ISMS – Questions You Should Ask
There are many genuine questions you should ask concerning ISMSs, and they wont (yet) all be explained by the standards, even if you’ve bought them.
Therefore, the following ‘QYSA’ have been assembled as a means of providing both an overview of what an information security management system (ISMS) is, what it is that defines the idea (international standards) and what those standards are and require. It also explains how organizations seeking to be conformant to the international ISMS standards should approach that goal.
We hope that you find these questions useful and edifying – if they cause you to give thought to how having a certified ISMS could help your organization then please do not hesitate to contact us with your own questions, to which we will be pleased to respond, and maybe use to extend this list.
We will revise these QYSA from time to time, to reflect important issues that arise either from enquiries received which highlight issues of concern to clients and visitors to this website, and advances and in the development of these standards.
Why QYSA, instead of a common-or-garden FAQ list? Well, we’re really not great fans of ‘FAQ’s. Usually they’re actually hardly asked questions (which makes them ‘hacks’) and are written by the owners of the subject documents, which tends to make them ‘TOBE’ – Things Originally Badly Explained !
You should be asking questions such as these:
About Information Security Management System standards
The notion of an Information Security Management System (ISMS) was first mooted during the development of British Standard 7799 (which can be traced back to 1987). The definition first given has changed little since, today being as follows:
“an Information Security Management System is that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security”
and “Information security’ is defined as the “preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved”.
These definitions come from ISO/IEC 27000.
A part of ISO (the International Standardization Organization) is developing a family of ISMS standards jointly with the International Electrotechnical Committee, the ISO/IEC 27000 series. These standards fall under the general title of “Information technology – Security techniques”: the 27000 series specifically addresses standards related to information security management systems (ISMS).
There are presently three principal standards in this series: one defines a management standard, which sets out the requirements of an ISMS; another sets out a code of practice, with extensive guidance as to how implementers should select information security controls to be implemented within their ISMS. A third sets out the requirements for bodies which undertake the certification of ISMSs. These three standards are:
- ISO/IEC 27002 “Code of practice for information security management“
- ISO/IEC 27001 “Information security management systems – Requirements“
- ISO/IEC 27006 “Requirements For Bodies Providing Audit And Certification Of Information Security Management Systems“
These three standards are based upon existing and proven practices which have been in use internationally since 1995. Today they are recognized globally as the de facto information security standards for businesses and governments alike.
Additional standards in the ‘27000’ series support those cited above, one (ISO/IEC 27000) provides an overview of the family, and also defines the terms used within the 27000 family, so is a ‘must buy’ if investing in an ISMS.
For more details on the organisation of ISO and the inter-relationships between the 2700x family of standards, click here.
ISO/IEC 27001 is the international management standard for Information Security Management Systems and is a part of the ISO 27000 family of standards being developed. It is a normative standard, i.e. it states requirements that must be fulfilled for conformity to be claimed. It was published in September 2005 and the most recent revision was published in 2013. It is against 27001 that businesses’ ISMS may be certified. A revision of this publoication is likely to commence in late 2020.
It has a counterpart, ISO/IEC 27002:2007 (see below), which is the international code of practice for information security management systems.
ISO/IEC 27002 is the international code of practice for Information Security Management Systems and is a part of the ISO 27000 family of standards being developed. Because it is a code of practice it offers implementation guidance, suggesting practices that implementers should adopt, but not requiring them. It was first published in 2000 and the most recent revision was published in 2013. It is presently in the latter stages of a revision and publication of these is anticipated for 2021.
It has a counterpart, ISO/IEC 27001, which is the international management standard for Information Security Management Systems. It is against this latter standard which businesses may be certified.
ISO/IEC 27006 is the reference international standard to be used by accreditation bodies in determining the suitability of bodies operating ISMS certification schemes. It is a normative standard and those bodies adopting it have to show full conformity to claim adherence to it. The publication of this standard and its adoption by accreditation bodies in those countries operating ISMS certification schemes serves to ensure consistency in accreditation and certification practices and in the mutual recognition of certificates issued under those schemes. It was first published in 2007 and the most recent revision was published in 2016, with an amendment published in 2020.
