“I don’t want to talk to you no more, you empty-headed animal food trough wiper! I fart in your general direction! Your mother was a hamster and your father smelt of elderberries!” -Monty Python’s Quest for the Holy Grail, 1975″
Okay, so I had no idea how to tie this quote back to IT security, I usually am pretty good at doing that, so I just grabbed it because of the word “fart.” ha… Great line in that movie..
Sorry boys and girls, the days of buying IT security controls from the latest group reviews in SC Magazine or the Gartner Magic Quadrant and deploying them all over the network in a disjointed, impetuous fashion are simply just gone. Okay yes, I just used the word impetuous, good word though isn’t it? I like it You can insult a lot of people with that word and they’ll still have no idea what it means.
Just stop for a moment and consider this instead of throwing money at the problem and just buying things hoping it will “add more security.” The implementation of controls should be a risk-based decision. Why is the control applicable to you? Why are you deploying it? What are your highest risk assets and are you deploying the controls necessary to lower the risk to those assets or are you deploying them in the wrong area of the enterprise? These are the things that an ISMS will get you thinking about.
Okay, so back to my point. More and more companies are now tying all of their disjointed security controls together into some kind of formal management system. A management system you say? No, not management as in the suits sitting in mahogany row on the 10th floor, I mean management system as in quality management systems (ISO 9001), business continuity management systems, etc. in our case, information security management systems or ISMS.
An Information Security Management System (ISMS) is simply a continuous improvement program for information security comprised of administrative controls, such as policies, and procedures, and technical controls that can continuously be reviewed and improved over time as part of a feedback loop (think OODA). Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
In other words, it’s a way to tie all your security controls together into a formal system that you’ve defined key performance indicators (KPIs) for and also a way for you to get executive level support and insight into the IT risks at your organization. Tired of trying to explain to your senior leadership team why your IT security budget is so important? Than an ISMS is exactly what you need to look into. For example, ISO 27001 requires executive leadership support and visibility, even requiring annual management review meetings (MRMs). The annual MRM is an opportunity for you to present to the board and c-suite on the state of IT risk at your company as well as what your efforts have been over the past year to lower the IT risk to the business. Remember, IT security is no longer an IT problem, it’s a board room problem and more and more board members are asking the CEO of their companies as to what he/she is doing about IT security.
More recently, one of our largest MSSP clients invited me to speak to their entire Board of Directors on IT security. We routinely run MRMs for our MSSP clients, providing an outsider’s perspective to the state of IT security at their organization and the progress that has been made in lowering the company’s IT risk.
So now that you know what an ISMS is and you’re pretty sure now that you need one. Where do you start? If you feel like your organization is simply too small for a full-blown ISMS like ISO 27001, than look at the Center for Internet Security (CIS) Critical Security Controls (CSC). This is a much smaller set of controls and has far fewer requirements. The CIS Controls are developed, refined, and validated by a community of leading experts from around the world. Organizations that apply just the first five CIS Controls can reduce their risk of cyber attack by around 85 percent. Implementing all 20 CIS Controls increases the risk reduction to around 94 percent. The CIS Controls embrace the Pareto 80/20 Principle, the idea that taking just a small portion of all the security actions you could possibly take, yields a very large percentage of the benefit of taking all those possible actions.
However, this article is written for those of you who do need something more robust — enter ISO 27001. An ISO 27001 ISMS is compromised of above all else, a scope document that defines what exactly the logical and physical scope of your ISMS is. The scope document defines what physical locations are in scope and what logical (data or information) is in scope that the very existence of your ISMS is in place to protect.
In addition to your scope document, you’ll also require a library of policies and procedures that must be reviewed and approved annually by management. This ensures not only that the necessary policies and procedures are in place in your organization, but also that they are being continuously improved over time and updated as technology changes.
Then there’s the Statement of Applicability containing all of the ANNEX A controls. These controls (specified in ISO 27002) are all of the IT security controls addressing risk in all areas of the enterprise, from IT to even Human Resources. These controls specified in the Statement of Applicability or “SOA” is where you will choose which controls are applicable to you, ensuring they are implemented, and that you’ve referred to evidence of such. This is important if you will be submitting your ISMS for ISO 27001 certification by an external auditing firm as the auditor will ask you for evidence of specific controls in your SOA. It’s always best to define where the evidence is located, e.g. inside your Document Control Management (DCM) system or Sharepoint intranet site at http://here. Know where the evidence in your SOA is located!
For controls that you say are not applicable, you still must address why you feel it isn’t. You must still justify the exclusion of that control from your ISMS.
Finally, there is the annual requirement for a risk assessment, internal audit, and penetration test. These are obligatory and must be performed. Brier & Thorn has published numerous free ISO 27001 ISMS templates, including an ISMS Scope document. Links to these free templates can be found below.
And of course, you can’t blame me for adding in this plug. But if you need any assistance in developing your ISMS, feel free to reach out to an IT risk management firm, such as Brier & Thorn, who can come in and write these documents, perform the penetration testing, risk assessment, or internal audit and even run your annual MRMs.