This year my colleague Mirko and I had among our annual goals the use of EriZone to support ISO 27001. The project was not highly detailed, so we felt free to interpret it the way we thought would be most useful for a medium-sized company.
Obviously we needed to know exactly what ISO 27001 entails, and to then enhance EriZone to manage it. Here I will write about the first part and I will leave Mirko the second (and in my opinion the most beautiful) part. [Mirko, you owe me a favor, but I owe you too and so now we’re even!]
So where should we start? We needed to create a knowledge base on ISO 27001. Okay, easier said than done. How can you characterize ISO 27001? A series of rules that, if respected, allows you to obtain a certification…
Obviously this is not really the correct approach, and like all complex topics it should be treated with the correct terminology. I don’t want to repeat here information that you can easily find online on the official websites, or on those that deal specifically with ISO 27001 (below you will find such links), but instead I’d like to give you a quick introduction without boring you too much.
Okay, so what is ISO 27001? Wikipedia says (I know, I know, I said I didn’t want to bore you, but I’ll only do it here): “The ISO/IEC 27001 standard (Information technology – Security techniques – Information security management systems – Requirements) is an international standard that defines the requirements to set up and manage an information security management system (ISMS, from Information Security Management System), and includes aspects relating to logical, physical and organizational security.”
Great! So now you understand everything, right? What? No? Well, not even I understood much after reading this definition. To save you the trouble, I will give a brief summary of what I found on the internet about ISO 27001 and how it helped me to understand it better. The ISO 27001 standard is essentially a document about 23 pages long that can be downloaded for a fee. Those 23 pages provide guidelines on how to set up a body of corporate documentation that will serve to manage the security of the information present in the company.
Obviously a company is ISO 27001 certified when a certifying body says that it is following the ISO 27001 guidelines and that company information is adequately protected. ISO 27001 aims above all at building a corporate self-awareness that covers the assessment of possible risks and the implementation of controls, always in relation to information security.
Regarding risks, the ISO standard does not provide a full list, but indicates how to identify the vulnerabilities and threats that create those risks. Risk assessment is perhaps the most important part because, for each risk, a numerical level and a strategy of acceptance and/or mitigation must be indicated.
The controls (for example, the control requiring that every inventoried asset has a designated manager) are listed in Annex A of ISO 27001. There are 114 of them, divided into 14 categories. For each of these controls, the organization must specify how it was implemented, or else the reason it was not implemented.
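To make the two structures above concrete, here is a small added example (not part of the original post or of EriZone) that models a risk register row with a numerical level and an accept/mitigate decision, and a Statement of Applicability row for each Annex A control, then checks the consistency rules implied by the standard: every control has an implementation or exclusion reason, all 114 controls are covered, and no risk is mitigated by a control the SoA declares not applicable. The 1-5 scales, the level = likelihood × impact formula, the acceptance threshold and the control ids in the sample data are this example's assumptions, not something the standard prescribes.

```python
from dataclasses import dataclass

ANNEX_A_CONTROL_COUNT = 114  # Annex A of ISO/IEC 27001: 114 controls in 14 categories

@dataclass(frozen=True)
class Risk:
    """One row of the risk register (fields and scales are this example's assumptions)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    treatment: str        # "accept" or "mitigate"
    controls: tuple = ()  # Annex A control ids used as mitigation

    def level(self) -> int:
        # The standard only asks for a numeric level; likelihood x impact is an assumed scheme.
        return self.likelihood * self.impact

@dataclass(frozen=True)
class SoaEntry:
    control_id: str       # e.g. "A.8.1.2"
    applicable: bool
    justification: str    # how the control is implemented, or why it was excluded

def check_risk(risk: Risk, accept_threshold: int = 6) -> list[str]:
    """Findings for one risk: scores on scale, treatment consistent with the level."""
    findings = []
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        findings.append(f"{risk.asset}: likelihood/impact outside the 1-5 scale")
    if risk.treatment == "accept" and risk.level() > accept_threshold:
        findings.append(f"{risk.asset}: level {risk.level()} above acceptance threshold {accept_threshold}")
    if risk.treatment == "mitigate" and not risk.controls:
        findings.append(f"{risk.asset}: mitigation chosen but no control assigned")
    return findings

def check_soa(entries: list[SoaEntry], risks: list[Risk],
              expected: int = ANNEX_A_CONTROL_COUNT) -> list[str]:
    """Findings for the SoA: every row justified, full Annex A coverage, no risk on an excluded control."""
    by_id = {e.control_id: e for e in entries}
    findings = [f"{e.control_id}: missing implementation/exclusion reason"
                for e in entries if not e.justification.strip()]
    if len(by_id) != expected:
        findings.append(f"SoA covers {len(by_id)} of {expected} Annex A controls")
    for risk in risks:
        for cid in risk.controls:
            if cid not in by_id or not by_id[cid].applicable:
                findings.append(f"{risk.asset}: relies on {cid}, which the SoA does not apply")
    return findings
```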
As you will have realized by now, if done on paper, all of this documentation becomes very difficult to maintain. For this reason it is very important to put the documentary and process information into a system that acts as the central place for collecting processes and documentation and that keeps revisions traceable. To help with this, we have created a customization of EriZone that accommodates not only the applicability of controls and risk management, but also documentation changes, security incidents and more.