Governance, Risk & Compliance Advisory Blog
Insights on best practices related to IT Audit & Compliance

Overview on ISO27001 approach and implementation

December 12, 2010 17:46 by nirav

In today's world, along with the growth of technologies, new threats to information have become a fact of life for most organizations. That being said, information security has become one of the main pillars of any IT organization within a company. Simply put, information security is the process by which an organization implements controls which ensure that business-critical servers and applications are protected from unauthorized use. This requires the deployment, implementation and compliance of appropriate protection and prevention mechanisms.

ISO27001 Approach

ISO 27001 is the international standard defining the desired methods of controlling the confidentiality, integrity and availability of information. The CIA triad (Confidentiality, Integrity, Availability) is the pillar around which an ISO 27001 implementation revolves:

• Confidentiality: Keeping private information away from individuals who should not have access to it.
• Integrity: Data is consistent and has not been modified.
• Availability: Reliable and timely access to the data and resources you are authorized to use.

An ISO 27001 implementation also helps to evolve an effective ISMS (Information Security Management System). A typical ISO 27001 policy follows a PDCA (Plan – Do – Check – Act) cycle.

Establish the ISMS – This defines the scope and boundaries of the ISMS. As simple as this may sound, this is where most companies struggle to strike a balance between the cost of implementation and the scope of activities covered by the certification. Once the scope is finalized, define the ISMS policy, decide on the risk assessment (RA) methodology and the risk treatment options, and prepare the Statement of Applicability (SoA). The RA will help identify the critical assets that need to be protected and the controls that already exist or need to be implemented. Organizations need to decide on acceptable levels of risk, since control implementation has costs associated with it.

Implement and operate the ISMS – This follows the RA and the evaluation of the cost of controls. Identified risks to critical assets need to be reduced to the acceptable levels of risk. This could be through implementing new controls or simply modifying existing ones. The risk that remains is known as residual risk.
After implementation, the organization would need to:

Monitor and review the ISMS – The organization needs to undertake periodic reviews of the effectiveness of the ISMS to ensure that control objectives are being met and are aligned with business objectives. This review should be conducted by the MISF.
Following a typical PDCA cycle, the organization also needs to continuously review the ISMS implementation to ensure that identified improvement measures get executed.
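To make the Establish and Implement steps above concrete, here is an added example (not from this post, and not any ISO 27001 tooling) of a small risk register: it scores inherent risk, applies implemented controls to get residual risk, compares that with an acceptable risk level, lists the controls still to be implemented, and produces an SoA-style view. The likelihood x impact scoring, the control effectiveness factors, the risk appetite of 8 and all assets, control references and numbers are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
ACCEPTABLE_RISK = 8  # assumed risk appetite: a score of 8 or below is accepted as-is

@dataclass
class Control:
    ref: str              # placeholder reference, constructed for this example
    name: str
    effectiveness: float  # assumed fraction of risk removed once implemented
    implemented: bool

@dataclass
class Asset:
    name: str
    likelihood: int       # 1 (rare) .. 5 (almost certain), assumed RA scale
    impact: int           # 1 (negligible) .. 5 (severe), assumed RA scale
    controls: list = field(default_factory=list)

def inherent_risk(asset):
    """Risk before controls: likelihood x impact (assumed scoring method)."""
    return asset.likelihood * asset.impact

def residual_risk(asset):
    """Risk left after the implemented controls: the post's residual risk."""
    risk = float(inherent_risk(asset))
    for c in asset.controls:
        if c.implemented:
            risk *= 1.0 - c.effectiveness
    return round(risk, 1)

def treatment_decision(asset):
    """Do phase: accept if within appetite, otherwise the risk must be treated."""
    return "accept" if residual_risk(asset) <= ACCEPTABLE_RISK else "treat"

def treatment_plan(assets):
    """Planned-but-unimplemented controls for assets that are still above appetite."""
    return [c.ref for a in assets if treatment_decision(a) == "treat"
            for c in a.controls if not c.implemented]

def statement_of_applicability(assets):
    """SoA-style view: every control in the register with its implementation status."""
    return {c.ref: {"name": c.name, "applicable": True, "implemented": c.implemented}
            for a in assets for c in a.controls}

# Constructed sample risk register (not real data)
CRM_DB = Asset("CRM database", 4, 5, [
    Control("CTL-01", "Database access control", 0.5, True),
    Control("CTL-02", "Encrypted off-site backups", 0.3, False),
])
INTRANET = Asset("Intranet wiki", 2, 2, [Control("CTL-03", "Patch management", 0.4, True)])
REGISTER = [CRM_DB, INTRANET]
```

Re-running residual_risk and treatment_decision on a schedule is the Check step; the register only tells you which controls to implement, not whether they work in practice.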

Conclusion: The way ahead for ISO 27001 is that it should be flexible enough to deal with the growing complexity and scale of information security threats to the organization.
It should ensure that the supporting information security policy is sound and enforceable, and recognize that people and processes are critical and that technology is just a small part of an overall IT framework.



Measuring IT Security Effectiveness

July 24, 2010 22:44 by nirav

In business and accounting, information technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met. A good information security system should be implemented by subject matter experts in information security: people who understand risk as well as the importance of using the right internal and external controls that will not only protect data but also contribute towards meeting organizational objectives. To be effective, it is also important that the information security policy being implemented has good management support. This is where the problem begins, because many companies that have chosen to set up an expensive information security system don't always realize why or how they came to choose its implementation in the first place.

So why should a company measure the information security policy it has implemented? A few industry pointers are listed below:

• To show ongoing improvement,
• To show compliance (with standards, contracts, SLAs, OLAs, etc.),
• To justify any future expenditure (new security software, training, people, etc.),
• To identify where implemented controls are not effective in meeting their objectives, and
• To provide confidence to senior management and stakeholders that implemented controls are effective.

While on the topic, organizations should also highlight to their stakeholders the various advantages of measuring the effectiveness of security policies, which are:

• Proactive measurement can prevent problems arising at a later date (e.g. slow networks, denial of service, disk failures, etc.),
• Reduction of incidents,
• Staff motivation, and
• Visible evidence to auditors, and assurance to senior management.

Once organizations have defined the objective and realized that measuring the effectiveness of the security policies has advantages, the question arises: "What do I measure?"

Again, industry best practice suggests that you can break down the information security implementation into the following categories:

1. Management Controls:
These typically include the security policy and procedures, IT policies, the corporate strategy for information security and awareness, business objectives and management reviews.
2. Business Processes:
These include conducting the actual risk assessment, the risk mitigation measures that will be implemented, the acceptable level of risk, and data retention and disposal measures.
3. Operational Controls:
These consist of the operational procedures for supporting the IT services being delivered; hence processes like change, incident and availability management would be part of the operational controls.
4. Technical Controls:
These typically consist of activities like firewall configuration, AV updates, patch management, content filtering, etc.

To measure the controls, organizations can also have KPIs defined for the controls so that the controls can be mapped back to the organizational objectives.
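As an added example (not from this post or any particular tool), the following measures two of the technical controls listed above, patch management and AV updates, as KPIs over a constructed host inventory, compares each against a target and maps it back to its control category and the organizational objective it supports. The inventory rows, the KPI targets, the three-day signature age limit and the objective wording are all assumptions made for this illustration.

```python
from datetime import date

# Constructed host inventory (not real hosts); the fields are assumed to come
# from the organization's patch and AV management tools.
INVENTORY = [
    {"host": "web-01", "missing_critical_patches": 0, "av_signature_date": date(2010, 7, 23)},
    {"host": "web-02", "missing_critical_patches": 2, "av_signature_date": date(2010, 7, 24)},
    {"host": "db-01", "missing_critical_patches": 0, "av_signature_date": date(2010, 7, 22)},
    {"host": "file-01", "missing_critical_patches": 0, "av_signature_date": date(2010, 7, 24)},
]
REPORT_DATE = date(2010, 7, 24)  # constructed measurement date
AV_MAX_AGE_DAYS = 3              # assumed: older signatures count as out of date

# Assumed KPI definitions: each KPI belongs to a control category and supports
# a business objective, with a target (percent) the control must reach.
KPIS = {
    "patch_compliance": {"category": "Technical", "target": 90.0,
                         "objective": "Reduce exposure to known vulnerabilities"},
    "av_currency": {"category": "Technical", "target": 95.0,
                    "objective": "Reduce malware incidents"},
}

def pct(num, total):
    """Percentage rounded to one decimal; an empty inventory scores 0."""
    return round(100.0 * num / total, 1) if total else 0.0

def patch_compliance(inventory):
    """% of hosts with no missing critical patches."""
    ok = sum(1 for h in inventory if h["missing_critical_patches"] == 0)
    return pct(ok, len(inventory))

def av_currency(inventory, as_of):
    """% of hosts whose AV signatures are no older than AV_MAX_AGE_DAYS."""
    ok = sum(1 for h in inventory
             if (as_of - h["av_signature_date"]).days <= AV_MAX_AGE_DAYS)
    return pct(ok, len(inventory))

def kpi_report(inventory, as_of):
    """Measure each KPI, judge it against its target and attach category and objective."""
    values = {"patch_compliance": patch_compliance(inventory),
              "av_currency": av_currency(inventory, as_of)}
    return {name: {**meta, "value": values[name], "met": values[name] >= meta["target"]}
            for name, meta in KPIS.items()}
```

A report entry with "met": False is the evidence that a control is not meeting its objective; the same structure can be extended with management, business-process and operational KPIs.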

Organizational security is sometimes one of the first victims of budget cutting in a cost-cutting exercise. The most common logic is that although it costs money to implement an information security policy, the benefits are not very tangible, which makes it difficult to justify the cost incurred. However, organizations need to realize that the benefits of information security become visible only when a control fails, and when that happens the costs incurred may be too high. Hence the need to measure the controls implemented and present the benefits to all stakeholders. This helps them understand the many benefits that it can bring to the business, and also how they can leverage a well-implemented policy to drive the business and shape future organizational policies.

