Welcome to the inaugural Risky Business blog! The goal here is to provide education about the ISO 27001 standard and useful advice on how this framework can be used to solve many of your compliance and information security problems.

I have been using ISO 27001 for over a decade as the foundation for the information security programs that I have developed and directed, both for myself and for my clients, and have seen the efficacy of the standard firsthand. ISO 27001 is unique in that it gives a clear framework that is risk-based and business-focused, and it allows its users to build an information security program that meets their specific information security needs. It is not a one-size-fits-all approach; rather, it tailors itself to your organization’s security needs based on your particular risk.

ISO 27001 is the successor to ISO 17799 (and to BS 7799 before that) and is part of the ISO 27000 series of information security standards. BS 7799 was published in 1995 by the government of the United Kingdom, so the core content behind this standard has been around for over 20 years. It was labelled a “Code of practice for information security management.” In short, it tells you how to design and operate your information security management system (ISMS), that is, your information security program.

Since you are reading an information security blog, you may be somewhat familiar with other commonly used information security standards such as PCI DSS or HIPAA. ISO 27001 takes a very different approach to information security than standards such as these. Whereas PCI DSS, for example, tells you specifically which controls you have to use (the prescriptive approach), ISO 27001 lets you decide which controls best suit your particular information security needs (the risk-based approach). It is a very different way of looking at things and requires a different mindset from those of you who are used to simply going “down the list” of controls, requirements, and so on. The real magic of ISO 27001 is that, in following it, you essentially create an information security standard that is customized for your organization. It is like making a tailor-fitted version of PCI DSS just for you. This tailored version not only addresses your particular information security needs and environment, but also keeps you from wasting effort and resources on controls of little or no value to your organization. Again, it is tailor-made for you.

ISO 27001 really is somewhat magic! I have consulted for hundreds of clients over the last few decades, and have noticed that those that use ISO 27001 as the basis of their information security programs are always head and shoulders above those that don’t. Not only are their programs more mature and effective, but they also spend their budget far more effectively, since ISO 27001 targets their real and actual risks instead of some theoretical risk on a piece of paper. We want you to be able to enjoy the same advantages that those organizations enjoy.

In upcoming posts, we will break the standard down into bite-sized pieces that are easy to understand and put into practice. In the meantime, we would love to hear from you. What experiences have you had with ISO 27001? What questions or concerns do you have about the standard? Email me at b.penn@3.95.165.71. Contact us to learn more; we look forward to hearing from you!

As the world continues to be pressured by information security challenges, major compliance frameworks have been updated over the last 12 months or are currently being updated. In today’s climate, incidents and breaches are occurring more frequently and at a much larger scale. With this in mind, many entities have recognized these threats and are beginning to closely analyze the gaps in the current frameworks (HIPAA, ISO 27001:2013, FISMA/NIST 800-53, PCI DSS v3.0). Our number one business goal is to protect critical assets, so it is important to understand all of these changes and the impact they have on your organization. The most notable updates have been to the HIPAA, ISO 27001, FISMA, and PCI DSS frameworks.

Why should these updates matter to you? Let’s face it – it’s the new reality. Almost every industry is having the “compliance discussion”. Security threats are no longer just for big companies, and fines and loss of business can be an unfortunate consequence of not being compliant.

HIPAA

Let’s begin with the healthcare industry. The HIPAA law strives to address the protection of patient information. We want to keep information private; that is what we are most after. The Security Rule enables privacy by establishing the approach for how to protect information so that privacy can be achieved. Last September, the Omnibus Rule became effective, strengthening the Business Associate requirement. All covered entities are now required to ensure that their Business Associates are HIPAA compliant, and these BAs can now be held directly responsible by the Department of Health and Human Services for their compliance. Where do you begin in assessing your vendors? Conduct a risk assessment of all vendors, determine which present the most risk, and monitor them accordingly.

ISO 27001

ISO 27001 can be considered the grandfather of all information security frameworks. Most new publications reference ISO 27001 as a starting point, as this framework is internationally recognized and applicable. The ISO 27001:2013 update provides specific requirements for establishing, implementing, maintaining, and continually improving an information security management system. Your information security management process must be a system that is continually operating and improving based on changing risks. The core change is not revolution but evolution. The standard has been reorganized and further harmonized, and an increased focus on risk assessment is a key change to the standard. Requirements for management commitment and preventive action have also been revised, with a greater emphasis on setting objectives, monitoring performance, and metrics.

FISMA

The FISMA Act is a set of guidelines for selecting and specifying security controls for information systems that process, store, or transmit Federal information. The Act refers to the Special Publications that NIST publishes as important updates that should be consulted. NIST 800-53 in particular is referenced as the guide for how to select controls and what you need to implement for your systems. NIST 800-53 relies on the key element of risk assessment to determine which controls apply, to what degree they should be applied, and which areas specifically should be considered. Learn more about the FISMA audit process.

PCI DSS

The payment card industry is probably what we have been hearing the most about. With all of the current breaches targeting retailers and service providers, the Council has sought to address the causes of these breaches and strengthen the industry. The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. PCI DSS v3.0 is an update to the security standard and is available for implementation this year. Compliance with v2.0 remains an option only through January 2015. There were three major updates to the PCI DSS. There is a new Penetration Testing requirement, which states that an implemented penetration testing plan should be in place to verify that controls are operational and effective. Service Provider responsibilities have also been updated: since security is a shared responsibility, service providers are now required to provide written acknowledgement for each DSS requirement for which they are responsible. The last major change in PCI DSS v3.0 concerns password requirements and enhanced awareness to ensure password security. Learn more about PCI DSS compliance audits.

It is important to ask yourself: which of these frameworks apply to me? Which apply to my vendors? Performing a Risk Assessment can help you determine what is important to you and your organization, allowing you to assess from there. Security is no longer passive. Technology is evolving quickly, along with the techniques used by hackers. As the compliance frameworks continue to update, it is important to understand that security must now be active and always evolving.