Georgy Belyakov, Information Security and Cloud Solutions Engineer at Linxdatacenter
Ensuring the right level of information security with the ISO 27001 standard: cybersecurity strategy, planning timeframe, and performance assessment.
In accordance with standards
Enterprise-level information security is generally built based on international standards that help develop, implement, and maintain information security management systems across a company of any size and niche.
ISO 27001 is the generally accepted international standard. It’s comprehensive and covers security processes for all kinds of IT systems.
This standard focuses on organization and management of information security and describes basic processes and types of control adopted based on risk assessment. Companies can choose the types of control and technical implementation of information security solutions which suit them depending on their current needs.
The ideology behind the standard is the transition from process to technology. The higher the specific information security risk, the more technical and human resources need to be allocated to mitigate it.
Benefits of certification and where to start
ISO 27001 compliance makes it possible to identify and fix security gaps and vulnerabilities, prevent hazardous incidents, and eliminate unnecessary human resources and financial costs.
Independent certification strengthens a company’s reputation in the eyes of customers, partners and other parties.
Adopting the standard begins with a detailed risk assessment of the information security management system. In the next step, the current state of information security management is compared with the principles and requirements of ISO 27001.
The analysis makes it possible to identify weaknesses in each information system and take security measures that mitigate the threats. All risks, management tools, and mitigation measures should be clearly defined in the security policy.
Additionally, it’s crucial to establish clear efficiency metrics and benchmarks to focus on achieving business goals.
PDCA cycle of ISO implementation
The development of information security solutions always involves certain problems: budget adjustments; changes in exchange rates, software, and hardware prices; and changes in the personnel working on implementing the information security strategy.
Such changes make long-term planning of information security activities more complicated. ISO 27001 is used to ensure tangible results in the planned time frame.
ISO 27001 describes an information security management system without getting too deep into technical details. The standard implements a PDCA cycle (Plan, Do, Check, Act): the stages for planning, action, verification, and response.
Planning is the key, and the success of the project greatly depends on it.
An information security strategy includes numerous one-time and regular tasks. During the planning stage, both types should be properly defined and described. This is critically important for the regular tasks dictated by regulatory compliance and the day-to-day needs of the company.
In the following stages, the information security management system is implemented based on the classification of tasks, the outcomes are checked and monitored, and the effectiveness of the information security measures is evaluated.
The results of the last stage feed into the next pass through the same steps, further updating the information security system and raising its effectiveness to a new level.
Breaking down timeframes
In the field of information security, it’s common to plan within a timeframe of one year, which is impractical, given that new threats emerge more rapidly.
To ensure the flexibility of carrying out planned information security activities in combination with processing the flow of emerging tasks, it is necessary to break down global plans into short-term ones. All one-time and regular events from the annual plan are transferred to the quarterly one, with all the unplanned activities added there.
Minor operational tasks, such as communication with suppliers, receiving invoices, negotiating contracts, and so on, shouldn’t be included in the general plan. Instead, they should be ranked by importance and tracked using a short-term planning tool such as a kanban board.
Such an approach makes it possible to complete the basic information security activities in time and work out the current agenda without re-approving quarterly or annual plans—and it helps to improve the overall quality of the information security solution. Even if there’s not enough time to complete all the scheduled tasks, the most important ones will be completed.
Efficiency assessment
Determining performance indicators isn’t simple when it comes to information security measures. Some common approaches include measuring the percentage of completed information security tasks (so-called "feasibility of risk management plans"), the number of security tools available to the company, the calculation of costs in relation to the economic effect of information security measures, and tracking the number of neutralized incidents.
However, these approaches are not effective enough, because they do not consider incidents that go undetected.
It also happens that an incident missed in the past (such as unauthorized copying of data, or a connection made to view data) caused no considerable damage at the time, but the full extent of the damage has not yet manifested itself.
To compensate for that, the effectiveness of information security policies should be assessed by the ratio of the actual damage from detected incidents to the possible damage in case the information security solution didn’t work.
Continuous improvement
ISO 27001 is a roadmap that helps with continuous development of information security practices. It includes both data protection measures and process improvements in the field of information security.
An integrated approach to information security management and short planning horizons make it possible to implement crucial information security measures in time, instead of stretching the tasks over a year-long timeframe. In the modern world of information security threats, long-term solutions can easily become outdated and obsolete.
© 2023 Linx