March 31, 2010

New ISO 27001 Training Available!

Good afternoon everybody,

Let me first start by saying that I have been amazingly busy in March, with lots of challenging and interesting customer projects and an intense training delivered in Montreal 2 weeks ago.

The good news is that my latest ISO 27001 training is now available for you to watch.

This is part 1 of a 2-part training on ISO 27001 clause 4, which defines the requirements for implementing an ISMS from the scoping, risk management and document management perspectives.

Just click on the image to watch it (31 minutes duration).

The second part of the training will be available in April.

I hope you will enjoy it, and don't forget to send me your comments!

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

March 19, 2010

#1 ISO/ISO 27001 Related Blog on TechnoRati - Big thanks to all the readers

Good morning (again) to all of you!

Just a quick post to thank you again. I know I already did it back in early February, but this morning this blog hit another milestone I personally set for myself when I decided to start it.

In fact, "martindion.blogspot.com - ISO Security Training" became the number one ISO/ISO27001 related blog on TechnoRati billboard :)

For those of you who don't know TechnoRati, it is a tracking system for bloggers to determine how well their blog is perceived. It does not focus on how many hits you have or how well you rank in search engines, but rather on how many other bloggers, public articles and information sources (all of this called "Authority") point back or link back to you and your articles.

I am really happy that I already hit this milestone since:
- I started the blog a little over 3 months ago
- The readership already ranks in the thousands on a monthly basis
- People are starting to send me more and more questions, AND:
- I do not use any form of publicity and do not engage in any link exchange solicitation with other blogs

This recognition from you the readers and from my peers encourages me to continue my work and to bring you the best available information from the field when it comes to ISO 27001.

Cheers and have a good weekend,

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

ISO:27001 for small business and/or limited perimeter (Part 3 of 3)

Good morning folks,

This is the third and final posting in a series of 3. As a reminder, Cyril, one of the blog readers, asked me by email an interesting set of questions:

1. Is there documentation or feedback information on ISO27001 ISMS implementation within a smaller organization (ie: business unit only or department) publicly available?
2. Could the decision of certifying only a subset of an organization or a smaller perimeter cause more harm than good or even project an image of irrelevancy for such an endeavor?
3. Are other frameworks more adapted to such a context?

My understanding of your third question:
Is there any information security management framework available that might be better adapted to the context of a business unit, a department or a smaller business?

Big question that I will do my best to answer but keep in mind that this blog focuses on the implementation of ISO frameworks in general.

For those of you who didn't already listen to training #1 published last January, I invite you to do so, since I cover a bunch of information security related standards in that video training.

The first observation that comes to mind when answering your question is that although some non-ISO security frameworks are available, most of them, if not all, try to directly attach and relate themselves to ISO 27001. Some of them should be seen as complements; others offer equivalence but with a different perspective on the topic of information security and IT governance.

A second observation I would like to make is the fact that ISO 27001 has been created with a "one size fits all" mindset. In other words, it is business-sector and size agnostic. Not all the controls are applicable to your specific context, and the perimeter can differ from organization to organization.

As an example, let's say you want to certify a business process outsourcing division that focuses on accounting services and that does not conduct software development. The controls documented in Annex A, section 12 are mostly irrelevant and can be excluded from the statement of applicability.

Furthermore, keep in mind that adopting the ISO 27001 framework does not automatically mean that you have to shoot for certification, so you can take some pressure off and start experimenting :)

However, let’s say you want to stick with ISO 27001. What I personally like to do with customers who are getting into the 27001 business is to give it a CMM twist.

A Capability Maturity Model enables you to define how well you are doing some things on a scale of 0 to 5. The reason why I prefer to do this with "starters" is that the customer can work on various control improvements without shooting for "certifiability". The side benefit of the CMM scorecard is that it enables you to easily track the implementation progress and report on it to top management in an iterative manner.

To start using this combined approach, you have to conduct an initial audit to establish a baseline by defining the current maturity level of the controls. The second step is to define the target levels you want to attain and to spread the work over a 2 or 3 year period. If you want to be certified, all the controls should minimally attain level 3 and some of them are to be at level 4.

The good news is that by using and updating your ISO27001/CMM scorecard, you are practicing, on a day-to-day basis, the Plan-Do-Check-Act cycle required by ISO:27001. Here is a sample CMM scale you can apply to ISO27001:

- Level 0: The control is not implemented or, although required, not respected at all.
- Level 1: The control is not documented and/or its application is intuitive/irregular.
- Level 2: The control is not documented, but evidence shows that it is done on a regular basis by the staff.
- Level 3: The control is formally documented, proof of its regular application is available, and regular audits are made.
- Level 4: It is documented, evidence is available, performance is measured by means of detective/automatic controls, and key performance indicators are available and communicated to top management.
- Level 5: The previous requirements plus an integrated control approach is implemented to prevent and/or correct deviation from the previously set objectives.
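As an added example (not part of the original post), a minimal ISO27001/CMM scorecard in Python covering the approach above: a baseline assessment per control, targets and gaps, the certification check (every applicable control at least at level 3, flagged ones at level 4) and the statement-of-applicability exclusion from the accounting BPO example (Annex A.12 excluded). Control numbers follow the ISO 27001:2005 Annex A numbering the post uses; which controls need level 4 and the sample maturity levels are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
CERT_BASE_LEVEL = 3  # post: on the 0..5 scale, every applicable control must reach at least 3 to certify
CERT_HIGH_LEVEL = 4  # post: "some of them" must reach level 4; which ones is left to the ISMS owner

@dataclass
class ControlScore:
    control_id: str             # Annex A reference (ISO 27001:2005 numbering, as in the post)
    name: str
    applicable: bool = True     # False: excluded in the Statement of Applicability
    needs_level4: bool = False  # assumption: flagged by the ISMS owner as a level-4 control
    current: int = 0            # latest assessed maturity level
    target: int = CERT_BASE_LEVEL
    history: list = field(default_factory=list)  # (period, level) pairs for PDCA tracking

def record_assessment(control, period, level):
    """Log one audit/review cycle (the 'Check' of PDCA) and update the current level."""
    if not isinstance(level, int) or not 0 <= level <= 5:
        raise ValueError(f"maturity level must be an integer 0..5, got {level!r}")
    control.history.append((period, level))
    control.current = level

def gap(control):
    """Levels still to gain toward the target; excluded controls carry no gap."""
    return max(control.target - control.current, 0) if control.applicable else 0

def certification_blockers(controls):
    """Applicable controls below level 3, or below 4 when flagged, as (id, current, required)."""
    blockers = []
    for c in controls:
        required = CERT_HIGH_LEVEL if c.needs_level4 else CERT_BASE_LEVEL
        if c.applicable and c.current < required:
            blockers.append((c.control_id, c.current, required))
    return blockers

def scorecard_summary(controls):
    """Figures for the iterative report to top management: coverage, average and open gaps."""
    applicable = [c for c in controls if c.applicable]
    avg = sum(c.current for c in applicable) / len(applicable) if applicable else 0.0
    return {"applicable": len(applicable), "excluded": len(controls) - len(applicable),
            "average": round(avg, 2), "open_gaps": sum(gap(c) for c in applicable)}

def sample_scorecard():
    """Constructed baseline for the post's accounting BPO division: Annex A.12 is excluded."""
    controls = [ControlScore("A.9.1.1", "Physical security perimeter"),
                ControlScore("A.10.5.1", "Information back-up", needs_level4=True, target=4),
                ControlScore("A.11.2.1", "User registration"),
                ControlScore("A.12.2.1", "Input data validation", applicable=False)]
    for c, level in zip(controls, (2, 1, 3, 0)):  # constructed baseline audit results
        record_assessment(c, "baseline", level)
    return controls
```

Re-running `record_assessment` after each yearly audit and re-reading `certification_blockers` and `scorecard_summary` gives the iterative progress report described above.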

In a nutshell, I suggest you stick with ISO27001 since it is the only framework formally certifiable. Used in conjunction with CMM, it will help you ease the implementation process.

The reason why I am making this claim is that although some other security frameworks are great and sometimes freely available, I do not think they are any easier to implement. To form your own opinion on the other frameworks, have a look at the following:

- ISM3 (Information Security Management Maturity Model)
- COBIT from ISACA, which can be used in conjunction with Val IT from the ITGI
- SSE-CMM (System Security Engineering Capability Maturity Model)
- The Standard of Good Practice from the Information Security Forum
- The security publications from NIST (National Institute of Standards and Technology)
- PCI-DSS from the Payment Card Industry Security Standards Council

To conclude, although I have a strong opinion on the adoption of ISO as the framework of choice, I see one alternative. If you want to achieve certification down the road and you want to limit re-work, I suggest you start specific projects based on the NIST publicly available documents.

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

March 18, 2010

ISO 27001 for small business and/or limited perimeter (Part 2 of 3)

Good morning folks,

This is the second posting in a series of 3. As a reminder, Cyril, one of the blog readers, asked an interesting set of questions:

1. Is there documentation or feedback information on ISO:27001 ISMS implementation within smaller organizations publicly available? (ie: business unit only or department)
2. Could the decision of certifying only a subset of an organization or a smaller perimeter cause more harm than good or even project an image of irrelevancy for such an endeavour?
3. Are other frameworks more adapted to such a context?

Since we discussed question 1 in the last posting, let’s jump right away to question #2 which is: What is the potential impact in terms of value perception or image when certifying only a subset of an organization?

This question is really interesting. First, as I have discussed in a previous posting on LinkedIn, there are many different reasons why companies decide to obtain ISO 27001 certification:

- Marketing
- Better security process
- Continual improvement… (See previous post for all the reasons)

Second, one must know that an early step towards certification is to define the perimeter of the ISMS (Information Security Management System).

If you carefully and scientifically analyze the potential situation using the following approach:

MIX “First Observation” / “Reason #1” WITH “Observation #2”

It is safe to assume that an organization going for certification with marketing reasons in mind will make an outstanding effort to reduce the perimeter to the smallest possible unit within the organization. This scientific demonstration is also known in layman's terms as the "biggest bang for the buck" :)

The reason why this question is so interesting is that those misled persons I just mentioned will get the unpleasant surprise of discovering that within a large organization, it is not easy to limit the certification scope to a specific department or a subset of a business since:

- Physical security is managed centrally
- Human resources processes are handled by a specific department and are standardized across the organization
- Access control management (physical, logical, network, OS, DBMS, applications...) is rarely handled by a single person or department (ie: HR + IT most of the time)
- Corporate email, file storage, backup and printing services are shared corporate facilities, and it would be hard to operate them differently from the corporate standard for a single department
- End users are within the scope of certification; therefore, if your system is used by people outside your department, you will need some security measures and a security awareness campaign aimed at them.

The list of reasons can go on and on, but I think you get my point...

With that said, ISO allows you to scale down the certification perimeter to a single business process or a limited perimeter. In my opinion, if you want to do it, there are three good ways of defining and scoping a smaller perimeter:

- A specific office / region / geographical location / country
- A shared service unit such as "information technology" and its datacenters
- A self-sustained business process (ie: an off-site call center with its own servers, IT staff and purpose in life; in short, a business within the business)

On the point of "Would trying to limit the perimeter give a bad image to the initiative?", I think that you can now determine on your own that doing so without taking certain precautions will most certainly have a negative impact, if not on the initiative, then on you!

If you make the mistake of not considering that certain controls affect the organization transversally, you won't succeed; therefore, you will have invested a lot of time and effort and spent precious organizational budget to achieve next to nothing.

Yes, the security posture will have improved, but remember one thing: YOU told top execs when selling your project that your success measurement criteria will be the certification proving you did your job correctly…

Note to myself: In a future post, I should take some time to discuss how to sell the project internally and what you can safely promise your management when talking ISO 27001 certifications without shooting yourself in the foot.

I hope this post will help you get a better understanding of the benefits and requirements, but also of the potential pitfalls to consider when limiting the perimeter and scope of your certification.

Now readers and fellow bloggers, the ball is in your court! Although I just gave you what I think is a nice property tour, my posting is not a fully detailed answer or analysis of the "perimeter and scoping" nuts and bolts. I didn't look into all the possible scenarios and constraints, and therefore I will ask you to either comment or propose specific perimeter scoping scenarios you would like to debate.

Until next time, have a great day :)

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer

ISO 27001 for small business and/or limited perimeter (Part 1 of 3)

Good evening folks,

I hope all of you are doing well. As I am giving an ISO 27001 Lead Auditor certification training in my hometown this week, I am writing to you from beautiful Montreal, Canada.

First, I would like to start this post by sincerely thanking Cyril, one of the blog readers, for an interesting set of questions and comments. Here are his questions:

1- Is there documentation or feedback information on ISO 27001 ISMS implementation within smaller organizations (ie: business unit only or department) publicly available?
2- Could the decision of certifying only a subset of an organization or a smaller perimeter cause more harm than good or even project an image of irrelevancy for such an endeavour?
3- Are other frameworks more adapted to such a context?

Since each of those questions deserves my full attention and will require a potentially lengthy answer, I will answer each of them in a separate posting over the next few days.

Question 1: Is there feedback or a documentation source available on small business / limited perimeter ISO27001 certification?

Let me first answer your question by saying that the reason why I decided to start this blog is specifically the lack of a publicly available, non-commercial and community-oriented meeting place for people wanting to learn and share on the topic of ISO27001. So I hope my blog will eventually fill that particular space.

With that said, there are a few discussion groups available, but I must unfortunately admit that those are low "traffic". Still, they might be interesting places to look at, as a lot of questions were asked and answered over time. Here are some forums and web sites you might want to look into:

http://groups.google.com/group/iso27001security
http://tech.groups.yahoo.com/group/iso-27001/
http://www.17799.com/modules.php?name=Forums

Another place you should go to if you have specific questions is LinkedIn. It is one of the best places to ask questions of a wide audience of potential experts. Although the quality of answers is variable, if you post your inquiries in the Information Security and Quality Management subsections, you will reach in "near realtime" tens of thousands of people who might have faced the same issue. Here are the links to the LinkedIn Q&A space:

LinkedIn Quality Management Q&A Section
LinkedIn Information Security Q&A Section

Finally, one thing you should do is to get online and look at who got certified, review their certification scope and identify two or three companies who got certified in a similar context. Once you spot them, I suggest you do not hesitate to contact them to discuss the matter at hand. After all, this is a professional inquiry, and anybody with a normal level of professional courtesy will gladly answer your question. Here are some links you can look into to find certified companies you can contact:

http://www.iso27001certificates.com/
http://www.sgs.com/certified_clients
http://www.bsigroup.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search/

I hope this posting answers your question, and that you will find what you are looking for in the previously mentioned resources.

Stay tuned for the next posting and until then, have a great day!

PS: Readers are invited to leave comments!

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

March 12, 2010

Nothing to worry about, stand by for a new post!

Good day everybody,

I just want to apologize: I was offline most of the week and will be delivering a training next week.

But hang in there!!!! I am done with the "ISO 27001 - Clause 4" training script. I will try to record it and put it online mid-next week :)

Until then, have a great day!

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security