February 24, 2010, 3:34 PM — Whether or not you have had any direct experience working with international standards, ISO 27001 (ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements) might be coming your way. An increasingly popular and comprehensive standard for managing information security, it touches on nearly everything that sysadmins do and addresses information security across the whole organization, not just the IT department.
ISO 27001 looks intently at the totality of an organization's information assets and then steps through a risk assessment that gauges the risks to those assets. Participants in the process estimate the likelihood of an attack or failure, the impact that such an attack or failure would have on the organization, and the effectiveness of the controls already in place to protect the assets. The standard requires that this method be documented and repeatable and that risk acceptance criteria be defined up front, but it does not prescribe a particular scoring formula. The outcome is a decision for each risk: which risks must be treated, which are insignificant, and which management is willing to accept and sign off on (often because the cost of mitigation exceeds the loss it would prevent).
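The shape of that decision is easier to see on a small register. The following is an added example, not code from the original post and not a method ISO 27001 prescribes: the 1-5 likelihood and impact scales, the multiplicative treatment of control effectiveness, the appetite and negligibility thresholds, and the sample assets are all assumptions chosen for illustration. What it does show is the part that is easy to get wrong in practice, namely that a risk above appetite is not automatically "treat" when mitigation costs more than the expected loss, and that such a risk must be recorded as an explicit management acceptance rather than quietly dropped.

```python
"""Illustrative ISO 27001-style risk assessment over a small asset register.

Added example. ISO/IEC 27001:2005 requires a documented, repeatable risk
assessment methodology with defined acceptance criteria; it does not mandate
a scoring formula. Scales, thresholds and sample assets below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

RISK_APPETITE = 6   # residual scores at or below this are acceptable as-is (assumed threshold)
NEGLIGIBLE = 2      # residual scores at or below this need no further attention (assumed threshold)


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (minor) .. 5 (severe)
    control_effectiveness: float   # 0.0 (no control) .. 1.0 (fully mitigating)
    expected_loss: float           # annualised loss if the risk materialises
    mitigation_cost: float         # cost of bringing controls to full effectiveness

    def __post_init__(self) -> None:
        # Reject out-of-scale inputs rather than silently producing a score.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.asset}: likelihood and impact must be on the 1-5 scale")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.asset}: control effectiveness must be between 0.0 and 1.0")

    def inherent_score(self) -> int:
        """Risk before any controls are considered."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Risk remaining after existing controls (assumed multiplicative reduction)."""
        return round(self.inherent_score() * (1.0 - self.control_effectiveness), 1)

    def treatment(self) -> str:
        residual = self.residual_score()
        if residual <= NEGLIGIBLE:
            return "insignificant"
        if residual <= RISK_APPETITE:
            return "accept"
        # Above appetite: treat unless the fix costs more than the loss it avoids.
        # In that case the risk is still accepted, but only with explicit sign-off.
        if self.mitigation_cost > self.expected_loss:
            return "accept (management sign-off)"
        return "treat"


def sample_register() -> List[Risk]:
    """Constructed sample data, not taken from any real organization."""
    return [
        Risk("customer database", "unauthorised disclosure", 4, 5, 0.5, 200_000, 30_000),
        Risk("source code repository", "loss of availability", 3, 4, 0.75, 40_000, 15_000),
        Risk("marketing brochures", "website defacement", 2, 1, 0.0, 1_000, 2_000),
        Risk("legacy fax server", "eavesdropping", 3, 3, 0.0, 5_000, 50_000),
    ]


def assess(register: List[Risk]) -> Dict[str, str]:
    """Map each asset to its treatment decision, which is the output an auditor looks for."""
    return {risk.asset: risk.treatment() for risk in register}


def needs_signoff(register: List[Risk]) -> List[str]:
    """Assets whose risk exceeds appetite but is accepted on cost grounds."""
    return [r.asset for r in register if r.treatment() == "accept (management sign-off)"]


if __name__ == "__main__":
    for risk in sorted(sample_register(), key=lambda r: r.residual_score(), reverse=True):
        print(f"{risk.asset:24} inherent={risk.inherent_score():2} "
              f"residual={risk.residual_score():4} -> {risk.treatment()}")
```

Whatever scales you adopt, the point that survives any formula is the last branch: a risk you decide not to fix must appear in the register as an accepted risk with a named approver, because "we never got round to it" is exactly the gap an auditor will find.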
ISO 27001 is essentially a compendium of control objectives with respect to information security. It doesn't tell you exactly how to implement security in your organization, but it tells you what goals you need to achieve (or justify excluding) to run a defensible information security management system. For example, one control reads "Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization." This kind of requirement will make sense to almost anyone, but it will likely get you asking whether your organization routinely classifies its information along these lines, and whether anyone could point to where that classification is written down.
If you want to get a quick feel for the content of ISO 27001, you might want to jump to Annex A and page through its list of control objectives and controls. Of course, to do this, you need to have a copy of the standard, and this one is likely going to require you to pull out your credit card. In fact, anything you do with respect to ISO 27001 is likely to cost more than you expected it to. From books on ISO 27001 to the standards themselves, the price is relatively high and you're probably not going to find many on eBay. Even so, as a set of standards that customers and partners increasingly ask about, the ISO 2700x specifications are worth a look. Whether you hire a consultant to help you through the process or decide to move in this direction on your own, the more you focus on ISO 27001, the more you will focus on where your own security posture might be lacking.
If you're not into reading standards from top to bottom -- or don't want to buy a copy of the standard right away -- you can get a good feel for what is included in it by looking over the SANS checklist at http://www.sans.org/score/checklists/ISO_17799_checklist.pdf. This checklist can also serve as something of a script for ISO 27001 interviews (i.e., when you talk to staff in your organization about their security posture), but you should preview the questions ahead of time and determine which really apply to each person you are going to be talking to. For example, a lot of the questions ask about documented procedures. If you have policies and practices that guard against risks to your systems, source code, contracts, customer lists and such, you may want to give some thought to committing them to writing and storing them on a shared, access-controlled file server. If you eventually go for ISO 27001 certification, auditors will be much more impressed if you can point at the policies and practices you actually follow. Bear in mind that no file format is tamper-proof, PDF included; what satisfies an auditor is document control: each policy carries an owner, a version, an approval date and a review history, and changes to it are tracked (a version-controlled repository or a signed, hashed manifest does this far better than the choice of file type).
Once you get into the spirit of ISO 27001, you're ready to look at its companion standard -- ISO 27002, originally published as ISO/IEC 17799:2005. This standard provides implementation guidance on the various ways you might go about achieving the control objectives specified in ISO 27001. For example, with respect to the classification issue mentioned above, ISO 27002 suggests that "It should be the responsibility of the asset owner (see 7.1.2) to define the classification of an asset, periodically review it, and ensure it is kept up to date and at the appropriate level."
While the image of yet another standard moving in to regulate how you do your work might be as welcome as an audit by the IRS, there is much about ISO 27001 that you are likely to welcome into your organization. The secure practices and the consistency demanded across the organization are likely to make everyone pay more attention when you identify weaknesses in the way your organization processes, stores and transmits information. You may no longer have company dilettantes moaning that certain policies shouldn't apply to them because they're inconvenient. Instead, the systematic application of agreed controls gives you a documented basis for refusing exceptions that are merely convenient. Yes, you might have to write more documents describing how you manage your systems, configure user accounts, disable accounts when employees leave the organization or change roles, and so on. On the other hand, you will have a much easier time convincing others to follow the rules that you and your information security staff lay down for proper system and account usage.
The business benefits from ISO 27001 certification are considerable. Not only do these standards help ensure that your security risks are cost-effectively managed, but your adherence to the standards transmits an important message to your customers and business partners. ISO 27001 plays a very important role in monitoring, review, maintenance and improvement of your information security management system and will likely give other organizations and customers greater confidence in all the ways they interact with you.