In 2016, ISO (the International Organization for Standardization) contacted accredited certification bodies and requested information about the number of valid certificates they held as of 31 December 2016 [1]. The results showed that 33,290 organizations had been certified for ISO27001, growing at a steady rate of 21% year on year. That is the happy news. The sad part is that only 39 countries have more than 100 certificates.
In sharp contrast, however, stands another number: that of the breaches. More data records were leaked or stolen by miscreants during the first half of 2017 (1.9 billion) than in all of 2016 (1.37 billion) [2]. Compared to the losses, the 27001 story looks like a bleak effort at standardization. However, it is not clear whether ISO27001 is helping or not. Currently no data is available about how many of these certified organizations had breaches, or how successful or unsuccessful the ISO27001 journey has been over all these years in reducing breaches or their impact. And the perpetrators are having fun: educated global criminals, unethical corporate competition and greed, advanced persistent threats, blatant insider abuse, radicalization of script kiddies and many other cyber security violators are breaching our security.
But inconclusive as that may be, there is still hope. In June 2016, PECB, one of the leading certification bodies, published a whitepaper claiming “No ISO 27001 Certified Companies among Largest Data Breaches 2014-2015” [3]. Released in 2013, the revamped ISO27001:2013 heralded a big change in security attitude, from security being thought of as asset-based to security being related to the context of protection. Unfortunately, not many organizations have embraced that logic, and they continue to operate as before, primarily because change is such a big disruption. Many have relegated ISO27001:2013 to a mere certificate on the wall, rather than an inherent enabler of a robust and lean information security management and governance culture. Cybersecurity speaker John Sileo says, “corporations continue their delusional belief that data security and cyber privacy are a byproduct of purchasing better technology. It helps, but it’s the human beings using the technology correctly (or not, in the case of most breaches) that actually delivers results.” Information security will only succeed when the technology is used effectively through pervasive information security management and governance.
Figure 1: Key Components of ISO27001
For the uninitiated: unlike the 2005 standard, ISO27001:2013 prescribes a framework that follows a very simple logical breakdown of how information security (and all its other acronyms, like IT security and cyber security) can be managed. The standard requires organizations to determine stakeholder requirements and then remediate any gaps vis-à-vis the organization's capability to meet them. It then expects the organization to establish information security objectives and plans to implement them. This may require establishing operational processes for information security management, and then identifying, assessing and evaluating information security risks and treating them. The organization must evaluate the performance of its information security operations vis-à-vis the established objectives, and then improve the established ISMS (information security management system) by addressing non-conformances identified through audits. At all times, the ISMS program should be visible to top management through appropriate management reviews.
Nothing can be simpler in the context of the very complicated cyber security challenges we face today. Does this mean we do not need high-tech equipment to protect our cyber infrastructure? No, it does NOT. But an ISO27001 ISMS program puts appropriate focus and rigor on determining the requirements that prove the business case which once mandated the best network security money can buy. Does that prevent breaches? Yes, to a large extent. Today, data breaches and information security incidents are probably part of our daily life, and your ISO27001 certification can do more than just be a best practice. The first step to leveraging your ISO27001 certification is to ensure that the ISMS is fulfilling the requirements of the stakeholders, and that its performance is measured against the information security objectives. In order to do that, organizations are increasingly making sure that all information security reviews are based upon the guidance of ISO27001. Organizations that are successfully using ISO27001 to continuously improve their security posture are continuously denying the perpetrators the chance of a security breach, satisfying their stakeholders. A case in point is the undeniable fact that Japan, which has the highest number of certified organizations, has consistently been reducing its exposure: from 21 in 2015, 16 in 2014 and 1 in 2017 (as per www.breachlevelindex.com [4]).
However, this is not an adequate indicator of the benefits of ISO27001:2013. To understand that better, we need to understand how the ISO technical committee is focusing on developing the ISO27001 family of standards.
In order to create consistency in structure and terminology across ISO management system standards, ISO released Annex SL [5], which was previously known as ISO Guide 83. Annex SL describes the 10 clauses, and what they should contain, that define ISO27001:2013 (and also ISO9001:2015, ISO22301:2012 and many more). One of the biggest benefits of Annex SL is that it provides a universal high-level structure, identical core text, and common terms and definitions for all management system standards. It was designed to make it easier for organizations that have to comply with more than one management system standard.
If your organization subscribes to more than one management system standard, adopt the Annex SL method to integrate the management systems, thereby reducing wasted resources and expenses while improving performance, by applying the right amount of leadership cadence to ensure the quality of security.
