
Users Line Up Behind Audit Standard

ISO 27001 poised to fill the void in security audit standards and become a global benchmark

If audits are about as much fun as dental fillings, then security audits are like root canals. Small wonder, then, that security professionals don't want to have to conduct separate audits for Sarbanes-Oxley, HIPAA, and a growing pile of new state and federal regulations for data handling and privacy.

And while it may never be the perfect catch-all, ISO 27001:2005, "Information Security Management Systems – Requirements," may be the closest thing enterprises can get to an Underwriters Laboratories seal for security audits.

ISO 27001 has also recently won some important buy-in from a couple of big users. Vendor sources a few weeks ago said the Federal Reserve Bank of New York has recently achieved ISO 27001 registration. And other companies have been marching down the ISO 27001 path since before the standard was approved.

ISO 27001, ratified in November 2005, defines the implementation requirements based on ISO 17799 and can be used by companies to build a security plan. More importantly, "ISO 27001 contains verifiable implementation language spelling out procedures and practices that an auditor can use to determine if your organization is compliant," explains Ken Peterson, president of consultancy Churchill & Harriman.

ISO 17799:2005, "Code of Practice for Information Security Management," is used as a framework for building a security plan, laying out 11 categories that range from policy and organizational requirements, through asset, communications, and human resources management, to access control and business continuity. Think of ISO 17799 as a guidebook for implementing security initiatives.

Contrast the ISO approaches with the American Institute of Certified Public Accountants Statement of Auditing Standard 70 (SAS70) audits, which are conducted by CPA firms. The auditor issues a statement of opinion based on what the client company wants assessed. There are no standard criteria to measure the effectiveness of a security control. A SAS70 report really boils down to "this is the stated control, this is how the subject implements the control, and this is our opinion of whether the subject does what they say they do." Type II audits include testing of the controls by the auditor.

Companies can be audited against ISO 17799, but until ISO 27001 came along, there wasn't a certification path. Companies seeking an audit using ISO 17799 criteria would hire an auditor to perform the assessment and would be issued a letter of opinion, which Jon Gossels, president of consultancy System Experts, describes as "analogous to accounting firms issuing opinions to companies on their financial systems and reports." Letters of opinion are just that, qualified opinions about a company at a point in time. Finding a qualified auditor for an assessment based on ISO 17799 is not a simple task. Gossels recommends seeking advice from peers, interviewing potential auditors' reference clients, and examining the qualifications of the auditors.

Companies seeking ISO 27001 registration have to be audited by a certified body or registrar. Certified bodies have to go through extensive training and testing and are accredited by the International Register for Certified Auditors, according to Peterson. He points to these three phases of an audit:

  • Map the company's policies and procedures to 27001.

  • Audit the company's processes against the stated policies and procedures.

  • A registered audit is valid for three years with interim audits taking place every six to nine months. After three years, the whole process starts again.

Gossels urges companies not to confuse an audit with a security assessment. "An audit documents the current state of an organization focusing on instances of non-compliance," he says. "In contrast, a security assessment is looking for problems and root causes or classes of problems -- not every instance of a problem. These standards are useful for both purposes."


The business case
Many compare ISO 27001 to ISO 9001:2000, "Quality Management System," which shows the company has gone through a rigorous audit of its manufacturing processes, and also submits to interim checkups to ensure that the QMS is enforced. Some experts are confident that ISO 27001 will have a similar impact on security practices. "Similar to when BS5750 became standardized as ISO 9001, the world, including the U.S., took notice and flocked to it," Peterson asserts.

Others are not sure ISO 27001 will have wide appeal. Gossels thinks unless there is a clear business reason -- such as customers or partners demanding certification to do business -- there is no reason to get registered. "We would not advise a company to get registered [for ISO 27001] unless there is a clear business driver, because of the expense. There is no incremental value in spending those dollars. Having a reputable security firm say they are substantially compliant is good enough." Audit costs can easily run to five figures or higher, depending on the scope.

Gossels does point out that "in some vertical markets, like financials and healthcare, or markets where there are supply chains in place like aerospace, registrations may become a fact of life."

Rick Hargraves, CIO of United Recovery Systems LP, a Houston-based collections firm, had a sound business reason. "A few years ago, our clients started asking us questions about our security processes that came straight from ISO 17799, so we knew they were leaning that direction. We made a decision to align with ISO 17799. When we found that ISO 27001 was being ratified, we decided to achieve registration."

The registration process went smoothly for URS. The first part of the audit compared URS's policies and procedures to ISO 27001, and the second part ensured that stated business processes were being carried out. "We didn't have to make major changes to map our processes to ISO 27001 because being a financial company, we already had them in place to begin with. Companies starting from the ground up will have a more difficult time adjusting."

The key to undergoing and completing an ISO 27001 registration lies with the scope. Peterson recommends "starting with a narrow scope based on critical business processes and then expanding it when needed, because an ISO 27001 audit is a difficult process; a large part of auditing is defining asset identification, risk assessment, and ownership. Failures happen when the scope is too large."

Hargraves agrees. "Just because you're 27001 [registered] doesn't mean your company is doing the best thing. For example, our company included processes under GLBA, networking, handling consumer information, complying with our clients' data security standards, and how we developed our own software within our ISO 27001 audit, because those are critical processes for our customers. If we didn't include how we protect consumer information, our certification would be lacking."

The International Register of ISMS Certificates maintains a list of registered companies, their certificate numbers, and a statement of scope. As of this writing, there are 2,625 organizations registered either to BS 7799 part II or ISO 27001. The bulk of the registrations are in Japan.

— Mike Fratto, Editor at Large, Dark Reading

Organizations mentioned in this story

  • American Institute of Certified Public Accountants
  • Churchill & Harriman
  • International Organization for Standardization (ISO)
  • United Recovery Systems, LP
  • System Experts