Secure & Simple – A Small-Business Guide to Implementing ISO 27001 On Your Own (eBook)
326 pages
Advisera Expert Solutions Ltd (publisher)
978-953-57452-5-9 (ISBN)
In Secure & Simple Dejan Kosutic, an author and experienced information security consultant, is giving away all his practical know-how on successful ISO 27001 implementation. Whether you're new or experienced in the field, this book gives you everything you will ever need to implement ISO 27001 on your own.
Dejan provides examples of implementing the standard in small and medium-sized organizations (i.e. companies with up to 500 employees). It is written primarily for beginners in the field and for people with moderate knowledge of ISO 27001. Even if you do have experience with the standard, but feel that there are gaps in your knowledge, you'll find this book very helpful.
Secure & Simple is the definitive guide for implementing and maintaining the most popular information security standard in the world. The author leads you, step-by-step, from an introduction to ISO 27001 to the moment your company passes the certification audit. During that journey you will learn:
- The most common ISO 27001 myths, like 'The standard requires xyz;' 'We'll let the IT department handle it;' 'We'll implement it in a couple of months;' and others.
- How to convince your top management to implement ISO 27001. 'If you think that your management loves to listen to your great idea about a new firewall, or the perfect tool you've discovered for handling incidents, you're wrong - they just don't care.' This book will help you speak the language they want to hear.
- How to write the Risk Assessment Methodology plus other policies and procedures.
- How to identify potential risks. 'Employees (and the organization as a whole) are usually aware of only 25 to 40% of risks - therefore, a thorough and systematic process needs to be carried out...' Learn how to identify all potential risks that could endanger the confidentiality, integrity, and availability of the organization's information.
- The most important steps to prepare a company for the certification, and much more.
Written in plain English with a lot of practical examples, charts and diagrams, it is the only book you'll need on the subject of ISO 27001 implementation.
1 INTRODUCTION
Why would your company need to keep its information safe? How can ISO 27001 help you achieve information security? And, is this book the right choice for you?
1.1 Why information security? Why ISO 27001?
Information security, cybersecurity, and data protection are no longer reserved for IT geeks only – they concern virtually every person on this planet, as well as every company.
If you were an executive in an organization 10 years ago, you probably would not be so concerned with any of these things. Today, you are in the second decade of the third millennium and you cannot ignore threats to your data anymore. What's more, in the future you will need even more protection. Why? Because the majority of organizations are now in the business of processing information.
Most of us imagine that a bank handles large amounts of cash every day. While banks still conduct many cash transactions, the fact is that electronic money transactions far outweigh cash transactions – in some cases by more than a million to one. So, this means that a typical bank is in the business of processing information – it is one large factory of information. And, guess what: for some time now, robbing a bank by hacking has been far more profitable than walking in with a mask over your face and robbing the tellers. And, hacking is far less risky, too.
Think about your business; are you an information factory, too? Chances are, your business is, if not completely, then for the most part about processing information. This means your business is more vulnerable. Your information, your knowledge, your know-how, and your intellectual property are all at risk. And now the one-million-dollar question, or if you are in a larger business this might be a one-billion-dollar question: What do you need to do to protect the information in your company, and where do you start?
The problem nowadays is that there is an abundance of information about information security; you are probably bombarded with information about new firewalls, anti-virus software, frameworks, methodologies, legislation, and so on. Many companies offer services claimed to be the solution to all of your security problems. Yet, these individual solutions aren't going to protect you completely. For instance, you cannot solve the problem of a disgruntled employee with a firewall, in the same way that you cannot solve the problem of a hacker just by complying with a law.
So, it's obvious you need something more, something comprehensive. But, the challenge is where to even begin, what steps to take that will best protect your business.
This is where ISO 27001 comes in – as explained throughout this book, it provides a comprehensive framework that will help you with this crucial process. It gives you the necessary guidance and building blocks for protecting your company. ISO 27001 tells you where to start from, how to run your project, how to adapt the security to the specifics of your company, how to control what the IT and security experts are doing, and much more.
So, the point is – ISO 27001 doesn’t have to be just another bureaucratic compliance job – if implemented properly, it can be a very efficient tool not only to protect your company, but also to achieve some business benefits.
1.2 Basic information security principles
First, let us define what information is. Information is an asset of the organization, which has value to the organization and needs to be protected appropriately. Information can have various forms and can be stored on different media.
On the other hand, information security can be defined as protecting the confidentiality, integrity, and availability of information in various forms, such as written, spoken, printed, electronic, and so on.
Let’s see the official definitions of these terms from ISO 27000: confidentiality is “property that information is not made available or disclosed to unauthorized individuals, entities, or processes,” integrity is “property of accuracy and completeness,” and availability is “property of being accessible and usable upon demand by an authorized entity.”
