
IT Compliance Institute, June 20, 2006:

Trends and Technologies

Baring the Standard: Ins and Outs of ISO 17799

For companies seeking to comply with a deluge of data management and privacy regulations, ISO 17799 offers both technical and managerial guidance. But the information security standard isn’t a silver bullet for compliance or even a good fit for every company. What are the potential and limitations of ISO 17799 and what do you need to know about certification?

How do you build an information security department that complies with numerous regulations and follows information security and IT best practices?

Less than two years ago, Kevin Doyle, the security IT manager for Pennsylvania State Employees Credit Union (PSECU), based in Harrisburg, PA, was the only employee dedicated to information security. Yet the credit union, which has 330,000 members and over 500 employees, wanted to formalize its information security practices, to lay the groundwork for hiring more security personnel, and to deal proactively with what was sure to be increased scrutiny, throughout the industry, from regulators.

So PSECU began looking for a framework to formalize its information security practices. “We looked at CobiT, and the ISO 17799,” notes Doyle, referring respectively to the Control Objectives for Information and related Technology (CobiT), a set of best practices for IT management created by the Information Systems Audit and Control Association and the IT Governance Institute in 1992; as well as to ISO/IEC 17799 (Information technology – Security techniques – Information security management systems – Requirements), a set of best practices for information security management first released in 2000. “We felt like the ISO was better for us because it was more of a management practice, rather than CobiT which is more audit standards for IT.”

PSECU isn’t alone in its search for a security framework and in both the US and abroad, many companies have settled on ISO 17799 as their information security management systems (ISMS) framework of choice. “The primary goal of the standard is to prevent, detect, and contain security breaches, so it provides companies with an established framework from which to build an effective information security platform,” notes Chrisan Herrod, an executive consultant for compliance solutions at Houston-based Scalable Software LLC, and until recently the chief security officer of the US Securities and Exchange Commission (SEC).

ISO 17799 gives companies a useful way to consolidate compliance efforts: organizations can comply with the framework, and then use it to demonstrate compliance with any number of regulations. Such an approach can save time, effort, and money, and keep organizations better secured.

A Question of Controls

Even so, know the limits of ISO 17799. Michael Rasmussen, vice president of risk and compliance research for Forrester Research, likens the standard to the framework of a house, noting it doesn’t provide the drywall, electricity, plumbing, and so on. “It’s no silver bullet. It doesn’t tell you the controls, and ultimately it comes down to the controls in the environment.”

When setting controls, companies are at least somewhat on their own. “Most of the regulations ask organizations to make risk-based judgments,” says Patrick McBride, vice president of compliance for Scalable; nothing is black or white. Even so, policies must stand up to auditors, so make them well-considered, thorough, and thoroughly documented. “The first argument you get into with an auditor is, are the policies you have in place enough to meet the requirement?”

With most regulations, auditors have evolving notions of what regulated organizations should be doing, and this complicates companies’ compliance efforts. Standardizing on a security framework can help. For example, Herrod says, she mandated ISO 17799 for the SEC. “Every policy we wrote, every standard or guideline we wrote, was in complete agreement, if you will, with the ISO framework. We chose that because I could never get the Government Accountability Office, the GAO, to tell me what standard they were going to audit me against. So I said look, I’m going to use the most universally accepted standard I can find.”

Certification

To understand what the standard does and doesn’t do, it helps to know how it’s evolved. For example, while ISO 17799 replaced British Standard 7799-1 in 2000, it notably didn’t include BS7799-2, the related certification component.

Things took a twist in October 2005, however, with the debut of ISO/IEC 27001 (Information Security Management Systems – Requirements), which replaced BS7799-2. Simply put, ISO 27001 allows companies to audit their ISO 17799 controls and certify their ISMS. (Note that while the International Standards Organization sets standards, independent certification bodies handle the actual certification.)

Yet so far when it comes to ISO 17799 or ISO 27001, “most people are using it as a framework,” and taking a wait-and-see approach to certification, notes Rasmussen. According to the International Register of ISMS Certificates, worldwide there are currently only 92 organizations with ISO/IEC 27001 certification.

The standards will also continue to evolve, starting in April 2007, when a slightly revised ISO 17799 is due to be reissued as ISO 27002. Then expect ISO 27003 (ISMS implementation guidelines) and ISO 27004 (for measuring the effectiveness of ISMS implementations), though their release dates have yet to be announced.

How to Pursue ISO 27001

As companies head down the ISO 27001 certification path, the best—if seemingly obvious—advice seems to be this: have a plan. “If organizations blindly rush to get certified without defining the scope and customizing the framework to fit their needs, the certification effort will be doomed for failure,” says Khalid Kark, an analyst at Forrester Research in Cambridge, Massachusetts. So first, calculate the costs and benefits of pursuing certification. If there’s no net benefit, don’t bother; otherwise, build a business case.

Next, “define your scope carefully,” Kark says, and detail exactly which ISO 27001 controls are being included and excluded, since you won’t need every one it specifies, while it may lack others your organization does need. “Only a careful risk assessment can identify these inclusions.” Also decide which metrics you’re going to measure. ISO 27001 requires security controls, but “what makes these controls effective is appropriate measurements for each control,” says Kark.

Always keep auditors’ potential questions top-of-mind. For example, he says, common questions relating to access control include, “How many people tried to access critical systems? How many succeeded? Were there any exceptions granted? What percentage of remote access users has access to these systems?”
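The metrics Kark describes only exist if someone actually computes them from evidence. The following is an added example (not code from the article, from PSECU or from Scalable) that answers the four auditor questions above from a constructed access log, a constructed entitlement table and a constructed exceptions register; the log format, system names, user names and the choice of which systems are "critical" are all assumptions for illustration. It also flags a successful access that neither an entitlement nor an approved exception covers, which is the finding an auditor would most want to see surfaced.

```python
"""Access-control metrics of the kind an ISO 27001 auditor asks about,
computed from constructed sample data. The log format, system names,
user names and entitlement table are assumptions for illustration."""
import re

# Constructed sample log: "<timestamp> <user> <system> <source> <result>"
SAMPLE_LOG = """\
2006-06-01T08:00:01 alice core-banking vpn SUCCESS
2006-06-01T08:02:14 bob core-banking lan SUCCESS
2006-06-01T08:05:33 carol core-banking vpn FAIL
2006-06-01T08:07:45 carol core-banking vpn FAIL
2006-06-01T09:10:00 dave payroll lan SUCCESS
2006-06-01T09:15:27 erin core-banking vpn SUCCESS
2006-06-01T09:20:41 frank intranet vpn SUCCESS
2006-06-01T10:00:05 mallory core-banking lan FAIL
2006-06-01T10:30:12 frank payroll vpn SUCCESS
this line is malformed and should be skipped
"""

# Which systems count as "critical" comes out of the risk assessment (constructed here)
CRITICAL_SYSTEMS = {"core-banking", "payroll"}

# Constructed entitlement table: standing access per user, and whether the
# user holds a remote-access (VPN) account
ENTITLEMENTS = {
    "alice":   {"systems": {"core-banking"}, "remote": True},
    "bob":     {"systems": {"core-banking"}, "remote": False},
    "carol":   {"systems": {"intranet"},     "remote": True},
    "dave":    {"systems": {"payroll"},      "remote": False},
    "erin":    {"systems": set(),            "remote": True},
    "frank":   {"systems": {"intranet"},     "remote": True},
    "mallory": {"systems": {"intranet"},     "remote": False},
}

# Constructed exceptions register: approved, time-boxed deviations from the table
EXCEPTIONS = {
    "erin": {"systems": {"core-banking"},
             "reason": "vendor support, approved by CISO, expires 2006-06-30"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, system, source, result = m.groups()
        events.append({"ts": ts, "user": user, "system": system,
                       "source": source, "ok": result == "SUCCESS"})
    return events


def effective_access(user, entitlements=ENTITLEMENTS, exceptions=EXCEPTIONS):
    """Standing entitlements plus any approved exception for the user."""
    systems = set(entitlements.get(user, {}).get("systems", set()))
    systems |= exceptions.get(user, {}).get("systems", set())
    return systems


def access_metrics(events, critical=CRITICAL_SYSTEMS,
                   entitlements=ENTITLEMENTS, exceptions=EXCEPTIONS):
    """Answer the auditor's access-control questions for the critical systems."""
    attempted, succeeded, unauthorized = set(), set(), []
    for e in events:
        if e["system"] not in critical:
            continue
        attempted.add(e["user"])
        if e["ok"]:
            succeeded.add(e["user"])
            # A success that no entitlement or exception covers is a finding
            if e["system"] not in effective_access(e["user"], entitlements, exceptions):
                unauthorized.append((e["user"], e["system"]))
    remote_users = {u for u, ent in entitlements.items() if ent["remote"]}
    remote_with_critical = {u for u in remote_users
                            if effective_access(u, entitlements, exceptions) & critical}
    pct = 100.0 * len(remote_with_critical) / len(remote_users) if remote_users else 0.0
    exceptions_on_critical = sum(1 for ex in exceptions.values() if ex["systems"] & critical)
    return {
        "critical_attempted": len(attempted),          # how many people tried
        "critical_succeeded": len(succeeded),          # how many succeeded
        "exceptions_granted": exceptions_on_critical,  # approved exceptions
        "remote_users": len(remote_users),
        "remote_pct_with_critical": round(pct, 1),     # % of remote users with access
        "unauthorized_successes": sorted(unauthorized),
    }


if __name__ == "__main__":
    for k, v in access_metrics(parse_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Two design points matter for an audit: "has access" is answered from the entitlement and exception records, not from observed log activity, because a dormant but entitled account is still an exposure; and the exceptions register is what turns erin's otherwise unentitled success into an approved event while frank's payroll access stays a finding.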

In addition, “set a realistic certification timeline,” says Kark. Rushing to get certified may not be in your company’s best interests. Rather, consider implementing the standard slowly, in stages, gradually rolling it out from one part of the organization to others, honing the process and controls, and surmounting any cultural challenges encountered.

Tools can help. For example, PSECU implemented Command Center, a product from Scalable that helps the credit union map its own security policies to the different frameworks in use. PSECU then demonstrated how it was complying with the set policies. Conversely, the credit union can also demonstrate compliance—where achieved—with multiple regulations. “The nice thing about that product is, if someone is doing an audit in accordance with CobiT, you could map back the processes you developed for ISO for that standard,” says PSECU’s Doyle. Previously, he did employ various policies, many from the SANS Institute, “but they weren’t all tied together in one big, nice bundle.”

Not Just About the Certificate

Doyle anticipates PSECU will achieve ISO 27001 certification by the end of 2006 through BSI America, which also provides training for the credit union. “The certification is actually not that complicated to do. You can do it on a limited scope and still be certified as an organization, which surprised me when I took the training to do it.” In other words, making sure an ISO 27001 effort produces a sustainable ISMS that fits your organization is up to you.

The pursuit of ISO 27001 certification isn’t just about receiving a certificate. “The bottom line is certainly to get certified, however it’s not the end,” says Doyle. “It’s really about adopting best practices for management.”

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.