Search in ISMS Guides

Google
 

Thursday, August 9, 2007

Little steps to ISO 27001

By Howard Smith, Information Security Manager at Sunderland City Council.

shares the lessons learned from the path they took to certification against ISO 27001, the Information Security Management System (ISMS), published in October 2005, which aims to help practitioners establish and maintain an effective information management system.

When local authorities began implementing ‘e-Government 3’ statements in 2003 they had to become compliant with the relevant standards (initially BS 7799, now the international standard ISO 27001). We in the ICT Unit at Sunderland City Council decided to go beyond simple ‘compliance’ and aim for full ‘certification’.

As you can see from the model below it’s a complex issue, and achieving certification can seem a daunting task. For instance, there are 133 underlying controls which address requirements ranging from security policy through to compliancy. These include the policies, procedures, advice notes, posters, etc which are required to support compliancy or certified status.

But don’t be daunted – stand back, reflect and then move forward – in ‘little steps’.

Some key things to remember are:

• First, know what the three key stages of the certification process are, namely Gap analysis, Risk Assessment and the Statement of Applicability. The Statement of Applicability is developed from the Gap Analysis and the Risk Assessment, and is a living document, but always reflects your current status. Remember they are your documents – you own them.

• Second, you don’t have toaddress all 133 controls in order tobe ready for audit. You will need to have done an adequate amount of work on the controls before you do so but any good security manager will know when his organisation is ready to be audited.

• Third, you will need an Information Security Management System (ISMS). This determines how you implement and manage the system, including the self auditing requirement using detailed metrics. It also includes a continual improvement provision which ensures that any controls that are still to be addressed are duly actioned and that documents are reviewed annually at a minimum.

• Fourth, you will need a management group to lead the way; we use the ‘Management of Information Security Working Group’. The group addresses issues and reviews and approves all relevant documentation, meeting on a monthly basis.

• When you have completed these steps you are ready for the audit. We used BSi to carry out our audit
– after all it’s their standard
– so who better to use! It can take two years of hard work to get to that stage, and it’s natural to want to protect your ‘new baby’ (all your processes, controls and documents) – but don’t forget that the auditors are human too!

• Finally you’ll be ready for certification. You can look back on your journey of enlightenment an learning, remember the little steps you took to get there, and be proud of what you’ve achieved.

If anyone in the Information Security arena would like to discuss the process of certification further on a one-to-one basis, I’d be more than happy to help. Please don’t hesitate to e-mail me on
howard.smith@sunderland.gov.uk
or phone me on 0191 553 4211.