Over the last few weeks I’ve been working on a project for a client to roll out their ISO 27001 documentation and procedures. What’s that, you ask? Just as we have the international standards ISO 9001 for Quality Management, ISO 14001 for Environmental Management and so on, ISO 27001 is their equivalent for Information Security Management. Because that’s too much to type, and it’s early in the morning as I write, I think it’s safe to shorten that to InfoSec.

I spent a long time working on the other management system standards and felt that it would be nice and easy to implement a similar system for InfoSec. How wrong I was! ISO 27001 is possibly amongst the larger standards, and because it’s relatively immature (sure, some people will complain that it has a long heritage) it isn’t quite written to make sense yet. I am sure future revisions will help, but right now it is some serious brain work…

That said, I like challenges and it has been an interesting project to work on. It’s interesting from an IT company perspective because, for a change, we’re not solely focussing on the technology; we’re actually focussing on the information, whether that be in paper or electronic format. It also gives us some clear requirements for how we should be setting up clients’ systems in an InfoSec-conscious environment.

Our client was quite well prepared for this situation, in that most of their technology was already built with what we consider a common-sense approach to InfoSec. Their systems were largely compliant (phew, we built them!) and much of the management system work just involved writing up what I consider to be good-practice IT management. Of course, the flip side of this is the difficulty with actual physical security in the real world of doors, locks, filing cabinets, people and paper. This is where I suspect that many companies, depending on the areas where they are based, will all have different takes on who comes through the front door.

I have been to many businesses in less than salubrious areas of the country, with many locks, door entry systems and visitor pass systems before you’re even let through into the rest of the company. However, the nicer, friendlier areas of the country (Cumbria, obviously), not being like inner-city areas, just don’t need these controls – they’re not appropriate to the risk. The main challenge for business managers is deciding which controls you do implement. Many consultants will come to you and say they’ll deliver you an InfoSec system, and you’ll be told you’ll need to make lots of changes. In reality these need to be commensurate with the risk – if your office has confidential documentation in it, then you should lock that office, maybe not the entire building. If you can’t be trusted to lock your office all of the time, then yes, you need controls on the building. I find these questions far more challenging than how we protect the data – in the IT world, it’s a few clicks and you’re done.

So what you should really take away from this post is simple: you’re going to have to understand the requirements of the standard yourselves to stop it going too far in your business. If it goes too far, you’re just not going to do it, and you’ll fail your external audits. You need a really good risk assessment that is appropriate for the information your business keeps, and you need to keep in mind that this is not an IT or technology thing, this is an information thing. Regardless of whether you process information on Mac, PC, abacus or paper, it is the information whose security you’re guarding, not the systems processing it.

In my next blog article I will be writing again on this topic, about a neat solution for monitoring your information and giving you greater compliance for your technical systems.