Server Operations & Security


ISO in three easy steps

By Karen Campbell posted 02-25-2014 09:22


There is much buzz and there are so many articles that attempt to describe ISO and what’s involved, why it should or should not be done, how time-consuming and expensive an undertaking it is, debates about the value, and on and on. It sounds like a monstrous undertaking, but lay all panic aside. It’s not painful.

Some background: ISO is a non-governmental organization made up of a network of the national standards institutes of 160 countries, and it coordinates the system.

My best interpretation of the ISO standards, taken from ISO/IEC 27001:2013, is this: the ISO standards provide a model for implementing, operating, monitoring, reviewing, maintaining, and improving an organization’s Information Security Management System (ISMS). All that means is that it’s a collection of best practices and guidelines. What it’s not is a regulation. The key word there was “model”.

Here’s how it works:

1. Your organization determines the scope of the ISMS. For many law firms that have already travelled this path, it’s typically limited to one or two systems for starters. For example, your firm may choose to certify the firm’s Document Management System (DMS). Yes, you choose the scope. There is no regulation in ISO that requires any specific scope; it is solely determined by your firm. If the process feels too big, time-consuming, expensive and just plain overwhelming, start by looking at your scope and make it fit within the confines of your firm’s business strategy, resources, etc.

2. Your organization conducts a Risk Assessment. This involves using a process that identifies, estimates, evaluates, and prioritizes risks that could impact in-scope assets. The Risk Assessment helps to determine which risks will be accepted by your firm, which will be treated, how the risk will be communicated, and how it will be monitored and reviewed.

3. Create a Statement of Applicability (SOA). The SOA involves a look at the 133 Annex A Controls in the standard and the preparation of a statement that identifies which controls were selected as applicable, along with the reason for their selection or the justification for their exclusion. The results of the risk assessment and the organization’s compliance requirements define which Annex A controls are applicable.

That’s the bulk of the process. The steps above are the building blocks for establishing and implementing the ISMS. The remaining processes required by the standard are oriented toward monitoring, review, and improvement of the ISMS. If you choose to certify your ISMS, the next step would be an ISMS certification audit. So what do I mean by “if you choose to certify”?

Your organization may choose to certify against the standard or simply be in compliance with the standard without certification. If you opt to travel the certification road, the steps above are followed by an audit conducted by a nationally accredited certifying body. Compliance with the standard is a self-declaration by an organization that it has implemented ISO 27001. Through a process of third-party audit and verification, an organization can certify its ISMS, providing stakeholders with a clear demonstration of its conformity to ISO 27001.

Not so painful after all.
