Practical advice for SME to use ISO 27001

ISO 27001 certifications are growing rapidly because of compliance regulation and increased awareness of information security risk.   The ISO organization recently (October 2010) took measures to make ISO more accessible by “providing practical advice for small and medium-sized enterprises (SMEs) on how to achieve the benefits of implementing an information security management system (ISMS) based on the International Standard ISO/IEC 27001″ – see the ISO news release: ISO/IEC 27001 information security explained for small businesses

It gratifies me to see ISO running with the ball for SME (small to medium-sized) enterprises. IEC/ISO 27001:27005 is a vendor-neutral standard and arguably the most comprehensive set of security controls and best practices for an Information Security Management System (ISMS) that a business should adopt.  ISO 27001 states in section 4.2.1 of the standard that:

The organization shall do the following.

a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the

organization, its location, assets and technology, and including details of and justification for any

exclusions from the scope

b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that:

1) includes a framework for setting objectives and establishes an overall sense of direction and

principles for action with regard to information security;

2) takes into account business and legal or regulatory requirements, and contractual security

obligations;

3) aligns with the organization’s strategic risk management context in which the establishment and

maintenance of the ISMS will take place;

4) establishes criteria against which risk will be evaluated and

5) has been approved by management.

1. Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements.
2. Develop criteria for accepting risks and identify the acceptable levels of risk.
3. The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results.

Consistent with information security best practices, the standard also suggests how to identify the risks.

1. Identify the assets within the scope of the ISMS, and the owners of these assets.
2. Identify the threats to those assets.
3. Identify the vulnerabilities that might be exploited by the threats.
4. Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.

This is written in fairly clear language that the owner or manager of a small to medium sized enterprise can read and understand, perhaps with a bit of help from a security consultant.

The attentive reader has probably already noticed something missing in the ISO 27001 standard:  Money.

Money is not mentioned once in the entire standards document.  Financial value of assets is not mentioned . Cost of security countermeasures is a “kleinigkeit“: in German “Es ist das Detail, das unterhält und lebendig macht”  or in English – “God is in the details” or in American, “10 million here, 10 million there and pretty soon we’re talking real money”.

The word “value” is mentioned exactly twice in the 42 pages of the ISO 27001 standard – once (“an asset is anything that has value to the organization”) and a second time, as a control (A.7.2.1- ”Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization“).

ISO 27001 is missing the most important thing for an SME: the bottom line of business context expressed in dollars and cents, how much will it cost, how much can it save him in consulting and equipment support and how much can the business reduce its value at risk in dollars/euros/rupees etc.

In a small to medium sized enterprise, money spent on security is competing with  the basic needs of the business.  A company employing 25 people making high tech capacitors for solar cells  may want to protect sensitive IP from leaking, but if it comes down to choosing between making payroll or buying a DLP system, we know that the manager will choose making payroll.

There is a middle ground – and that is enabling you – the SME business manager –  to perform a threat analysis on your business taking the ISO 27001 standard as a baseline – injecting asset values and countermeasure costs and arriving at the right, most cost-effective security countermeasure plan for your business.

You can perform an ISO 27001-based risk assessment on your operation  with your business assets and your typical business  threats  in just a few minutes using the Software Associates PTA library for ISO 27001.  You can download the free Practical Threat Analysis library for ISO 27001 and (you will need to first download the free risk assessment software).

Upgrade your security today using ISO 27001, the most important vendor-neutral standard for data security available today and take a first step towards a world-class information security management system at a price that you can afford.