The ISO27000 series consists of a number of standards that apply to information security. The main standard that you can actually certify against is ISO 27001. The remaining standards are mainly supporting standards that help you address specific areas of information security.
ISO27001 is an information security management standard. The main objective of which is to make sure that an organisation has the processes in place to manage information security within the organisation. Unlike the Payment card Industry Data Security Standard (PCIDSS, more on that in a later diary) ISO 27001 is not prescriptive. It doesn't tell you exactly what to do, it provides high level guidance and you have to work the rest out yourself. This is where the supporting standards come into play. ISO27002 for example provides more information on implementing specific controls and provides examples. If you are stuck on how you should be assessing risk, then you need to take a look at ISO27005 (ISO31000 is also excellent it is the old AS/NZS 4360).
One of the main difficulties of complying with the standard is the first realisation that you are complying with sections 4 through to 8 whereas many people concentrate on the controls in annex A (Annex A BTW is 27002 with less detail provided). Sections 4 through to 8 outline the system that needs to be in place. The Plan, Do Check, Act cycle. The standard is risk based, the idea being that you identify your assets, assess the risk, based on those risks select controls that you are going to implement, monitor how it is all going and then rinse lather and repeat the cycle. The other key idea is that it is a system for the security of information. So not specifically computer systems, but the information it manages and holds as well as the information used to manage the environment. Many ISO27001 systems initially concentrate on the technical aspects of ITsecurity, do Ihave a firewall, do Ihave AV, do Ihave processes to manage it, etc. As the system matures the system tends to go up a level and looks at the processes that are being performed by a group or division and the information they need to successfully do this. For Example, the CISOneeds to report on the status of information security in the organisation. What information is needed? They might need stats from various systems, pentest results, vulnerability analysis results, risk assessments, and so on. All are information assets that the CISOneeds to do their job. How is that information generated, by whom? How reliable is it? So in ISO 27001 world there are a number of different levels that your system can work at.
Just going back to sections 4 through to 8 for a little bit. One of the first things you will be doing is to define the scope of the system you are about to implement. Typically this will be phrased along the lines of management of information security for system/group/division/product/application/service by responsible group. Usually it will be a little bit prettier than that, but you get the general idea. Like a quality system (ISO9000 series) you define the scope of the environment. If you have a scope that doesn't include a HRfunction, then the HRfunction will become an input into your system, but not part of it. CYou may have to request them to do certain check prior to hiring, but in my experience those types of processes are usually mature. Good scoping can be your saviour if you are going for certification.
So certify or just comply? That is one of the main questions we get when talking about 27001. The choice is quite simple. If you are going to use it as a marketing tool to improve confidence in your organisation's ability to manage information security, then certify. If you just want to make sure that you are covering the bases that should be covered, then complying but not certifying may be the right choice for you.
Where to start. Well after you have bought your copy of the standard you could perform a gap analysis on what you currently do and what the standard expects to be done. Be brutally honest. You can use this mechanism to monitor your progress and show improvement as thing change. Expect to fail miserably and make sure that management understands this before you start. You haven't needed to comply with the standard before, therefore there are going to be gaps. If you've never run a 5km race previously, the chances of you finishing it on your first go are pretty slim. Once you have your gaps you will have a starting place and you can start working on progressing and improving security.
In order to certify you must have what are called the documented processes in place (Sorry Ican't really list them as without the standard to provide context they won't make sense). Without these processes, written down, being followed and maintained, you cannot pass a certification audit. Likewise it will be difficult to pass a certification audit if you do not have an information security policy, change control, Business Continuity Plan, Incident response plan, Acceptable usage policy and more. However what you do or don't have will come out in the gap analysis.
As a management system ISO27001 is quite reasonable. If you do it correctly the overhead on your scarce resources won't be too bad. It makes you document those processes that are actually important to the organisation, which is never a bad idea. It forces you to think about issues that you may not have thought about previously. In fact that probably goes for most standards.The standard forces the engagement of management in information security matters and this often results in better understanding of what you really do and possibly even more funding. The main thing to remember is don't work for the standard, make the standard work for you. If you are doing it to tick a box, you will likely fail
It is a brief overview of ISO27001. If you have anything specific, let us know via the comments, or contact form.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.