Less Pain, More Gain - A Better Way to Work Toward Improved Information Security Risk Management and ISO 27001 Compliance
By Jason Eubanks
How have the recent privacy and security violations crowding the daily newsfeeds changed your company's behavior? There's a silver lining to all the doomsday headlines - they should compel stakeholders in your company to pay more attention and provide more buy-in for proactive safeguarding activities against these risks. How are you going to leverage this opportunity? You need a fresh approach, management support, a solid plan, and comprehensive technology to support all the moving parts involved in setting up an integrated security and risk management program.
As an experienced governance, risk management, and compliance (GRC) consultant and former auditor, I've assessed and supported many companies through the challenges inherent to building a mature, enterprise-wide information security risk management program that aligns with global standards and boosts competitive advantage. One way many organizations are approaching this is through ISO 27001, an international standard for establishing, operating, maintaining and continually improving an Information Security Management System (ISMS). This standard pushes organizations to move past checking boxes for adherence to controls by promoting a top-down, risk-based approach to developing processes, policies, and controls that specifically address the organization's information security risks. Organizations are certified against a set of process-level clauses (requirements) and the controls used to support those processes; auditors certify against these requirements.
Why try to certify?
I've seen a growing number of companies working toward ISO 27001 certification (or toward compliance without undergoing the certification process). Implementing this standard is a highly effective way to build an integrated risk management program by establishing an ISMS. An ISMS comprises the people, processes and IT systems used to apply a risk management program for managing an organization's most sensitive and valuable data. Approaching ISMS development in alignment with ISO standards will help your organization protect its critical data and IT assets, build resilience against threats and incidents, and be prepared for challenges and opportunities as they arise.
Even though it is voluntary, ISO 27001 certification is a valuable undertaking for many reasons. ISO 27001 is highly recognized and respected worldwide, encourages continual improvement and serves as a solid foundation for other IT risk and compliance standards and frameworks. If you can meet the ISO 27001 standard, you are well positioned to comply with most other information security regulations, as well as client information security requirements.
Today, organizations doing business globally are increasingly encouraged to achieve certification to stay competitive and win new business. As US companies expand operations internationally, they are often required to comply with additional privacy and security regulations and provide additional assurances to partners and customers. In addition to being an important indicator of information security maturity, a certified ISMS operates as a marketing tool and a seal of approval, providing an advantage over competitors. For evidence of this trend, do a quick search on ISO 27001 certification; note that the results are packed with company press releases announcing certification and re-certification.
A high bar to clear
Many companies struggle to achieve certification. The ISO 27001 standard sets a high bar - it is not a one-and-done, checkbox list of requirements. It is a living, continually operated program that includes understanding interested party requirements, securing management commitment, cataloging risks, assessing the severity of risks, planning how to remediate risks, and producing documentation to substantiate the risk management activities. The standard also requires that organizations apply a mindset of continual improvement, where management pushes past program mediocrity and strives to improve the overall health of the ISMS.
Traditionally, ISO 27001-related tasks have been performed manually; documents are stored in network file folders or process owner local drives and tasks are managed through spreadsheets, documents and email. It is nearly impossible for global, digital businesses to keep up using a manual approach, given the complexity of information security programs, the expanding reliance on supply chains and outsourcing, and the criticality of data and IT systems.
The pain points become acute when it is time for auditors to assess a company's operations. Scrambling to pull together the proper documentation is a time-consuming hunt that distracts staff from core functions and operational improvement work. An inability to efficiently prove compliance, of course, increases the likelihood of failing an audit. This dynamic is disastrous enough for mandatory regulations like HIPAA and SOX. When it comes to voluntary standards like ISO 27001, failed audits, runarounds, and tedious tasks kill stakeholder enthusiasm and make it impossible to gain traction.
How can you bring focus and efficiency to your ISMS efforts, so you can build momentum toward certification? The key is to streamline, centralize, and automate. As a first step, consider how you currently document and manage ISMS processes. If they are handled through manual, ad hoc processes, then departmental segmentation, duplicated effort, lack of visibility and accountability, and wasted resources are sure to follow.
Integrated systems deliver lasting benefits
This is why a governance, risk management and compliance (GRC) technology platform is so critical to successful ISMS initiatives and efficient compliance programs. These enterprise software suites comprise interoperable tools that all types of organizations deploy to help manage risk, demonstrate regulatory compliance, automate business processes, and prepare for audits.
Streamlined documentation and automated tracking are key features of these tools. When a task (e.g., inventory, assessment, remediation workflow, exception approval, policy review) is performed within the tool, the tool automatically retains the required evidence, allowing GRC teams to gain significant efficiencies. In contrast, if you're performing or documenting that task in Excel, it's nearly impossible to show when, or by whom, that task was completed.
GRC platforms do far more than establish evidence repositories. They support the work of integrating processes, policies, and controls across departments and business units, which is essential to extending comprehensive risk management throughout the value chain. Digitally linking the processes you run to the risks you identify, the policies you create, and the control procedures you administer weaves a tighter web of protection and oversight. I see the "shall" requirement statements - the standards set by ISO 27001 and other security and risk management frameworks - as objectives. The processes, procedures, and controls you put in place and maintain with the help of a GRC platform determine whether you will achieve those objectives, and how expeditiously you'll get there.
GRC platforms, when combined with sufficient staff and expertise and supported from the top down, are instrumental in many ways. Whether your organization is building an ISMS from the ground up, seeking a better method for managing and integrating security and risk activities, or trying to streamline the audit process after certification, manual processes will no longer suffice. Your team can leverage a GRC platform's capabilities to manage regulatory requirements, policies and procedures, risk assessments, third parties, incidents, asset repositories, vulnerabilities, audits, and business continuity. When deployed across the organization, GRC technology systems facilitate collaboration, and increase visibility and accountability. A team attuned to the importance of working together to develop a world-class ISMS can reach compliance and certification more expediently with these capabilities at its disposal.
These benefits are valuable to every organization. Many companies follow the ISO 27001 standard without attempting certification, but achieving certification is the only way to provide independent assurance that your information security and risk management processes comply with the standard. The public, legislators, and industry organizations are increasingly aware of, and reactive to, negative news about corporate data breaches and individual data privacy issues. Organizations that have built a mature ISMS matching the standard of excellence set by ISO will be well positioned to sustain competitive advantage and protect their assets and reputation in the face of a myriad of challenges.