Why ISO 27001 is not enough

Since its publication in October 2005, ISO 27001 has been implemented in many organisations as the best practice for information security management, with over three hundred UK organisations independently certified against the standard.

So if these organisations, which range from small and medium-sized to large enterprises, have implemented ISO 27001, why are we still hearing about lapses in information security? Neil O'Connor, principal consultant at Activity, asks what lessons every organisation, whatever its size, can learn from using ISO 27001 as a benchmark.

Introduction

Information security, and in particular the handling of personal information, has regularly been in the headlines over the last few months. There have been notable incidents at HM Revenue and Customs, the Ministry of Defence, Nationwide Building Society and Marks and Spencer among others. 

These are all large organisations implementing information security management systems at least compliant with, if not certified against, the international standard for information security management, ISO 27001.

ISO 27001

A key issue is that ISO 27001 is a management standard, not a security standard. It provides a framework for managing security within an organisation, but it does not provide a 'Gold Standard' set of controls which, once implemented, guarantees the security of that organisation.

ISO 27001 takes a risk-assessment-based approach. An information security risk assessment is used to identify the security requirements of the organisation, and then to identify the security controls needed to bring the risk down to a level the organisation finds acceptable.

Once the security controls have been identified, ISO 27001 defines processes to ensure that a) these controls are implemented and are effective; and b) the controls continue to meet the organisation's security needs over time.

The key points here are that:

  • The organisation decides what level of security it needs. The level of risk acceptable to the organisation is a management decision - ISO 27001 does not impose an acceptable level of risk. If management decides that a high risk of compromise of personal information is acceptable to the organisation, then ISO 27001 will provide a management framework to implement that.
  • A risk assessment is used to identify the controls required by the organisation. However, ISO 27001 does not define the risk assessment method to be used. All that the standard requires is that you document the method, and then use it.
  • It is up to the organisation to select the security controls it needs, based on the risk assessment and the organisation's acceptable level of risk (its 'risk appetite').

What does ISO 27001 give you?

ISO 27001 gives you a best practice management framework for implementing and maintaining security. It also gives you a baseline against which to work - either to show compliance or for external certification against the standard.

So what's missing?

You need to decide on a risk assessment method and carry out the assessment, select your security controls, and ensure that these are adequate to meet the security needs of your organisation. Doing this well requires information risk management and security expertise. ISO 27001 does not tell you how to do it; it provides a framework within which to do it.

Furthermore, whilst ISO 27001 provides a list of controls in Annex A, this list is not meant to be exhaustive. In conjunction with ISO 27002 (formerly ISO 17799) it provides guidance on the controls that you should consider.

However, it does not provide detailed guidance for your organisation, the information that you handle, and the systems that you use. Again, security expertise is required both to implement an information security risk assessment and to define the required security controls.

It is perfectly possible to implement an ISO 27001-compliant information security management system (ISMS) without adequately addressing information security. This can either be 'designed in' to the ISMS by management accepting high risks (rare); or can arise from inadequate risk assessment or poor selection or implementation of security controls (common).

Compliance or external certification to ISO 27001 does not mean you are secure - it means that you are managing security in line with the standard, and to the level you think is appropriate to the organisation. 

If your risk assessment is flawed, if you lack sufficient security and risk assessment expertise, or if you do not have the management and organisational commitment to implement security, then it is perfectly possible to be fully compliant with the standard and yet be insecure.

In the end, an organisation will only implement information security effectively if there is a culture of understanding the value of information and protecting it. This requires visible management commitment and individual ownership and responsibility, backed up with effective security education and awareness. Without this, an ISO 27001 ISMS is unlikely to be effective, and hence information will not be appropriately protected.

Conclusion

ISO 27001 gives you a best practice management framework for implementing and maintaining security. It also gives you a baseline against which to work - either to show compliance or for external certification against the standard.

However, compliance or external certification to ISO 27001 does not mean you are secure - it means that you are managing security in line with the standard, and to the level you think is appropriate to the organisation.

If your risk assessment is flawed, if you lack sufficient security and risk assessment expertise, or if you do not have the management and organisational commitment to implement security, then it is perfectly possible to be fully compliant with the standard and yet be insecure.

Implementing ISO 27001 is the right way forward for managing the security of an organisation. However, to actually be secure, it is necessary to develop a culture of valuing information and protecting it, through:

  • A strong management commitment to information security;
  • Individual ownership and responsibility for information security; and
  • Effective information security education and awareness.

June 2009