By Julie Kendall

Last time we discussed in more detail the ISO 27001 standard for ISMS. As we wrap up our four-part series today, we’ll discuss what is needed to implement a successful ISMS framework.

What does it take to implement an effective ISMS framework?

First and foremost an Information Security Management System framework such as ISO 27001 can only be effective if executive level management support is unwavering, consistent and ongoing. Without top management buy in and commitment to support a ISMS framework you cannot expect your ISMS to be fully effective.

A centralized direction for all, clearly defined organizational responsibilities related to information security, and resource commitments in staffing and funding is required to ensure the approach to protecting sensitive information assets will be consistent and predictable. Trying to manage such sensitive assets by only relying on personal initiative is asking for trouble.

Information security should also be an integral part of an organization’s overall risk management process. Just as assessing the impact competitors is important for your company’s potential sales, assessing the impact on revenues if customers believe their sensitive data is not well protected is just as important to an organization’s success. Information security objectives must be related to business objectives and the control choices made by management must be based on a cost/benefit analysis so as to ensure the right resourcing and focus is going to the most vulnerable areas associated with sensitive information.

An information security management system must also enable people to do what they need to in a controlled and predictably safe manner. An ISMS is not effective if its implementation stops people from meeting their business objectives or does not provide management any assurance the activities done by staff are predictably safe.

An effective ISMS must also account for continuous improvement and ongoing evaluation.  Business, like life, is ever changing and what works today may not be good enough for tomorrow. The ISMS framework should allow management a formal and regular means to determine if change in the control environment protecting sensitive information is necessary. This assumes regular control evaluations related to information security must be performed and the results analyzed by management so decisions and resources needed to affect change can be done expeditiously. Changes in business objectives and directions, economies, competition, customer satisfaction all contribute to the need to re-evaluate the ISMS for your organization and adjust as needed. New technologies, changes in trading partner needs, previously unknown vulnerabilities all require an organization to re-assess their risk profile as it relates to information security and business overall.

If your digital information is considered a valuable asset to your organization, you need to implement an Information Security Management System to safeguard those assets. Adoption and implementation of an effective, efficient information security management system framework like the ISO 27001 ISMS framework is cost effective and a ‘dollar worth spending,” before your data is lost or damaged.

For assistance in identifying gaps in your information security efforts and what steps you should consider implementing to become compliant with ISO’s 27001 standards, please contact KAI Partners by email info@kaipartners.com. We can help you address the risks associated with information security risks and train your staff to minimize your IS risks.

 About the Author: Co-owner of KAI Partners, Inc., Julie Kendall is an IT Audit Manager with over 40 years’ experience working in project management, IT risk analysis, IT audit testing, Sarbanes-Oxley IT control testing, SAS 70 vendor reviews, and IT audit/control teaching. Julie’s work has focused on IT audit department development consulting, IT risk analysis, IT infrastructure support and application audits, vendor information security testing, IT control identification, IT SOX and ISO 27001 Information Security control compliance consulting/testing, and IT audit software development consulting/project management. Julie has provided training consultation for CISA exam reviews related to IT auditors and management training on a variety of technology controls based on different information security standards, including COSO, SOX, PCI-DCSS, HIPAA, and ISO27001. Her primary focus in the last 10 years has been with the financial services industries, high technology manufacturing, state governments, and digital content production companies.

By Julie Kendall

Our last post focused on why exactly an ISMS is important to your business. This time, we’re delving into the ISO 27001 standard.

What is the ISO 27001 Information Security Management System?

ISO 27001 is an internationally accepted risk-based information security management standard requiring active participation by business and IT management in assessing their risks and choosing controls best suited to meet their needs in a cost effective manner. Sometimes this standard is referred to as a ‘controls based’ framework. By requiring an ongoing assessment of risks and evaluation of  the adequacy of controls intended to mitigate the exposures those risks pose, the ISO 27001 framework can provide management with a significant degree of assurance their information is well protected.

