I've been asked to figure out how to get our company to comply with an "Industry Recognized [Security] Framework" where '“Industry Recognized Framework” means a global industry recognized information security management system (“ISMS”), such as ISMS standard ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements, as published by the International Organization for Standardization and the International Electrotechnical Commission (“ISO 27001”) and the Control Objectives for Information and related Technology best practices framework established by the Information Systems and Control Association and the IT Governance Institute (“COBIT”).'

I'm unsure where to turn with this. Is this something others would recommend I engage a larger security firm to help with? Or are there particular qualifications I should look for in a consultant or contractor to help?

I'm out of my league with this, so any advice would be appreciated. Thanks.

user16247
    Part of the answer deals with 'why'. Do you have a regulatory requirement for such an alignment? Did a manager hear about a framework and wants to see it implemented? Do you need to prove to partners or customers that you adhere to a framework? Does your organization want the benefits of employing a framework? – schroeder Feb 25 '14 at 21:42
  • Clients are requesting this of us. – user16247 Feb 25 '14 at 22:05

2 Answers

Because this is a client requirement and not an internal motivation to naturally "grow into" a security program, this is not a trivial task because you have time constraints (one would assume).

Assuming, then, that you need 3rd party verification of your alignment to a framework, you are going to need to find a qualified, certified person in the framework you hope to align with. ISO 27001 has certified consultancies that help organizations do exactly this. COBIT also has a certification that individuals can get to prove that they know how to audit an organization against COBIT.

Seek a firm that will help you through it and ask for their certifications and experience.

schroeder


I'll pitch in here regarding ISO/IEC 27001 as I know something about it. I'm familiar with COBIT also but generally ignore it in my line of work, so I won't say much about it here and will leave that to someone who knows a lot more about it:

ISO/IEC 27001 can be a major commitment, but it depends on many factors. It basically requires top management support for an information security management system (ISMS) throughout the organization, so it can be a major undertaking if you are a large organization or geographically dispersed, for example. It's all about a management framework and processes, and how you go about implementing it will depend on what exactly you are trying to achieve. In a nutshell it's a business risk management standard focused on the preservation of the confidentiality, integrity, and availability of business information.

If there is no-one in the company currently who understands this standard or 'management systems' in general, then I would highly suggest getting in some help, or at the very least going on a training course.

Probably the best training courses that I am aware of are the ones offered by BSI. They offer various courses, but I would suggest that you first attend a 1 day "Introduction" and follow up with the "Implementation" or "Lead Implementer" courses. The implementer courses will take you through the major steps of a typical project.

There are also the PECB certifications, but in my opinion these courses are mostly slide shows (theory - snore) with a little bit of interaction, whereas the BSI courses are very interactive and practical. Full disclosure -- I have delivered training for both PECB and BSI.

If you are hiring in a consultant, then look for these qualifications along with the ISO/IEC 27001 Lead Auditor qualification. Also look at the consultant's CV. This is not an IT or technical standard, and consultants who only look at things from this perspective often don't 'get it'. Look for some broad experience in other areas of security, like physical security, and experience in general with 'management systems', 'risk management' and business-related disciplines.

Things to bear in mind: 27001 is not a technical standard, and it is normally a bad thing if you try to do it in an IT environment alone (ISO/IEC 20000-1 would be appropriate if that is the intention). Registration/certification itself is for the organization and will incur ongoing audit costs (audits are conducted by external 3rd party audit bodies).

Note also that the 2005 version of the standard is now obsolete and the new version is 2013. This is the version that you would need to implement and certify against (if certification/registration is required).

My first suggestion, and the cheapest, is that you buy the standard from ISO.org, download it, and read it. You want to have a look at clauses 4 through 10, which provide all the requirements that you must meet.

COBIT and ISO/IEC 27001 will live together in perfect harmony. There is no contradiction, and you will benefit in many ways by implementing both - if done properly. ISO/IEC 27001 will give you a big umbrella; COBIT will give you some IT-related specifics that will fall under that umbrella.

Good luck!

Lee