27001 is the foundation of the ISMS framework. In five normative sections it sets out requirements for an ISMS in terms of required documents, activities and a process model. It also, in a normative annex, sets out 133 controls (in 11 categories which are broken down into control groups). Organisations wishing to have their ISMS recognized as being conformant to the standard have to show that they fulfill the normative requirements of the standard.
ISMS implementers are given support through the code of practice which is set out in 27002. This document gives guidance on how to implement each of the controls specified in Annex A of 27001.
These two standards therefore are of primary interest to ISMS implementers. However, those organizations which provide ISMS certification services must also have in-depth understanding of the requirements of 27001, because they need to assess the conformity of their clients’ ISMSs. In addition they have to fulfill the requirements of 27006 in order to become accredited by an accreditation body.
27006 is based upon a generic standard which sets out requirements for bodies which certify management systems in general. 27006 adds requirements which are ISMS specific. It also offers guidance in a number of annexes which address key topics such as estimating the necessary resources to perform the assessment and on the actual conduct of certification assessments. Although of obvious importance to accreditation and certification bodies, implementers should take note of the requirements of this standard in order to understand what to expect from their chosen certification body.
Yes – there is a multitude of further standards in this series. The principle ones among them are:
- 27003 – ISMS implementation guidance
- 27004 – Metrics and measurements guidance
- 27005 – Risk management guidance
- 27007 – ISMS auditing guidance
- 27008 – Infosec controls assessment guidance
- 27009 – Sector-specific application of ISMS requirements
- 27017 – control implementation guidance for cloud services (based on ISO/IEC 27002)
- 27701 – Privacy Information Management System(based on ISO/IEC 27001)
The number of standards in this family continues to grow and interested parties may want to contact INCITS to learn more.
About using an ISMS:
Firstly, implementing an ISMS based on ISO/IEC 27001 shows that an organization is serious about the way it views its information security responsibilities and embraces internationally-recognized best practices. Secondly, a certified ISMS provides an organization with an externally-verified way of demonstrating that it has in place the controls to adequately protect the organization’s information assets. It is almost a near certainty (in all but the most efficiently operated organizations) that the implementation of an ISMS will reap many improvements in how the owning organization exercises its internal controls.
An ISMS can also make the organization’s information security strategy “defensible”. Should a breach occur that results in damages to a third party, the existence of a certified ISMS could be used as a due diligence defense in court. This may «caveat, ‘may’ – nothing certain!» limit the damages for which the organization could be liable.
If you have never before done any ISMS implementation then training in knowing what the ISMS standards cover, how they should be implemented and how to conduct internal audits will most likely be required. Investment may also required in developing policies, processes, procedures, and in operating the ISMS. However, while there are costs associated with setting up and operating an ISMS, there are also a number of benefits.
Simply implementing an ISMS is likely to provide benefits through identification of existing flaws, and a better understanding of the business’ information security needs. Overall, organizations that are operating certified ISMSs claim that they have saved money through better control of risk management within their organization. Manage your risk, manage your profits. We can provide you with training in the relevant standards.
Having a certified ISMS works two ways. One is the improvement it gives to an organization’s internal controls, and that includes specifically the way it controls risk associated with its information security assets. There is also, it is generally found, a net cost reduction to a business’ costs. An organization could set up its ISMS and simply run it entirely from within itself. The benefit of an external assessment and certification is that an independent view is applied, that independent perspective being more likely to identify the blind spots we all have when we try to review our own work.
The other way a certified ISMS benefits an organization is that when other parties understand the merits of the ISMS approach the organization has an advantage over its competitors, by being able to show that it has satisfied an external assessor that it conforms to the (internationally-recognized) ISMS standards. This allows an organization to give greater assurance to its business partners, investors, clients, and quite likely insurers and regulators.
