Information security or IS is a topic of continuing interest. For instance, “Lax security left employees’ data vulnerable,” reports Atlanta Journal Constitution. “Universities and their students can be identity theft hacker’s ‘Dream’,” cautions Reuters. And guardian.co.uk talks about ‘Huge rise in cash-machine crime.’
Standards such as ISO 27001:2005 guide organisations in information security. As a trainer in information security standards, Govind Srinivasan, CEO, Paramount Dataware Pvt. Ltd., Chennai (www.paramountworld.com), recently interacted with Business Line to explain the related issues.
Excerpts from the interview.
How has the IS standard evolved over time?
‘Information security’, as a code of practice, was published with the tag ‘BS 7799’ in the year 1995 by the British Standards Institution (BSI). It published BS 7799:1999 later, after extensive public consultation. This became an ISO Standard in the year 2000, under the name ‘ISO 17799:2000’ (Code of practice). This Code of practice is now in the form of ‘ISO 27002:2007’.
A Code of practice is not used for certification purposes, but serves as guidance. Part 2 of BS 7799 represented the evolution of the ISMS (information security management system) certification standard. Initially published as BS 7799-2:1998 and after undergoing revisions in the years 1999 and 2002, the ISMS standard got into the ISO family of standards and was published as ISO 27001:2005.
At what stage of IS maturity level do we find most of our large organisations? What about the SMEs?
ISO 27001:2005 makes it mandatory to provide evidence of ‘continual improvement’. The third-party independent auditors make it a point to verify this from an audit sampling perspective. An organisation certified to ISO 27001 is supposed to provide positive evidence of continual improvement; this evidence is a show of maturity in ISMS.
Certification auditors don’t expect security incidents to be totally avoided, but find out the maturity of the organisation in its incident reporting system and in identifying security weaknesses. Root cause analysis and corrective action are two important areas that showcase maturity levels.
Most tier-1 and a good number of tier-2 IT (information technology) companies have reached a good level of information security maturity. Most IT companies, which aim to compete in the global market or aspire to maintain high levels of corporate or IT governance, comply with ISO 27001 with a drilled-down granularity approach.
Many SMEs face the challenge of reaching maturity in maintaining information security compliance. I think the problem lies with the bent of mind that makes an entrepreneur start and continue a business with great risks. Instituting ISO 27001 controls is one way an entrepreneurial venture gets risk management maturity by design.
Can you explain the basic tenets of information security from the ISO 27001 angle?
Information security aims at protecting information assets, the basic attributes of which are ‘Confidentiality, Integrity and Availability’ or the CIA triad. Information assets are CIA-valued for the purpose of identifying the critical information assets in the organisation.
Risk assessment is the next stage. Information assets face numerous risks, arising out of threats that exploit vulnerabilities. A methodology is framed by the organisation for assessing risks to its information assets and this is applied to critical information assets, through analysis, evaluation and risk-ranking. Risks that are acceptable are taken out and the rest of the risks are considered for treatment.
The ISO 27001 has risk treatment controls as well. These controls are carefully chosen for implementation. Choosing the right controls for risks is like administering appropriate medicines for an ailment. After doing whatever possible as risk treatment, there still may be certain ‘residual risks.’
A list of such residual risks is made out and then a ‘statement of applicability’ (SOA) of the ISO 27001 controls, with reference to the organisation’s information assets, is prepared. This SOA is implemented.
Compliance is audited by internal auditors; management conducts a review of the status of ISO 27001 compliance. Improvement is made by the organisation, on a continuing basis, as a result of reported non-conformities and observations (by the internal and third-party audits) and incidents and weaknesses reported, by way of root cause analysis, corrective and preventive actions.
This whole exercise is called PDCA (Plan, Do, Check and Act). ISO 27001’s PDCA structure is like that of any other ISO management system (like ISO 9001).
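The asset-valuation, risk-ranking, residual-risk and SOA steps described in the answer above, worked through as an added example; this is not the interviewee's material, and the 1..3 scales, the worst-case CIA rule, the acceptance threshold and the `CTRL-*` control ids are assumptions and placeholders (the standard leaves the methodology to the organisation).

```python
from dataclasses import dataclass

ACCEPTABLE_RISK = 3   # assumed acceptance threshold on the risk score


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int   # 1..3 (assumed scale)
    integrity: int
    availability: int

    def cia_value(self) -> int:
        # assumed rule: the worst-case attribute decides how critical the asset is
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int        # 1..3 (assumed scale)
    control: str = ""      # chosen treatment control (placeholder id, not a real ISO number)
    reduction: int = 0     # likelihood points the control removes (assumed)

    def inherent(self) -> int:
        return self.asset.cia_value() * self.likelihood

    def residual(self) -> int:
        return self.asset.cia_value() * max(1, self.likelihood - self.reduction)


def rank(risks):
    """Risk-rank: highest inherent score first."""
    return sorted(risks, key=lambda r: r.inherent(), reverse=True)


def split_acceptable(risks):
    """Acceptable risks are taken out; the rest are considered for treatment."""
    accepted = [r for r in risks if r.inherent() <= ACCEPTABLE_RISK]
    to_treat = [r for r in risks if r.inherent() > ACCEPTABLE_RISK]
    return accepted, to_treat


def residual_risks(to_treat):
    """Whatever is still above the threshold after treatment is a residual risk."""
    return [r for r in to_treat if r.residual() > ACCEPTABLE_RISK]


def statement_of_applicability(to_treat, all_controls):
    """SOA: a control is applicable when some treated risk relies on it."""
    used = {r.control for r in to_treat if r.control}
    return {c: (c in used) for c in all_controls}


# Constructed sample register (not real data)
HR_DB = Asset("employee HR database", 3, 3, 2)
WEBSITE = Asset("public marketing website", 1, 2, 2)
RISKS = [
    Risk(HR_DB, "data theft", "shared admin password", 3, "CTRL-ACCESS", 1),
    Risk(WEBSITE, "defacement", "unpatched CMS", 2, "CTRL-PATCH", 1),
    Risk(WEBSITE, "outage", "single web server", 1),
]
ALL_CONTROLS = ["CTRL-ACCESS", "CTRL-PATCH", "CTRL-BACKUP"]
```

The residual list is what gets documented for management acceptance, and the SOA shows which controls were selected and which were left out.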
How many companies in India have got certified to ISO 27001 and where are we positioned now in the global list?
As of June 2009, there were 454 business organisations certified to ISO 27001:2005 (www.iso27001certificates.com), and the ISMS maturity level in these organisations is their selling point as well. It is the IT companies in India that are the largest in the number of ISO 27001-certified organisations in India. The fact that India continues to enjoy a great reputation as the top IT service provider country till now is a case in point. Japan stands first (3191), India second (454) and the UK third (402), in the number of organisations certified to ISO 27001.
The US didn’t take the ISO 27001 certification seriously earlier, but it is catching up now. It has close to 100 certifications. China has 200 certifications, Germany 120, Korea 100, Russia 10 and Pakistan has 11 certifications. Taiwan has taken the ISO 27001 compliance seriously; it has 325 certifications.
India is one of the early starters, of course. India’s emerging competitors in the BPO space, like Thailand, the Philippines and Vietnam, are way behind India in ISO 27001 certification numbers.