Risk assessment framework
Once the organization obtains management buy-in and defines the scope of an ISO 27001 ISMS, the biggest challenge is to develop a risk assessment methodology that addresses its business and environment. The ISO 27001 standard doesn't prescribe a methodology, which leaves the designers of the program or framework with a lot of open questions. An ISO 27001 ISMS designer should have a good understanding of the different kinds of risk assessment methodologies. A lot of designers with an engineering background use the failure mode and effects analysis (FMEA) method, while others use software pushed by vendors. What you need to keep in mind is that what worked for Company X may not necessarily work for you. Also remember that you are dealing with information, so you must think of scenarios which may affect the information's confidentiality, integrity and availability. It's very important to keep the organization's culture, decision-making style and people in mind while designing the risk assessment process, which is integral to ISO 27001 ISMS design. This framework will help you to identify the risks to your critical information assets.
Statement of applicability and risk treatment plan
Based on this risk assessment, the organization will need to prepare a statement of applicability and a risk treatment plan. ISO 27001 broadly mentions 11 security domains, 33 control objectives and 133 security controls which can be utilized for this purpose. Before selecting any control, you must undertake a cost-benefit analysis of the value of the control and the value of the information asset. The 11 security domains of ISO 27001 are not mandatory; however, if you don't want to put any security control then you must mention the reasons for exclusion in your statement of applicability. After this, the next step is ISO 27001 ISMS design.
Once all the controls are selected you must develop an ISO 27001 ISMS implementation program, which involves setting up policies, procedures and guidelines, and deploying security controls to mitigate the identified risks. Many ISO 27001 ISMS designers feel that it's best that the security controls are centrally managed. This may be true for the technological controls, but a central monitoring team will not be able to do justice to the controls on people and business processes, which are scattered across the organization.
A common mistake made by security personnel when crafting an ISO 27001 ISMS strategy is to try and convince the management that increased security spending means greater security. Organizations often use some sort of metric to justify security spending. This approach may be valid for some technological solutions, but not for business processes and people-related risks.
Review and corrective action
The security team should review whether the implemented security controls provide the desired results and address the identified threats and vulnerabilities. If the controls that are part of the ISO 27001 ISMS are not successfully addressing risks, then you must analyze the reasons and take corrective action.
Key challenges of ISMS implementation
One of the basic problems that most organizations face is understanding the requirements of the ISO 27001 standard. Besides this, choosing the wrong implementation partner can lead to several problems in the design of the framework, the approach taken, and the actual implementation of an ISO 27001 ISMS.
The cultural change which the implementation of an ISO 27001 ISMS brings with it is also a major issue. Security teams often spend a lot more time managing people-related issues than process, technological or functional issues during the ISO 27001 ISMS implementation.
Many organizations go in for certification immediately after the implementation of an ISO 27001 ISMS. However, when the business returns to normal, the momentum is lost, and the organization starts striking a balance between functionality and security. This often happens because of an impractical solution devised by the team designing the ISO 27001 ISMS. People start disconnecting themselves from the initiative, and look at the situation as 'them against us.' Processes are not followed, and are bypassed. Business reasons are cited, and the exception list starts getting populated. Eventually, these exceptions become the policy, and the entire ISO 27001 initiative is lost in spirit.
About the author: Deepak Varde is Head, Managed Information Security Services, with Mahindra Special Service Group and has been involved in designing and deploying security frameworks that address the risk spectrum covering People, Process & Technology.
(As told to Dhwani Pandya)
This was first published in May 2010