And, let’s face it, once an organization understands the benefits of having an ISMS it really should have one itself before it starts to demand one of its suppliers and business partners. The benefits affect everyone in the supply chain.
Firstly, there are now over two thousand certified ISMS around the world.
Just to give you a feel for the numbers (its hard to keep up, and we’re not promising to), here are a few ‘ball park’ figures: UK 220+; India 130+; Taiwan 60; Germany 45; Korea 33; Italy 26; USA 35, Netherlands 20+. Oh, and Japan – 1600 (and growing almost daily!) The remaining certifications are spread across almost fifty additional countries, in some cases just one or two per country – these must represent truly pioneering organizations. These numbers are of course increasing steadily.
By no means do each of the countries in which organizations have certified their ISMS operate accreditation and certification schemes, or have their own version of the standard. A US-based accreditation scheme has been in place for some years .
Let’s consider the question in two parts – firstly, which bodies with any standing recognize the value of the controls set out by ISO/IEC 27002? In fact 27002 (when it was still published as 17799) has been recognized as being a guiding light in information security by a number of US bodies, amongst which are the US Congress Joint Economics Committee, the Food and Drug Administration, the States of Georgia and Maine and the Department of Health and Human Services.
For instance, in May 2002 the Joint Economic Committee of the US Congress reported on “SECURITY IN THE INFORMATION AGE“. In this report, under the heading ‘VALIDATING COMPLIANCE – THE FUTURE OF INFORMATION PROTECTION’ it is stated “The defining standard for developing an information protection program around is ISO , formerly British Standard 7799”. At that time there was no international equivalent to BS 7799-2, the management system requirements, and one might suspect that it was considered impolitic to recommend a foreign standard as the basis of securing the nation’s information infrastructure. Now of course, the situation is vastly improved, with the publication of ISO/IEC 27001:2005.
The answer to the other part of the question is a rhetoric question itself: what about the 35 or so organizations in the US that have already gained certification of their ISMSs by seeking the services of foreign assessors and which have been certified against a foreign standard (BS 7799-2)?
We firmly believe that now ISO/IEC 27001:2005 has been formally published there will be very significant uptake in North America, which hitherto has had to rely on ‘off-shore’ certifications. Zygma is talking to some of those leading the wave – in fact we’re among them, having built an ISMS which supports our own businesses, thereby helping us improve our services to our clients, by practicing what we preach.
A simplified answer is that you need to establish policies for information security, identify your information assets, perform a risk assessment on those assets, establish a management structure to implement the defined policies and controls and then establish a continual improvement process to ensure that those policies and their implementation are under constant review and enhancement. All of that needs to be documented in a way which can be shown to fulfill the requirements of the ISO/IEC 27001 ‘Statement of Applicability’.
The full texts of all published ISO standards are available from ISO and national standards bodies (see same ISO page) – suggested sources in the US are the American National Standards Institute or BSI Americas, in the UK the British Standards Institute. Just a word of advice – get a PDF downloadable version. It may seem obvious to point out that it is quicker and more convenient, but there are some sources selling paper versions still.
About audits, conformance, accreditation and certification:
You could, but (there’s always a ‘but’) any such declaration would be more likely to be of use within an organization. It would be unlikely that a third party, especially one which understands the principles of the international ISMS standards, would place as much confidence in such a declaration as it would in a formal certification arising from an independent audit. Certainly a self-declaration would have no place in the context of international recognition of conformity.
Technically, yes, but (see above – you’ve already been warned about this), if the auditor has not had formal training and relevant experience then their performance may not give the client organization value for money and their opinion is likely to carry less weight (than that of someone who does have appropriate training and experience) if the organization is trying to ‘sell’ the audit outcome to its business partners, etc.
Note – the stress is on ‘may not give satisfaction’ – there are auditors with a wealth of experience and competence but who have not sought formal certification for themselves. That can give organizations looking for an auditor some problems in making a selection.
