Вы находитесь на странице: 1из 8


ISO 27001


A Blue Paper


Copyright © ECSC Ltd 2006


Blue Paper – ISO 27001 Executive Brief

Version 1_08

Date: 21 June 2006

Ian Mann
Hugo Richardson

For more information about ECSC’s full range of information security services, visit:

Copyright © ECSC Ltd 2006

All Rights Reserved.
This document contains information, which is protected by copyright. No part of this
document may be photocopied, reproduced, or translated to another language without
the prior written consent of ECSC Ltd.

For the latest updates to this document, please visit:


This document is supplied on an "as is" basis with no warranty and no support.

Limitations of Liability
In no event shall ECSC Ltd. be liable for errors contained herein or for any direct,
indirect, special, incidental or consequential damages (including lost profit or lost data)
whether based on warranty, contract, tort, or any other legal theory in connection with
the furnishing, performance, or use of this material.
The information contained in this document is subject to change without notice.
No trademark, copyright, or patent licenses are expressly or implicitly granted (herein)
with this blue paper.

Any brand names and product names used in this document are trademarks, registered
trademarks, or trade names of their respective holders. ECSC Ltd. are not associated
with any vendors or products that may be mentioned in this document.

Copyright © ECSC Ltd 2006 Page 2 of 8


Blue Paper – ISO 27001 Executive Brief

Most organisations now recognise that information is their greatest
asset. As a director, or senior executive, you will know how the
supply of accurate and timely information is vital to your role.

For more and more organisations, information security is becoming a

critical business function. This is much more than an information
technology (IT) issue as it also encompasses:
● Governance
● Risk Management
● Human Resources
● Physical Security
● Business Continuity
● Regulatory and Legal Compliance

You can see why organisations that can demonstrate expertise in this
area really have something to promote. They are developing a core
competence for the digital age.

ISO 27001 (formally BS 7799 and ISO 17799) is the recognised

international standard for an Information Security Management
System (ISMS). Building upon over ten years of development, it is
now the reference point in developing your organisation's systems.

Rather than the

over used 'white This Blue Paper is intended as an introductory document. It is
paper' from IT
vendors, an ECSC designed to help you to understand the benefits that developing an
Blue Paper is ISMS using ISO 27001 will give you. The comments and advice are
designed to inform
and help you in based on considerable experience in working with senior managers to
ways similar to how
design and implement systems, and take organisations through to
our consultancy
approach can help successful certification.

Copyright © ECSC Ltd 2006 Page 3 of 8


Blue Paper – ISO 27001 Executive Brief

Information Security
You know how the use of Information Technology is transforming
the way you do business. Whether through electronic commerce,
remote communications, or innovations in your business processes,
IT has become central to delivering business performance

However, business is not just about IT; you still value your people
and the knowledge they hold, and you appreciate the importance of
traditional paper documents. Also, when gathering your thoughts
and taking decisions, you may still use more established technology,
such as pen and paper. Therefore critical information extends well
beyond your IT systems. A common mistake many people make
when trying to improve information security is to ignore the above
and pass the issue to the IT department.

Many people believe that security is only about keeping information

secret; maintaining appropriate Confidentiality. You know which
information that you would not want other people to see. However,
in our experience it is usually disruption to business that has the
greatest impact. Availability of information is often the dominant
factor for an information security management system. Ensuring the
Integrity of your information completes the three elements of
The DTI estimates
the cost of
So effective information security is much more than IT security, it
security breaches
in the UK to be crosses organisational structures and impacts upon the whole
“£10 billion
pounds per business. It encompasses much more than keeping small amounts of
annum” - information secret. Your success is becoming more dependent upon
Security Breaches availability and integrity of critical information to ensure smooth
Survey 2006
operations and improved competitiveness. The ISO 27001
standard has emerged as the recognised mechanism to improve your
business, and, more importantly, make judgements about others.

Copyright © ECSC Ltd 2006 Page 4 of 8


Blue Paper – ISO 27001 Executive Brief

CEO Perspective
Your vision is central to organisational development; driving
improvements in all areas of the business to create value. With
information technology being key to so many change programmes,
effective information security management systems are a pre-
requisite to ensure systems deliver on their business objectives. Your
leadership can help create the appropriate security culture to protect
your business.

Organisations are now being asked questions about ISO 27001,

particularly by national or local government, and financial sector
customers. This is being driven by adoption of the standard as part
of their legal and regulatory compliance. In some areas the
standard is now a requirement for your winning tenders.

Others are seeing a competitive advantage in leading their sector

and using certification in information security management to develop
customer confidence and win new business. With more public
concern over security issues, there is now a requirement to build
effective marketing mechanisms to show how you can be trusted.

