In the businesses of cyber security, IT development, and managed information services, security is paramount. If you can’t keep the information that’s been entrusted to you safe, then you might as well fold up your shingle and move on to a different career path. Today, every business that works with information is a target for cyber attackers, with data breaches becoming more sophisticated. While most companies don’t think it’ll happen to them, it’s best to adopt a “when, not if” mentality to cybersecurity and information security integrity. One such way is the implementation of ISO 27001.
ISO 27001 certification has been available for some time, but recently it has gained traction and is enticing information technology companies to seek certification, not only to secure their own data, but also for compliance reasons, to lower their potential costs from future security incidents, and to achieve the competitive advantage that certification offers over the competition.
It is, however, a rigorous process that won’t exactly endear you to your software development team over the time it’ll take to achieve your certification and beyond.
What Is ISO 27001 and What Is Its Purpose?
Properly known as ISO/IEC 27001:2013, this is a management standard designed for the certification of organizations’ information security. It details requirements for establishing, implementing, maintaining and continually improving your ISMS (Information Security Management System). It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The aim is to facilitate a process in which organizations of any size can make the information assets they hold more secure. In order to be certified, organizations need to meet the standard’s requirements and have an audit completed by an accredited certification body.
The standard is known not only for providing companies with the information they need to protect their most valuable assets; getting certified against ISO 27001 also proves to customers and partners worldwide that the company takes the safeguarding of data very seriously. This certification standard helps you to comply with legal requirements, achieve a competitive advantage over competitors, keep your procedures organized, and mitigate costs from potential security breaches.
Getting yourself certified, and adhering to the rules and regulations of ISO 27001, however, takes time and effort that will definitely slow down your developers and internal processes (but will be 100% worth the time and investment).
The 3 Key ISMS Security Objectives
Specifically, the fundamental goals of ISO 27001 are to protect three aspects of information:
- Confidentiality: Only the persons with authorization can have the rights to access the information.
- Integrity: Only the authorized persons can change the information in question.
- Availability: The information must be accessible to the authorized persons whenever they need it.
Distilling it down to its simplest form - a company needs to conduct risk assessments to find out what could go wrong with its information, then define what needs to be done to prevent that from happening via the implementation of security controls and safeguards.
An ISO-Compliant ISMS
There’s no doubt that your organization has a robust Information Security Management System in place already, but is it ISO-compliant? Probably not. An ISMS that complies with ISO 27001 stipulates a set of rules that the company needs to establish in order to:
- Identify stakeholders and their expectations of the company in regards to their information security.
- Clearly identify which risks exist for the information.
- Define controls, safeguards, and other methods to mitigate risks and meet identified expectations.
- Set clear objectives on what the company needs to achieve with their information security.
- Implement controls and other risk treatment methodologies.
- Continuously measure if your implemented controls perform as expected.
- Make continuous improvements to your ISMS to respond to evolving security threats.
These rules can come in the form of policies, procedures, or any other type of documentation, or in the form of processes and technologies that you establish that may not necessarily be written down. When aiming for an ISO certification, however, there are certain documents and controls that are required at a minimum.
ISO Certification Means Extra, Time-Consuming Steps...
A company’s list of controls that should be implemented is required to live in a document called the Statement of Applicability. It’s this document, with its annexes and controls, that will add work and time to your team’s bottom line. Below you’ll find the specific reasons for the impediment to your speedy software development process. These are the required “controls/domains” listed in Annex A of ISO 27001, and they’re crucial to your certification.
1) Information Security Policies:
A.5 - Any and all information security protocols should be directed from the top of an organization and communicated clearly to every single employee.
Your security protocols are only as good as the people implementing them and using them on a daily basis. This means extra steps, more robust protocols, and time spent training and continuously auditing the protocols on an ongoing basis.
2) Organization of Information Security:
A.6 - A management framework should support the organization’s information security operations, both on- and off-site.
Accountability and division of responsibilities are key for a secure organization. Stakeholders and employees need to know who’s in charge and who to go to for any threat or risk, and someone should be spearheading access management and permissions both inside the office and remotely.
3) Human Resource Security:
A.7 - Employees and contractors should be aware of their role in safeguarding the organization’s information both before and during employment. The organization’s information should also remain protected when employment changes or ends.
There must be an effort to vet and monitor employees and their access. Not every (or any) developer in your production chain needs admin privileges for their systems. It means they might not get the tools they’d prefer, but it’s better than giving everyone a key, and then wondering why the door’s been left unlocked. It won’t make you popular, but it will make you more secure.
4) Asset Management:
A.8 - Organizations should identify their physical and information assets and determine the appropriate level of protection necessary for each.
There is no ‘one size fits all’ solution to how your assets should be managed and protected. Implementing permissions, restricted access, and other defined protections may have immediate, short-term consequences (e.g. frustration at the extra “hoops”), but will have long-term benefits.
5) Access Control:
A.9 - Access to information and information processing facilities should be limited to prevent unauthorized user access. Users should be responsible for safeguarding their authentication information, such as passwords.
