An organization (say a client or customer) hires me to start an information security program, with the final goal of certifying it against the ISO27001 standard. How do I start my engagement?
Note: not every step below is a prerequisite for the next one, and some may be done in parallel.
- Deploy initial resource
The very basic requirement is to deploy a resource who understands the ISO27001 standard. When I say understand, I don’t mean “has read the standard”, but has at least some experience in practicing the standard, because even I, who have been practicing this standard for more than 10 years, still find mistakes in my own work every time I go through the standard again. Simply put: the deeper you dive into the sea, the better the quality of the pearl you may bring out of it. Sometimes RFPs say that certifying against ISO27002 is the requirement.
- Understand the standard
One needs to understand here that an organization cannot be certified against ISO27002; it can only be certified/audited against the ISO27001 standard. One may need to know, and also make the customer understand, that ISO27002 is the code of practice, i.e. a collection of best practices from which one has the option to choose while implementing a control picked from ISO27001. Not all the practices mentioned there apply to every organization, and ISO27001 does not restrict you: you may choose all of them, a few of them, or almost none. Depending on the organization’s needs, one may end up implementing a security control in one’s own way without relying on ISO27002, though one must ensure, and be able to prove, that the requirements of the security control picked from ISO27001, and of its security control objective, are thoroughly met.
- Define the scope
ISO27001 certification, if done wholeheartedly, is not as simple as it looks from outside. Certification means that your ‘organization’ (let us use this word until I define scope) has not only started implementing security controls but also has processes to support them, and is on the right path so that continual maturity is obtained throughout the lifecycle of these security controls. All this requires time, money and resources. Because time is also money, and resources such as hardware, software and people all come at a cost, everything drills down to money, or budget. So while defining the scope of certification, one must consider the budgetary constraints one has and whether the given scope is achievable with the resources and time in hand. As the architect of a security program for a client, one must know that when we go in for ISO27001 certification, we are not mandated to cover the entire organization. We can include a set of functions, departments, sites, or the entire organization in the ISO27001 scope, as per our needs and budget. One must understand that ISO27001 is a security management standard whose aim is to protect/secure information, hence an organization is not required to be IT savvy to go in for this certification. Even a florist shop may choose to undergo ISO27001 certification. So the moral of the story is that one must clearly define the scope one wants to put forward for ISO27001 certification. While defining the scope it is also advisable, though not mandated by the standard, to define ‘out of scope’ items as well.
Please wait for my next post…
I will continue this series to give an insight into how one should go about certifying an organization for ISO27001.
Authored by Naveen Gupta