The Role of Standards

ISO 27001 is an information security management standard that sets out the requirements for establishing, implementing, maintaining and improving an information security management system (ISMS). It aims to help organizations select adequate and appropriate security controls to manage their business risks. The standard contains five mandatory clauses (Clauses 4 to 8) that describe the core processes of the ISMS: establishing the system, implementing and operating controls, monitoring effectiveness, management responsibility and review, internal audit, and improving the system. While implementing ISO 27001 can help change an organization's security culture by establishing roles, training staff and selecting technical controls, the standard alone cannot drive cultural change. Management must be genuinely committed to addressing security issues and to recognizing employees who demonstrate secure behaviours and practices.

Uploaded by

Chizzy Ajoku Mic
Copyright
© Attribution Non-Commercial (BY-NC)

The Role of Standards in Information Security Management.

(This essay should describe the purpose and content of the main standards relevant to information security management, including ISO/IEC 17799/27001/27002, and explain the role they may play in an organisation's overall information security programme.)

INFORMATION SECURITY MANAGEMENT STANDARDS HELP TO CHANGE AN ORGANIZATION'S INFORMATION SECURITY CULTURE BUT CANNOT DO IT ALONE. DO YOU AGREE WITH THIS ASSERTION? (In your answer explain the purpose and outline the components of ISO 27001. Discuss how its purpose and components could help bring about a change in information security culture. Support your discussion with examples related to specific components. Conclude with an evaluation of whether standards alone are enough to bring about change.)

A standard is something we follow to obtain an expected outcome, and something we measure against to know whether that outcome has been achieved. A standard can be set internally, by an organization's own practitioners, or externally, by subject specialists. ISO 27001 is an externally set standard; it is not sector specific and can be applied to any organization. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within the context of an organization's overall business risks, and it is the standard against which that ISMS is certified. An ISMS is a process-driven way of identifying, implementing, maintaining and updating controls, designed to ensure that adequate and appropriate controls are selected. ISO 27001 is the specification of the management system, the standard you certify against, while ISO 27002 is the control set that gives guidance and best-practice suggestions for implementing those controls properly. Annex A of ISO 27001 summarises all the control groups described in ISO 27002.

Among the components of ISO 27001 are five mandatory clauses (Clauses 4 to 8) whose requirements must be met by the ISMS; these clauses are the mechanics of the ISMS. The idea is that if an organization's management has carried out all the steps in these clauses correctly, it will have arrived at the right set of controls from Annex A, as explained in ISO 27002. The control selection is recorded in a document called the Statement of Applicability. This document lists every control in Annex A and, against each one, states whether it has been selected or excluded, the reason for that decision, and where and how each selected control is implemented. It is maintained for the life of the ISMS so that what was selected, and why, can always be justified.

Clause 4, Information Security Management System, defines the process of:
(a) Establishing the ISMS, with risk assessment, business requirements, regulatory requirements and policy as inputs.
(b) Implementing and operating the ISMS: training staff and making them aware of the controls, allocating roles and responsibilities, and carrying out further, more local risk assessment to identify issues and check how things have worked.
(c) Monitoring and reviewing the ISMS: audit, incident management, measurement of effectiveness (how far we are from our goal) and management review.
(d) Maintaining and improving the ISMS: corrective and preventive action. Why are some controls not enforced? Is a review of roles and responsibilities needed, or do the controls themselves have to be refined or changed? What is the root cause? Has the level of risk, or the requirements, changed?
Clause 4 also sets documentation requirements: everything that has been done, including policies and procedures, must be recorded so that it can be checked and reviewed later.

Clause 5, Management Responsibility: management commitment to maintaining the ISMS, resource management and resource allocation.

Clause 6, Internal ISMS Audits: audits of how effectively and efficiently the controls have been implemented, that is, how much of the organization's overall security goals has been achieved, and achieved within cost constraints; and checks that the ISMS conforms to the standard and relevant regulations and performs as expected.

Clause 7, Management Review: the results of ISMS audits and reviews and feedback from interested parties are inputs to management review, which links the issues raised to the relevant expertise. This process is built into the management system to scan the horizon and obtain expert opinion on whether the controls in place are working and what to do next. Its outputs are improvements to the effectiveness of the ISMS and updates to the risk assessment and risk treatment.

Clause 8, ISMS Improvement: continual improvement, corrective action and preventive action.

ISO 27001 also requires the scope and boundaries of the ISMS to be defined (which information flows, systems and locations it covers) and owners, roles and responsibilities for assets to be assigned. Annex A groups the controls into the following areas: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; and compliance.

Implementing ISO 27001 could certainly bring about a change in an organization's information security culture, because it spans social, technical and, above all, management issues. Business-specific technical controls such as access controls are chosen deliberately, and guidelines are followed when acquiring, developing and maintaining business information systems. Social issues are addressed when owners, roles and responsibilities are assigned. Staff receive awareness training, become conversant with security issues and develop sound security habits, such as recognising when they are being social-engineered into giving out their user names or passwords and sticking to their boundaries. Management has to commit to specific roles in maintaining the ISMS.

Yet standards alone cannot change an organization's security culture, because it is the people and the processes that matter. Management must do more than tick a box to show compliance: it has to tackle the hard questions, such as how to identify and measure effectiveness, how to know when management-level goals have been met, and how to reward and recognise staff who are security-minded and conscious, both to encourage them and to set a yardstick for others to follow. All said, the biggest issue is knowing and understanding what ISO 27001 does, how to put it in place, and how to tell when the organization has actually achieved it.
