Monday, January 12, 2009

ISO 27001 - The auditor’s perspective

Hello readers,

Wish you all a very happy and prosperous 2009.

During the 2nd last week of 2009, I had a meeting with a prospective client who was interested in implementing an ISO 27001 compliant ISMS and getting it certified. One question they asked was, “Can I see an ISO 27001 system?”. When I requested them to be specific, they said, “You know... all the documents, policies, guidelines etc.”. What I could infer from the discussion was that they clearly thought of it as a documented system.

Tangibles and intangibles in an ISO 27001 ISMS

I spent some time explaining to them that an ISO 27001 system consists of tangibles and intangibles. There are things that you can see, touch and feel, but there are a lot of components that you cannot see, touch or feel. This prompted me to go back to some of my earlier experiences with ISO 27001 customers. In most cases, during the initial discussions, customers were asking the question, “Can I see the ISO 27001 policies that you have created?” During ISO 27001 training sessions, they would invariably ask, “Can you give us some sample policies and sample templates with which we can create the policies?” And when asked why they always asked for the policies upfront, the answer would invariably be, “Well, that is what we need to pass the audits and get certified, right?” This prompted me to think more about this from the customers’ perspective and ask the question, “Are ISO 27001 audits (especially as part of a certification process) being misunderstood as to their purpose?”

The smart ISO 27001 auditor looks for...

No doubt documentation is a very important component of the certification process, but from my perspective an ISO 27001 auditor will look for two things:

1 - The existence of the ISMS
2 - The functioning of the ISMS

Let us examine “Point 1 - The existence of the ISMS”. This essentially means whether the P-D-C-A (Plan-Do-Check-Act) model is in place and all the required components of the P-D-C-A model exist. This would start from the scope, the security forum, the asset classification list, the risk analysis approach, the actual risk analysis reports, acceptance of risk, risk treatment and actual proof of risk treatment, audits, reviews etc. Some of these components are tangibles and some of them are intangibles. The smart auditor will spend his time verifying this first.

Let us examine “Point 2 - The functioning of the ISMS”. The functioning of the ISMS is verified through the review and improvement processes, which come in the CHECK and ACT phases. The smart auditor will check the internal audit reports, and often ask the question “Have you done a root cause analysis?” This is a very important question because the auditor is probing whether the organization has not just identified the problem, but has gone deeper to find the root cause of the problem and then solved it. This shows that the ISMS not only exists, but also functions.

The broad picture or the Top-level view

So, anyone who is getting ready for an ISO 27001 implementation and certification process, please keep the broad picture in mind. This will help you stay on track and will help you when you are in a dilemma at certain junctures of the ISO 27001 implementation cycle.

You will have a great ISO 27001 implementation, maintenance and certification experience if you focus on proving two points:

1) I have an ISMS in my organization
2) My ISMS is functioning well

and, if you care to come and check, I shall prove both of the above points to you. With this attitude you have a winning ISMS in your hands.

Warm regards,

Anup Narayanan (Learning ISO 27001 through storytelling)

Key Strategies for Implementing ISO 27001

In 1995, the British Standard Institute (BSI) published British Standard (BS) 7799, a widely adopted set of best practices that help organizations implement effective information security management systems (ISMSs) and establish security controls for specific business areas. In October 2005, the standard was adopted by the International Organization for Standardization (ISO). As a result, implementing BS 7799 — now ISO 27001:2005 — has become a major focus of attention for European-based companies and those working in the region.

Depending on the organization's size, the nature of its business, and the maturity of its processes, implementing ISO 27001 can involve a substantial investment of resources that requires the commitment of senior management. In addition, because of its emphasis on data security, many internal auditors perceive the standard to be focused solely on technology and often recommend that IT departments comply with the standard's requirements without understanding the amount of time and resources required for compliance. To ensure across-the-board acceptance and success, initial analyses and planning are vital. Because internal auditors are in the perfect position to add value to an organization's IT processes, they can help IT departments prepare the groundwork for an effective and efficient ISO 27001 implementation strategy during the initial planning phase. This will help companies ensure their IT processes are better aligned with the standard's requirements and ensure long-term compliance.


Implementing ISO 27001 can take time and consume unforeseen resources, especially if companies don't have an implementation plan early in the compliance process. To enhance compliance efforts, internal auditors can help companies identify their primary business objectives and implementation scope. Auditors should work with IT departments to determine current compliance maturity levels and analyze the compliance process' return on investment. These steps can be conducted by a team of staff members or external consultants who have prior experience implementing the standard. External consultants should work in collaboration with an internal team of representatives from the company's major business units. Below is a description of each recommendation.

Identify Business Objectives

Plans to adopt ISO 27001 must be supported by a concrete business analysis that involves listing the primary business objectives and ensuring a consensus is reached with key stakeholders. Business objectives can be derived from the company's mission, strategic plan, and existing IT goals and may include:

  • Ensuring effective risk management, such as identifying information assets and conducting accurate risk assessments.
  • Maintaining the company's competitive advantage, if the industry as a whole deals with sensitive information.
  • Preserving the organization's reputation and standing among industry leaders.
  • Providing assurance to customers and partners about the organization’s commitment to protecting data.
  • Increasing the company's revenue, profitability, and savings in areas where protective controls operate well.

The standard also emphasizes compliance with contractual obligations, which might be considered another key business objective. For instance, for an online banking division, implementing the standard would provide customers and partners greater assurance that risks stemming from the use of information systems are managed properly.

Select the Proper Scope of Implementation

Identifying the scope of implementation can save the organization thousands of dollars and considerable time. In many instances, it is not necessary for an organization to adopt companywide implementation of a standard. The scope of compliance can be restricted to a specific division, business unit, type of service, or physical location. In addition, once successful compliance has been achieved for a limited but relevant scope, it can be expanded to other divisions or locations.

Choosing the right scope is one of the most important factors throughout the compliance cycle, because it affects the feasibility and cost of the standard's implementation and the organization's return on investment. As a result, it is important for the selected scope to help achieve the identified business objectives. To do this, the organization may evaluate different scope options and rank them based on how well they fit with each objective.

Organizations also may want to sign memorandums of understanding (MOUs) or service level agreements (SLAs) with vendors and partners to implement a form of indirect compliance with the standard. For example, a garment manufacturing company may have a contract with a software provider for application maintenance and upgrades. Therefore, the manufacturing company will not be responsible for the application’s system development life cycle compliance with the standard, as long as it has a relevant MOU or SLA signed with the software vendor.

Finally, the organization's overall scale of operations is an integral parameter needed to determine the compliance process' complexity level. To find out the appropriate scale of operations, organizations need to consider their number of employees, business processes, work locations, and products or services offered.

Determine ISO 27001 Maturity Levels

When assessing the organization’s compliance maturity level, auditors should determine whether or not the implementation team is able to answer the following questions:

Does a document exist that specifies the scope of compliance?
According to ISO 27001, a scope document is required when planning the standard's implementation. The document must list all the business processes, facilities, and technologies available within the organization, along with the types of information within the ISMS. When identifying the scope of compliance, companies must clearly define the dependencies and interfaces between the organization and external entities.

Are business processes and information flows clearly defined and documented?
Answering this question helps to determine the information assets within the scope of compliance and their importance, as well as to design a proper set of controls to protect information as it is stored, processed, and transmitted across various departments and business units.

Does a list of information assets exist? Is it current?
All assets that may affect the organization's security should be included in an information asset list. Information assets typically include software, hardware, documents, reports, databases, applications, and application owners. A structured list must be maintained that includes individual assets or asset groups available within the company, their location, use, and owner. The list should be updated regularly to ensure accurate information is reviewed during the compliance certification process.

How are information assets classified?
Information assets must be classified based on their importance to the organization and level of impact, and whether their confidentiality, availability, and integrity could be compromised.

Is a high-level security policy in place?
Critical to implementing an information security standard is a detailed security policy. The policy must clearly convey management's commitment to protecting information and establish the business' overall security framework and sense of direction. It should also identify all security risks, how they will be managed, and the criteria needed to evaluate risks.

Has the organization implemented a risk assessment process?
A thorough risk assessment exercise must be conducted that takes into account the value and vulnerabilities of corporate IT assets, the internal processes and external threats that could exploit these vulnerabilities, and the probability of each threat. If a risk assessment methodology is in place, the standard recommends that organizations continue using this methodology.

Is a controls list available?
Necessary controls should be identified based on risk assessment information and the organization's overall approach for mitigating risk. Selected controls should then be mapped to Annex A of the standard — which identifies 133 controls divided into 11 domains — to complete a statement of applicability (SOA) form. A full review of Annex A acts as a monitoring mechanism to identify whether any control areas have been missed in the compliance planning process.

Are security procedures documented and implemented?
Steps must be taken to maintain a structured set of documents detailing all IT security procedures, which must be documented and monitored to ensure they are implemented according to established security policies.

Is there a business continuity (BC) management process in place?
A management process must be in place that defines the company's overall BC framework. A detailed business impact analysis based on the BC plan should be drafted, tested, and updated periodically.

Has the company implemented a security awareness program?
Planning and documentation efforts should be accompanied by a proper IT security awareness program so that all employees receive training on information security requirements.

Was an internal audit conducted?
An internal audit must be conducted to ensure compliance with the standard and adherence to the organization’s security policies and procedures.

Was a gap analysis conducted?
Another important parameter to determine is the organization's level of compliance with the 133 controls in the standard. A gap analysis helps organizations link appropriate controls with the relevant business unit and can take place during any stage of the compliance process. Many organizations conduct the gap analysis at the beginning of the compliance process to determine the company's maturity level.
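As an added example (not part of the article), the following Python check automates the two steps above: mapping every Annex A control to an SOA decision so that no control area is missed, requiring a stated reason for each exclusion, and reporting applicable-but-unimplemented controls per domain as a first-cut gap analysis. The Annex A rows and the SOA entries are constructed sample data; only the eleven domain names and their control counts follow the 2005 edition of the standard.

```python
"""Statement of Applicability (SOA) completeness and gap check for Annex A.

Added example; not the article's own material. The Annex A subset and the
SOA entries are constructed sample data. Only the eleven domain names and
their control counts follow ISO/IEC 27001:2005 Annex A (133 controls).
"""
from dataclasses import dataclass

# Annex A of ISO/IEC 27001:2005: domain id -> (name, number of controls).
ANNEX_A_DOMAINS = {
    "A.5": ("Security policy", 2),
    "A.6": ("Organization of information security", 11),
    "A.7": ("Asset management", 5),
    "A.8": ("Human resources security", 9),
    "A.9": ("Physical and environmental security", 13),
    "A.10": ("Communications and operations management", 32),
    "A.11": ("Access control", 25),
    "A.12": ("Information systems acquisition, development and maintenance", 16),
    "A.13": ("Information security incident management", 5),
    "A.14": ("Business continuity management", 5),
    "A.15": ("Compliance", 10),
}
assert sum(n for _, n in ANNEX_A_DOMAINS.values()) == 133


@dataclass(frozen=True)
class Control:
    control_id: str
    domain: str
    title: str


# Constructed subset of the Annex A catalogue, enough to exercise the checks.
ANNEX_A_SUBSET = [
    Control("A.5.1.1", "A.5", "Information security policy document"),
    Control("A.5.1.2", "A.5", "Review of the information security policy"),
    Control("A.7.1.1", "A.7", "Inventory of assets"),
    Control("A.7.1.2", "A.7", "Ownership of assets"),
    Control("A.7.2.1", "A.7", "Classification guidelines"),
    Control("A.8.2.2", "A.8", "Information security awareness, education and training"),
    Control("A.14.1.1", "A.14", "Information security in the business continuity process"),
]


@dataclass(frozen=True)
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str   # mandatory text for every excluded control
    owner: str           # business unit accountable for the control
    status: str          # "implemented", "partial" or "not implemented"


VALID_STATUS = {"implemented", "partial", "not implemented"}
# Finding kinds that mean the SOA itself is incomplete (a gap is a treatment
# item, not an SOA defect, so it is not in this set).
BLOCKING = {"missed", "unjustified", "unknown", "invalid"}


def validate_soa(catalogue, soa):
    """Return (kind, control_id, message) findings for an SOA against Annex A."""
    findings = []
    by_id = {e.control_id: e for e in soa}
    known = {c.control_id for c in catalogue}
    for c in catalogue:                       # full review of the annex
        e = by_id.get(c.control_id)
        if e is None:
            findings.append(("missed", c.control_id, "no SOA decision recorded"))
            continue
        if e.status not in VALID_STATUS:
            findings.append(("invalid", c.control_id, f"unknown status {e.status!r}"))
        if not e.applicable and not e.justification.strip():
            findings.append(("unjustified", c.control_id, "excluded without a reason"))
        if e.applicable and e.status != "implemented":
            findings.append(("gap", c.control_id, f"applicable but {e.status}"))
    for cid in by_id:                         # typos or controls not in the annex
        if cid not in known:
            findings.append(("unknown", cid, "control id not in Annex A catalogue"))
    return findings


def soa_is_complete(catalogue, soa):
    """True when every control has a decision and every exclusion a reason."""
    return not any(kind in BLOCKING for kind, _, _ in validate_soa(catalogue, soa))


def gap_by_domain(catalogue, soa):
    """Per-domain counts of applicable, implemented, excluded and undecided controls."""
    by_id = {e.control_id: e for e in soa}
    report = {d: {"applicable": 0, "implemented": 0, "excluded": 0, "missing": 0}
              for d in {c.domain for c in catalogue}}
    for c in catalogue:
        row, e = report[c.domain], by_id.get(c.control_id)
        if e is None:
            row["missing"] += 1
        elif not e.applicable:
            row["excluded"] += 1
        else:
            row["applicable"] += 1
            row["implemented"] += e.status == "implemented"
    return report


# Constructed SOA with one of each defect: a partial and an unimplemented
# control, an unjustified exclusion, a missing decision and a bad control id.
SAMPLE_SOA = [
    SoaEntry("A.5.1.1", True, "", "Security forum", "implemented"),
    SoaEntry("A.5.1.2", True, "", "Security forum", "partial"),
    SoaEntry("A.7.1.1", True, "", "IT", "implemented"),
    SoaEntry("A.7.1.2", True, "", "IT", "not implemented"),
    SoaEntry("A.7.2.1", False, "", "IT", "not implemented"),
    SoaEntry("A.8.2.2", True, "", "HR", "implemented"),
    SoaEntry("A.99.9.9", True, "", "IT", "implemented"),
]

if __name__ == "__main__":
    for kind, cid, msg in validate_soa(ANNEX_A_SUBSET, SAMPLE_SOA):
        print(f"{kind:12} {cid:10} {msg}")
    for domain, row in sorted(gap_by_domain(ANNEX_A_SUBSET, SAMPLE_SOA).items()):
        print(domain, ANNEX_A_DOMAINS[domain][0], row)
    print("SOA complete:", soa_is_complete(ANNEX_A_SUBSET, SAMPLE_SOA))
```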

Were corrective and preventive actions identified and implemented?
The standard adheres to the Plan-Do-Check-Act (PDCA) cycle, which helps the organization know how far and how well it has progressed along this cycle. This directly influences the time and cost estimates to achieve compliance. To complete the PDCA cycle, the gaps identified in the internal audit must be addressed by identifying the corrective and preventive controls needed, based on the company's compliance as determined by the gap analysis.

Are there mechanisms in place to measure control effectiveness?
Measuring control effectiveness is one of the latest changes to the standard. According to ISO 27001, organizations must institute metrics to measure the effectiveness of the controls and produce comparable and reproducible results.

Is there a management review of the risk assessment and risk treatment plans?
Risk assessments and risk treatment plans must be reviewed at planned intervals, at least annually, as part of the organization's ISMS management review.

Analyze Return on Investment

Based on the groundwork done so far, companies should be able to arrive at approximate time and cost estimates to implement the standard for each of the scope options. Organizations need to keep in mind that the longer it takes to get certified, the greater the consulting costs or internal staff effort. Implementation costs become even more critical when implementation is driven by market or customer requirements: the longer compliance takes, the longer the organization will have to wait to reach the market with a successful certification.


Implementing ISO 27001 requires careful thought, planning, and coordination to ensure a smooth control adoption. The decision of when and how to implement the standard may be influenced by a number of factors, including different business objectives, existing levels of IT maturity and compliance efforts, user acceptability and awareness, customer requirements or contractual obligations, and the ability of the organization to adapt to change and adhere to internal processes.

To learn more about the standard, BSI has prepared a guidance document available on its Web site. In addition, the Standards Direct Web site covers the latest version of the standard.

K. K. Mookhey is the founder and principal consultant of Network Intelligence India (NII) Pvt. Ltd., an IT security consulting firm located in Mumbai, India, that offers ethical hacking, security auditing, BS 7799, and business continuity management services. Mookhey has worked on research projects for ISACA and has published several articles and white papers. He also has led teams on numerous security audit and implementation assignments and has trained people from the Big Four accounting firms and Fortune 500 companies on IT security issues.

Khushbu Jithra has been part of all information security documentation projects for NII and helps to conduct security research for the organization. In addition, she drafts and reviews commercial proposals and security consulting reports, especially those dealing with penetration testing, vulnerability assessment, ISO 27001, and security audits.

Nhava Sheva becomes India's first security certified terminal

DUBAI: Global marine terminal operator DP World's Nhava Sheva International Container Terminal (NSICT) in India has become the country's first to achieve ISO 28000:2007 certification in supply chain security management systems.

With the certification announced yesterday, the terminal, also known as DP World Nhava Sheva, has become the 15th among the giant operator's network of 48 terminals worldwide to get the distinction.

The certification, undertaken by the independent Rotterdam-based Dutch auditing firm and maritime classification society Det Norske Veritas (DNV), validates NSICT's mechanisms and processes to address security vulnerabilities at strategic and operational levels, as well as its preparedness for preventive action plans.

The Nhava Sheva terminal, which boasts state-of-the-art infrastructure and world-class services, is already certified for ISO 9001, ISO 14001, OHSAS 18001 and ISO 27001 management systems.

The terminal was granted the certification after a thorough security audit of the facility, focused principally on container security, physical access controls, personnel security, procedural security, security training and threat awareness, business partner requirements and IT security.

"Having an internationally recognised and certified security management system will greatly benefit DP World's customers and other terminal users and stakeholders who can now be assured that robust systems are in place to provide for the safety of their cargo and people using the terminal facilities in DP World Nhava Sheva," DP World Nhava Sheva's CEO, Capt Rustom Dastoor, said.

Its investment in the ISO security management system has been recognised by the US Customs Border Protection agency, which invited DP World to join its Customs Trade Partnership Against Terrorism (C-TPAT) programme.


Sunday, January 4, 2009

VanceInfo Achieves ISO 27001 Security Certification

BEIJING, Dec. 15 /PRNewswire-Asia/ -- VanceInfo Technologies Inc. ("VanceInfo" or the "Company"), an IT service provider and one of the leading offshore software development companies in China, today announced that it has achieved the International Organization for Standardization ("ISO") 27001 certification for Shanghai VanceInfo Technologies Limited ("Shanghai VanceInfo"), one of the Company's major subsidiaries.

ISO creates standards that specify worldwide requirements for products, services, processes, materials and systems. ISO 27001 is the international standard developed specifically for Information Security Management Systems ("ISMS"), requiring that a company uses a systematic approach to managing sensitive corporate information and ensuring data security. VanceInfo's recent certification recognizes the Company's adoption of an effective information security system that complies with one of the highest established international standards.

"The protection of customers' information, particularly intellectual property and trade secrets, is a top priority for VanceInfo. We strive to safeguard the integrity, availability and confidentiality of the data of our clients and business partners," said David Chen, President of VanceInfo, "As one of the leading providers of offshore software development, VanceInfo has a longstanding commitment to applying best practices and technologies to software development for our clients. Achieving the ISO 27001 certification today and the CMMI Level 5 certification a quarter ago serves as confirmation that VanceInfo has made continuous efforts to meet the industry's most stringent standards."

The ISO 27001 certification was awarded after a detailed assessment of information security management in Shanghai VanceInfo's software architecture, development and testing processes. This accreditation marks another major step for VanceInfo toward achieving operational excellence and maximizing customer trust and confidence in the Company's IT infrastructure and security capabilities. The ISO 27001 certification will position VanceInfo with enhanced strengths in foreign markets where ISO standards provide uniformity across national and regional boundaries.

About VanceInfo

VanceInfo Technologies Inc. is an IT service provider and one of the leading offshore software development companies in China. VanceInfo was the first China software development outsourcer listed on the New York Stock Exchange.

The Company ranked number one among Chinese offshore software development service providers for the North American and European markets as measured by 2007 revenues, according to International Data Corporation, or IDC, a leading independent market research firm.

VanceInfo's comprehensive range of IT services includes research & development services, enterprise solutions, application development & maintenance, quality assurance & testing, and globalization & localization. VanceInfo provides these services primarily to corporations headquartered in the United States, Europe, Japan, and China, targeting high growth industries such as technology, telecommunications, financial services, manufacturing, retail and distribution.

Safe Harbor

This press release includes statements that may constitute forward-looking statements made pursuant to the safe harbor provisions of the U.S. Private Securities Litigation Reform Act of 1995. These forward-looking statements can be identified by terminology such as will, should, expects, anticipates, future, intends, plans, believes, estimates, and similar statements. Such statements are subject to risks and uncertainties that could cause actual results to differ materially from those projected. Further information regarding these and other risks is included in VanceInfo's filings with the U.S. Securities and Exchange Commission, including its registration statement on Form F-1. All information provided in this press release and in the attachments is as of December 15, 2008, and VanceInfo does not undertake any obligation to update any forward-looking statement as a result of new information, future events or otherwise, except as required under applicable law.


Tuesday, December 23, 2008

What It Means To Be ISO 27001 Certified - Benefits and Potential Payoffs

Mark Bernard is the Security & Privacy Officer at Credit Union Central of British Columbia. Today, Mark's credit union is the first financial institution to achieve ISO 27001 certification. Mark discusses ISO 27001 certification and its benefits with

Background: ISO 27001 is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO). The certification ensures that effective security controls and policies are in place. The certification process is a measurement of the performance of best security practices and identification of opportunities to improve those practices. It basically involves testing the existence and effectiveness of the information security controls at any given institution.

Benefits/ Payoffs of ISO 27001 Certification

The Credit Union Central of British Columbia has changed remarkably in its level of security awareness, and awareness across the credit union system has gone up substantially. People now recognize the value of having an information security credential such as this, and it is helping the institution to identify information security issues and address them more effectively.

As an institution in general, the culture has benefited as well. It is more focused on information security now, and the identification of assets and how the credit union treats the assets, threats, risks, and vulnerabilities associated with those assets have been very positive.

Such involvement also boosts the team culture that remains, and this team effort can be effectively channelled into other business areas.

The ISO framework provides many opportunities for improvement, to draw up new sets of controls and to manage those more effectively than they have been in the past. Also, because the ISO framework already exists, the credit union is looking at other standards such as BS 25999, the business continuity standard, and integrating those controls within the ISMS.

Becoming ISO certified also made a big difference to the institution economically by reducing the number of external consulting engagements that were necessary, which had been costing hundreds of thousands of dollars. And now the credit union has a bona fide external audit group that comes by twice a year to monitor its activity and provide a list of opportunities for improvement.

Thursday, December 18, 2008

Promoting accountability through ISO/IEC 27001 & 27002

As organisations go, there are those that welcome internationally recognised standards with open arms, and those that shy away citing cost or even applicability.

However, there is a need for standards within all organisations, regardless of size or market. It is in defining the Statements of Applicability (SoA) that the project becomes both relevant and cost-effective.

There is "information" within every organisation that is relied upon, so a system is required to manage its security. At the least, we need to ensure that the information is viable for its purpose.

Combined, these provide best practice guidance and a framework for an information security management system (ISMS) - ISO/IEC 27001 - and the management thereof - ISO/IEC 27002 - for the protection, confidentiality, integrity and availability of the information assets upon which an organisation depends.

Code of practice

ISO/IEC 27002 is merely a code of practice, so organisations are free to implement controls as they see fit, and the ISO/IEC 27001 standard incorporates only a simple summary of such controls and does not mandate any.

An important element is the definition of the SoA, among other scoping documents.

Through the SoA you are free to broaden or narrow the scope of certification, as you see fit, limiting the focus of any analysis. Understanding the SoA is crucial to attaching meaning to the certificate.

If you only define "the HR department", the associated certificate says nothing about the state of information security in "procurement", "manufacturing", "the IT department" or even the organisation as a whole. You set the scope.

Similarly, if the SoA asserts that some technical controls are not necessary for specified reasons, the assessing body will check that assertion but will not otherwise certify or fail those controls or the lack of them. In fact, no technical controls may be assessed at all as part of the assessment as ISO/IEC 27001 is primarily a management standard and compliance requires only that the organisation has a suite of management controls in place. If you feel a control is not necessary, giving a valid reason should suffice.

Start small

Look towards the information assets you currently manage or those you feel you can easily manage within the reduced scope, define a narrow SoA focused on what is already known and document your process to define, design, implement and manage these controls, including those "few" controls that may be missing.

Beyond certification or marketing potential, the process of assessment should confirm or improve accountability internally for information asset interfaces with wider business functions and third parties, confirming the scope for use of information assets with those partners.

Certification is optional, but is increasingly being mandated from suppliers and business partners concerned about their information security and the security of shared or common information.

Bodies such as the British Standards Institution, the National Institute of Science and Technology and various national bodies are issuing approximately 1,000 certificates per year - and the trend is growing.

By concentrating on the known information assets of a small business function, defining your ISMS to manage these will get you on the ladder and act as a springboard to widen your certification later.

ISO/IEC 27001

ISO/IEC 27001 is a formal standard towards which your organisation can attain independent certification of its frameworks to systematically and consistently design, implement, manage, maintain and enforce information security processes and controls - an information security management system (ISMS).

It covers any organisation (commercial business, government body or non-profit organisation), specifying the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a well-documented ISMS, within the context of the organisation's overall risk management processes.

It defines the requirements for custom security controls that meet the specific needs of the organisation or, importantly, any specified part or department thereof.


David Gregg is an infrastructure and security consultant at The Logic Group

The growing accreditation of IT security tools and processes

Vincent Villers, Partner at PwC Luxembourg and Marc Sel, Director at PwC Belgium
Business review, December 2008

For a long time, information security has had many technical standards but has been lacking a minimal consensus in the area of management and responsibilities. The BSI (British Standards Institute) put forward their 7799 standards, which were well accepted and evolved into the ISO (International Standards Organisation) world. Fundamental to the ISMS (Information Security Management System) standard is the typical management organisation model ‘Plan-Do-Check-Act’.

ISO 27001 is commonly used as a term to refer to a family of interrelated standards:

• 27000 ISMS fundamentals and vocabulary
• 27001 ISMS requirements (absorbing parts of ISO 13335)
• 27002 Code of practice (based on the BSI 7799)
• 27003 ISMS implementation guidelines
• 27004 Information security management measurements
• 27005 ISMS risk management (absorbing parts of ISO 13335)

Structure of ISO 27001

The main standard document ISO 27001 addresses requirements for the Information Security Management System, as well as how to establish, manage and monitor the ISMS. It continues by addressing ISMS responsibilities, as well as audit and management review aspects.

The ISO 27001 certification process

In many countries, certification bodies have been established under the umbrella of accreditation bodies. For example, one of the authors, Marc Sel, is accredited Lead Auditor for PwC’s Certification Body ‘PwCC B.V.’, which is on a peer level with the BSI, TÜV and KEMA [1]. PwCC B.V. is in turn accredited by the Dutch Accreditation Body (‘Raad voor Accreditatie’).

The International Register of ISMS accredited certificates lists those certificates that have been awarded to organisations that have gone through an accredited certification process in line with the ISMS standard BS 7799 Part 2:2002 and ISO/IEC 27001:2005 (i.e. the revised version of BS 7799 Part 2:2002).

This register has been produced in cooperation with the international network of certification bodies and is managed and maintained by the ISMS International User Group (IUG). It is updated on a regular basis in co-operation with the certification bodies. The entries in this register have been supplied by those certification bodies that have carried out the ISMS certification.

The increasing interest in ISO 27001 certification

In November 2008, almost 5,000 ISMS certificates had been issued (4,987 to be precise [2]). The top five countries with the highest number of certificates today are Japan, India, the UK, Taiwan and China. They are followed by Germany and the USA.

The best advice to follow is to centralise core IT services in larger data centres. For example, the data centres of PwC Yemen, UK, Hong Kong, China, and USA have been secured by ourselves and accredited by the BSI against ISO 27001:2005. This gives us a strong background when helping customers prepare for such certification or improve their security posture.

In Luxembourg, only one company is registered as being accredited against the standard so far. However, considering the current trend of financial institutions to focus on their core business by considering the outsourcing of several functions, coupled with the increasing need to embed trust in business relationships, all conditions are met for a growing interest in this certification. Indeed, unlike the current perception of other standards, ISO 27001:2005 relies upon clear requirements and implementation guidelines that provide sufficient transparency to bring the required level of comfort that an accredited company meets an adequate level of security to build trust with its stakeholders. The implementation of an ISO 27001 ISMS is clearly becoming an optimal approach to help organisations tackle the current regulatory requirements with regard to information technology controls.

Finally, rather than individually answering each request for compliance, it is advisable to look at the requirements holistically and build a framework that allows compliance to be demonstrated against a broad set of regulations, re-using the same set of well-defined controls. The implementation of such a control framework makes demonstrating compliance significantly less expensive.

[1] BSI British Standards is the National Standards Body of the UK, TÜV Rheinland Group is a leading provider of technical services worldwide, KEMA is a commercial enterprise specializing in high-grade business and technical consultancy, inspections and measurement, testing and certification.
[2] The status of the official ISO 27001 certificates is available at

Source: PwC