Keep an eye on any assets been added to your infrastructure. Usually in large organizations it is quiet obvious that you tend to skip this task and get surprises during your next audit. There are also possibilities that an asset has been removed from the infrastructure. Identify the assets, do a risk assessment, update your risk treatment documents and the SOA if required. Since you are already certified, I assume the process of adding assets or removing has already been defined, communicated and followed.

User awareness should be an ongoing process. Try to avoid giving the same details over and over again. Employees will be interested in knowing the latest threats and

• how that can impact the organization
• what measures have we taken to avoid this risk
• by implementing information security practices how have we taken care of such threats
• how much value they as employees have added

Never forget to check the effectiveness of the awareness sessions. You can conduct quizzes, scenario based training programs, online training programs etc, which can be made mandatory by having the performance of individuals mapped directly to their appraisals.

Internal audit should be carried out at regular interval. The interval of audits will be as per your internal policy. There are different areas were the audits has to be conducted. I am sure you would have experienced this during your certification audit. Some of areas are as listed below. For more details on what to look for under each of these areas, refer to my article called “ISMS Implementation guide” which is posted in the same site.

• On floor audit
• Desktop audit
• Awareness audit
• Technical audit
• Social engineering

Some of the other activities that should be carried out on a regular basis, apart from the awareness are as mentioned below:

• Fire drills
• Check for the expiry dates on fire extinguishers
• Penetration testing, Vulnerability assessment
• Testing of BCP implementation

The last one on this article is to measure the effectiveness of your implementation. There is something that you have implemented and you need to know if what you have implemented is useful, valuable to the organization which includes employees and effective. This will also help you in your surveillance audit to a great extent in showing improvements.

How to measure your controls effectiveness is a topic by itself. I am looking forward in writing an article at the earliest. In the meantime there is a document from National Institute of Standards and Technology (NIST), sp800-80, which is still in a draft stage. You can get this document from the following location.

Guide for developing performance metrics for information securitydraft sp800 80

Please download the document here:
ISMS Implementation Guide

Refer to your BS ISO/IEC 27001:2005 document under point 1 Scope.

1. Scope
1.1 General
This international Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This international Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

The ISMS is designed to ensure the selection of adequate………….

NOTE 1: References to ‘business’ in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization’s existence.

Look carefully at the words that I have highlighted above. It clearly says that if you are doing a partial implementation of Information Security practices using BS ISO/IEC 27001:2005 at your organization, choose those departments that has activities that is core to the existence of the organization. BS 7799-2:2002 had the flexibility of implementing at or choosing any departments that the organization is comfortable with and in the process most organization chooses department that are much easier to implement.

For example: if you are implementing Information Security practices in an IT organization, you should choose the development department/team for implementation as that is the core business of an IT organization, without which an IT organization might not exists.

Those organizations who are already BS7799-2:2002 certified for some of their departments which is not core to their business process need not worry. You can go ahead with the upgrade as is, but should make sure that the scope is extended to the core business process. It also makes more sense in doing so, cause ultimately, what is that we are trying to achieve…??? We need to protect our information assets, which is critical in those departments that are core to the business.
Couple of other points that we need to keep in mind are as mentioned below:

Note down the points under Management review of the ISMS point 7 of BS ISO/IEC 27001:2005. Make sure every point in this section is discussed at all your security committee meeting. Even if you do not have anything specific to discuss on points in this section, please mark appropriately in your minutes of meeting document.
Make sure your Statement of Applicability (SOA) document mentions that all controls that are applicable have been implemented. If any of those controls is not been implemented, list down those controls in the SOA document. Often, some of the organization will mention that BCP is an applicable control but will be implementing the same only after 6 months. You can still go ahead with the certification process, but mention this in your SOA specifically and have all your supporting documents ready.
If you are doing a partial implementation of Information Security practices in your organization, you need to clearly justify the exclusion of other departments in your scope document. Clearly mention why you choose this department and what were the reasons for excluding other departments and have the management approval documents prepared for audits.

These are some of the points that I would like to highlight, which I feel would be of some help to all who is intending to implement Information Security practices in your organization using the BS ISO/IEC 27001:2005 standards.

File Download: Right-click on the link below and select “Save target as”. Once the download is complete, change the extension from “.pdf” to “.xls” and you are ready to go.

2000v2005

Risks:
Management Commitment — Management has one of the key roles in the implementation of ISMS practices. The management should have the thirst, drive and understanding for the requirement of ISMS practices in the organization.

Availability of Internal Resources — This is a very common problem that everyone faces. We will require the participation of other team members, right from the initial phase until implementation is completed and further to practice the implementation. To address certain areas like, asset inventory, risk assessment etc, it will difficult to get some of the resources, since they will also be busy with their routine tasks.

Asset Inventory — There are two risks to this phase.

Identifying and recording all the assets from all the departments. It is sometimes not possible to sit with each and every team and help them in identifying their assets. So the common practice is to have a workshop with one of the members from those teams and then request to identify the assets in their department. So the information that comes back from the team members are the ones they have identified and most times you can have surprises.
The implementation project in an organization with 500 – 1000 employees would take a minimum of 6 to 8 months. During this period there will chances that new assets are added to the infrastructure and you go unnoticed. So keep you eye open to see and understand, if there any proof of concept (POC) going on for any products or anything budgeted for the current year.

Hiding non-existence of Controls — While you are carrying out your control assessment, it is quite obvious that the nominated persons to assist you in taking you through the exisiting controls might hide certain weak areas or areas where there are absolutely no controls. This is very often done cause the nominated persons do not completly understand the meaning of a control assessment and mistake it for an audit and fear of you reporting non-conformities to the senior management. If this is not been communicated properly, make sure that you take about 5 minutes before you start of with your control assessment exercise to brief the person assisting you on the impact. If you fail to identify the areas where there is no control, this would impact your risk assessment exercise.

Manpower/Budget — During the implementation phase there will be controls recommended which can be both technical and non-technical. At times it has been seen that there will be lack of man power or lack of expertise for implementation of these controls or the organization would not be ready with the budget required for the purchase of these products. So watch out for these risks and have a buffer of both in place.

User Awareness — There are numerous workarounds for other implementations, tell me one workaround for lack on awareness in the organization…??? I don’t see any and would certainly consider this as one of the critical risks to the organization. Even before you think of implementing ISMS practices, collect the required information and start training the employees on regular intervals. At a later stage if you decide not to implement ISMS, you still do not loose anything.