Content Copyright © 2013 Bloor. All Rights Reserved.
Also posted on: Security Blog
I like the ISO 27000 group of security standards; in fact, I liked their precursor, BS 7799, at the end of the 20th century. It was a practical standard, rooted in the needs of practical organisations, and provided a good framework for an Information Security Management System (ISMS) based around agreed security policies. It wasn’t perfect; but it provided a good basis for discussing security with its stakeholders (an agreed set of terms and concepts) and was a foundation on which you could add controls to address any areas you felt, after mature consideration, were a bit weak (risk management perhaps). The ISO 27000 standards expanded on BS 7799 and continued the good work. There’s a lot more to good governance than security; but without a good policy-based ISMS, good governance initiatives tend to be built on sand.
Nevertheless, the security landscape has changed over the last decades and the ISO 27000 set is now due for an update. The first of these is expected to be finalised later in 2013 and I’ve just read an interesting paper from information security consultants ECSC which explains the expected changes. There is likely to be an increased emphasis on monitoring and measuring the performance and effectiveness of the ISMS, which is welcome. Security isn’t a set of check boxes – having a security policy (perhaps something just downloaded off the Internet) isn’t enough, for example; what matters is how effective the policy is. A mature company will need an ISMS based on process improvement – and that (in part) needs identification and monitoring of KPIs, and the availability of useful business-level metrics. The new standard is also likely to clarify the links between risk management and corresponding controls and talk about the skills and competences needed in order to maintain the ISMS.
Mostly, the controls haven’t changed in content, but their numbering has changed (which’ll keep people on their toes). There are some new controls. I particularly like ones that suggest that security should be embedded in all areas of business process, including development and supplier relationships – not simply bolted on – but I’d be appalled (although, perhaps not too surprised) if most organisations didn’t already realise this. You can find the ECSC paper here.
So, you should start thinking about the new standard now; if you formally adopt ISO 27000, changes will be needed. You probably shouldn’t make any actual changes until the new standard is actually published and, even then, you will want to discuss the changes implied with those affected. In particular, you should be thinking about how your ISMS can respond, in a timely manner, to business changes and consequent changes in risk and the threat landscape. This appears to be an area where the draft standard is perhaps a bit weak, as yet; although it does seem to emphasise a need for ongoing support for the ISMS (it’s not something you do once and then forget about).
However, perhaps you are already more or less in compliance with the new thinking – the ISO 27000 set was always a baseline framework, not a mandated security ceiling, and I’d be surprised if any company with a mature and effective ISMS doesn’t already see security as a people and process thing, and hasn’t already thought about effectiveness, measurement and ISMS improvement. Mind you, I don’t really think that “a mature and effective ISMS” is all that common yet.