Back in 2005, a new series of ISO standards made an appearance on the international stage of certifications (try to suppress the image of large wads of paper assembled in a Broadway kick line). Organizations that were already complying with standards aimed at transparency in corporate governance were invited to step up to a new suite of standards all based on what is required to keep information assets safe.
The standard wasn't really new in 2005. It was first published in 1995 as BS 7799, later adopted by the International Organization for Standardization (ISO) and eventually published as part of the ISO 27000 series. You'll still find copies today with the designation "ISO/IEC 17799".
While ISO 27001 is an up-and-coming standard, it doesn't quite qualify as "popular" -- at least not on the ISO organization's home page, which lists ISO 31000 (risk management), ISO 9000 (quality management) and several other standards under that heading. But the popularity of ISO 27001 depends very much on where you are. While there are only 104 certified organizations in the US, there are 4,061 in Japan, 549 in the UK, 545 in India, 504 in China, and 459 in Taiwan. Go, Japan! The numbers go down from there to a number of countries with a single certification. If you are reading this text well after I posted it, these numbers may well have changed. Check this link for up-to-date figures:
Who goes after ISO 27001 certification?
- Companies that want to show their customers that their information processing infrastructures or their data processing products are developed with keen attention to security. As an example, Google Apps for Business announced its certification in May.
- Organizations that want to minimize their security risks in a systematic, comprehensive way.
Sometimes entire companies will get themselves certified, but often only one portion of a company -- a particular business unit or product line (e.g., Google Apps for Business) -- is certified, especially in large, complex organizations where achieving overall certification would be an incredibly complex and time-consuming effort.
While most people refer to "ISO 27001", the suite of related standards includes 27000 through 27011.
- ISO/IEC 27000:2009 (ISO 27000): ISMS Introduction & Vocabulary
- ISO/IEC 27001:2005 (ISO 27001): ISMS - Requirements (revised BS 7799 Part 2:2005). The specification for an information security management system (an ISMS). This is basically a list of controls.
- ISO/IEC 27002:2005 (ISO 27002): ISMS Code of Practice. Formerly BS 7799-1, this specification provides implementation advice.
- ISO/IEC 27003:2010 (ISO 27003): ISMS Implementation Guidance. Guidance for the implementation of an ISMS.
- ISO/IEC 27004:2009 (ISO 27004): Information Security Metrics and Measurements
- ISO/IEC 27005:2011 (ISO 27005): Information Security Risk Management
- ISO/IEC 27006:2007 (ISO 27006): Requirements for ISMS Certification Bodies. Guidelines for the accreditation of organizations offering ISMS certification.
- ISO/IEC 27007:2011 (ISO 27007): ISMS Auditing
- ISO/IEC 27008:2011 (ISO 27008): Guidelines for Auditors on Information Security Controls
- ISO/IEC 27010:2012 (ISO 27010): Infosec Communications
- ISO/IEC 27011:2008 (ISO 27011): Guidelines for ISM Implementation in Telecommunications
All of the standards place some focus on what ISO is calling an ISMS. What exactly is that? No, I'm not referring to the Institution of Silly & Meaningless Sayings, although that site could prove a very entertaining diversion. Check that ISMS out at www.isms.org.uk. No, the ISMS that the standards refer to, the Information Security Management System, is a mix of policies and procedures along with the tools and records used to manage, monitor, and record anything that is relevant to information security. It usually includes a large amount of automation, but also a lot of manual procedure.
A lot of what comprises information security in organizations which are not ISO 27001 certified is relevant to ISO 27001, but using an ISMS is more comprehensive and better regulated. An ISMS does not include just digital assets, but also paper (e.g., invoices, customer lists, contracts), data centers, buildings, and both on-site and off-site storage -- pretty much anything that represents an information asset. So, with respect to sysadmin work, it's not just closing stale accounts, but the regulated process of reviewing accounts and the records that show the stale accounts were closed.
An ISMS provides the means to systematically assess risks and evaluate the effectiveness of controls (those things you do to mitigate the risks).
If you're at all interested in this certification, one of the first things you need to do is purchase a copy of the standards. No, they're not free. Far from it. You can buy a copy of ISO 27001 and ISO 27002 for "just" $995 or maybe a couple hundred pounds. The ISO 27000 (overview and vocabulary) alone is 50 pounds. In fact, even the textbooks you'll find on Amazon and eBay are a bit on the pricey side with many running between $50 and $100. You can get a pocket guide (roughly 70 pages) for about $30. That's costly if you're a lowly dweeb like me, but maybe not if you're Google. Anyway, it's good to get yourself schooled up if you're even remotely interested in pursuing or promoting this certification. Compared with the other costs you'll end up encountering, the books are very cheap.
So, peruse some books, think about the possible benefits, and come back in a week. I'll tell you about the certification process and offer some thoughts on things to watch out for.