Saturday, August 4, 2007

Policy Monitor and its relationship with ISO 27001:2005

A White Paper by Steve Wright, Siemens Insight Consulting

So how can Policy Monitor help an
organisation demonstrate best practice and
compliance with ISO 27001:2005?

Back to basics
Information security (InfoSec) covers a far
more complex and broad area than just IT.
InfoSec interweaves in and out of an entire
business function and its supporting process.
It spans and affects every part of the
organisation (and its trusted partners) and
business. It can change the way an entire
department is operated, whilst providing
assurance to stakeholders and shareholders
that appropriate controls are in place, or being
managed. It can also provide the necessary
risk management controls mandated under
legislation and regulatory requirements.

Whatever your business or contractual requirements to demonstrate and
manage InfoSec are, an organisation needs to think about how it can
manage and disseminate relevant InfoSec policies (e.g. IT User
Acceptance, HR Vetting, Building Access, IT & Network Access, Mobile
Devices Usage) to all its employees. This may sound straightforward, but
ensuring these policies have the correct version, are assigned to relevant
owners for regular updates (following the latest vulnerability alert, a
significant change or an updated risk review) and making sure the ‘end
users’ have read and understood them, can be a real headache for any
organisation (depending upon the size and geographical layout).

Policy Monitor has been designed and developed with this requirement in
mind. In addition, Policy Monitor also fulfils the best practice
requirements of ISO 27001.

What is Best Practice - ISO 27001?
ISO 27001:2005 was established by the International Organization for Standardization (ISO). It is based on, and replaces, the internationally recognised British Standard BS 7799. ISO 27001 has been aligned with other international standards, including the OECD guidelines for implementing information security and the Code of Practice standard, ISO 17799.

ISO 27001 defines the requirements for an
Information Security Management System
(ISMS). The standard is designed to ensure the
selection of adequate and proportionate
security controls such as a security policy and its
supporting IT policies and procedures. This
helps to protect organisations’ information
assets and provides confidence to interested
parties including an organisation’s customers
and third parties.

The standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organisation’s ISMS. ISO 27001 is by no means an IT-only standard; information is an organisational asset. The standard has no technology requirements, although there are IT-related controls, as the majority of information is held on IT systems.

ISO 27001 is the only internationally accepted
auditable standard for information security

The standard goes further to re-emphasise the
importance of having a security policy endorsed
by the highest level of authority within an
organisation. This way, employees can
recognise the importance of security to that
organisation and ensure they comply with best
practice. ISO 27001 requires that “an
information security policy document should be
approved by management, and published and
communicated to all employees and relevant
external parties.”

Clause 4.2.2 (e) requires any organisation
wishing to be compliant (or certified) with
ISO 27001 to implement training and
awareness programmes. Clause 5.2.2 requires
that the organisation is responsible for ensuring
all personnel who are assigned responsibilities
defined in the Information Security
Management System (ISMS) are aware of their
responsibilities and have access to appropriate
policies at all times.

In addition to this, ISO 27001 describes the
context of risk and how risk, policies and
corporate standards can work together (within a
framework of an Information Security
Management System – ISMS / ISO 27001)
through a systematic and layered approach to
InfoSec Management.

Annex A control A.8.2.2 goes even further – it requires any organisation claiming to be compliant with ISO 27001 to ensure “All employees of the organisation and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organisational policies and procedures, as relevant for their job function.” This effectively means that an organisation is responsible not only for ensuring all its staff and contractors have appropriate access to the security policy, but also for demonstrating that the relevant people have read and understood it.

Well, it all originates from one very simple principle – good and effective policy and content management. Without knowing what and where your policies are, how current they are, how they are accessed and by whom, the organisation increases the risk of employees not adhering to its policies. Nobody can be expected to adhere to security policy rules, nor be disciplined for breaching them, unless the organisation can categorically prove the end user was aware of the security policy.

This presents most organisations with a similar dilemma – how to ensure the relevant information is disseminated appropriately and that evidence can be provided should the need arise (e.g. civil or criminal prosecution). Policy Monitor has the answer: it uses an Integrated Content Management System to allow author and approver control (a requirement of ISO 27001 – see Clauses 4.3.2 and 4.3.3, Control of documents and Control of records – and a requirement of a Quality Management System, ISO 9001), provides policy version control, and monitors employee usage and acceptance.

With the focus being placed on perimeter security, firewalls, intrusion prevention software and ID card access, it becomes easy to forget the simple rule that you are only as good as the people you employ.

Making sure they are equipped with the knowledge and tools to ensure the correct policy is applied should be an organisation’s first and last line of defence.

So, whatever your drivers are for ensuring
security policies are disseminated, adhered
to, or communicated effectively,
complementary use of Policy Monitor will
help your organisation with all kinds of
invaluable and available information about

I hope this paper will help you when
considering Siemens Insight Consulting as your
partner in helping you or your organisation
become fluent in the world of InfoSec.

Author’s biography
Steve Wright is a Senior Consultant
providing professional advice in relation to
information security/technology
management to meet BS 7799, ISO 27001,
ITIL, ISO 20000, PAS 56, PAS 99, PCI DSS,
ISO 13335 and works within legal and
regulatory frameworks such as Basel II, SOX
and Combined Code requirements. In
addition, he is accustomed to
implementing risk best practices such as
enterprise risk management frameworks
and conducting risk assessments, using
tools such as CRAMM.
He is currently project managing many implementations of ISO 27001 ISMSs, both virtually and physically, from initiation through to final delivery, to meet the certification requirements of ISO 27001, ISO 9001 and ISO 20000 in the financial, private and public service sectors, three of which achieved certification to ISO/IEC 27001:2005 in late 2006 alone.
