Nearly every security practitioner is familiar with the ISO27001 standard for information security. A lot of companies base their internal security policies on it and third parties use certification to it as a gold standard.
But what do the statements, recommendations and controls actually mean? Working for very large organisations, I learnt that they meant something very different from what I suppose was intended, and now that I am no longer a practitioner and the 2005 standard has been replaced by the 2013 version, I thought it would be a good time to share some of my internal thoughts.
I’d also like to thank Brian Honan for his help in putting this together. If anyone understands security standards, it’s Brian.
The Cynics Guide to ISO27001:2005
The meaning behind the requirements
A.5 Security Policy
Objective: To state the bleeding obvious.
A.5.1.1 – Information security policy document
To set the reader’s expectations, the standard requires the security policy to be documented. That’s right: you need an actual policy document.
The standard doesn’t define what the policy must be written on, so you could harness your inner Moses and etch it out on stone tablets. Or alternatively record it on a tapestry, which would be far more artistic and you’ve got more chance of someone reading it.
A.5.1.2 – Review of the information security policy
No-one has ever made money by selling something only once. Just ask any network marketer caught up in a pyramid selling scheme. The only way you make any real money is through repeat sales to family members who don’t have the heart to tell you they don’t need any more water filters.
Similarly, for a security policy to remain relevant, you need to ensure it is reviewed frequently, generating enough money to fuel the ever-growing population of security professionals wanting to leech off your company profits.
A.6 Organisation of information security
A.6.1 Internal organisation
Objective: Keep your glass house in order before you collect some stones
A.6.1.1 – Management commitment to information security
Managers have a lot on their plate. In between the meetings, listening to their staff’s personal problems and trying to generate more profit, they must show an unwavering commitment to information security.
Like most great ambitions, there is no way of measuring just how committed a manager is to information security. I’ve always been a bit of a Jack Bauer fan, and of how a bit of quick torture seems to resolve all issues. So next time you’re recruiting a manager, try electrocuting them for a little while. If they give up their mother’s maiden name too quickly, you know they just aren’t cut out for management.
A.6.1.2 – Information security co-ordination