


Users Line Up Behind Audit Standard

ISO 27001 poised to fill the void in security audit standards and become a global benchmark

If audits are about as much fun as dental fillings, then security audits are like root canals. Small wonder, then, that security professionals don't want to have to conduct separate audits for Sarbanes-Oxley, HIPAA, and a growing pile of new state and federal regulations for data handling and privacy.

And while it may never be the perfect catch-all, ISO 27001:2005, "Information Security Management Systems – Requirements," may be the closest thing enterprises can get to an Underwriters Laboratory seal for security audits.

ISO 27001 has also recently won some important buy-in from a couple of big users. Vendor sources a few weeks ago said the Federal Reserve Bank of New York has recently achieved ISO 27001 registration. And other companies have been marching down the ISO 27001 path since before the standard was approved.

ISO 27001, ratified in November 2005, defines the implementation requirements based on ISO 17799 and can be used by companies to build a security plan. More importantly, "ISO 27001 contains verifiable implementation language spelling out procedures and practices that an auditor can use to determine if your organization is compliant," explains Ken Peterson, president of consultancy Churchill & Harriman.

ISO 17799:2005, "Code of Practice for Information Security Management," is used as a framework for building a security plan, laying out 11 categories ranging from policy and organization requirements, asset, communications, and human resources management, through access control and business continuity. Think of ISO 17799 as a guidebook for implementing security initiatives.

Contrast the ISO approaches with the American Institute of Certified Public Accountants Statement of Auditing Standard 70 (SAS70) audits, which are conducted by CPA firms. The auditor issues a statement of opinion based on what the client company wants assessed. There are no standard criteria to measure the effectiveness of a security control. A SAS70 report really boils down to "this is the stated control, this is how the subject implements the control, and this is our opinion of whether the subject does what they say they do." Type II audits include testing of the controls by the auditor.

Companies can be audited against ISO 17799, but until ISO 27001 came along, there wasn't a certification path. Companies seeking an audit using ISO 17799 criteria would hire an auditor to perform the assessment and would be issued a letter of opinion, which Jon Gossels, president of consultancy System Experts, describes as "analogous to accounting firms issuing opinions to companies on their financial systems and reports." Letters of opinion are just that: qualified opinions about a company at a point in time. Finding a qualified auditor for an assessment based on ISO 17799 is not a simple task. Gossels recommends seeking advice from peers, interviewing potential auditors' reference clients, and examining the qualifications of the auditors.

Companies seeking ISO 27001 registration have to be audited by a certified body or registrar. Certified bodies have to go through extensive training and testing and are accredited by the International Register for Certified Auditors, according to Peterson. He points to these three phases of an audit:

  • Map the company's policies and procedures to 27001.

  • Audit the company's processes against the stated policies and procedures.

  • A registered audit is valid for three years with interim audits taking place every six to nine months. After three years, the whole process starts again.

Gossels urges companies not to confuse an audit with a security assessment. "An audit documents the current state of an organization focusing on instances of non-compliance," he says. "In contrast, a security assessment is looking for problems and root causes or classes of problems -- not every instance of a problem. These standards are useful for both purposes."


The business case
Many compare ISO 27001 to ISO 9001:2000, "Quality Management System," which shows the company has gone through a rigorous audit of its manufacturing processes, and also submits to interim checkups to ensure that the QMS is enforced. Some experts are confident that ISO 27001 will have a similar impact on security practices. "Similar to when BS5750 became standardized as ISO 9001, the world, including the U.S., took notice and flocked to it," Peterson asserts.

Others are not sure ISO 27001 will have wide appeal. Gossels thinks unless there is a clear business reason -- such as customers or partners demanding certification to do business -- there is no reason to get registered. "We would not advise a company to get registered [for ISO 27001] unless there is a clear business driver, because of the expense. There is no incremental value in spending those dollars. Having a reputable security firm say they are substantially compliant is good enough." Audit costs can easily run to five figures or higher, depending on the scope.

Gossels does point out that "in some vertical markets, like financials and healthcare, or markets where there are supply chains in place like aerospace, registrations may become a fact of life."

Rick Hargraves, CIO of United Recovery Systems LP, a Houston-based collections firm, had a sound business reason. "A few years ago, our clients started asking us questions about our security processes that came straight from ISO 17799, so we knew they were leaning that direction. We made a decision to align with ISO 17799. When we found that ISO 27001 was being ratified, we decided to achieve registration."

The registration process went smoothly for URS. The first part of the audit compared URS's policies and procedures to ISO 27001, and the second part ensured that stated business processes were being carried out. "We didn't have to make major changes to map our processes to ISO 27001 because being a financial company, we already had them in place to begin with. Companies starting from the ground up will have a more difficult time adjusting."

The key to undergoing and completing an ISO 27001 registration lies in the scope. Peterson recommends "starting with a narrow scope based on critical business processes and then expanding it when needed, because an ISO 27001 audit is a difficult process; a large part of auditing is defining asset identification, risk assessment, and ownership. Failures happen when the scope is too large."

Hargraves agrees. "Just because you're 27001 [registered] doesn't mean your company is doing the best thing. For example, our company included processes under GLBA, networking, handling consumer information, complying with our clients' data security standards, and how we developed our own software within our ISO 27001 audit, because those are critical processes for our customers. If we didn't include how we protect consumer information, our certification would be lacking."

The International Register of ISMS Certificates maintains a list of registered companies, their certificate numbers, and a statement of scope. As of this writing, there are 2,625 organizations registered either to BS 7799 part II or ISO 27001. The bulk of the registrations are in Japan.

— Mike Fratto, Editor at Large, Dark Reading

Organizations mentioned in this story

  • American Institute of Certified Public Accountants
  • Churchill & Harriman
  • International Organization for Standardization (ISO)
  • United Recovery Systems, LP
  • System Experts

Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics ...
