LegalSEC® - Cybersecurity


What is ISO 27001 Anyway?

By John Verry posted 04-30-2016 18:04

ISO 27001 is a recipe for effectively managing information-related risk by creating a set of policies, standards, and processes (controls) commonly referred to as an Information Security Management System (ISMS).

What does it all mean and why do we want to do this?

The predominant reason that law firms are moving so quickly to ISO 27001 is client demand. Clients want assurance that the information that they are giving to the law firm is being protected in a manner consistent with their expectations, good practice, and relevant laws and regulations. Because ISO 27001 is a very comprehensive framework and becoming certified requires a very rigorous certification process, it’s the “gold standard” for proving you are secure and compliant.

Can you provide an overview of the standards that have to be met in order to become certified?

The ISO 27001 ISMS requires consideration of the 114 controls specified by the ISO 27002 standard (also listed in Annex A of ISO 27001). They cover the full lifecycle of information-related risk management:

  • Management’s Role (e.g., Promulgation and Governance)
  • Organizational Elements (e.g., Segregation of Duty, Teleworking, Contact with Authorities)
  • Human Resources (e.g., On/Off Boarding, Screening, Responsibilities)
  • Asset Management (e.g., Inventory, Acceptable Use, Information Classification, Media)
  • Access Control (e.g., Provisioning, User Rights Management)
  • Cryptography (e.g., Appropriate Use, Key Management)
  • Physical/Environmental (e.g., Physical Access Control, Power, Cooling)
  • Operations (e.g., Change Management, Malware, Backups, Logging, Vulnerability Management)
  • Communications (e.g., Network Segregation, Electronic Messaging, Network Controls)
  • Systems Acquisition/Development (e.g., Security in the Systems Development Life Cycle)
  • Vendor Risk Management (e.g., Security in Agreements, Monitoring)
  • Incident Response (e.g., Detection, Evidence, Recovery, Learning)
  • Information System Business Continuity (e.g., Planning, Testing)
  • Compliance (e.g., Identification, Records, Independent Review)

Why use this approach versus NIST/FISMA?

Both NIST/FISMA and ISO 27001 are information security frameworks; that is, well-rationalized collections of controls that you can use to effectively manage information security risk. There are three predominant reasons why ISO 27001 is more widely used than NIST/FISMA:

  • ISO 27001 is an international standard, which means that it is more widely accepted by both US and international clients.
  • ISO 27001 is a certifiable standard: you can have an accredited third party follow an accredited audit framework to assert to your stakeholders that the ISMS is effective. NIST/FISMA has no formal certification scheme.
  • NIST/FISMA is a more “prescriptive” standard than ISO 27001, which means you have less flexibility in accepting risks and choosing controls.

For law firms, another reason to work with ISO 27001 versus NIST/FISMA is that it has become the de facto standard for the legal vertical. At the time of this blog, dozens of the Am Law 250 have achieved or are pursuing certification.

How much time should a firm commit to gaining certification?

Certification takes most firms somewhere between ten months and two years. It can be done faster, but the dynamic nature of law firms makes that challenging.

Who is involved in the certification process?

Most law firms choose to leverage an ISO 27001 consulting firm to help them prepare to be certified, as they often do not have the expertise on staff or the “bandwidth” to complete the considerable amount of work involved. Those consultants work hand-in-hand with a broad cross-section of the firm, including system admins, network admins, network security, application development, DMS admins, Human Resources, legal practice personnel (Partners or paralegals), facilities, compliance, etc., to develop an ISMS that is reasonable and appropriate to manage the firm’s information-related risk. Once the firm is prepared to be certified, it will engage a “registrar” to conduct the actual certification audit.

Will ISO certification impact client matters?

ISO 27001 certification is likely to require some changes that will impact client matters, but those changes are not likely to be dramatic. For example, you may need to add a process to track drives containing client matters that are brought in by a transfer partner, and ensure that they are either stored or disposed of properly. ISO 27001 requires that you reduce information-related risk to a level, and in a manner, that is acceptable to “top management.” So impacts to matters are generally limited to those changes that Partners understand to be necessary to be secure and maintain clients.

Where do you begin?

The first step is deciding whether you are going to perform the ISO 27001 preparation internally or use a consulting firm for support. If you do it internally and lack the expertise, training is a requirement. If you are going to leverage a consulting firm, selecting one that has both ISO 27001 subject matter expertise and legal vertical experience is recommended. In either case, the process should look the same:

  1. Determine the scope of the ISMS.
  2. Conduct a Risk Assessment against the defined scope.
  3. Understand existing controls critical to managing risk and develop Risk Treatment Plans to reduce risks that are not acceptable.
  4. Gap Assess the Risk Treatment Plan against your current practices to identify gaps.
  5. Develop a Gap Remediation Plan.
  6. Execute the Gap Remediation Plan.
  7. Conduct an ISMS Internal Audit to validate the effectiveness of the ISMS.
  8. Have Management review the Internal Audit and approve Corrective Action Plans.
  9. Stage 1 of the Certification Audit.
  10. Stage 2 of the Certification Audit.
  11. Receive Certificate!

For someone just getting started, how would you recommend they attempt to estimate the total cost of certification (TCC)?

There are four potential components to TCC:

  • Consulting Costs: $0 (DIY) - $200K+ dependent upon scope, approach, and consulting firm. A tighter range based on the most typical approach we have seen is $60K - $100K.
  • Certification Costs: $20K - $75K+ dependent upon scope, approach, and registrar. A tighter range based on the most typical approach we have seen is likely $20K - $32K.
  • Capital Expenditures: $0K - $50K+ dependent upon Risk Treatment Plan. Most plans do not require capital expenditure of note.
  • Operational Expenditure: $0 - $150K+ dependent upon scope and approach. Firms not using a consulting firm are more likely to add head count than firms using a consulting firm. Firms using consulting firms rarely add head count during or after ISO certification.

Should a law firm consider aligning with ISO-27001 rather than getting ISO-27001 certified?

If a law firm does not yet have a compelling reason to get ISO-27001 certified (e.g., it is not a requirement being imposed by a customer), pursuing ISO-27001 alignment still provides many benefits:

  • Having a well-vetted recipe like ISO-27001 simplifies the process of becoming secure.
  • ISO-27001 alignment will significantly reduce your actual information-related risk.
  • ISO-27001 alignment will allow you to successfully “pass” most customers’ security questionnaires and/or on-site audits.
  • ISO-27001 alignment will allow you to become ISO-27001 certified in a compressed time frame if that becomes an urgent requirement.

Please read the blog post on NIST answering similar questions about the certification. You can find that posting here: http://connect.iltanet.org/blogs/karen-campbell/2016/05/05/what-is

Listen to our ILTA Radio session called “ISO 27001 - What Is It Anyway?” where CIO Mark Combs interviews me about ISO 27001 and gets many of his (and your) questions answered. You can find the recording here: http://connect.iltanet.org/communities/community-home/librarydocuments/viewdocument?DocumentKey=6b62c1c4-3471-4937-bfbb-7eb621d9dfca

#LegalSEC