When speaking with someone new to ISO 27001, I very often run into the same problem: the person assumes the standard will describe in detail everything they need to do, for example how often they need to perform backups, how far away their disaster recovery site should be, or, even worse, which technology they must use for network protection or how they have to configure the router.
The fact is that ISO 27001 does not prescribe these things; it works in a completely different way.
Imagine the standard prescribed that you must perform a backup every 24 hours. Would that be the right measure for you? It might be, but many companies today would find it insufficient: their data changes so quickly that they need to back up, if not in real time, then at least every hour. On the other hand, there are still companies that would find a daily backup too frequent: their data changes slowly, so backing up that often would be overkill. (In business continuity terms, the right frequency follows from how much data you can afford to lose, the recovery point objective, and that differs from company to company.)
The point is that if the standard is to fit every type of company, a prescriptive approach is not possible. It is simply impossible to define not only the backup frequency, but also which technology to use, how to configure each device, and so on.
By the way, this perception that ISO 27001 will prescribe everything is the biggest generator of myths about ISO 27001 – you’ll find these myths in this article: 5 greatest myths about ISO 27001.
So you might wonder: why would I need a standard that doesn't tell me anything concrete? Because ISO 27001 gives you a framework for deciding on appropriate protection yourself. Just as you cannot copy another company's marketing campaign and expect it to work for you, information security has to be tailored to your specific needs.
The way ISO 27001 tells you to achieve this tailor-made fit is through risk assessment and risk treatment. This is nothing more than a systematic overview of the bad things that can happen to you (assessing the risks), followed by a decision on which safeguards to implement to stop those bad things from happening (treating the risks). Strictly speaking, treating a risk can also mean accepting it, avoiding the activity that causes it, or sharing it with a third party such as an insurer; implementing safeguards is simply the most common option. Learn more here: ISO 27001 risk assessment & treatment – 6 basic steps.
The requirements of interested parties are the second crucial input when selecting safeguards. As you'll see in the article How to identify interested parties, interested parties can be government agencies, your clients, partners, etc. All of them probably expect you to protect their information, and this expectation is reflected in the laws that apply to you and in the contracts you have with them. Your safeguards therefore have to satisfy all these requirements as well.
The whole idea is that you should implement only those safeguards (controls) that are required because of the risks or the requirements of interested parties, not those that someone happens to find fancy. But the same logic also means that you must implement all the controls that the risks or those requirements call for; you cannot exclude a control simply because you don't like it. In ISO 27001 this reasoning is documented in the Statement of Applicability, where every Annex A control is listed together with the justification for including or excluding it, and an auditor will expect each exclusion to be backed by the risk assessment rather than by preference.
If you work in an IT department, you are probably aware that most incidents happen not because computers break down, but because users on the business side of the organization use the information systems in the wrong way.
Such misuse cannot be prevented with technical safeguards alone; you also need clear policies and procedures, training and awareness, legal protection, disciplinary measures, and so on. Real-life experience has shown that layering different kinds of safeguards (defense in depth) achieves a higher level of security than any single type of safeguard on its own.
When you also take into account that not all sensitive information is in digital form (you probably still have papers with confidential information on them), the conclusion is that IT safeguards are not enough, and that the IT department, although very important in an information security project, cannot run such a project alone.
ISO 27001 recognizes that IT security alone is not enough for implementing information security: the standard tells you how to run the implementation as a company-wide project in which not only IT, but also the business side of the organization, must take part.
About the Author: Dejan Košutić
Expert and author at 27001Academy, the leading online resource for ISO 27001 & ISO 22301/BS 25999 implementation.
Consultant focused on information security and business continuity management, with broad experience in the financial and government sectors as well as with small and medium-sized businesses.
As ISO 27001 Lead Auditor and Approved Tutor he has delivered certification audits and many courses (including the ISO 27001 Lead Auditor Course) throughout Europe.
Specialties: ISO 27001 implementation, ISO 22301/BS 25999 implementation, risk assessment, risk treatment, business impact analysis, documentation writing, auditing, workshops, seminars, E-learning courses, webinars.
(Security Affairs – ISO 27001, security)