Certification and ISO 27001.
Good security governance and ISO 27001.
By now, you may have gotten the idea that I don't like the current security standards very much. That's simply because in almost all my case studies in organizations I have found that these standards are being abused. And in those organizations that were serious about compliance with the standards, security inevitably suffered as compliance became more important than security itself. So, what should you do if compliance and certification are important for your organization? We already argued on our compliance page that compliance should be separated from the actual development of your strategic security context. Here, we will briefly discuss how to fit our approach to security governance into the particular security management approach required by ISO 27001.
Developing an Information Security Management System
ISO 27001 was published in October 2005 and basically augments the previous security standard, ISO 17799 (which became ISO 27002), with an Information Security Management System approach. An Information Security Management System (ISMS) is simply a management system based on a policy life-cycle model, a fact that is unfortunately not made explicit in the standard itself. So, to better understand how to use the ISO 27001 standard, we advise you to have a look at the literature on policy life cycles.
Policy life-cycle models have been developed to help you maintain your security policy, and therefore assume you have a centralized, waterfall-type approach to information security. Fortunately, however, the standard is very flexible about what the security policy should actually contain, and it is possible to adapt this life-cycle approach to maintain a purely strategic security policy that contains mostly those "controls" needed to support a distributed security governance approach. Some of these controls, for instance those needed in personnel security to ensure ownership by security staff, have already been mentioned on our previous pages. Other controls, related to your strategic security context, still need to be discussed. We do advise you, however, to wait until your security governance is reasonably mature before you start developing this strategic security policy.
We have two other problems with the current security standards that we would like to address here. The first is the emphasis on the Plan, Do, Check, Act (PDCA) decision-making model. As discussed on the Decision Making page in our Security Management section, we prefer an alternative decision-making model that emphasizes observation and situation awareness. However, if necessary, you can use PDCA to plan a decision-making process based on situation awareness by identifying the right security objectives and strategies. To achieve this, you need to improve the balance between prevention and detection: something we would advise you to do anyway! And, of course, you now also have to plan which feedback loops are needed to inform your decision makers about what you have learned about your organization's security. It is not that difficult; it is just that using PDCA to support this approach is a bit less straightforward.
Our second problem is the lack of support for strategizing and innovation in these standards. Although it is nice to have an extensive list of previously identified controls, we really need a process that stimulates innovation. We are currently promoting the use of a security requirements engineering approach to organizational security to increase innovation. More on this later (on a future page). We are also currently going through the controls listed in ISO 27001 and ISO 27002 to identify those that we believe should receive priority and those that, in our view, should be replaced.