A certification body is a third party organization that has been deemed competent to perform assessments and audits against a specified standard.
For a certified ISMS, the applicable standard is ISO/IEC 27001.
Individual auditors are required to have undergone formal training and to have acquired certain levels of experience in order to perform ISMS audits. The International Register of Certified Auditors holds a register of those whose competence it recognizes.
Certification bodies are accredited by national accreditation bodies and have to meet the requirements of ISO/IEC 27006.
Normally the accreditation bodies are affiliated through participation in the International Accreditation Forum. In the USA, ANSI National Accreditation Board is an accreditation scheme based upon 27006.
Today there is a substantial number of Certification Bodies (CB), globally and specifically within the US. A number of US-Accredited CB are based off-shore. It would not be appropriate for Zygma to make recommendations and potential users of CB services should determine their requirements and then seek a CB which can fulfill them.
Comparisons with other standards:
Both ISO/IEC 27001 and 27002 are “harmonized” with other management standards, including ISO 9000 and ISO 14000. ISMS is much more focused and generally requires significantly more resources to perform, on the basis of comparable organizational characteristics. However, because of the similarities we are starting to see certification bodies offering combined audits at a reduced cost. If you are certified under ISO 9000, it will cost less to maintain your ISO 27001 certification than it would cost if you are not ISO 9000 certified, because of certain shared practices. Indeed, some organizations cover both their in-house ISMS and QA schemes under a single management system and undergo single audits.
There are a number of other ‘standards’ used for information security auditing. None equal ISO/IEC 27001 and ISO/IEC 27002. The international ISMS standards have the benefit of thousands of hours of refinement and practical feedback from actual implementations across the globe. They have been recently upgraded to bring them up to date within our electronic information society. They are aligned with other international management and quality standards (ISO/IEC 9000, 14000, 20000). Furthermore, these ISMS standards actively encourage organizations to enhance and add their own controls whenever their specific circumstances demand it, but in a manner which is consistent with the form of expression and audit practices of the overall ISMS framework.
Additionally, the ISMS standards are supported by auditor training requirements, formal accreditation and certification schemes world-wide, which generally affords an ISMS certificate global recognition, adding significantly to its worth.
Zygma can provide clients with detail guidance on how they can implement an ISMS and, moreover, can demonstrate how an ISMS can be extended to show conformity with specific pieces of legislation, or indeed with any specific internal control needs which clients may have (refer to some of Zygma’s white papers).
The BIG questions:
Well, actually no, owing to its very small size, but that doesn’t stop Zygma following the principles of an ISMS, and there are in place documented policies and practices which we will share with certain parties, as needs may dictate or suggest.
Well, there are many businesses in the game of selling ISMS guidance, tools and other support. As the consumer of their services, first of all, develop your own plan, decide how you want to use any external services, and make sure you remain in charge of their participation and the development of your ISMS. This way, you stay in charge of your business and understand better how the ISMS is a tool to help you do that. It is a part of your internal control system – and the ISMS management standard requires top-level management support.
Next, ensure that the business you choose to give you support really understands what the ISMS concept is about, and has a range of services from basic introduction to the concepts, through training, assistance with policy development, and maybe some tools to help you. Check also their track record, whether they are themselves certified auditors, whether they participate in the development of these standards and whether they have an ISMS themselves. We’re not saying that these are ‘musts’ – sometimes extensive experience is worth more than a piece of paper declaring a certified status, but our point is, look for strength overall, understanding of the practical application of the ISMS standards, not just theoretical knowledge, and match it to your needs.
We’d like you to take a look at Zygma and see how we might be able to assist you. We think we can fulfill these requirements and provide a team of size and competence to meet your needs.
We look forward to hearing from you – we hope that at the least this ‘QYSA’ list has made you more aware of the merits of having your own ISMS. Good luck with your endeavours in that direction.