A simple look up of ISMS standards in Wikipedia will note, “some best-known ISMSs for computer security certification are the Common Criteria (CC) international standard and its predecessors Information Technology Security Evaluation Criteria (ITSEC) and Trusted Computer System Evaluation Criteria (TCSEC). Some nations publish and use their own ISMS standards, e.g. the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) of USA, the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) of USA, the German IT baseline protection, ISMS of Japan, ISMS of Korea, Information Security Check Service (ISCS) of Korea.”

How does ISO 27001 compare to other ISMS standards?

The ISO 27001 framework has been accepted by organizations large and small throughout the world as an ideal systematic approach for the identification, assessment, and management of information security risks. By implementing these standards an organization will be able to successfully address the confidentiality, integrity, and availability goals of their information assets and in so doing, prevent and/or minimize the negative impacts of security incidents on an organization.

Who should consider implementing ISO 27001 ISMS standards?

Financial institutions, third party IT servicers, health services, public or governmental agencies, and digital content production entertainment companies all have reasons to take information security very seriously. Legal and regulatory requirements aimed at protecting personal or sensitive information compel organizations to devote considerable effort in their management of information security risks.  Intellectual property rights of digitally produced content require third parties to protect the content against unauthorized disclosure or premature distribution so as to ensure expected revenue streams are not negatively impacted. The implementation of ISO 27001 framework standards have been a  proven, effective means to achieving those compliance and revenue objectives for many who chose to adopt them.

Stay tuned for the final part of our four-park series, where we’ll talk about what it takes to implement an ISMS.

For assistance in identifying gaps in your information security efforts and what steps you should consider implementing to become compliant with ISO’s 27001 standards, please contact KAI Partners by email info@kaipartners.com. We can help you address the risks associated with information security risks and train your staff to minimize your IS risks.

 About the Author: Co-owner of KAI Partners, Inc., Julie Kendall is an IT Audit Manager with over 40 years’ experience working in project management, IT risk analysis, IT audit testing, Sarbanes-Oxley IT control testing, SAS 70 vendor reviews, and IT audit/control teaching. Julie’s work has focused on IT audit department development consulting, IT risk analysis, IT infrastructure support and application audits, vendor information security testing, IT control identification, IT SOX and ISO 27001 Information Security control compliance consulting/testing, and IT audit software development consulting/project management. Julie has provided training consultation for CISA exam reviews related to IT auditors and management training on a variety of technology controls based on different information security standards, including COSO, SOX, PCI-DCSS, HIPAA, and ISO27001. Her primary focus in the last 10 years has been with the financial services industries, high technology manufacturing, state governments, and digital content production companies.

By Julie Kendall

Last time, we brought you some facts and figures related to information breaches and their associated costs. Now we’ll get into more detail about why an ISMS is important to your business.

Even with the obvious evidence of significant increase in reputational risk organizations experience in their marketplace when an information security breach occurs, many executive teams still find it difficult to allocate sufficient funds and resources to Information Security consistently.

Some executive management teams expect IT to decide “what resources are necessary” to protect their information and to do it within the existing IT operational budget. Managing information security and its associated risks requires the active participation by all major players in a company because the risk profile of the entire organization is impacted. IT alone can’t make that decision independent of the rest of the organization. All business management must take the lead on assessing IS risks and deciding the appropriate controls to implement to manage those risks. After all, it is the business side that actually owns the data. IT will certainly enable the mitigation strategies, but it is business management that must determine the acceptable level of risks to manage, assume, or transfer.

Why is an ISMS important?

The implementation of a risk-based information security management system (ISMS) framework within an organization is absolutely critical because businesses today rely heavily on their digital data to operate. Management must define a set of information security policies and processes to be followed by all members of their staffs, and implement mitigation solutions to manage the identified risks associated with those assets. The lack of a clear guidance from management on how to mitigate the information security exposures they face regularly can result in inefficient and ineffective actions by their employees.  This then can lead to the likelihood for significant loss when unmitigated vulnerabilities are exploited.

Next time we’ll discuss the ISO 27001, an internationally accepted risk-based information security management standard—stay tuned!

