THE IT SECURITY PROFESSIONAL | Barlowtek
Helping Organizations Understand IT Security & Best Practices
Broad Path to Compliance

Whenever you are involved in a business that uses technology, you run into compliance requirements or standards. As IT security professionals, it is our job to give company leadership the right information about which standards to follow. ISO/IEC 27001 is an information security standard in the ISO/IEC 27000 family, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) through their joint subcommittee ISO/IEC JTC 1/SC 27. The 2013 edition, ISO/IEC 27001:2013, received only minor corrigenda over its life and was superseded by ISO/IEC 27001:2022 in October 2022. With ISO 27001, you get what you put into it and a whole lot more.

Broad Path

When looking at the ISO 27001 certification requirements, it is important to remember that this is a certification standard that lets the company decide which controls fit its needs. Leadership plays a large part in this, since it sets the overall strategy and long-term outlook. Many businesses assume the standard is beyond their ability to achieve. The certification process separates two things: the mandatory requirements of the standard (the management-system clauses), which every certified organization must meet, and the Annex A controls, which are selected on the basis of the organization's risk assessment and recorded, with a justification for any exclusions, in its Statement of Applicability. The organization decides which controls to implement and how rigorously; the non-negotiable part is meeting the requirements of the standard itself. An accredited certification body may certify an organization that meets those requirements after a successful audit. Using the standard as a guide, the organization determines how complex or how light its controls should be, which gives the standard great flexibility.
The management-system clauses are requirements that must be met for certification, while the Annex A controls are applied as the organization's risk assessment dictates.

ISMS Crazy

The Information Security Management System (ISMS) is the key to the whole process of obtaining this certification for your organization. You will be documenting current or planned practices and demonstrating that you comply with the resulting controls before you are certified, which lets the organization develop its ISMS and implement its controls and processes in a structured, strategic way. One of the most frustrating issues I have run into is a business that believed it already had all of the controls in place and was following best practices. More often than not, they are doing the right thing; they are just not documenting their processes.

Easy Street

If you find yourself with an organization that is doing the right things but not documenting them, consider yourself on easy street. In most cases that is not the situation, and you will have to develop the ISMS from the ground up. This is a difficult task, since it requires deep analysis of the various parts of your organization; the ISO 27001 standard covers most of them, such as the following:
Developing Controls
Once you have reviewed the business and decided which controls you need in order to meet the standard, you will have to develop those controls to address the gaps identified in the initial assessment. You will need direction from leadership on where they see the company going. This can be difficult, since they may not know which direction things will take in the coming years; businesses evolve, and what you are working on now may not be what you are doing 5 to 10 years down the road. Buy-in from senior management is important because they know the direction the company may take and because they have a stake in the success of the ISMS. The importance of this cannot be stressed enough: their support decides whether the program succeeds or fails. When developing the overall program, keep these stakeholders in the loop and make sure that any issues that come up are addressed in a timely manner.

Auditing Controls

Once the controls have been determined and created, they need to be implemented and documented. An accredited certification body then verifies this with an audit. After the audit is completed and the findings remediated, the organization is certified against the standard. While the audit is an integral part of the process, the process continues after certification is achieved. ISO 27001 requires continual improvement of the ISMS, so if only minimal controls are in place today, they will have to be improved over time.
This continual improvement lets the organization adjust its practices as its business changes while improving its overall security posture.

Certification

Certification should be one of the easiest parts of the whole process. When the audit has been completed and the certificate issued, the organization is in compliance with the standard. However, this is not something to slack on; the continuing process should focus on improving the company's security posture. Certification means the organization has chosen a path that lets it show other companies that IT security matters to it and that it has taken steps to comply with the standard. Continued certification rests on the business's ability to keep improving the processes it has established. Annual surveillance audits, and recertification at the end of the three-year certificate cycle, confirm that new controls are implemented as designed and are effective. Companies should make sure the requirements of the standard are adhered to from implementation through the final certification process and beyond.

Summary

While a lot of work goes into obtaining certification, remember that you gain recognition in your industry and set your business apart from the competition. IT security is becoming a key factor in how organizations do business and with whom. Obtaining this internationally recognized certification lets your organization show potential customers that it cares about security and about all of the components that go into it across the enterprise.
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership, ready to help your company stay safe and secure.

Archives: January 2023