You will also be fully aware of your responsibilities for effective

governance, and be answerable for damaging incidents that can
effect organisational value. The risk assessment foundation to the
standard is designed to give you a clear picture of where your risks
Three-quarters of
are and to facilitate effective decision making. This translates into
businesses believe
that security is a risk management, not simply risk reduction and therefore replaces
high priority to
their senior the feeling many directors have of risk ignorance in this area. This
management or will help you to understand the potential risks involved with the
deployment of the latest information technologies. This in turn will
enable you to balance the potential downside with the more obvious

Copyright © ECSC Ltd 2006 Page 5 of 8


Blue Paper – ISO 27001 Executive Brief

CFO Scrutiny
Whether, as part of compliance, such as your OFR, BASELII,
Sarbanes Oxley, Data Protection Act, or as part of effective
governance, information security is a key component of operational
risk management. It enables the formulation of effective risk
analysis and measurement, combined with transparent reporting
of ongoing security incidents to refine risk decisions.

Giving values to the impact security incidents can have on your

information assets, and understanding the realistic threats that are
relevant to your business is vital. Analysis of where you are
vulnerable allows you to measure the probability that you will be hit
by security incidents with direct financial consequences.

Many organisations are now further developing their ISO 27001 risk
assessment processes to begin to measure risks in financial terms.
This now gives them the (almost) perfect mechanism to make
investment decisions based on more accurate measurement of risk
rather than guess work or vendor scare stories.

An added benefit of the risk assessment process is that it gives you a

thorough analysis of your information assets, how they can be
A major global bank
impacted by attacks on their Confidentiality, Integrity and
recently calculated
that 98% of its Availability, and a measure of their real value to your business.
asset value
information Although the detail within the risk assessment process can be
complex, it is also possible to translate this into clear priorities and
risk profiles that the board can make sense of, leading to more
effective financial decision making.

Copyright © ECSC Ltd 2006 Page 6 of 8


Blue Paper – ISO 27001 Executive Brief

COO Control
The efficient delivery of new business processes, by implementing the
latest information and communications technologies, is probably one
of your key challenges. Success means new competitive advantage,
failure can be catastrophic.

An effective Information Security Management System (ISMS) as

described by the ISO 27001 standard is a key enabler for
information dependent systems.

Encompassing much more than IT security, its coverage of physical

security and business continuity extends its impact and benefits to
the organisation.

The standard can also be an effective tool for assessing and

managing the risks inherent in outsourcing and relationships with
key business partners. Assessing risks and using the controls as a
benchmark can give you increased control over critical risks to your
systems that can be caused by third-parties.

An important, and often neglected, area is that of systems acquisition

and development. This weakness can be a result of the ISO 27001
standard allowing you to select the areas important to your business
for inclusion in your ISMS. Through our incident response services
we, on many occasions, encounter major security breaches where no
regard to security was given during the development process. The
ISO 27001 standard has a number of controls to help you with
development in addition to operational security issues.

Copyright © ECSC Ltd 2006 Page 7 of 8


Blue Paper – ISO 27001 Executive Brief

Where next?
As of February 2006, organisations are certifying to the new ISO
27001 standard. Some for the first time, and others converting from
existing BS 7799 certifications.

This ECSC Blue Paper has been designed to help introduce you to the
more important elements and show how these can benefit executives,
their organisations, and key stakeholders.

If you require further help, you may wish to join us on one of our
regular ISO 27001 Briefings. These are updated with each delivery
to reflect our continued work with a variety of clients. You may also
want a custom board briefing delivered on your site.

Alternatively, we would be more than happy to come to see you to

discuss your particular project, and give you some initial guidance on
building an effective Information Security Management System.

About the Authors:

Ian Mann is a Senior Systems Consultant with ECSC Ltd. He is a member of
the BS7799-3:2005 ISMS Risk Management Panel and the UKOnline for
Business Expert Panel. He is a certified security specialist and a CESG Listed
Advisor (CLAS) with GCHQ, holding security clearance. Ian is a visiting
lecturer at Bradford University for the Masters in IT Security and Forensics.

Hugo Richardson is Marketing Consultant with ECSC. He is a member of the

Chartered Institute of Marketing

About ECSC:
Following its inception in 1999, ECSC Ltd has developed and grown rapidly. We
serve such diverse organisations as legal and financial firms to e-commerce
based companies, traditional manufacturing organisations and the military.

Our consultants have wide experience of ISO 27001 development in a variety

of sectors. In addition, we have extensive practical experience of providing
and managing the security of clients' IT systems with award winning solutions.
The consultants also provide a broad set of skills to carry out testing and
auditing from the network level, through specific applications to the auditing
and review of code and programming techniques for bespoke applications.

And, as you would expect, we gained certification to the new

ISO 27001 standard within two weeks of it becoming available.

Copyright © ECSC Ltd 2006 Page 8 of 8