How to implement ISO 27001: instructions for use

Today, the issue of information security (hereinafter - IS) of companies is one of the most relevant in the world. And this is not surprising, because in many countries there is a tightening of requirements for organizations that store and process personal data. Currently, Russian legislation requires that a significant proportion of the document flow be kept in paper form. At the same time, the trend towards digitalization is noticeable: many companies already store a large amount of confidential information both in digital format and in the form of paper documents.

According to the results of a survey by the Anti-Malware Analytical Center, 86% of respondents noted that at least once during the year they had to resolve incidents caused by cyber attacks or by users violating established regulations. In this regard, giving priority attention to information security has become a business necessity.

Currently, corporate information security is not only a set of technical means, such as antiviruses or firewalls; it is already an integrated approach to handling company assets in general and information in particular. Companies take different approaches to solving these problems. Today we would like to talk about implementing the international standard ISO 27001 as a solution to this problem. For companies in the Russian market, holding such a certificate simplifies interaction with foreign clients and partners who have high requirements in this area. ISO 27001 is widely used in the West; it covers the information security requirements that the technical solutions in use must meet, and it helps structure business processes. Thus, this standard can become your competitive advantage and a point of contact with foreign companies.

This standard for the Information Security Management System (hereinafter referred to as the ISMS) collects the best practices in designing an ISMS and, importantly, provides for the selection of controls that keep the system operating, covering requirements for technological security and even for the company's personnel management process. After all, it is necessary to understand that technical failures are only part of the problem. In matters of information security, a huge role is played by the human factor, which is much more difficult to exclude or minimize.

If your company is about to become ISO 27001 certified, then you may have already tried to find an easy way to do it. We will have to disappoint you: there are no easy ways here. However, there are certain steps that will help prepare an organization for international information security requirements:

1. Get support from management

You may think this is obvious, but in practice this point is often overlooked. Moreover, this is one of the main reasons why projects to implement ISO 27001 often fail. Without understanding the significance of the project to implement the standard, management will not provide either sufficient human resources or sufficient budget for certification.

2. Develop a certification preparation plan

Preparing for ISO 27001 certification is a complex task that includes many different types of work, requires the involvement of a large number of people and can take many months (or even years). Therefore, it is very important to draw up a detailed project plan: allocate resources, time and people involvement to strictly defined tasks and monitor compliance with deadlines - otherwise you may never finish the job.

3. Determine the certification perimeter

If you have a large organization with diversified activities, it probably makes sense to certify only part of the company's business to ISO 27001, which will significantly reduce the risks of your project, as well as its time and cost.

4. Develop an information security policy

One of the most important documents is the Information Security Policy of the company. It should reflect the goals of your company in the field of information security and the basic principles of information security management, which must be observed by all employees. The purpose of this document is to define what the company's management wants to achieve in the field of information security, as well as how it will be implemented and controlled.

5. Define a risk assessment methodology

One of the most difficult tasks is defining the rules for assessing and managing risks. It is important to understand which risks a company can consider acceptable and which require immediate action to mitigate them. Without these rules, the ISMS will not work.

At the same time, it is worth remembering that the measures developed to reduce risks must be adequate to those risks. But you should not get too carried away with optimizing them, because such measures may entail large time or financial costs, or may simply be impossible. We recommend that you apply the principle of "minimum sufficiency" when developing risk mitigation measures.

6. Manage risks according to the approved methodology

The next stage is the consistent application of the risk management methodology, that is, the assessment and treatment of risks. This process must be carried out on a regular basis and with great care. By keeping the information security risk register up to date, you can effectively allocate company resources and prevent serious incidents.

7. Plan your risk treatment

Risks that exceed the level acceptable to your company should be included in the risk treatment plan. It should record the actions aimed at reducing the risks, as well as the persons responsible for them and the deadlines.

8. Complete the Statement of Applicability

This is the key document that will be examined by the certifying authority during the audit. It should describe which information security controls apply to your company's operations.

9. Determine how the effectiveness of information security controls will be measured

Any action must produce a result that leads to the fulfillment of the established goals. Therefore, it is important to clearly define the parameters by which the achievement of objectives will be measured, both for the information security management system as a whole and for each control selected in the Statement of Applicability.

10. Implement information security controls

Only after completing all the previous steps should you start implementing the applicable information security controls from the Statement of Applicability. The biggest challenge here, of course, will be introducing an entirely new way of doing things into many of your organization's processes. People usually resist new policies and procedures, so pay attention to the next point.

11. Implement employee training programs

All the points described above will be meaningless if your employees do not understand the importance of the project and do not act in accordance with the information security policies. If you want your staff to comply with all the new rules, you first need to explain to people why they are needed, and then provide training on the ISMS, highlighting all the important policies that employees should consider in their daily work. Lack of staff training is a common reason why an ISO 27001 project fails.

12. Maintain ISMS processes

At this stage, ISO 27001 becomes a daily routine in your organization. To confirm that information security controls are implemented in accordance with the standard, you will need to provide auditors with records: evidence that the controls actually operate. But first and foremost, the records should help you keep track of whether your employees (and suppliers) are performing their tasks in accordance with the approved rules.

13. Monitor the ISMS

What happens to your ISMS? How many incidents do you have, what type are they? Are all procedures properly followed? With these questions, you should check whether the company is achieving its information security goals. If not, you must develop a plan to correct the situation.

14. Conduct an internal audit of the ISMS

The purpose of an internal audit is to reveal the discrepancy between the actual processes in the company and the approved IS policies. For the most part, this is a test of how your employees comply with the rules. This is a very important point, because if you do not control the work of your staff, the organization may be damaged (intentionally or unintentionally). But the point here is not to find the perpetrators and impose disciplinary sanctions on them for non-compliance with policies, but to correct the situation and prevent future problems.

15. Organize Management Review

Management doesn't have to set up your firewall, but they do need to know what's going on in the ISMS: for example, whether everyone is fulfilling their responsibilities and whether the ISMS is achieving its intended results. Based on this, management should make key decisions to improve the ISMS and internal business processes.

16. Introduce a system of corrective and preventive actions

Like any standard, ISO 27001 requires "continuous improvement": the systematic correction and prevention of nonconformities in the information security management system. With corrective and preventive actions, you can correct a nonconformity and prevent its recurrence in the future.

In conclusion, I would like to say that getting certified is actually much more difficult than is described in various sources. This is confirmed by the fact that in Russia today only 78 companies have been certified for compliance. At the same time, abroad it is one of the most popular standards meeting the growing needs of business in the field of information security. Such demand for implementation is due not only to the growth and increasing complexity of threats, but also to the requirements of the law, as well as of customers who need complete confidentiality of their data to be maintained.

Despite the fact that ISMS certification is not an easy task, the mere fact of meeting the requirements of the international standard ISO/IEC 27001 can give a serious competitive advantage in the global market. We hope that our article has given a primary understanding of the key stages in preparing a company for certification.

Source: habr.com