BIC Information Security: The business side

The goal of this phase is to list all (critically) used assets. An asset in this context can be anything deemed essential to that company. According to ISO 27002 and ISO 27005, assets can be organized in the following groups: information, software, buildings, facilities, vehicles, equipment, hardware, data carriers, computer and communication services, utilities, employees including their qualifications, and intangibles (e.g., the reputation and image of the organization).

An asset owner will then be assigned to each identified asset as required by ISO 27001:2013. This can be a single person or a group of individuals who are responsible for the administration of the respective asset including any related risks and measures.

A business impact analysis (BIA) is one of the most effective instruments to identify critical security objects, because it shows which processes and assets have a high need for protection. It assesses the negative internal and external effects resulting from the failure of a security object including its impact on finances, task completion, guidelines, contracts and the ability to comply with the law.

The second phase focuses on risk identification. The company determines a comprehensive list of events that are relevant for its business activities and could be damaging to corporate objectives. Ideally, this should be a workflow-driven process. The individuals responsible for the ISMS typically compile these risk scenarios in cooperation with the respective department managers following a series of in-depth workshops. Creating risk scenarios is a method used to determine the occurrence of risks that could be damaging to the security goals related to the confidentiality, integrity or availability of the information system and, therefore, the business objectives.

A further aspect of risk identification is the identification of existing measures. This takes into consideration that companies have already implemented measures and, therefore, fulfill some of the controls in Annex A of ISO 27001 such as a password policy. Nevertheless, these measures may not yet meet the maturity level necessary for certification and, therefore, must be analyzed in light of currency, effectiveness and nonconformity. This minimizes duplication and unnecessary costs.

All identified risks are examined within the risk analysis. Once the probability of occurrence and the potential damages are assessed, a risk value is calculated and can be ascertained in BIC Information Security in a quantitative or qualitative (i.e., using a heat map) manner.

How risk controls are defined will determine how the company deals with the risk observed. Depending on the risk tendency, which can range from a risk aversion to risk neutrality or risk appetite, there are four different ways to approach a risk: acceptance, reduction, avoidance and transfer. The goal is to reduce the subsequent risk to a level so low that the remaining risk can be quantified and accepted.

The next step is determining how to cope with the risks that have been analyzed. An external auditor will expect a risk treatment plan which outlines measures that have been taken or are planned for dealing with risks. This plan, which is to be approved by the designated risk or measure manager, provides information on the implementation status of each measure.

In BIC Information Security, measures can be documented by risk treatment strategy, implementation and execution responsibilities, and the reduction of costs, damages and probability of occurrence.

A statement of applicability (SoA) declares that the company has carefully reviewed all controls from Annex A, taken them into consideration, and incorporated them into its corporate goals and information security risks. It describes the measures and their respective goals within the company’s scope and references the 114 measures and controls from Annex A of ISO/IEC 27001:2013 or ISO/IEC 27002. Together with the scope, the SoA is a core requirement for obtaining ISO certification for the ISMS.

Since ISO 27001 requires ongoing improvements to operational effectiveness, top management should check the currency and suitability of the information security systems with the support of the ISMS officer at least once a year. The topics for these types of management reviews can include: results of the risk analysis and implementation status of the measures, effectiveness of the implemented measures, internal and external audit results, nonconformity, corrective measures, and results of measurements (e.g., company-specific KPI’s, general information security performance, developments in ISMS).

To maintain information security during operations, companies conduct procedures for determining information security incidents in line with ISO 27001:2013, Annex A.16 (Information Security Incident Management). This ensures that a security-relevant incident, in the event it should ever occur, is handled efficiently. These procedures include incident reporting as well as assessments and treatments including the collection of evidence.

Incidents are typically nonconformities that affect the continual improvement process within the company and, therefore, the maturity of the ISMS. Due to the incident assessments and the resulting insights, the company will initiate corrective measures. These are designed to minimize any impairments to the availability, integrity or confidentiality of information as well as identify and correct vulnerabilities in the ISMS and prevent any future incidents.

Internal audits are to be conducted on a regular basis to check the effectiveness of the ISMS and continually improve the management system. The ISO standard states that an internal audit must be conducted at least once during a given certification cycle. The procedure, which closely resembles that of an external audit, can focus on either the entire organization or a specific division or department. The results are then used for future certification audits and are treated as findings.

Qualified auditors can conduct external audits on behalf of a certification body to ensure that the management system conforms to ISO 27001. The audit will determine any shortfalls and variances that the company’s ISMS still has in comparison to the standard. The BIC Information Security provides built-in support to assist in planning a pre-audit, certification audit, monitoring audit and recertification.

Findings are created in a variety of contexts and show the results of external and internal audits or management reviews. They cover norm variances or general security vulnerabilities that the ISMS has appraised and treated. Depending on their criticality, findings are classified as a major nonconformity, minor nonconformity, observance, recommendation, or opportunity for improvement. Major nonconformities or several minor nonconformities often stand in the way of the certification and should be resolved as soon as possible.

A key requirement for the successful implementation of an information security management system is documenting the decisions made and the goals set. Documented information is necessary, for example, to define and communicate information security goals, policies, guidelines, directions, processes and procedures. It is also used during the certification audit. Many sections of the ISO standard require documentation that must be officially approved and made available in an audit-proof manner to interested parties. Since companies document additional information depending on their objectives and desired level of maturity, its scope may vary.