In 2016, ISO released ISO27009 [6]. ISO27009 explains how to include requirements additional to those in ISO27001, how to refine any of the ISO27001 requirements, and how to include controls or control sets in addition to ISO27001 Annex A. ISO27009 is a very big step in enabling organizations to gear up to face cyber threats. It has heralded a new way of implementing controls to reduce both the likelihood and impact of security and privacy threats by introducing the concept of sector-specific application of ISO27001. These sectors may be a specific field, application area or even a market sector.
The most popular of these sector-specific implementations are the two cloud certifications: ISO27017, for information security in cloud operations, and ISO27018 [7], for protection of personal data in the cloud. Both AWS [8] and Azure [9] have obtained these certificates and are assuring their customers of the protection of their data. Both standards are called “codes of practice” and contain a list of controls that extend the ISO27001 program. These extensions are of two types: controls that modify existing ISO27001 Annex A controls to make them relevant to the sector, and controls that are additional to ISO27001 to enhance the capability of the operational ISMS. Needless to say, the ISMS needs to be operating as an optimally resourced, continuously improving management system.
There are others. ISO27001 also has sector-specific guidelines for telecom companies (ISO27011), financial services (ISO27015), energy utilities (ISO27019), application security (ISO27034) and health informatics (ISO27799).
GDPR: the next frontier
Let us look at the regulatory environment that is about to change the equation soon. GDPR [10], or the General Data Protection Regulation (Regulation (EU) 2016/679), will become law on April 25, 2018, allowing the European Parliament, the Council of the European Union and the European Commission to strengthen and unify data protection for all individuals within the European Union (EU), and to govern attempts to export their personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. 25 May 2018 isn’t just about the GDPR: the ePrivacy Directive and the Law Enforcement Directive (LED) also come into effect that day. And there are many other countries (including Britain, Singapore, India, the Philippines etc.) that are introducing new legislation or modifying existing laws to make the computing world more secure.
It is no secret that most organizations are severely unprepared to meet the requirements of this regulation. And then there are gaps in how we are organized: most privacy experts assume that security will protect privacy, while many a security expert is waiting for the privacy team to tell them what needs to be protected.
It is the view of this author that the only sure-fire way to address the GDPR is to implement a management system. BS10012:2017 is the only Privacy Management System standard in the world. However, it does not address the requirements for protecting privacy information.
Figure 2: GDPR Integrated Management System
BSI revised BS10012 [11] in 2017 to align it with Annex SL, to ensure there is good governance around data protection and that it gets anchored at board level, with a very specific focus on aligning with the ISO standard structure and on aligning the existing standard with the GDPR. The new standard has a section of updated terms and definitions, separate sections concerning “planning” and “implementing/operating” the management system, and a comparison between the UK DPA and the GDPR. ISO, for its part, has released the base privacy framework through a free standard called ISO29100, and has already released ISO29134, which is a must for implementing a Privacy Impact Assessment program. Financial services organizations may also use ISO22307, which can also be used during privacy compliance audits. And then there is ISO29190, which provides organizations with high-level guidance on how to assess their capability to manage privacy-related processes. However, a full implementation of GDPR requires not only a privacy information management system but also an accompanying information security management system. In order to enhance the coverage of the ISO27001 ISMS, ISO has also released ISO29151 which, like all the other sector-specific standards, is a code of practice that contains privacy-specific information security controls, both as extensions of Annex A and as modifications of existing controls, which can be used to extend the scope and coverage of the ISO27001 program.
With so much going on around us, standardization in security and privacy provides the much-needed sanity to ensure we cover all our bases. As Willie John McBride, captain of the famous 1974 Invincibles, told his team-mates, “Get your retaliation in first.”
[1] To read more about the ISO survey, go to http://bit.ly/2p0O3yN
[2] To read more on the data breaches, see “The Register” website at http://bit.ly/2ByyHYh
[3] To read more about the PECB whitepaper, go to http://bit.ly/2yLZxGV
[4] To learn more about the breaches, go to http://bit.ly/2efGM5I
[5] To learn more about Annex SL, go to http://bit.ly/2kDlHGt
[6] To learn more about ISO27009:2016, go to http://bit.ly/2BoSHKI
[7] To learn more about AWS ISO27018, go to http://bit.ly/2yN9qUV
[8] To learn more about AWS ISO27017, go to http://bit.ly/2j9rvXP
[9] To learn more about Microsoft ISO27017, go to http://bit.ly/2BnJFNW
[10] To learn more about GDPR, go to http://bit.ly/2kbGFgc
[11] To learn more about BS10012:2017, go to http://bit.ly/2AIletx