Information Security Blog

An American (ISO27001) Tsunami?

I recently read an interesting statistic – only 85 US companies have achieved ISO27001 certification. Putting this into perspective, over 3,000 companies in Japan have been certified. What’s more interesting is that we (Pivot Point Security) currently have four ISO27001-related projects on the schedule, where last year at this time we had zero. Assuming our competitors are seeing similar interest, it appears as though we are on the verge of a real “breakout” for 27001 here in the US.

If you haven’t looked at 27001, it is not just a refresh of ISO 17799 (a popular misconception). In a sense it is actually a “precursor” to 17799 (now renumbered as ISO 27002): it establishes an Information Security Management System (ISMS) that drives an organization’s security efforts. I call it a precursor because the initial stages of the ISMS produce an understanding of information risk, and that understanding determines which of the 27002 controls need to be implemented to reduce the risk to an acceptable level.

ISO 27001’s ISMS is an “approach” to information security that emphasizes:

  1. understanding an organization’s information security requirements and the need to establish policy and objectives for information security;
  2. implementing and operating controls to manage an organization’s information security risks in the context of the organization’s overall business risks;
  3. monitoring and reviewing the performance and effectiveness of the ISMS; and
  4. continual improvement based on objective measurement.

I think 27001 is poised for significant growth because of the growing need for third-party attestation. Increasingly it is not enough to be secure; we need to be able to “prove it” to a business partner, regulating body, shareholder, or investor. There have been many (largely failed) approaches to third-party attestation (e.g., SysTrust), but none have achieved critical mass. Sadly, the notable exception is SAS 70, which many entities look at as a good form of attestation. Unfortunately, they fail to understand what a Type II Service Auditor’s report really contains and what their obligations as the recipient are upon receiving it. Too often this results in a false sense of assurance. In a previous engagement it took us 7 minutes to compromise a banking application and move (we actually didn’t — but could have!) $500M to an offshore account. The client was shocked, as they had a “clean SAS 70” relating to the company/application (the root/admin password on all servers was the name of the company).

ISO 27001 certification is not without its failings:

  1. It focuses on certifying the “process” by which you determine which controls should be in place – not that the controls actually are in place.
  2. Without some level of substantive testing to validate that the technical controls are operating as intended, it can lead to a false sense of security.
  3. It fails to provide controls guidance for Applications – a major source of risk.
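The gap between certifying a process and verifying that a control actually operates is easy to show in code. The following is an added Python example, not from the original post or from Pivot Point Security: a process-style check that only confirms a signed password policy exists, beside a substantive test that compares stored credentials against guesses derived from the organization’s name (the kind of finding described in the SAS 70 anecdote above). The organization name, hosts, accounts, hashing scheme and guess list are all constructed assumptions.

```python
import hashlib


def hash_password(password, salt):
    """Assumed, illustrative hashing scheme.

    Real systems store passwords with a slow, salted password hash (bcrypt,
    scrypt, Argon2); SHA-256 is used here only so the sample is self-contained
    and reproducible.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def org_derived_guesses(org_name):
    """Candidate passwords an auditor would try first: the organization's
    name with common capitalizations and suffixes (assumed list)."""
    base = org_name.lower().replace(" ", "")
    stems = {base, base.capitalize(), base.upper()}
    suffixes = ["", "1", "123", "!", "01", "2008"]
    return sorted(stem + suffix for stem in stems for suffix in suffixes)


def process_audit(policy):
    """What a process-only review checks: does a signed password policy exist
    that forbids organization-derived passwords? It says nothing about whether
    the servers actually comply."""
    return bool(policy.get("signed")) and bool(policy.get("forbids_org_name"))


def substantive_password_test(accounts, org_name):
    """What a substantive test checks: compare each stored credential against
    the organization-derived guesses. Returns (host, user, matching_guess)."""
    findings = []
    guesses = org_derived_guesses(org_name)
    for acct in accounts:
        for guess in guesses:
            if hash_password(guess, acct["salt"]) == acct["hash"]:
                findings.append((acct["host"], acct["user"], guess))
                break
    return findings


# Constructed sample data (not real): the policy document passes the process
# review, while two of three privileged accounts use the company name anyway.
ORG_NAME = "Acme Bank"
POLICY = {"signed": True, "forbids_org_name": True, "min_length": 12}
_SALT = b"\x01" * 8  # fixed salt so the sample is reproducible
SAMPLE_ACCOUNTS = [
    {"host": "app01", "user": "root", "salt": _SALT,
     "hash": hash_password("Acmebank", _SALT)},
    {"host": "db01", "user": "admin", "salt": _SALT,
     "hash": hash_password("acmebank1", _SALT)},
    {"host": "web01", "user": "deploy", "salt": _SALT,
     "hash": hash_password("correct horse battery staple", _SALT)},
]


if __name__ == "__main__":
    print("process audit passes:", process_audit(POLICY))
    for host, user, guess in substantive_password_test(SAMPLE_ACCOUNTS, ORG_NAME):
        print(f"{host}:{user} uses an organization-derived password ({guess!r})")
```

In a real engagement the substantive side would read the platform’s actual credential store and hash format, or simply attempt the logins; the point is that the process check passes while the control it certifies has failed on two of three servers.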

On the “plus side”, however:

  1. It focuses on the “process” by which you determine which controls should be in place (yes, I know, this was on the ‘failings’ list). In theory, if you have a process and you follow it, then the result the process intends should be achieved. We have often found an environment to be secure at a point in time – but understood that the entity lacked the ongoing processes necessary to maintain this secure posture over time.
  2. It incorporates a requirement for continual improvement. So in theory – the posture should improve each year.
  3. It’s an international standard, which gives us a common lingua franca for discussing security and a common point of reference across entities. Better still, it gives us independent attestation against a referenceable standard.
  4. Organizations like NIST and ISACA are aligning their guidance with 27001. If OWASP and/or PCI DSS could be aligned with 27001 as well, life would get even simpler.

If you haven’t taken the time to look at 27001, you should. I expect that within the next year you will either be asked whether you have ISO27001 certification or ask someone else whether they do.



About the Author:

John W. Verry, CISA/27001 Lead Auditor/CCSE/CRISC - "Security Sherpa" - Information Security Auditor