For assistance in identifying gaps in your information security efforts and what steps you should consider implementing to become compliant with ISO’s 27001 standards, please contact KAI Partners by email info@kaipartners.com. We can help you address the risks associated with information security risks and train your staff to minimize your IS risks.

 About the Author: Co-owner of KAI Partners, Inc., Julie Kendall is an IT Audit Manager with over 40 years’ experience working in project management, IT risk analysis, IT audit testing, Sarbanes-Oxley IT control testing, SAS 70 vendor reviews, and IT audit/control teaching. Julie’s work has focused on IT audit department development consulting, IT risk analysis, IT infrastructure support and application audits, vendor information security testing, IT control identification, IT SOX and ISO 27001 Information Security control compliance consulting/testing, and IT audit software development consulting/project management. Julie has provided training consultation for CISA exam reviews related to IT auditors and management training on a variety of technology controls based on different information security standards, including COSO, SOX, PCI-DCSS, HIPAA, and ISO27001. Her primary focus in the last 10 years has been with the financial services industries, high technology manufacturing, state governments, and digital content production companies.

By Julie Kendall

This is the first in a four-part series from our Information Security expert about creating an Information Security Management System (ISMS). We hope the information will be of value to you as you look towards creating your own ISMS. Today’s post contains some background and initial information on Information Security. In Parts 2, 3, and 4, we’ll get into more detail about ISO 27001 framework and what it takes to implement a successful ISMS framework.

How important is the confidentiality, integrity, and availability of your information, and/or information entrusted to you by third parties and to your ability to achieve your business goals? If you said ‘very,’ then how sure are you those valuable information assets are well-protected from loss or damage?

Even with all the publicity today related to information security breaches experienced by major corporations (e.g., Target, JP Morgan Chase, Bank of America, TJ Maxx, Home Depot), many still believe if they only implement a network firewall and ensure anti-virus software is installed on all employee workstations their valuable information is protected. We all know that just isn’t enough control over such a valuable asset.

Symantec research noted the top three causes for data breaches during 2013 were:

1. Hackers
2. Data accidentally made public
3. Theft or loss of a computer drive

552 million identities were breached in 2013 as well, marking 493% increase in one year alone.  Corporations spent in excess of $24 billion to correct client information breaches. During their 2013 Website Vulnerability Assessment Service Scan, Symantec found 77% of the public corporate websites scanned had security vulnerabilities that if exploited would result in information loss or damage.

Many companies today could not afford an information breach. In some states within the USA, monetary penalties must be paid to each client impacted by information loss, which contributed to the average cost of those breaches of approximately $188 per record lost for companies in 2013 alone, according to Symantec surveys. Considering the average number of records lost due to a security breach during 2013 was over 1,000,000, the costs for NOT implementing an effective Information Security Management System (ISMS) framework can be significant.

Now that we’ve set the foundation, stay tuned for next time, when we’ll discuss exactly why an ISMS is important to your business.

For assistance in identifying gaps in your information security efforts and what steps you should consider implementing to become compliant with ISO’s 27001 standards, please contact KAI Partners by email at info@kaipartners.com. We can help you address the risks associated with information security risks and train your staff to minimize your IS risks.

About the Author: Co-owner of KAI Partners, Inc., Julie Kendall is an IT Audit Manager with over 40 years’ experience working in project management, IT risk analysis, IT audit testing, Sarbanes-Oxley IT control testing, SAS 70 vendor reviews, and IT audit/control teaching. Julie’s work has focused on IT audit department development consulting, IT risk analysis, IT infrastructure support and application audits, vendor information security testing, IT control identification, IT SOX and ISO 27001 Information Security control compliance consulting/testing, and IT audit software development consulting/project management. Julie has provided training consultation for CISA exam reviews related to IT auditors and management training on a variety of technology controls based on different information security standards, including COSO, SOX, PCI-DCSS, HIPAA, and ISO27001. Her primary focus in the last 10 years has been with the financial services industries, high technology manufacturing, state governments, and digital content production companies.