Monday, January 12, 2009

ISO 27001 - The auditor’s perspective

Hello readers,

Wish you all a very happy and prosperous 2009.

During the 2nd last week of 2009, I had a meeting with a prospective client who was interested in implementing an ISO 27001 compliant ISMS and getting it certified. One question they asked was, “Can I see an ISO 27001 system?” When I asked them to be specific, they said, “You know, all the documents, policies, guidelines etc.” What I could infer from the discussion was that they clearly thought of it as a documented system and nothing more.

Tangibles and intangibles in an ISO 27001 ISMS

I spent some time explaining to them that an ISO 27001 system consists of tangibles and intangibles. There are things that you can see, touch and feel, but there are also many components that you cannot see, touch or feel. This prompted me to go back to some of my earlier experiences with ISO 27001 customers. In most cases, during the initial discussions, customers were asking the question, “Can I see the ISO 27001 policies that you have created?” During ISO 27001 training sessions, they would invariably ask, “Can you give us some sample policies and sample templates from which we can create our policies?” And when asked why they always asked for the policies upfront, the answer would invariably be, “Well, that is what we need to pass the audits and get certified, right?” This prompted me to think more about this from the customers’ perspective and to ask, “Is the purpose of ISO 27001 audits (especially certification audits) being misunderstood?”

The smart ISO 27001 auditor looks for..

No doubt, documentation is a very important component of the certification process, but from my perspective an ISO 27001 auditor will look for two things:

1 - The existence of the ISMS
2 - The functioning of the ISMS

Let us examine “Point 1 - The existence of the ISMS”. This essentially means whether the P-D-C-A (Plan-Do-Check-Act) model is in place and all the required components of the P-D-C-A model exist. This starts from the scope and runs through the security forum, the asset classification list, the risk analysis approach, the actual risk analysis reports, acceptance of risk, risk treatment and actual proof of risk treatment, audits, reviews etc. Some of these components are tangibles and some of them are intangibles. The smart auditor will first spend time verifying this.

Let us examine “Point 2 - The functioning of the ISMS”. The functioning of the ISMS is verified through the review and improvement processes, which come in the CHECK and ACT phases. The smart auditor will check the internal audit reports, and often ask the question “Have you done a root cause analysis?” This is a very important question because the auditor is probing whether the organization has not just identified the problem, but has dug into the root cause of the problem and then solved it. This proves that the ISMS is not just existing, but also functioning.

The broad picture or the Top-level view

So, anyone who is getting ready for an ISO 27001 implementation and certification process, please keep the broad picture in mind. This will keep you from getting off track and will help you when you face a dilemma at certain junctures of the ISO 27001 implementation cycle.

You will have a great ISO 27001 implementation, maintenance and certification experience if you focus on proving two factors.

1) I have an ISMS in my organization
2) My ISMS is functioning well

and, if you care to come and check, I shall prove both of the above points to you. With this attitude you have a winning ISMS in your hands.

Warm regards,

Anup Narayanan
www.isqworld.com (Learning ISO 27001 through storytelling)

Key Strategies for Implementing ISO 27001

In 1995, the British Standards Institution (BSI) published British Standard (BS) 7799, a widely adopted set of best practices that help organizations implement effective information security management systems (ISMSs) and establish security controls for specific business areas. In October 2005, the ISMS specification part of the standard was adopted by the International Organization for Standardization (ISO) as ISO/IEC 27001:2005. As a result, implementing BS 7799, now ISO 27001:2005, has become a major focus of attention for European-based companies and those working in the region.

Depending on the organization's size, the nature of its business, and the maturity of its processes, implementing ISO 27001 can involve a substantial investment of resources that requires the commitment of senior management. In addition, because of its emphasis on data security, many internal auditors perceive the standard to be focused solely on technology and often recommend that IT departments comply with the standard's requirements without understanding the amount of time and resources required for compliance. To ensure across-the-board acceptance and success, initial analyses and planning are vital. Because internal auditors are in the perfect position to add value to an organization's IT processes, they can help IT departments prepare the groundwork for an effective and efficient ISO 27001 implementation strategy during the initial planning phase. This will help companies ensure their IT processes are better aligned with the standard's requirements and ensure long-term compliance.

RECOMMENDATIONS FOR EFFECTIVE ISO 27001 COMPLIANCE

Implementing ISO 27001 can take time and consume unforeseen resources, especially if companies don't have an implementation plan early in the compliance process. To enhance compliance efforts, internal auditors can help companies identify their primary business objectives and implementation scope. Auditors should work with IT departments to determine current compliance maturity levels and analyze the compliance process' return on investment. These steps can be conducted by a team of staff members or external consultants who have prior experience implementing the standard. External consultants should work in collaboration with an internal team of representatives from the company's major business units. Below is a description of each recommendation.

Identify Business Objectives

Plans to adopt ISO 27001 must be supported by a concrete business analysis that involves listing the primary business objectives and ensuring a consensus is reached with key stakeholders. Business objectives can be derived from the company's mission, strategic plan, and existing IT goals and may include:

  • Ensuring effective risk management, such as identifying information assets and conducting accurate risk assessments.
  • Maintaining the company's competitive advantage, if the industry as a whole deals with sensitive information.
  • Preserving the organization's reputation and standing among industry leaders.
  • Providing assurance to customers and partners about the organization’s commitment to protecting data.
  • Increasing the company's revenue, profitability, and savings in areas where protective controls operate well.

The standard also emphasizes compliance with contractual obligations, which might be considered another key business objective. For instance, for an online banking division, implementing the standard would provide customers and partners greater assurance that risks stemming from the use of information systems are managed properly.

Select the Proper Scope of Implementation

Identifying the scope of implementation can save the organization thousands of dollars and time. In many instances, it is not necessary for an organization to adopt companywide implementation of a standard. The scope of compliance can be restricted to a specific division, business unit, type of service, or physical location. In addition, once successful compliance has been achieved for a limited, but relevant scope, it can be expanded to other divisions or locations.

Choosing the right scope is one of the most important factors throughout the compliance cycle, because it affects the feasibility and cost of the standard's implementation and the organization's return on investment. As a result, it is important for the selected scope to help achieve the identified business objectives. To do this, the organization may evaluate different scope options and rank them based on how well they fit with each objective.

Organizations also may want to sign memorandums of understanding (MOUs) or service level agreements (SLAs) with vendors and partners to implement a form of indirect compliance with the standard. For example, a garment manufacturing company may have a contract with a software provider for application maintenance and upgrades. The manufacturing company would then not be responsible for the application's system development life cycle compliance with the standard, as long as it has a relevant MOU or SLA signed with the software vendor. Note that this does not remove the outsourced process from the ISMS altogether: the organization must still show that the risk of the outsourced work was assessed, that the agreement addresses the resulting security requirements, and that the vendor's performance against it is monitored.

Finally, the organization's overall scale of operations is an integral parameter needed to determine the compliance process' complexity level. To find out the appropriate scale of operations, organizations need to consider their number of employees, business processes, work locations, and products or services offered.

Determine ISO 27001 Maturity Levels

When assessing the organization’s compliance maturity level, auditors should determine whether or not the implementation team is able to answer the following questions:

Does a document exist that specifies the scope of compliance?
According to ISO 27001, a scope document is required when planning the standard's implementation. The document must identify the business processes, facilities, and technologies that fall within the ISMS, along with the types of information it covers. When identifying the scope of compliance, companies must clearly define the dependencies and interfaces between the organization and external entities, and justify any exclusions.

Are business processes and information flows clearly defined and documented?
Answering this question helps to determine the information assets within the scope of compliance and their importance, as well as to design a proper set of controls to protect information as it is stored, processed, and transmitted across various departments and business units.

Does a list of information assets exist? Is it current?
All assets that may affect the organization's security should be included in an information asset list. Information assets typically include software, hardware, documents, reports, databases, and applications, each with an identified owner. A structured list must be maintained that includes individual assets or asset groups available within the company, their location, use, and owner. The list should be updated regularly to ensure accurate information is reviewed during the compliance certification process.

How are information assets classified?
Information assets must be classified based on their importance to the organization and on the level of impact that would result if their confidentiality, integrity, or availability were compromised.

Is a high-level security policy in place?
Critical to implementing an information security standard is a detailed security policy. The policy must clearly convey management's commitment to protecting information and establish the business' overall security framework and sense of direction. It should also set out how security risks will be identified and managed and the criteria used to evaluate and accept them.

Has the organization implemented a risk assessment process?
A thorough risk assessment exercise must be conducted that takes into account the value and vulnerabilities of corporate IT assets, the internal and external threats that could exploit these vulnerabilities, and the likelihood of each threat. If a risk assessment methodology is already in place and produces comparable and reproducible results, the standard allows organizations to continue using it.

Is a controls list available?
Necessary controls should be identified based on risk assessment information and the organization's overall approach to mitigating risk. Selected controls should then be mapped to Annex A of the standard, which identifies 133 controls grouped into 11 domains, to complete a statement of applicability (SoA). A full review of Annex A acts as a monitoring mechanism to identify whether any control areas have been missed in the compliance planning process.
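The three questions above (classification by impact, a risk assessment that yields comparable and reproducible results, and a controls list mapped against Annex A) are easier to audit when the scoring rules are written down and applied mechanically. The following is an added illustration, not code from the article or from any standard: it rates each asset 1..3 for the impact of losing confidentiality, integrity and availability, scores each risk scenario as impact × likelihood, applies an assumed acceptance threshold, and then reports which controls proposed for the risks that must be treated have not yet been implemented. The assets, scenarios, threshold and implemented-control set are constructed sample data; the three control identifiers are from the 2005 edition's Annex A as recalled here and should be verified against your copy of the standard.

```python
"""Reproducible risk scoring and statement-of-applicability gap check (illustration)."""
from dataclasses import dataclass

# Impact ratings map to classification labels; an assumed three-level scheme.
CLASSIFICATION = {1: "Public", 2: "Internal", 3: "Confidential"}

# Assumed risk acceptance criterion: scores at or below this are accepted as-is.
ACCEPTANCE_THRESHOLD = 2


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    c: int  # impact (1..3) if confidentiality is lost
    i: int  # impact (1..3) if integrity is lost
    a: int  # impact (1..3) if availability is lost


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    affects: str        # which property the scenario harms: "c", "i" or "a"
    likelihood: int     # 1..3
    controls: tuple     # Annex A control ids proposed to treat this risk


# Constructed sample asset register.
ASSETS = {
    "customer-db": Asset("customer-db", "Head of Operations", c=3, i=3, a=2),
    "marketing-site": Asset("marketing-site", "Marketing Lead", c=1, i=2, a=2),
}

# Constructed sample risk scenarios. Control ids (2005 Annex A, as recalled):
# A.11.2.1 user registration, A.10.5.1 information back-up,
# A.12.6.1 control of technical vulnerabilities.
SCENARIOS = (
    Scenario("customer-db", "unauthorised access by a former employee",
             "accounts not removed on departure", "c", 2, ("A.11.2.1",)),
    Scenario("customer-db", "disk failure", "single backup copy", "a", 2, ("A.10.5.1",)),
    Scenario("marketing-site", "defacement via unpatched CMS",
             "missing security patches", "i", 3, ("A.12.6.1",)),
    Scenario("marketing-site", "scraping of public pages",
             "content is intentionally public", "c", 1, ()),
)

# Constructed: controls the organisation says are already in place.
IMPLEMENTED = {"A.10.5.1", "A.12.6.1"}


def classify(asset: Asset) -> str:
    """Classification follows the highest of the three impact ratings."""
    return CLASSIFICATION[max(asset.c, asset.i, asset.a)]


def risk_score(scenario: Scenario, assets: dict) -> int:
    """Score = impact of the harmed property x likelihood; range 1..9."""
    impact = getattr(assets[scenario.asset], scenario.affects)
    return impact * scenario.likelihood


def assess(scenarios, assets) -> list:
    """Score every scenario and decide accept/treat; output order is deterministic
    (highest score first, then asset and threat name) so two runs are comparable."""
    rows = []
    for s in scenarios:
        score = risk_score(s, assets)
        rows.append({
            "asset": s.asset,
            "threat": s.threat,
            "score": score,
            "decision": "accept" if score <= ACCEPTANCE_THRESHOLD else "treat",
            "controls": s.controls,
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"], r["threat"]))
    return rows


def soa_gaps(rows, implemented) -> dict:
    """Controls proposed for risks that must be treated but are not implemented,
    mapped to the (asset, threat) pairs that depend on them."""
    gaps = {}
    for r in rows:
        if r["decision"] != "treat":
            continue
        for control in r["controls"]:
            if control not in implemented:
                gaps.setdefault(control, []).append((r["asset"], r["threat"]))
    return gaps


if __name__ == "__main__":
    for name, asset in ASSETS.items():
        print(f"{name}: {classify(asset)}")
    register = assess(SCENARIOS, ASSETS)
    for r in register:
        print(f"{r['score']:>2} {r['decision']:<6} {r['asset']} / {r['threat']}")
    print("SoA gaps:", soa_gaps(register, IMPLEMENTED))
```

Because the inputs, the scoring rule and the acceptance threshold are all explicit, an auditor can re-run the same register and get the same treatment decisions, which is what "comparable and reproducible results" means in practice. The gap output is the list an internal audit would expect to see closed, or justified in the SoA, before certification.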

Are security procedures documented and implemented?
A structured set of documents detailing all IT security procedures must be maintained, and their execution must be monitored to ensure they are carried out according to established security policies.

Is there a business continuity (BC) management process in place?
A management process must be in place that defines the company's overall BC framework. A detailed business impact analysis should inform the BC plan, which should then be tested and updated periodically.

Has the company implemented a security awareness program?
Planning and documentation efforts should be accompanied by a proper IT security awareness program so that all employees receive training on information security requirements.

Was an internal audit conducted?
An internal audit must be conducted to ensure compliance with the standard and adherence to the organization’s security policies and procedures.

Was a gap analysis conducted?
Another important parameter to determine is the organization's level of compliance with the 133 controls in the standard. A gap analysis helps organizations link appropriate controls with the relevant business unit and can take place during any stage of the compliance process. Many organizations conduct the gap analysis at the beginning of the compliance process to determine the company's maturity level.

Were corrective and preventive actions identified and implemented?
The standard follows the Plan-Do-Check-Act (PDCA) cycle, and knowing how far and how well the organization has progressed along this cycle directly influences the time and cost estimates for achieving compliance. To complete the PDCA cycle, the gaps identified in the internal audit and gap analysis must be addressed by identifying and implementing the corrective and preventive actions needed.

Are there mechanisms in place to measure control effectiveness?
Measuring control effectiveness is one of the changes introduced in the 2005 edition of the standard. According to ISO 27001, organizations must define how the effectiveness of the selected controls will be measured and produce comparable and reproducible results.

Is there a management review of the risk assessment and risk treatment plans?
Risk assessments and risk treatment plans must be reviewed at planned intervals (at least annually) as part of the organization's ISMS management review.

Analyze Return on Investment
Based on the groundwork done so far, companies should be able to arrive at approximate time and cost estimates to implement the standard for each of the scope options. Organizations need to keep in mind that the longer it takes to get certified, the greater the consulting costs or internal staff effort. Implementation time becomes even more critical when implementation is driven by market or customer requirements, because the longer compliance takes, the longer the organization will have to wait to go to market with a successful certification.

MOVING FORWARD

Implementing ISO 27001 requires careful thought, planning, and coordination to ensure a smooth control adoption. The decision of when and how to implement the standard may be influenced by a number of factors, including different business objectives, existing levels of IT maturity and compliance efforts, user acceptability and awareness, customer requirements or contractual obligations, and the ability of the organization to adapt to change and adhere to internal processes.

To learn more about the standard, BSI has prepared a guidance document available on its Web site, http://asia.bsi-global.com/InformationSecurity/ISO27001+Guidance/download.xalter. In addition, the Standards Direct Web site, www.standardsdirect.org/iso27001.htm, covers the latest version of the standard.

K. K. Mookhey is the founder and principal consultant of Network Intelligence India (NII) Pvt. Ltd., an IT security consulting firm located in Mumbai, India, that offers ethical hacking, security auditing, BS 7799, and business continuity management services. Mookhey has worked on research projects for ISACA and has published several articles and white papers. He also has led teams on numerous security audit and implementation assignments and has trained people from the Big Four accounting firms and Fortune 500 companies on IT security issues.
Khushbu Jithra has been part of all information security documentation projects for NII and helps to conduct security research for the organization. In addition, she drafts and reviews commercial proposals and security consulting reports, especially those dealing with penetration testing, vulnerability assessment, ISO 27001, and security audits.

Nhava Sheva becomes India's first security certified terminal

DUBAI: Global marine terminal operator DP World's Nhava Sheva International Container Terminal (NSICT) in India has become the country's first to achieve ISO 28000:2007 certification in supply chain security management systems.

With the certification announced yesterday, the terminal also known as DP World Nhava Sheva has become the 15th among the giant operator's network of 48 terminals worldwide, to get the distinction.

The certification, undertaken by the independent classification society and auditing firm Det Norske Veritas (DNV), validates NSICT's mechanisms and processes for addressing security vulnerabilities at strategic and operational levels, as well as its preparedness with preventive action plans.

The Nhava Sheva terminal, which boasts state-of-the-art infrastructure and world-class services, is already certified for ISO 9001, ISO 14001, OHSAS 18001 and ISO 27001 management systems.

The terminal was granted the certification after a thorough security audit of the facility, focused principally on container security, physical access controls, personnel security, procedural security, security training and threat awareness, business partner requirements and IT security.

"Having an internationally recognised and certified security management system will greatly benefit DP World's customers and other terminal users and stakeholders who can now be assured that robust systems are in place to provide for the safety of their cargo and people using the terminal facilities in DP World Nhava Sheva," DP World Nhava Sheva's CEO, Capt Rustom Dastoor, said.

Its investment in the ISO security management system has been recognised by U.S. Customs and Border Protection, which invited DP World to join its Customs-Trade Partnership Against Terrorism (C-TPAT) programme.

Source: http://economictimes.indiatimes.com/

Sunday, January 4, 2009

VanceInfo Achieves ISO 27001 Security Certification

BEIJING, Dec. 15 /PRNewswire-Asia/ -- VanceInfo Technologies Inc. ("VanceInfo" or the "Company"), an IT service provider and one of the leading offshore software development companies in China, today announced that it has achieved the International Organization for Standardization ("ISO") 27001 certification for Shanghai VanceInfo Technologies Limited ("Shanghai VanceInfo"), one of the Company's major subsidiaries.

ISO creates standards that specify worldwide requirements for products, services, processes, materials and systems. ISO 27001 is the international standard developed specifically for Information Security Management Systems ("ISMS"), requiring that a company use a systematic approach to managing sensitive corporate information and ensuring data security. VanceInfo's recent certification recognizes the Company's adoption of an effective information security system that complies with one of the most widely recognized international standards.

"The protection of customers' information, particularly intellectual property and trade secrets, is a top priority for VanceInfo. We strive to safeguard the integrity, availability and confidentiality of the data of our clients and business partners," said David Chen, President of VanceInfo. "As one of the leading providers of offshore software development, VanceInfo has a longstanding commitment to applying best practices and technologies to software development for our clients. Achieving the ISO 27001 certification today and the CMMI Level 5 certification a quarter ago serves as confirmation that VanceInfo has made continuous efforts to meet the industry's most stringent standards."

The ISO 27001 certification was awarded after a detailed assessment of information security management in Shanghai VanceInfo's software architecture, development and testing processes. This certification marks another major step for VanceInfo toward achieving operational excellence and maximizing customer trust and confidence in the Company's IT infrastructure and security capabilities. The ISO 27001 certification will position VanceInfo with enhanced strengths in foreign markets where ISO standards provide uniformity across national and regional boundaries.

About VanceInfo

VanceInfo Technologies Inc. is an IT service provider and one of the leading offshore software development companies in China. VanceInfo was the first China software development outsourcer listed on the New York Stock Exchange.

The Company ranked number one among Chinese offshore software development service providers for the North American and European markets as measured by 2007 revenues, according to International Data Corporation, or IDC, a leading independent market research firm.

VanceInfo's comprehensive range of IT services includes research & development services, enterprise solutions, application development & maintenance, quality assurance & testing, and globalization & localization. VanceInfo provides these services primarily to corporations headquartered in the United States, Europe, Japan, and China, targeting high growth industries such as technology, telecommunications, financial services, manufacturing, retail and distribution.

Safe Harbor

This press release includes statements that may constitute forward-looking statements made pursuant to the safe harbor provisions of the U.S. Private Securities Litigation Reform Act of 1995. These forward-looking statements can be identified by terminology such as will, should, expects, anticipates, future, intends, plans, believes, estimates, and similar statements. Such statements are subject to risks and uncertainties that could cause actual results to differ materially from those projected. Further information regarding these and other risks is included in VanceInfo's filings with the U.S. Securities and Exchange Commission, including its registration statement on Form F-1. All information provided in this press release and in the attachments is as of December 15, 2008, and VanceInfo does not undertake any obligation to update any forward-looking statement as a result of new information, future events or otherwise, except as required under applicable law.

Source: http://findarticles.com/