Blog

ISO 27001 – Between the Reality and the Myth

Nov 09, 2017

By Tony Chebli, Senior Manager, Information Security Department/Risk Management Division, Credit Libanais S.A.L

Tony will be hosting the session ISO 27001 Between the Reality and the Myth at (ISC)² Secure Summit MENA in Dubai on the 21st and 22nd November 2017.

It seems like yesterday, but it has actually been over 13 years since I obtained my ISO 27001 Lead Auditor certification and started travelling from country to country around the Middle East, preaching the benefits of ISO 27001 certification and its importance to companies that are looking to secure their information assets.

I admit it was (and still is) very tough to convince organizations and their management to walk the difficult path towards ISO certification by adopting the ISO 27001 security standard as company policy.

Unfortunately, people tend to be skeptical and raise the same questions over and over:

  • How much would ISO enhance our security level?
  • Will our company become immune against hackers and other forms of fraudsters?
  • Is it a reality or just a myth?

People are right to be skeptical. Achieving ISO-level security standards does involve hard work and some expense; however, we cannot forget the pain suffered by organizations being hit by cyberattacks. Not a single day goes by without a new story about a cyberattack: Yahoo, Equifax – even the professionals are getting breached. Is there any cure?

Of course, there is no formula or cure-all that will stop hacking activity in the world, but we cannot stand still and do nothing.

With this in mind, companies must adopt a security program based on international standards. Today I still propose ISO 27001 for the following reasons: 

  • ISO 27001 is the only auditing specification for information security management systems
  • ISO 27001 defines a process to develop and implement an information security management system (ISMS)
  • ISO 27001 is a management tool
  • ISO 27001 is comprehensive: its Annex A lists 114 controls spread over 14 security domains (A.5 to A.18 in the 2013 edition)
  • ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization

To gain certification, organizations must adhere to the standard, which means complying with all of the mandatory clauses (requirements) enumerated 4 to 10, and implementing the Annex A controls they have selected in their Statement of Applicability. Any Annex A control that is excluded must be justified, and the auditor will test that justification.

Certification is not an insignificant task. It is worth understanding the breadth of the requirements from the outset. An organization will be required to:

  • Devise an information security policy for the organization
  • Identify its information assets
  • Classify those assets
  • Apply controls
  • Operationalize the processes
  • Audit the processes
  • Take corrective action
  • Conduct management review

In addition to complying with the standard's clauses, there are other specific activities that need to be completed, typically in the following phases:

  • Phase I: Initial review & gap analysis
  • Phase II: Awareness training
  • Phase III: Identification of assets & risk assessment
  • Phase IV: Planning & building ISMS
  • Phase V: Internal Audit
  • Phase VI: Pre-certification & certification

Once you complete the rigorous review, you will earn a certificate which is valid for a period of three years, during which the certification body conducts surveillance audits (normally once a year) before a full recertification audit at the end of the cycle. It is worth noting that an ISO 27001 certificate is separate from any other management system certificate the organization holds. It can also be subject to suspension, cancellation or withdrawal at any point within the three years if the ISMS is found to no longer conform.

After exploring the ISO 27001 security standard, do you consider the benefits it offers a reality or a myth?

In order to draw decisive conclusions, I invite you to attend my presentation entitled ISO 27001 Between the Reality and the Myth on 22nd November 2017, in Dubai at (ISC)² Secure Summit MENA.