending an LRQA training event, where you will be able to discuss information security issues with other delegates and your tutor.


Understanding the standard

The first step is to familiarise yourself with the standard, understand the criteria that you have to meet, the structure of the standard and hence the structure of your ISMS and associated documentation. The standard is in two parts:

• ISO 27002 is not a specification you can be certified against, but a code of practice that describes security objectives and controls that may be selected and implemented to manage specific risks to information security.

• ISO 27001 is the management system specification that defines the requirements you need to address to implement an ISMS and against which your certification body will audit you during the certification assessment. The specification includes the common elements of all management systems: management review, internal audit and improvement, etc. It also contains a section specifically aimed at identifying risks to your information and the selection of suitable controls defined in Annex A to manage those risks.

Where next...?

There are two main elements to an ISMS and these can be tackled as two distinct activities. ISO 27001 requires the establishment of an ISMS to identify and document the security requirements specific to your business. The standard also requires the management processes needed to demonstrate management commitment and control to be defined, i.e., management responsibility, management review of the ISMS and ISMS improvement.

Management processes

These processes are critical to the effective implementation of an ISMS. If your organisation already operates an ISO 9001 management system, these processes will be familiar to you. If this is the case, then the most efficient way forward is often to integrate the information security requirements into your existing management system, ensuring that appropriate information security expertise is available when and where required.

If you are implementing these processes for the first time, consider the overall intent of these management elements of the standard. Top management have a significant impact on the effectiveness of the management system. Adequate resources (people, equipment, time and money) should be allocated to development, implementation and monitoring of the ISMS. Internal audits verify that the management system is operating as intended and identify opportunities for improvement. Management review provides the opportunity for top management to assess how well the management system is operating and supporting the business.

You may find it useful to link these management processes to the Control Objectives in Annex A, as many of the controls complement the management elements of ISO 27001.

Much of the advice given in the LRQA Guidance for implementing a QMS is equally valid for the implementation of the management processes for ISO 27001.

Define the scope

It is essential that the logical and geographical scope of the ISMS is accurately defined, so that the boundaries of your information security system and security responsibilities can be identified. The scope should identify the people, places and information covered by the ISMS.

Once you have defined the scope, the information assets covered by the scope can be identified, along with their value and owner.

ISMS policy

The requirements relating to the ISMS policy are addressed in both ISO 27001 (4.2.1 b) and ISO 27002. There are also references to the policy in other requirements of ISO 27001 and in Annex A controls which indicate what the policy should contain. For instance, the ISMS policy must define criteria for risk evaluation, supported by the detailed requirements in 4.2.1 c) and 5.1 f). Other policies will be required to meet certain control objectives.

Risk assessment and risk management

Risk assessment is the foundation on which an ISMS is built. It provides the focus for the implementation of security controls and ensures that they are applied where they are most needed, are cost effective and, just as importantly, are not applied where they are least effective. The risk assessment helps to answer the question, ‘How much security do we need?’

The risk assessment involves all owners of information assets. You are unlikely to be able to conduct an effective risk assessment without them.


The first step is to decide on, then document, a method of risk assessment. There are proprietary methods available, normally computer-based, such as CRAMM. ISO/IEC 27005 (which superseded ISO/IEC TR 13335-3) gives more information to enable an organisation to select or develop a method suited to its own structure and the complexity of its information systems.

The risk assessment process involves identifying and valuing the information assets. The valuation may be other than financial and take into account such things as reputational damage and compromise of regulatory compliance. The process should then consider the threats and vulnerabilities associated with the assets and the impact of their exploitation. Finally, determine the level of risk and identify the controls to be implemented to manage those risks.

The identification of threats, vulnerabilities and their impacts must take into account the security environment. For example, the threat of denial of physical access to the premises is greater for an organisation based on an industrial estate next to a petrochemical plant than it is for an office on a small urban office park. Likewise, the threat of theft is greater for credit card data than for the daily production data of a small engineering company.

Risk treatment

The risk assessment identifies risk levels which are then compared to the acceptable level of risk determined by the organisation’s security policy. Appropriate actions are taken to manage risks which are above the acceptance level, with the possible actions being:

• Implementing security controls selected from Annex A to reduce the risk to an acceptable level. The risk level should be recalculated to confirm that the residual risk is below the acceptance level. The selected controls are recorded in the Statement of Applicability, which should include the justification for the inclusion or exclusion of each control, its status, and provide traceability to the risk assessment.

• Accepting the risk in accordance with the management’s policy and criteria for risk acceptance. There may be instances where residual risk is above the acceptance level after action has been taken, in which case the residual risk should also be subject to the risk acceptance process. A record of the management’s acceptance of risk should be maintained.

• Removing the risk by changing the security environment. For example, installing secure applications where vulnerabilities have been identified in data processing applications, or moving physical assets to a higher floor if there is a risk of flooding. Such decisions need to take account of business and financial considerations. Again, the residual risk should be recalculated following risk removal actions.

• Transferring the risk by taking out appropriate insurance or outsourcing the management of physical assets or business processes. The organisation accepting the risk should be aware of, and agree to accept, their obligations. Contracts with outsourcing organisations should address the appropriate security requirements.

The risk treatment plan is used to manage the risks by identifying the actions taken and planned, plus the timescales for the completion of outstanding actions. The plan should prioritise the actions and include responsibilities and detailed action plans.
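The assessment and treatment steps above, carried through as a small risk register in Python. This is an added example written for this page, not LRQA's or ISO's method: ISO 27001 does not prescribe a scoring method, so the 1-5 scales, the value x likelihood x vulnerability formula, the acceptance level of 27, and the assets, owners and scores are all assumptions; the four Annex A control references are an illustrative subset quoted under the 2005 edition's numbering. It shows the four outcomes the text describes: a risk already below the acceptance level, one reduced below it by controls, one removed by changing the environment, and one whose residual stays above the level and therefore needs a recorded management acceptance, plus the Statement of Applicability rows that trace each selected control back to the risks that justified it.

```python
"""Qualitative risk assessment, treatment and Statement of Applicability.
Added illustration; the scales, formula and acceptance level are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed management criterion from the ISMS policy: anything scoring above
# this (out of a maximum of 125) must be treated or formally accepted.
ACCEPTANCE_LEVEL = 27

# Illustrative subset of Annex A; numbering follows ISO/IEC 27001:2005.
ANNEX_A = {
    "A.9.1.1": "Physical security perimeter",
    "A.10.4.1": "Controls against malicious code",
    "A.11.2.1": "User registration",
    "A.12.6.1": "Control of technical vulnerabilities",
}


@dataclass
class Risk:
    asset: str
    owner: str            # asset owner, who must take part in the assessment
    value: int            # 1-5; includes reputational and regulatory impact
    threat: str
    likelihood: int       # 1-5
    vulnerability: int    # 1-5, how easily the threat can exploit the asset
    treatment: str = "none"        # none | reduce | remove | transfer
    controls: List[str] = field(default_factory=list)
    residual: Optional[int] = None
    accepted_by: Optional[str] = None

    def level(self) -> int:
        """Assumed method: value x likelihood x vulnerability."""
        return self.value * self.likelihood * self.vulnerability

    def current(self) -> int:
        """Residual risk once treated, otherwise the assessed level."""
        return self.level() if self.residual is None else self.residual


def outstanding(risks: List[Risk]) -> List[Risk]:
    """Risks still above the acceptance level and not formally accepted,
    highest first: the priority order for the risk treatment plan."""
    open_risks = [r for r in risks
                  if r.current() > ACCEPTANCE_LEVEL and r.accepted_by is None]
    return sorted(open_risks, key=Risk.current, reverse=True)


def recalc(risk: Risk, value: int, likelihood: int, vulnerability: int) -> int:
    """Recalculate residual risk after a treatment action."""
    risk.residual = value * likelihood * vulnerability
    return risk.residual


def reduce(risk: Risk, controls: List[str], likelihood: int, vulnerability: int) -> int:
    """Select Annex A controls; likelihood and vulnerability are re-estimated."""
    unknown = [c for c in controls if c not in ANNEX_A]
    if unknown:
        raise ValueError(f"not in Annex A: {unknown}")
    risk.treatment, risk.controls = "reduce", list(controls)
    return recalc(risk, risk.value, likelihood, vulnerability)


def remove(risk: Risk, likelihood: int, vulnerability: int) -> int:
    """Change the security environment (e.g. relocate the asset)."""
    risk.treatment = "remove"
    return recalc(risk, risk.value, likelihood, vulnerability)


def transfer(risk: Risk, value_retained: int) -> int:
    """Insure or outsource: the impact retained by the organisation falls;
    the counterparty's obligations must still be agreed contractually."""
    risk.treatment = "transfer"
    return recalc(risk, value_retained, risk.likelihood, risk.vulnerability)


def accept(risk: Risk, approver: str) -> int:
    """Management accepts a (residual) risk; the record must be kept."""
    risk.accepted_by = approver
    return risk.current()


def statement_of_applicability(risks: List[Risk]) -> Dict[str, dict]:
    """One row per control: applicable or not, justification, and
    traceability back to the risks that caused its selection."""
    soa = {}
    for ref, title in ANNEX_A.items():
        traced = [r.asset for r in risks if ref in r.controls]
        soa[ref] = {"control": title, "applicable": bool(traced), "risks": traced,
                    "justification": ("selected to treat risk to " + ", ".join(traced))
                    if traced else "excluded: no assessed risk requires it"}
    return soa


def sample_register() -> List[Risk]:
    """Constructed sample data, not a real assessment."""
    return [
        Risk("customer card data", "Finance Manager", 5, "theft by external attacker", 4, 4),
        Risk("legacy ERP server", "IT Manager", 4, "exploit of unpatchable application", 3, 4),
        Risk("ground-floor server room", "Facilities", 4, "flooding", 2, 5),
        Risk("daily production log", "Works Manager", 2, "theft", 2, 3),
    ]


def run_example() -> List[Risk]:
    register = sample_register()
    card, erp, room, _log = register            # log scores 12: already acceptable
    reduce(card, ["A.11.2.1", "A.12.6.1"], likelihood=4, vulnerability=1)  # 80 -> 20
    remove(room, likelihood=1, vulnerability=1)                             # 40 -> 4
    reduce(erp, ["A.10.4.1"], likelihood=3, vulnerability=3)                # 48 -> 36
    accept(erp, "Operations Director")          # still above 27: record the acceptance
    return register
```

Running `outstanding(sample_register())` before treatment gives the plan's priority order (card data, ERP server, server room); after `run_example()` it is empty only because the ERP residual has a named approver, which is the record an assessor will ask to see.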

Certification

Not all certification bodies are made the same. When selecting the body you want to work with, ensure they are accredited by a national body. In the UK, this is the United Kingdom Accreditation Service (UKAS). Visit its website (www.ukas.com) for further information on accreditation.

Certification is an external validation of your management system, to ensure that it meets the requirements of ISO 27001:2005, the internationally recognised information security management system standard (the edition current when this guidance was written; the clause numbers quoted above are from that edition).

Your choice of certification body will also say a lot to your customers about how seriously you take management systems. You need to choose a certification body that can help you develop your management system to realise its potential.

All LRQA assessors go through a rigorous selection and training programme, followed by continual professional development. This gives you the assurance that by choosing LRQA as your certification body, you will get a thorough but fair assessment, supporting the ongoing development of your management system. In addition, as the LRQA brand is recognised globally, it will provide purchasers, anywhere in the world, with the confidence that your management system meets the requirements of ISO 27001.


Lloyd's Register Quality Assurance Limited, Hiramford, Middlemarch Office Village, Siskin Drive, Coventry, CV3 4FJ, UK

Lloyd’s Register Quality Assurance Limited is a member of the Lloyd’s Register Group. Registered office: 71 Fenchurch Street, London EC3M 4BS. Registered number: 1879370

Care is taken to ensure that all information provided is accurate and up to date. However, LRQA accepts no responsibility for inaccuracies or changes to information. © LRQA 2011. Lloyd’s Register Quality Assurance Limited. All rights reserved. Pub. Nov 2011

Lloyd’s Register and LRQA are trading names of the Lloyd’s Register Group of entities. Services are provided by members of the Lloyd’s Register Group. For details, see www.lr.org/entities

LRQA is dedicated to supporting our clients to help them make the most of their management systems. Our website, www.lrqa.co.uk, contains useful advice for organisations looking at implementing management systems.

Contact us: T 0800 783 2179 E [email protected] W www.lrqa.co.uk

Why choose LRQA?

LRQA Business Assurance helps you manage your systems and risks to improve and protect the current and future performance of your organisation.

By understanding what really matters to your organisation and stakeholders, we help you improve your management system and your business at the same time.

Thought leadership

Our experts are recognised voices in the industry and regularly participate in the technical committees that improve and develop standards.

Technical expertise

The technical know-how and project management expertise of our globally renowned, experienced and highly trained ISMS experts ensures that we adapt our assurance services to your business needs.

We bring international expertise and deep insight into information security, backed with first class project management and communication skills.

Acting with integrity

With no shareholders of our own, we are independent and impartial in everything that we do. We are committed to acting with integrity and objectively at all times.

Training

Whether you are just beginning to implement your system, looking to improve what you have or an experienced practitioner wanting to gain a formal qualification, we have a course to meet your objectives.

Our public events are held throughout the UK and give you the added benefit of sharing experiences with other delegates, while our in-company courses are tailor-made to suit.

For more information on LRQA services visit www.lrqa.co.uk

Training Courses

ISO 27001 Appreciation and Interpretation: 28 February 2012, Scarman Training and Conference Centre, Warwickshire

ISO 27001 Implementation: 30 January – 1 February 2012, Theobalds Park, Hertfordshire

ISO 27001 Internal Auditor: 29 February – 1 March 2012, Scarman Training and Conference Centre, Warwickshire

ISO 27001 Auditor/Lead Auditor: 2 – 6 April 2012, Theobalds Park, Hertfordshire; 23 – 27 April 2012, Theobalds Park, Hertfordshire