Yes, sometimes it is difficult to understand this ISO terminology, so here is an easy explanation of these basic concepts: if I come to a bank and deposit $10,000, first of all I do not want anyone else to know about this money except for the bank and myself. (This is confidentiality.)
In a few months’ time when I come to withdraw my deposit, I want the amount to be $10,000 plus any interest; I do not want the amount to be $1000 because someone has played around with my account. (This is integrity.)
Lastly, when I want to withdraw my money I do not want the bank clerk to tell me that the bank’s systems are down and that I have to come back tomorrow. (This is availability.)
ISO 27001 has exactly the same focus – protection of confidentiality, integrity, and availability (also known as the C-I-A triad); but, it also goes a step further – it explains how to do it systematically in a company of any type.
1.3 ISO 27001 puts it all together
What I like about ISO 27001 is that it has a comprehensive, and at the same time balanced, approach to building up an information security management system (ISMS). It not only strikes a balance between the IT and business sides of the organization, it also requires the direct involvement of top management in the information security implementation, ensuring that such a project not only has all the required resources, but that it also supports the strategic objectives of the company.
ISO 27001 explains how to structure the information security documentation, but also how to apply only those security controls (safeguards) that are really necessary for the company. It gives you the tools to continually review the whole system and improve it whenever possible; it provides you with a system for training your employees and making them aware of the importance of information security; and it includes requirements on how to plan the resources, including financial resources.
As I will explain later on in greater detail, it gives a perfect implementation path – it is written in such a sequential way that you just have to follow the structure of the standard to implement your ISMS in the most logical way.
Finally, it provides a management framework on how to evaluate whether information security has achieved some business value – by setting objectives and measuring whether these objectives are fulfilled. You may be surprised, but I like this part very much – this is because if the management sees concrete benefits from their information security investment, it is the best way to ensure the long and successful life of the ISMS in your company.
1.4 Who should read this book?
This book is written primarily for beginners in this field and for people with moderate knowledge about ISO 27001 – I structured this book in such a way that someone with no prior experience or knowledge about information security can quickly understand what it is all about, and how to implement the whole project; however, if you do have experience with the standard, but feel that you still have gaps in your knowledge, you’ll also find this book very helpful.
This book provides examples of implementing the standard in smaller and medium-sized organizations (i.e., companies with up to 500 employees). All the principles described here are also applicable to larger organizations, so if you work for a larger company you might find this book useful; however, please be aware that in some cases the solutions will have to be more complex than the ones described in this book – for example, you might want to use a more complex risk assessment methodology than the one that is suggested in Chapter 7 Risk management.
So, if you are an IT administrator, information security professional, head of an IT department, or a project manager tasked with implementing ISO 27001 in a small or mid-sized company, this book is perfect for you.
I think this book will be quite useful for consultants, too – being a consultant myself, I made an effort to present in this book the most logical way to implement an Information Security Management System (ISMS), so by carefully reading this book you will gain the know-how for your future consulting engagements.
This book is not written as a guide for performing the audits, but it might be useful for internal auditors, or even certification auditors, because it will help them understand all the requirements of the standard, and it will also present the best practice for the implementation – this will be useful when the auditor needs to provide some recommendations in his or her audit report.
Finally, I think this book can be a kind of checklist for experienced information security practitioners – I'm saying this because I've had many such experienced professionals in my ISO 27001 courses, and although they didn't learn anything especially new, they were thankful for getting a comprehensive and structured view of how information security should be implemented.
And, this is exactly how this book is written – it gives a systematic picture of what ISO 27001 is all about, and how to make sure you didn’t forget something. It doesn’t really matter whether your company will go for the certification or not – this book will explain how to...
| Published (per publisher) | 18.12.2017 |
|---|---|
| Language | English |
| Subject area | Computer science ► Networks ► Security / Firewall |
| | Computer science ► Theory / Studies ► Cryptology |
| | Natural sciences |
| Keywords | implementation patterns • information security fundamentals • Information technology management • ISO 22301 • ISO 27000 • practical project risk management • project management for the unofficial project manager |
| ISBN-10 | 953-57452-5-5 / 9535745255 |
| ISBN-13 | 978-953-57452-5-9 / 9789535745259 |
Size: 4.3 MB
Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to protect the eBook from misuse. The eBook is authorized to your personal Adobe ID at download time, so you can read it only on devices that are also registered to your Adobe ID.
File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to presenting fiction and non-fiction. The running text is dynamically adapted to the display and font size, so EPUB is also well suited to mobile reading devices.
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need the free Adobe Digital Editions software.
eReader: This eBook can be read on (almost) all eBook readers, but it is not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a free app.
Buying eBooks from abroad
For tax law reasons we can sell eBooks only within Germany and Switzerland. Regrettably, we cannot fulfil eBook orders from other countries.
Digital Rights Management: no DRM
This eBook contains no DRM or copy protection. Passing it on to third parties is nevertheless not legally permitted, because on purchase you acquire only the rights to personal use.