A standard choice

Through a perplexing alphabet soup of choices in security standards, most Middle East enterprises are selecting and working with the ISO/IEC 27000 series of benchmarks, especially the 27001 standard.

By  Sathya Ashok Published  April 1, 2008

However, as Kotze points out, an increasing number of enterprises, especially those which work with businesses outside the region, are getting themselves certified and this will drive standards certification among other regional firms.

Getting certified

Getting ISO 27001 certified can be either easy or difficult, depending on how the enterprise in question handles it. Companies have to implement and follow the requirements specified by the standard and then call in a third-party auditing firm to carry out the assessment; if they pass it, they are certified.

Carrying out the rigorous demands for certification can be easier said than done. In fact, the task can seem so daunting that many enterprises are put off from even starting the process.

"One of the most common mistakes that companies make when they try to get certified is they believe that such standards are too difficult when they are not. They also think that they can cut corners when implementing ISO/IEC 27001 by leaving out some of the requirements," says Humphrey.

"Many also believe that such standards can be an expensive undertaking. But the truth is that it can turn out to be inexpensive for the firm if they do it right. A lot of enterprises also make the huge mistake of ignoring some of the critical aspects of ISO/IEC 27001 such as the risk assessment process or the need to take regular measurements to check the effectiveness of security," explains Humphrey.

According to Kotze, who has specific experience with Middle East enterprises, corporates in the region tend to ignore the obvious sometimes.

"While information security is high on the agenda of most enterprises, they do not pay enough attention to physical security. They make a lot of mistakes, especially with the kind of documents that get carried around and thrown away. Just by digging in dustbins there have been situations where we have got a lot of information, including credit card details, personnel information, even cheque books. A lot of enterprises concentrate only on firewalls and hackers. They are negligent towards physical security, which can turn out to be a problem," says Kotze.

Kotze also stresses the importance of educating end-users within an enterprise.

"Companies which want to get certified should do training needs analysis quite early in the programme. There should be different levels of security knowledge within the organisation. They have to decide what level of knowledge and detail of subject is required for different roles in the organisation. They need a quality system, levels of knowledge, awareness, different levels of expertise, competence and skills. Without these in place it is difficult to get certified," says Kotze.

All of this starts with a proper risk assessment: identifying problem areas, assessing the level of risk and applying systems to deal with it.

"Risk assessment is the point of starting. Companies have to implement measures and procedures based on the risk assessment. Otherwise, it would not be effective," adds Kotze.

Obtaining the certification is only half a victory as enterprises have to continue the standard's practices and manage it in order to retain the certification or get re-certified.

"After the initial assessment, we go back four months later. We visit the company to make sure that everything is as it should be as per the certification. We then visit them every six months after that. The certificate itself lasts for three years," explains Kotze.

During this period, if companies are found to be lacking, they are warned and the certification may be suspended. If the non-conformance continues, the certification can be cancelled.

Walk the talk

The truth though is that most enterprises which have invested in getting certified on the standard do not turn their backs on it and only in rare cases do they lose their certification entirely.

The ISO 27001 standard is a global acknowledgment of the company's seriousness in business practices and in ensuring the highest standards within the organisation. This is of special importance for enterprises that trade with other businesses as well as service providers who offer hosting and telecom services in the region.

Whatever the troubles involved, it seems likely that growing numbers of regional enterprises will move towards the ISO 27001 standard and, in the process, increase awareness of security best practices.

Some other standards in the ISO 27000 series

ISO 27002 - the renamed ISO 17799 standard, a code of practice for IT security which provides controls that can be implemented based on the guidance provided by ISO 27001.

ISO 27003 - a proposed document intended to provide guidance on implementing an information security management system (ISMS).

ISO 27004 - an emerging standard on security management, measurement and metrics.

ISO 27005 - an emerging standard on security risk assessment.

ISO 27006 - this standard offers guidelines for the accreditation of organisations which offer certification and registration for ISMS.

Some benchmarks closely linked to the ISO 27000 series

ISO 17021 - this standard contains principles and requirements for the competence, consistency and impartiality of the audit and certification of management systems of all types. It is particularly related to ISO 27006.

BS7799-3 - this is BSI's standard for Information Security Risk Management. It relates most closely to ISO 27005, which will cover similar ground when it is published.

ISO 24760 - this has not yet been published, but this standard will largely involve providing a framework for identity management - a topic that is semi-related to ISO 27002.

ISO 13335 - this multi-part standard presents management of information and communications technology security, and is related to the future ISO 27005 standard.

BS25999 - this is the BSI standard for Business Continuity Management, and includes two parts, a code of practice and a specification. It relates to a number of ISO 27000 standards, but most notably, ISO 27002.
