March 19, 2010

ISO:27001 for small business and/or limited perimeter (Part 3 of 3)

Good morning folks,

This is the third and final post in a series of three. As a reminder, Cyril, one of the blog readers, asked me by email an interesting set of questions:

1. Is there documentation or feedback information on ISO27001 ISMS implementation within a smaller organization (ie: business unit only or department) publicly available?
2. Could the decision of certifying only a subset of an organization or a smaller perimeter cause more harm than good, or even project an image of irrelevancy for such an endeavor?
3. Are other frameworks better adapted to such a context?

My understanding of your third question:
Is there any information security management framework available that might be better adapted to the context of a business unit, a department, or a smaller business?

Big question, which I will do my best to answer, but keep in mind that this blog focuses on the implementation of ISO frameworks in general.

For those of you who haven't already listened to training #1, published last January, I invite you to do so, since I cover a number of information security related standards in that video training.

The first observation that comes to mind when answering your question is that although some non-ISO security frameworks are available, most of them, if not all, try to attach and relate themselves directly to ISO 27001. Some of them should be seen as complements; others offer equivalence, but with a different perspective on the topic of information security and IT governance.

A second observation I would like to make is that ISO has been created with a "one size fits all" mindset. In other words, it is business sector and size agnostic. Not all the controls are applicable to your specific context, and the perimeter can differ from organization to organization.

As an example, let's say you want to certify a business process outsourcing division that focuses on accounting services and that does not conduct software development. The controls documented in Annex A, section 12 are mostly irrelevant and can be excluded from the statement of applicability.

Furthermore, keep in mind that adopting the ISO 27001 framework does not automatically mean that you have to shoot for certification, so you can take some pressure off and start experimenting :)

However, let’s say you want to stick with ISO 27001. What I personally like to do with customers who are getting into the 27001 business is to give it a CMM twist.

A Capability Maturity Model enables you to define how well you are doing certain things on a scale of 0 to 5. The reason why I prefer to do this with "starters" is that the customer can work on various control improvements without shooting for "certifiability". The side benefit of the CMM scorecard is that it enables you to easily track the implementation progress and report on it to top management in an iterative manner.

To start using this combined approach, you have to conduct an initial audit to establish a baseline by defining the current maturity level of the controls. The second step is to define the target levels you want to attain and to spread the work over a 2- or 3-year period. If you want to be certified, all the controls should minimally attain level 3, and some of them are to be at level 4.

The good news is that by using and updating your ISO27001/CMM scorecard, you are practicing, on a day-to-day basis, the Plan-Do-Check-Act cycle required by ISO:27001. Here is a sample CMM scale you can apply to ISO27001:

- Level 0: The control is not implemented or, although required, not respected at all.
- Level 1: The control is not documented and/or its application is intuitive/irregular.
- Level 2: The control is not documented but evidence shows that it is done on a regular basis by the staff.
- Level 3: The control is formally documented, proof of its regular application is available, and regular audits are made.
- Level 4: It is documented, evidence is available, performance is measured by means of detective/automatic controls, and key performance indicators are available and communicated to top management.
- Level 5: The previous requirements, plus an integrated control approach is implemented to prevent and/or correct deviance from the previously set objectives.
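To make the scorecard approach concrete, here is an added worked example (my own illustration, not code from the original post): a small Python model of the ISO27001/CMM scorecard described above, with the 0-5 scale, a baseline from the initial audit, per-control targets, the "level 3 everywhere, level 4 on the designated controls" certification rule, a progress figure for the iterative report to top management, and a helper that spreads the climb from baseline to target over the 2- or 3-year plan. The sample scorecard is constructed for the accounting BPO division used as an example in the post, so the Annex A.12 development control is marked not applicable; the Annex A reference numbers follow the 2005 numbering, which is an assumption on my part, and which controls must reach level 4 is purely illustrative.

```python
"""Constructed ISO 27001 / CMM scorecard (illustration, not the post's own tool).

Each Annex A control carries a baseline level (initial audit), a target
level (end of the 2- or 3-year plan) and the level found at the latest review.
"""
from dataclasses import dataclass

# The six maturity levels of the post's sample CMM scale.
LEVEL_NAMES = {
    0: "not implemented / not respected",
    1: "undocumented, intuitive or irregular",
    2: "undocumented but done regularly",
    3: "documented, evidenced and regularly audited",
    4: "measured by detective/automatic control, KPIs reported",
    5: "integrated approach preventing/correcting deviance",
}


def check_level(level: int) -> int:
    """Reject scores outside the 0..5 scale before they reach the scorecard."""
    if level not in LEVEL_NAMES:
        raise ValueError(f"maturity level must be 0..5, got {level!r}")
    return level


@dataclass
class ControlScore:
    control_id: str             # Annex A reference (2005 numbering assumed)
    description: str
    baseline: int               # level found in the initial audit
    target: int                 # level to reach at the end of the plan
    current: int                # level found at the latest review
    applicable: bool = True     # False: excluded in the Statement of Applicability
    needs_level4: bool = False  # control the organization wants at level 4 for certification

    def __post_init__(self):
        for lvl in (self.baseline, self.target, self.current):
            check_level(lvl)

    def remaining_gap(self) -> int:
        """Levels still to climb before the target is met (never negative)."""
        return max(self.target - self.current, 0)


def certification_blockers(scorecard):
    """Controls failing the post's rule: every applicable control at level 3
    or better, and the designated ones at level 4."""
    blockers = []
    for c in scorecard:
        if not c.applicable:
            continue
        required = 4 if c.needs_level4 else 3
        if c.current < required:
            blockers.append(c.control_id)
    return blockers


def progress_percent(scorecard) -> int:
    """Share of the planned maturity gain (target - baseline) already achieved:
    the single figure for the iterative report to top management."""
    applicable = [c for c in scorecard if c.applicable]
    planned = sum(c.target - c.baseline for c in applicable)
    achieved = sum(min(c.current, c.target) - c.baseline for c in applicable)
    return 0 if planned == 0 else round(100 * achieved / planned)


def plan_milestones(baseline: int, target: int, years: int = 3):
    """Yearly target levels spreading the climb from baseline to target over the plan.
    Integer division pushes the work to later years; the last entry is always the target."""
    delta = check_level(target) - check_level(baseline)
    return [baseline + (delta * year) // years for year in range(1, years + 1)]


# Constructed sample: an accounting BPO division that writes no software,
# so the Annex A.12 development control is excluded from the SoA.
SAMPLE_SCORECARD = [
    ControlScore("A.5.1.1", "Information security policy document", 1, 3, 3),
    ControlScore("A.8.2.2", "Security awareness, education and training", 0, 3, 2),
    ControlScore("A.10.5.1", "Information backup", 2, 4, 3, needs_level4=True),
    ControlScore("A.11.2.1", "User registration", 1, 4, 4, needs_level4=True),
    ControlScore("A.12.2.1", "Input data validation", 0, 0, 0, applicable=False),
]


def report(scorecard=SAMPLE_SCORECARD) -> str:
    """Plain-text scorecard: one line per control, then progress and blockers."""
    lines = []
    for c in scorecard:
        if c.applicable:
            status = f"{c.current}/{c.target} ({LEVEL_NAMES[c.current]})"
        else:
            status = "N/A (excluded in SoA)"
        lines.append(f"{c.control_id:9} {c.description:45} {status}")
    lines.append(f"progress: {progress_percent(scorecard)}% of planned maturity gain")
    blockers = ", ".join(certification_blockers(scorecard)) or "none"
    lines.append(f"certification blockers: {blockers}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Running the script prints the scorecard for the constructed sample: 80% of the planned maturity gain is achieved, but the division is not yet certifiable because awareness training sits at level 2 and backup, designated a level 4 control, is still at level 3. Re-running it after each review is the Check step of the PDCA cycle; adjusting targets or milestones is the Act step.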

In a nutshell, I suggest you stick with ISO27001, since it is the only framework that is formally certifiable. Used in conjunction with CMM, it will help you ease the implementation process.

The reason why I am making this claim is that although some other security frameworks are great and sometimes freely available, I do not think they are any easier to implement. To form your own opinion on the other frameworks, have a look at the following:

- ISM3 (Information Security Management Maturity Model)
- CoBIT from ISACA, which can be used in conjunction with ValIT from the ITGI
- SSE-CMM (System Security Engineering Capability Maturity Model)
- The Standard of Good Practices from the Information Security Forum
- The Security Publications from the NIST (National Institute of Standards and Technology)
- PCI-DSS from the Payment Card Industry Security Standards Council

To conclude, although I have a strong opinion on the adoption of ISO as the framework of choice, I see one alternative. If you want to achieve certification down the road and you want to limit re-work, I suggest you start specific projects based on the publicly available NIST documents.

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

2 comments:

  1. ISO security training is becoming popular day by day. The sample CMM scale is very useful with its different levels.

  2. I have been hearing a lot of things regarding ISO certification 9001. I'm just new to this kind of technology, and I would like to try it in my small business. I hope you can also provide a review regarding this. Thanks!
