In Part I of this series we covered (a) deploying the initial resource, (b) understanding the standard and (c) defining the scope.
We left off discussing the definition of ‘in scope’ and ‘out of scope’ areas and assets. An explicit out-of-scope statement is generally needed to remove ambiguity from the scope definition: there may be items you do not want in scope, but if the scope statement alone is read, it is left to each reader’s own interpretation whether those items are included or excluded. Ideally, the scope should cover the physical entities, functions, user groups, IT and non-IT assets, applications, middleware assets and, of course, the external parties. Going ahead now…
It is always important to set clear expectations with the customer and to make the customer understand that, if they are heading towards security certification, the security program they follow will be under the customer’s official ownership. You, or any vendor on the security team, are merely a facilitator, implementer or advisor. This expectation needs to be documented well. You need to assure the customer that, although the security team will always stand by, it is the customer who will ultimately face the auditor. All circulars, advisories and authorizations issued under the security program shall go out from the customer’s office. However, you must also understand that ownership is entirely yours if the scope of certification is defined as the work carried out by you as the vendor, though such requirements are scarce. So now you might be realizing why defining the scope is so important: it also translates into ownership of the security program.
However, ownership never means that we, as the service provider facilitating ISO certification, are relieved of our responsibilities. Once we talk about the selection of security controls, we shall touch upon how the ownership of implementing and maintaining security controls remains with the applicable stakeholders, all of whom report to the owner to ensure the customer’s assurance with respect to security.
Understanding compliance with mandatory controls
Let us understand something more about the ISO27001 standard before we actually go in for the working steps. As we know, this standard is generally called Part 2, and the controls given under sections 4 to 10 of it are called mandatory controls. If one is undergoing ISO27001 security certification, each and every statement written under these sections is required to be complied with and is auditable during the certification audit. Why? Because these sections build the base of an organization’s security program; in other words, compliance with these sections assures an auditor that you have a reliable security framework in place to sustain your certification, once attained.
But some organizations will say: though I am implementing ISO27001, I don’t have a requirement to undergo certification now, or maybe I have a deferred plan, so do I still need to comply with these controls? The answer is: if you are destined to go in for certification sooner or later, the earlier you comply with these mandatory controls, the easier you will find the way ahead. Even if you are not going in for certification, I would still suggest adopting them, to the extent possible or perhaps in a somewhat diluted manner, because, as I said earlier, this forms the base of your entire security program, and who in this world doesn’t want a strong foundation!!!
I will try to continue this series to give an insight into how one should go about certifying an organization for ISO27001.
Authored by Naveen Gupta