ISO 17799 and 27001: Setting the Standards for Information Security
While these laws and regulations do a good job of defining the scope of information security and spelling out the role of information security in risk management, they have little to say about what constitutes effective information security or how to achieve it. Fortunately, the International Standards Organization has developed two standards that do precisely that, and by adhering to them financial institutions can go a long way toward satisfying regulatory compliance requirements.
The two standards, ISO 17799 and ISO 27001, together provide a set of best practices and a certification standard for information security. The standards are both derived from a British standard, BS7799, which for many years served as the authority for information security. BS7799 came in two parts; part one, BS7799:1, became ISO 17799, while BS7799:2 became ISO 27001.
ISO 17799 provides best practice recommendations for initiating, implementing, or maintaining information security management systems. Information security is defined within the standard as the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).
The standard contains 12 sections: risk assessment and treatment; security policy; organization of information security; asset management; access control; information security incident management; human resources security; physical and environmental security; communications and operations management; information systems acquisition, development and maintenance; business continuity management; and compliance.
Within each section, information security control objectives are specified and a range of controls are outlined that are generally regarded as best practices. For each control, implementation guidance is provided. Each organization is expected to perform an information security risk assessment prior to implementing controls.
The second standard, ISO 27001, specifies requirements for establishing, implementing, maintaining, and improving an information security management system consistent with the best practices outlined in ISO 17799. Previously, organizations could only be officially certified against the British Standard (or national equivalents) by certification/registration bodies accredited by the relevant national standards organizations. Now the international standard can be used for certification.
ISO 27001 is the first standard in a proposed series of information security standards which will be assigned numbers within the ISO 27000 series. ISO 17799 is expected to be renamed ISO 27002 in 2007. In the works is ISO 27004 - Information Security Management Metrics and Measurement - currently in draft mode.
ISO 27001 is the formal standard against which organizations may seek independent certification of their information security management systems. It contains a total of 133 controls in eleven sections. Controls from ISO 17799 are noted in an appendix to ISO 27001. Organizations adopting ISO 27001 are free to choose whichever specific information security controls are applicable to their particular information security situations.
Certification is entirely voluntary but is increasingly being demanded from suppliers and business partners who are concerned about information security. Certification against ISO 27001 brings a number of benefits. Independent assessment brings rigor and formality to the implementation process, implying improvements to information security and associated risk reduction, and requires management approval, which promotes security awareness.
Perhaps most significantly, by implementing ISO 27001, financial institutions can go a long way toward meeting their compliance requirements and satisfying auditors and regulators. Says Martin Smith, senior consultant at Insight Consulting, "It should provide assurance for an organization, both to itself and its external partners and competitors, that information security is taken seriously."
The management processes implemented for ISO 27001 are based on the Deming cycle of continuous improvement: Plan-Do-Check-Act. Measuring effectiveness is a critical element of improving information security management, and hence realizing business benefit and flexibility in a changing environment.