Monday, May 26, 2008

The Bare Minimum

We have all heard about ISO 17799 and ISO 27001; ISO 17799 is being renamed to ISO 27002, and ISO 27001 was formerly known as BS7799-2. If you haven’t and you’re reading this, stop now and go look them up. Here is a good place for a general overview.

These standards are the baseline requirement for doing business where security is a concern. Instead, what you see is that most companies, those that care and especially here in the US, are still in a phase of “working towards” meeting these standards. Very few western organizations have implemented or even looked at these standards. In Japan over 2000 companies have been certified, meaning that Japan dwarfs any other country by at least 300% more compliance than the UK and the US put together.

Something needs to be done to bring the compliance level up, especially when it comes to the base foundation for security controls and the ISMS.

So what can you do? Here is a 10-step guide to becoming certified.
  1. Prepare the ground: obtain copies of the ISO 17799 and BS7799-2 standards, research the background, set the objectives, understand the costs and benefits, and liaise with senior management to gain their support.
  2. Define the scope: what’s in, what’s out, including issues like location, assets and so on. Prepare a Statement of Applicability.
  3. Define a formal ISMS (Information Security Management System) policy.
  4. Analyze the information security risks to identify the corresponding security control objectives.
  5. Prepare a security implementation plan describing the implementation of specific information security controls to satisfy the objectives identified in step 4. Gain management approval and secure the budget.
  6. Implement the plan. Prepare, review, approve and publish information security policies, procedures, standards and so forth. Bring controls protecting the IT infrastructure and facilities up to scratch. Review and where necessary improve application security controls. Prepare and exercise contingency plans.
  7. Operate and maintain the information security management system. Keep records to document proper use of your system (e.g. information arising from the review of system security logs).
  8. Perform an information security audit and management review to check that everything is in order (this typically involves an informal pre-certification assessment by the certification body).
  9. Make any last-minute adjustments to the information security management system to address issues identified in the pre-certification assessment.
  10. Undergo the formal certification assessment by an accredited certification body.