In line with the previous control and the subsequent point, every step should be taken to limit access where possible. On an individual level, users should have a defined and approved method to safeguard their personal login information as much as possible to mitigate breaches. This should include a policy on private device access, or lack thereof. As well, there needs to be a protocol in place for employees who have left the company, so valuable IP doesn’t go with them.
For example, the recent Orion/SolarWinds hack was due to someone figuring out the password to an update server.
6) Cryptography:
A.10 - Policies on cryptography and the use of cryptographic keys should be developed and implemented to protect the confidentiality, integrity, and/or availability of information.
There needs to be a defined system of private and public key management, end-to-end encryption, and authentication, as well as the Public Key Infrastructure (PKI) to manage, exchange, and rotate keys when necessary. These processes may take a little longer and require more steps, but will ensure the integrity of your information.
There also needs to be a hierarchy of access and authentication. Only certain stakeholders should have access to the most critical pieces of information. Segmenting access points and data across your production chain is crucial to your security status.
7) Physical and Environmental Security:
A.11 - Controls should be introduced to prevent unauthorized physical access, damage, and interference to information processing facilities.
Even if you rely exclusively on cloud storage, your company still has vulnerable physical infrastructure that requires controlled access via codes, keycards, and other security measures, including physical security staff. It might prove an annoyance to keep scanning a card to move through your building, but the alternative is worse.
8) Operations Security:
A.12 - Information and information processing facilities should be protected from malware, data loss, and the exploitation of technical vulnerabilities.
Periodic checks and updates of critical software could take time, and perhaps lead to some network downtime or hiccups, but this is how vulnerabilities are addressed and patched. Inconvenient, but entirely necessary.
9) Communications Security:
A.13 - Information should be protected in networks and as it is transferred, both within the organization and externally.
Solid end-to-end (E2E) encryption with a robust key management system should be the default. Your auditor needs to know how you’re protecting your messages in transit, and how your organization manages the information. Even if it takes everybody some extra steps, and adds a slight measure of latency to your processes and procedures, it’s worth the delay.
10) System Acquisition, Development And Maintenance:
A.14 - Information security should be designed and implemented throughout information systems’ lifecycle. Test data should also be protected.
It goes without saying that, no matter how inconvenient it is, your security systems should be tested regularly, undergo periodic maintenance, and be upgraded when required. Security should be ingrained from the ground up and run through everyone in your organization.
11) Supplier Relationships:
A.15 - Any of the organization’s information assets that are accessible by suppliers should be appropriately protected.
It’s all too easy for a key stakeholder to log in to an external supplier site, and have their credentials potentially compromised. It could be as benign as a CTO logging into a third-party hosting platform that contains their blog, and someone else takes those credentials to publish inaccurate information. A more critical breach doesn’t need to be spelled out - we all know what can happen when a bad actor gets the keys to the kingdom. Every precaution should be taken, regardless of how tedious it may be.
12) Information Security Incident Management:
A.16 - Information security incidents should be handled consistently and effectively.
There should be a consistent and clearly defined protocol for dealing with a breach. This defines the appropriate policies and procedures and who’s responsible for which duty, and reduces the time lost by employees. Periodic reminders and training are necessary, despite how much time they take. It only takes one moment of inaction or an errant reaction to a breach, and your credibility is lost.
13) Information Security Aspects of Business Continuity Management:
A.17 - Information security continuity should be embedded in the organization’s business continuity management practices.
What happens when there IS a breach? Time needs to be spent to spell out exactly what the system of prevention and recovery from potential threats to the company will be, how personnel and assets are to be protected, and how they can recover quickly in the event of a disaster.
It will take time to implement this and to maintain a constant state of readiness for when the unthinkable happens. Again, more time away from software development, and more on security protocols (still never a bad thing).
14) Compliance:
A.18 - Information should be protected to meet legal, statutory, regulatory, and contractual obligations, and in accordance with the organization’s policies and procedures.
No one enjoys tedious rules, regulations, and processes. This point encompasses the salient details from the previous controls. Meeting the requirements of your ISO 27001 certification will mean that your policies, procedures, and workplace obligations will have to be redrawn to meet the pertinent criteria. This will mean a change in long-ingrained habits, and not everyone is going to like the new organization. But it’s for the best. Regardless of the extra steps in your production processes, you need to ensure that your information is locked down as tightly as possible.
...For The Benefit of The Company
The preceding portion of this blog was clearly meant to be tongue-in-cheek, but the subject matter couldn’t be more serious. Depending on the complexity and size of your ISMS scope and your organization, this certification process will take a significant amount of time to get all the pieces together, implement the right processes, and find an auditor to break every single security feature you have on paper and in practice, to ensure that you meet the eligibility criteria.
Only then, can you display the certification on all of your marketing collateral and start facilitating new relationships in the information technology and development space. In no time at all, your new customers will see the benefits in working with a certified ISO 27001 organization.