Airtel's ISO 27001 certification tale: Benefits, challenges & lessons

Case Study

About a decade ago, when ISO/IEC 27001 was just introduced, it was a fashionable certification to be bandied about. Today, it has grown to the point where organizations are looking to leverage its potential to bring in process-related maturity. This is what Bharti Airtel, India’s largest cellular services provider, had in mind when it decided to get itself ISO 27001 certified in 2009.

With 28 certificates, Airtel became the organization with the largest number of ISO 27001 certificates in the world at the time. This was followed globally by NTT Docomo and Larsen & Toubro.  

Starting blocks

Felix Mohan, Sr. VP and Global CISO, Bharti Airtel

An ISO 27001 certification is basic hygiene today (the IT Rules 2011 stipulate it as a required standard). So what sets Airtel’s implementation apart? As Felix Mohan, Sr. VP and Global CISO at Airtel, puts it, “Airtel’s ISO 27001 implementation effectively meshes together assurance and risk management with its business objectives, without compromising the standard’s principles.”

Long before it got ISO 27001 certified in 2009, Airtel had all the relevant processes in place (2007 onwards). ISO 27001 cannot be implemented retrospectively, a mistake many organizations are guilty of, says Mohan.

Airtel has gone through every subsequent sustenance audit with zero non-compliance (NC), says Mohan. This is a commendable achievement, given that Airtel started with a total of 28 ISO 27001 certificates (down to 19 ISO 27001 certificates post the company’s corporate restructuring and consolidation in 2010), each of which is audited every year, spanning 340-plus geographical locations.

Common ISO 27001 loopholes

According to Mohan, ISO 27001’s major lacuna lies in scoping. Any organization can claim to be ISO 27001 certified by conveniently limiting the scope of the exercise. This might help them qualify for RFPs that quote ISO 27001 as a requirement, but they miss out on the true benefits accruing from ISO 27001 in terms of process maturity, security, and so forth.

“ISO 27001 is not just about the certificate. It is the scoping, which is the true derivative and indicator of ISO 27001.”

Felix Mohan, Sr. VP and Global CISO, Airtel

The second issue involves sustaining the certification. Post the initial euphoria of the certification, few companies bother with sustenance audits or manage one without any NCs, according to Mohan. While many organizations claim to still be ISO 27001 certified, the validity of these certificates might not be in-date, says Mohan.

Airtel’s ISO 27001 certification journey

  • Scoping for ISO 27001

“Airtel adheres to ISO 27001 in its truest spirit with the scope extending across all domains and controls,” says Mohan. While Airtel had the option of going for a single enterprise-wide certificate, this was ruled out as it would not actually drive process maturity.

Airtel’s processes were divided into domains and individually certified, with each circle getting its own certification. Airtel’s data centers were clubbed as a single domain. Airtel Gurgaon HQ, IT operations and network operations all received separate certificates, bringing the total up to 28.  

Breaking up a large enterprise into smaller components sharpens the process focus and integrity of the certification, making it much more stringent, Mohan explains. Given that each domain has its own risks and critical processes that might not apply to other domains, a generic scoping exercise prevents ISO 27001 from being properly implemented, he says.

  • Process methodology and implementation

Fundamentally, Airtel’s ISO 27001 initiative can be broken down into implementation within the constituent domains and sub-entities. Each domain was examined to determine its business role, followed by identification of the various sub-components that help it achieve its role objectives. These sub-components include people, technology and processes, and their identification led to the creation of asset registers.

For every identified asset, an asset-wise risk assessment was carried out in order to populate the risk register. The final piece of the pie was the control register, which lists the asset-wise control matrix needed to mitigate risks.

Assets have been prioritized on the basis of CIA (confidentiality, integrity and availability), which helps the management prioritize investments and control implementation based on criticality, says Mohan. Agility is key, he explains, citing how the ISO 27001 initiative was aligned to the business, midway through the implementation, when Airtel underwent a major internal restructuring into B2B and B2C segments.

Mohan asserts that the only way to implement ISO 27001 successfully is to have trained people on the ground take ownership of the processes. Each circle at Airtel nominates a SPOC (single point of contact) for the initiative, who drives the process within his/her domain. These individuals are part of the business and are not technical personnel.

SPOCs report into management representatives (MR), who in turn feed the security team, which monitors the implementation and centrally maintains the in-house dashboard. SPOCs also manage post-implementation activities such as internal audits, self-assessment reviews, training, and so on, which are then evaluated on the sustenance audits. Accountability is driven through the owners in each sub-entity.

The SPOCs are selected and trained centrally, with Airtel training 30 people every year to account for churn and attrition. “Airtel perhaps has the largest number of qualified, certified lead auditors in India, numbering over 120,” says Mohan.

Airtel’s parallel BCP development

Along with the ISO 27001 implementation, Airtel also boasts the largest BCP implementation in the country with its BS 25999 implementation. Post the ISO 27001 implementation, Airtel merged the processes for ISO 27001 and BS 25999 to avoid repetition.

This consolidation is unique and has been replicated at Airtel’s operations in Bangladesh and Sri Lanka. Managed via a central dashboard, this consolidation has saved Airtel between 40% and 60% for every sustenance audit.

Mohan feels that eliminating the need to approach process owners separately for all processes has significantly cut down management time while gaining the same amount of assurance. “This is where Airtel differentiates itself by showcasing its process maturity that has followed the ISO 27001 implementation,” he says.


This was first published in October 2012