Monday 28 July 2014

ISO27001 in Plain English

Often perceived as shrouded in an eerie mist of complexity and strange terminology, ISO27001 is an established information security standard. In this blog we'll explain what this means - in layman's terms - and explain why it is a sensible investment for organisations of all shapes and sizes. In its simplest form, it's a structured framework which helps organisations to understand what their valuable information is, develop an appreciation for the sort of "bad things" which can happen to that information, and implement a sensible safety net of controls to stop them happening.

Introducing "CIA"

However, not all information has the same value or sensitivity (compare a confidential password database with publicly available brochures, for example), so we need to take a look at three characteristics to determine how much protection it needs:
  • Confidentiality - can it only be seen by people who have the authority and a need to see it?
  • Integrity - can the information be trusted, has it been modified without authority?
  • Availability - ensuring that information can be accessed as and when required
We can start to see that sensible business systems and processes will help us provide appropriate protection for each of these considerations. For example, confidentiality can be maintained by user names, strong passwords and proper logging of user activity. Integrity is assisted by implementing access control to minimise access, or perhaps by having regular back-up media which could be recovered. Availability considers many things, from the resilience of power, networks and systems - through to our business continuity arrangements.

Sprinkle on some Risks ...

Think about all the things that could in some way affect your organisation's valuable data, or perhaps the buildings or infrastructure upon which it depends for its security. There are many of these; for the sake of a short blog, here's a small selection of risks which should be assessed by an organisation:
  • risks of information theft by an employee, or a contractor
  • damage to information from a computer virus outbreak, or theft by some form of malware
  • disclosure of information to the wrong customer from unchecked software changes
  • server failure due to hard drive capacity issues
  • risks to your data centre environment due to historical flood risks or proximity to an airport
Some risks will happen on a more frequent basis than others, whilst some will have a major impact and others relatively minor. So alongside the identification of risks, we should seek to understand the probability of them actually happening, and the impact if they did.

... And stir in carefully selected Controls

There are lots of "bad things" which we need to identify, and do all we can to remove or at the very least minimise to an acceptable level. You're hopefully already doing sensible things, so for our five examples above you could be implementing:
  • employment contract clauses, supplier agreements, and appropriate activity monitoring
  • robust anti-virus and anti-malware protection, ensuring it is updated regularly
  • formal change management for all software changes, involving multiple personnel
  • infrastructure capacity checks, taking action when pre-agreed thresholds are reached
  • environmental checks, ensuring your valuable infrastructure is protected from risks
The ISO27001 (2013) standard offers 114 controls which could be implemented, but there's nothing to stop you adding in additional controls if you think they are appropriate.

Statement of Applicability

The ISO27001 standard requires a "Statement of Applicability" to illustrate how controls have been implemented to protect your organisation's assets. Your risk assessment activities above may indicate to you that some controls are weak or inappropriate, so opportunities should be taken to implement more robust controls, or perhaps transfer the risks to a more suitable third party, or maybe even stop undertaking the risky activities altogether.
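The risk scoring, treatment decision and Statement of Applicability steps described above, as an added Python example that is not part of the original post or of the InfoSaaS product: the five risks from the earlier list are given constructed 1-5 likelihood and impact scores, compared with an assumed acceptance threshold, and the chosen controls are mapped back to the risks that justify them. The Annex A references are the editor's reading of ISO27001:2013 Annex A, not taken from the post; verify them against your copy of the standard.

```python
from dataclasses import dataclass
# Likelihood and impact scored 1 (low) to 5 (high); score = likelihood x impact.
ACCEPT_THRESHOLD = 8  # assumed acceptance threshold chosen for this example

@dataclass
class Risk:
    threat: str
    likelihood: int
    impact: int
    controls: tuple               # CATALOGUE references that address this risk
    treatment: str = "mitigate"   # mitigate | transfer | avoid

    def score(self) -> int:
        return self.likelihood * self.impact

# Control catalogue keyed by ISO27001:2013 Annex A reference (editor's reading of
# Annex A, not from the article; verify against your copy of the standard).
CATALOGUE = {
    "A.7.1.2": "Terms and conditions of employment",
    "A.12.4.1": "Event logging",
    "A.12.2.1": "Controls against malware",
    "A.12.1.2": "Change management",
    "A.12.1.3": "Capacity management",
    "A.11.1.4": "Protecting against external and environmental threats",
    "A.9.4.3": "Password management system",   # no risk below calls for it
}
# The article's five example risks with constructed likelihood/impact scores.
REGISTER = [
    Risk("Information theft by employee or contractor", 3, 4, ("A.7.1.2", "A.12.4.1")),
    Risk("Malware outbreak or data theft by malware", 4, 4, ("A.12.2.1",)),
    Risk("Disclosure to the wrong customer via unchecked change", 2, 5, ("A.12.1.2",)),
    Risk("Server failure from disk capacity exhaustion", 3, 2, ("A.12.1.3",)),
    Risk("Data centre flood", 2, 5, ("A.11.1.4",), treatment="transfer"),
]

def decide(risk, threshold=ACCEPT_THRESHOLD):
    """Accept a risk scoring below the threshold; otherwise apply its treatment."""
    return "accept" if risk.score() < threshold else risk.treatment

def treatment_plan(register, threshold=ACCEPT_THRESHOLD):
    """Risks needing treatment as (threat, score, decision), highest score first."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.threat, r.score(), decide(r, threshold))
            for r in ranked if decide(r, threshold) != "accept"]

def statement_of_applicability(register, catalogue=CATALOGUE):
    """Map each control to the risks justifying it; unjustified ones are not applicable."""
    return {ref: {"control": name,
                  "applicable": any(ref in r.controls for r in register),
                  "justification": [r.threat for r in register if ref in r.controls]}
            for ref, name in catalogue.items()}
```

Raising the threshold shrinks the treatment plan but never changes the Statement of Applicability, which is driven by which controls the register actually relies on.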

Is That All?

Not quite. Whilst asset identification, risk assessment and control implementation may require a clear head and a good supply of strong black coffee, there are a number of related activities which ISO27001 expects to see. Once again we'll spare you a long list, but think along the following lines:
  • Involving your senior management, demonstrating their agreement and commitment to information security objectives which protect your business
  • An appropriate framework of information security policies and procedures, and records to demonstrate how they've been followed
  • A comprehensive employee and contractor security education programme - they need to understand their roles and responsibilities
  • Internal audit activities, a programme of formal checks taking an objective view of how well your information security plans are working
  • Improvement initiatives - doing things better when there is an opportunity to do so.

Next Steps

We hope that the end of this blog finds you more informed than ten minutes ago. With our help, protecting your business and gaining ISO27001 certification is a realistic and achievable goal. Please take a moment to view our website at http://www.infosaas.uk, and register for updates on our new cloud-based software, which is being launched in November 2014. It will help guide you through the requirements of ISO27001, including easing the complexities of risk assessment activities and automatically preparing your Statement of Applicability. Most important, however, is the reassurance that your business will be better protected in an increasingly competitive marketplace.

Monday 21 July 2014

Introducing InfoSaaS

Every organisation needs to properly manage and protect information, both its own and the data entrusted to it by its customers. An international standard (ISO27001) exists to help organisations implement the controls necessary to achieve this important objective, but this is commonly perceived as being complicated, expensive, disruptive to implement properly, and a potential cash machine for "day rate consultants".

InfoSaaS, powered by Ctrl O, has been developed to make information security an achievable goal for all organisations, from SMEs to large corporates. It will help to provide valuable protection for your company, promoting your commitment to data security and helping to differentiate your offerings from your competitors. It's cloud based, requires no additional software, is easy to use and is provided for a low monthly cost. With over 20 years' experience in delivering certified systems to companies around the world, the creators of InfoSaaS know how you should be protecting your business.

InfoSaaS helps you to identify the important information and other assets (for example, premises, hardware, software etc.) and guides you through a risk assessment process to measure the threats and vulnerabilities that they could be subject to. It also contains workflows for managing unacceptable risks, security incidents, document management and a host of other useful features - all designed to help you deliver an effective, operational security management system quickly and with a minimum of fuss. Customers can choose the specific elements that they need, or use the whole solution to deliver their accreditation objectives.

If you have some previous experience with information security, or have perhaps attempted to achieve ISO27001 certification before, the following "top ten" of features will demonstrate what InfoSaaS has to offer:

  1. Management dashboard, see at a glance the current status of all your information security activities and workstreams
  2. Define thresholds for risk acceptance, and related parameters specifically aligned to the needs of your organisation
  3. Undertake detailed risk assessments, perhaps using one of a library of standard asset risk templates, or create templates of your own
  4. Progress risk treatment activities for any unacceptable risk levels identified during your various risk assessments
  5. Automatically populate your Statement of Applicability (as required by the ISO27001 standard) as each risk assessment is completed
  6. Integrated security incident module, allowing for prompt logging, investigation and closure of reported incidents
  7. Integrated document management suite, assisting with document identification, ownership, approvals and planned review cycles
  8. Calendar management, providing visibility of forthcoming (and overdue) management reviews, risk assessments, audits, document reviews etc.
  9. Aligns with ISO27001:2013, and provides helpful cross-references to PCI DSS, CSA CCM and the UK Government Cyber Essentials Scheme for SMEs
  10. A practical, effective and integrated solution, affordable to all sizes of organisations whatever their sector

If you would like more information on InfoSaaS, or would like to be kept updated, please take a look at http://www.infosaas.uk