There is an abundance of information security standards or frameworks available to help enterprises secure their data and operations. Implementing these standards involves reading not only the requirements of the standards themselves, but also the accompanying implementation guides and myriad online documents regarding the challenges to be overcome. This becomes more difficult if an enterprise is required to be aligned with more than one standard due to its global footprint. The solution is a global information security management system (ISMS) that fulfills a combination of requirements from multiple standards.
ISMS
The ISMS was introduced by International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001, which states that:
[T]he establishment and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization.1
This means that, for a global enterprise, the ISMS must cover all internal and external requirements at the global and the local country level, while ensuring that it also covers critical operations and follows the enterprise’s governance structure.
Aligning a global enterprise’s ISMS with several standards and certifying compliance with those standards have become necessary because enterprises have interested parties worldwide, each of which may recognize different security frameworks. Each country’s legal and regulatory requirements may also mandate an enterprise’s alignment with a combination of standards, making local hurdles unavoidable.
When an enterprise makes the effort to achieve alignment with globally accepted standards and can prove it, it increases the trust of third parties and may lead to more business. As Webhelp’s Group Chief Information Security Officer (GCISO) Ivan Milenkovic notes, “Implementing an ISMS provides multiple benefits: It is an ‘invitation to the party’ with clients, represents the basis for the common language and showcases the willingness to constantly improve company culture. On one side—clients understand what they get; on the other—we break the vicious circle of questionnaires and audits.”
Implementing a Global ISMS
Once an enterprise’s global ISMS requirements have been identified, standards have been selected, a team of experts has been engaged and the enterprise’s leadership is on board, implementation can begin.
In most, if not all, cases, there is more than one way to implement a measure (i.e., control) to achieve a security objective, and every standard requirement, however prescriptive, ultimately serves a security objective. Therefore, it is a good idea to develop a baseline of measures that are tailored to the enterprise and can cover objectives from multiple standards. Accompanying that baseline with a mapping to each standard, including the rationale for why and how each baseline measure fulfills the corresponding requirement, ensures that nothing has been missed.
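A baseline that maps each control to the requirements it fulfills, with the rationale recorded alongside, can be checked for coverage mechanically. The following is an added example, not from the article or from any named enterprise: the control and requirement identifiers are constructed, and the gap check lists requirements with no mapped control, mappings lacking a rationale, and mappings to requirements that are not in the catalogue.

```python
from collections import defaultdict

# Constructed sample data (not from the article): each baseline control maps to
# requirements of one or more standards, and each mapping carries its rationale.
BASELINE = {
    "BL-01": {"STD-A/REQ-1": "Access reviews run quarterly per the global procedure.",
              "STD-B/REQ-4": "The same review disables dormant privileged accounts."},
    "BL-02": {"STD-A/REQ-2": "Central log platform retains events for 12 months.",
              "STD-B/REQ-5": ""},  # mapped, but the rationale was never written
    "BL-03": {"STD-A/REQ-3": "Awareness training at onboarding and yearly thereafter."},
}

# Constructed requirement catalogue for two hypothetical standards.
REQUIREMENTS = {
    "STD-A": ["STD-A/REQ-1", "STD-A/REQ-2", "STD-A/REQ-3"],
    "STD-B": ["STD-B/REQ-4", "STD-B/REQ-5", "STD-B/REQ-6"],
}


def coverage(baseline, requirements):
    """Map every catalogued requirement to the (control, rationale) pairs that claim it."""
    covered = defaultdict(list)
    for control, mappings in baseline.items():
        for req, rationale in mappings.items():
            covered[req].append((control, rationale))
    return {std: {req: covered.get(req, []) for req in reqs}
            for std, reqs in requirements.items()}


def gaps(baseline, requirements):
    """Return the findings an auditor would raise against the mapping."""
    known = {r for reqs in requirements.values() for r in reqs}
    findings = {"unmapped": [], "no_rationale": [], "unknown_requirement": []}
    for reqs in coverage(baseline, requirements).values():
        for req, controls in reqs.items():
            if not controls:
                findings["unmapped"].append(req)
            for control, rationale in controls:
                if not rationale.strip():
                    findings["no_rationale"].append((control, req))
    for control, mappings in baseline.items():
        for req in mappings:
            if req not in known:
                findings["unknown_requirement"].append((control, req))
    return findings


if __name__ == "__main__":
    for kind, items in gaps(BASELINE, REQUIREMENTS).items():
        print(f"{kind}: {items}")
```

Running the check before each country's audit turns "did we cover every requirement?" into a repeatable report rather than a manual read-through of the standard.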
Certifying a Global ISMS
Once the baseline for the global ISMS has been implemented, the next step is certification. The ISMS can typically be certified for only one standard at a time and, in most cases, one country at a time. Although the ISMS meets a number of requirements, it must be shown that it conforms to each specific standard. This requires information security experts with a working knowledge of the relevant standards who can initiate a program with a road map that includes:
- Enterprise strategy
- Client requirements
- Information security objectives
- Country specifics
- Other internal compliance requirements
These requirements must be balanced and met within specified deadlines. Unexpected changes may also occur during the journey to certification, including:
- New requirements from prospective or existing clients
- Scope expansion due to the enterprise’s growth in new countries or new sites in existing countries
- Acquisition of an enterprise to be included in the certification scope
- New regulations in one or more countries
- Unplanned unavailability of resources
- New versions of a standard
It may seem like an impossible undertaking, but it is not.
Certification in a new country where the enterprise operates is much easier (assuming that local information security resources exist) if it has a blueprint outlining the steps necessary to achieve certification for each standard using the previously developed baseline. To ensure efficiency, the blueprint should include:
- Steps toward certification expressed in plain language, including what steps to take to implement the baseline
- Estimated effort required for the implementation of each step
- Anticipated owner
- Useful internal resources, such as globally developed policies, standards, procedures, frameworks or templates that allow standardization across different countries
At this point, the enterprise should have a baseline that covers all relevant standards and a blueprint for achieving certification for each of those standards.
Choosing a Certification Body and Certification Auditors
A global enterprise should select a global certification body that can support all countries in which certification is desired. The lead auditor assigned to an enterprise’s account should examine the baseline and blueprint for the relevant certification to confirm acceptance of the chosen approach, even before the audit starts.
Certification auditors play an incredibly important role. Experience has shown that every auditor is different. Although all local representatives of the certification body follow the same standard requirements and guidelines, they may focus on different areas based on their experiences. It is likely that certain issues identified in one country because of an auditor’s particular focus also exist in other countries, though they may not have been mentioned. This is extremely helpful for improving an enterprise’s global security posture and obtaining the necessary sponsorship for change. Auditors should be used as enablers, and their advice should be taken as if they were consultants. Openness and honesty on both sides can be the key to successful certification.
Finally, be aware of any potential language barriers with local auditors. Determine beforehand whether the assigned auditor is fluent in the enterprise’s formal language and which language the audit will use for every country to ensure that it runs smoothly.
Does Certification Mean Security?
Obtaining certification of a global ISMS means a lot of things, but it does not mean that the enterprise cannot be breached. It means that certain operations of the enterprise follow a consistent, standardized approach, enabling more effective and more mature preventive and detective information security measures. This, in turn, means that information security risk factors and incidents can be identified faster and handled according to global guidelines that conform to good practices. However, there is always room for improvement, as the certification audit findings make evident.
Does certification make the enterprise more secure? Indirectly, yes. But one would have to drill into the details of a certification audit report to understand which preventive and detective measures are enabling a better security posture.
Maintaining a Global ISMS
Certifying an ISMS is not a one-time exercise. For most enterprises, maintenance of the certified ISMS and the relevant baseline is more difficult than developing them in the first place. Continuous effort is required to ensure that:
- Standard requirements are constantly met.
- Information security threats are managed.
- Information security processes are embedded, and potential exceptions are documented, monitored and periodically attested.
- Performance of the ISMS is evaluated and reported.
- All employees (internal, external) are trained.
- Documentation is reviewed and updated.
- Security posture is improved.
Conclusion
Complying with internal and external information security requirements for a global enterprise is hard work. For an information security system to operate at its best, it takes time and requires human and technology resources. To make compliance efficient and effective, all those requirements must be combined, baselines established and one global ISMS developed. The introduction of blueprints can be a huge help to ensure certification of the ISMS against globally accepted standards and frameworks, so that the enterprise shows interested parties that it takes information security seriously and conforms with their multifaceted requirements.
Endnotes
1 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27001:2013 Information Technology–Security techniques–Information Security Management Systems–Requirements, 2nd Edition, Switzerland, 2013, http://www.iso.org/obp/ui/iso:std:iso-icc:27001:ed-2:v1:en
SARANTOS KEFALAS | CISA, CISM, CCSP, CISSP, ISO 27001 LI
Is the group infosec risk and compliance director at Webhelp and is responsible for maintaining its global information security management system (ISMS). Previously, he held auditing and consulting roles at PricewaterhouseCoopers (PwC) in Greece and the United Kingdom, working on information security and cybersecurity primarily in the financial services sector, shipping and telecommunications. He has more than 10 years of experience in information security, including training and coaching younger professionals and students. Kefalas is a member of ISACA® and other professional organizations.