Practical Advice for SMBs to Use ISO 27001

Monday, January 31, 2011

Danny Lieberman


ISO 27001 certifications are growing rapidly because of compliance regulation and increased awareness of information security risk.  

The ISO organization recently (October 2010) took measures to make ISO more accessible by “providing practical advice for small and medium-sized enterprises (SMEs) on how to achieve the benefits of implementing an information security management system (ISMS) based on the International Standard ISO/IEC 27001” – see the ISO news release: ISO/IEC 27001 information security explained for small businesses

It gratifies me to see ISO running with the ball for SMEs (small to medium-sized enterprises). IEC/ISO 27001:27005 is a vendor-neutral standard and arguably the most comprehensive set of security controls and best practices for an Information Security Management System (ISMS) that a business should adopt. ISO 27001 states in section 4.2.1 of the standard that:

The organization shall do the following: 

a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets and technology, and including details of and justification for any exclusions from the scope 

b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that: 

1) includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security; 

2) takes into account business and legal or regulatory requirements, and contractual security obligations; 

3) aligns with the organization’s strategic risk management context in which the establishment and maintenance of the ISMS will take place; 

4) establishes criteria against which risk will be evaluated and 

5) has been approved by management.

The standard then goes on to require the business to define a risk assessment approach:

  • Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements.
  • Develop criteria for accepting risks and identify the acceptable levels of risk.
  • The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results.

Consistent with information security best practices, the standard also suggests how to identify the risks.

  • Identify the assets within the scope of the ISMS, and the owners of these assets.
  • Identify the threats to those assets.
  • Identify the vulnerabilities that might be exploited by the threats.
  • Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.

This is written in fairly clear language that the owner or manager of a small to medium sized enterprise can read and understand, perhaps with a bit of help from a security consultant.

The attentive reader has probably already noticed something missing in the ISO 27001 standard:  Money.

Money is not mentioned once in the entire standards document. The financial value of assets is not mentioned. The cost of security countermeasures is a “Kleinigkeit”: in German, “Es ist das Detail, das unterhält und lebendig macht”, or in English, “God is in the details”, or in American, “10 million here, 10 million there and pretty soon we’re talking real money”.

The word “value” is mentioned exactly twice in the 42 pages of the ISO 27001 standard: once (“an asset is anything that has value to the organization”) and a second time as a control (A.7.2.1, “Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization”).

ISO 27001 is missing the most important thing for an SME: the bottom line of business context expressed in dollars and cents: how much it will cost, how much it can save in consulting and equipment support, and how much the business can reduce its value at risk in dollars, euros, rupees and so on.

In a small to medium sized enterprise, money spent on security competes with the basic needs of the business. A company employing 25 people making high-tech capacitors for solar cells may want to protect sensitive IP from leaking, but if it comes down to choosing between making payroll and buying a DLP system, we know that the manager will choose making payroll.

There is a middle ground, and that is enabling you, the SME business manager, to perform a threat analysis of your business that takes the ISO 27001 standard as a baseline, injects asset values and countermeasure costs, and arrives at the right, most cost-effective security countermeasure plan for your business.
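As an added example (not the post's own code and not the PTA library), the following Python risk register follows the 4.2.1 identification steps quoted above and adds what the post says the standard leaves out: an asset value per asset, an annual cost per countermeasure, an acceptance threshold in money, and a budget-limited treatment plan ranked by loss avoided minus cost. The company, figures and control names are all constructed.

```python
from dataclasses import dataclass
@dataclass
class Asset:
    name: str
    owner: str     # ISO 27001 4.2.1 d) 1): every asset in scope has an owner
    value: float   # financial value in currency units: the post's addition
@dataclass
class Threat:
    asset: Asset
    name: str
    vulnerability: str   # what the threat exploits (4.2.1 d) 3)
    per_year: float      # expected occurrences per year
    damage: float        # fraction of the asset's value lost per occurrence
@dataclass
class Countermeasure:
    name: str
    cost: float       # annual cost of the control
    mitigates: dict   # threat name -> fraction of that threat's loss removed

def plan(threats, controls, budget, accept_below):
    """Greedy risk treatment in money: each round add the affordable control with the
    largest (loss avoided - cost). Returns (chosen names, spend, residual annual loss)."""
    losses = {t.name: t.asset.value * t.damage * t.per_year for t in threats}
    accepted = sum(v for v in losses.values() if v < accept_below)  # 4.2.1 c) 2)
    residual = {n: v for n, v in losses.items() if v >= accept_below}
    chosen, spent, remaining = [], 0.0, list(controls)
    while True:
        best, best_net = None, 0.0
        for c in (x for x in remaining if spent + x.cost <= budget):
            saved = sum(residual.get(n, 0.0) * f for n, f in c.mitigates.items())
            if saved - c.cost > best_net:
                best, best_net = c, saved - c.cost
        if best is None:
            return chosen, spent, accepted + sum(residual.values())
        chosen.append(best.name); spent += best.cost; remaining.remove(best)
        for n in residual:   # shrink what later rounds can still avoid: no double counting
            residual[n] *= 1 - best.mitigates.get(n, 0.0)
# Constructed register for a hypothetical 25-person capacitor maker (all figures invented).
IP, ERP = Asset("capacitor process IP", "CTO", 2_000_000), Asset("ERP server", "ops manager", 300_000)
THREATS = [
    Threat(IP, "IP leak via email", "no outbound content control", 0.2, 0.5),
    Threat(ERP, "ransomware", "unpatched server", 0.1, 0.6),
    Threat(ERP, "disk failure", "single disk, no backups", 0.3, 0.05),
]
CONTROLS = [
    Countermeasure("DLP system", 150_000, {"IP leak via email": 0.8}),
    Countermeasure("awareness training + email classification", 8_000, {"IP leak via email": 0.4}),
    Countermeasure("patching + offline backups", 12_000, {"ransomware": 0.7, "disk failure": 0.9}),
]
```

With a 25,000 budget the plan picks the cheap training and the patching/backup control, accepts the small disk-failure risk, and leaves the 150,000 DLP system out because, once training has cut the leak loss, it no longer pays for itself at any budget.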

Any business can perform an ISO 27001-based risk assessment of its operation, with its business assets and its typical business threats, in just a few minutes using the Software Associates PTA library for ISO 27001. You can download the free Practical Threat Analysis library for ISO 27001 and our free risk assessment software, and upgrade your security today using ISO 27001, the most important vendor-neutral standard for data security available.

Cross-posted from Israeli Software

*   *   *

Complete ISO 27001/ BS-25999-2 Webinar Schedule:

February 2, February 14 - ISO 27001 Foundations Part 1: ISMS Planning Phase, Documentation and Records Control

February 15, February 21 - ISO 27001 Foundations Part 2: Implementation, Monitoring and Reviewing, Maintaining and Improving the ISMS

FREE WEBINAR - February 16 - ISO 27001 & BS 25999-2: Why is It Better to Implement Them Together?

February 16, February 22 - Internal Audit: How to Conduct it According to ISO 27001 and BS 25999-2

February 16, February 23 - ISO 27001 Lead Auditor Course Preparation Training

February 17, February 23 - BS 25999-2 Foundations Part 1: Business Impact Analysis

February 22, March 7 - ISO 27001 Foundations Part 3: Annex A Overview

FREE WEBINAR - February 23 - ISO 27001: An Overview of ISMS Implementation Process

February 24, March 9 - BS 25999-2 Foundations Part 2: Business Continuity Strategy

March 8, March 21 - Risk Management Part 1: Risk Assessment Methodology and Risk Assessment Process

FREE WEBINAR - March 9 - BS 25999-2: An Overview of BCM Implementation Process

March 9, March 22 - How to Become ISO 27001 / BS 25999-2 Consultant

March 10, March 23 - BS 25999-2 Foundations Part 3: Business Continuity Planning

March 22, April 4 - Risk Management Part 2: Risk Treatment Process, Statement of Applicability and Risk Treatment Plan

FREE WEBINAR - March 23 - ISO 27001 Implementation: How to Make It Easier Using ISO 9001

March 23, April 6 - ISO 27001 / BS 25999-2 Management Responsibilities: What Does Management Need to Know?

March 24, April 18 - How to Write Four Mandatory Procedures for ISO 27001 and BS 25999-2

April 5, April 19 - ISO 27001 A.6 & A.8: Organization of Information Security; External Parties; Raising Awareness, Training and HR Management

April 5, April 20 - ISO 27001 and ISO 27004: How to Measure the Effectiveness of Information Security?

FREE WEBINAR - April 6 - ISO 27001/BS 25999-2: The Certification Process

April 6, April 19 - ISO 27001 A.7: Asset Management and Classification


Ben Keeley: Thanks - very useful post!!