Many entering the information security industry wonder about the basics, so what does it mean to be compliant? What are the pros and cons of making sure you adhere to a certain standard?
If speaking about ISO 27001 (the leading international information security management standard) being compliant means that an organization has adapted its internal processes so that they protect the confidentiality, integrity and availability of their most critical information.
And this is where most misconceptions about ISO 27001 come from – first of all, information security is not all about IT, because usually the weakest link in security are the people. Firewalls and anti-virus software are necessary, but they are not enough. An organization has to figure out how to protect its information in all the other cases, and that includes someone from the inside wanting to do damage. A comprehensive approach is therefore needed, and this is what ISO 27001 defines.
Further, ISO 27001 does not prescribe which type of firewall an organization must use or how it must configure it – this is something the organization needs to define by itself, based on the potential incidents that could happen. Those potential problems are called risks, and their identification (called “risk assessment”) is the foundation of any information security management. It’s only after you find out where the risks are that can you define what kind of security controls you need, and how much you must invest.
I've seen too many times how top management, thinking that information security equals IT security, pushes this kind of project onto the IT department. But the IT department usually doesn't have the knowledge of the business side of the organization or the authority to make necessary changes, so those project often run into trouble.
Regarding pros and cons – I would say that the main benefit is that you don't have to reinvent the wheel. The standard is written by leading information (and IT) security experts, so basically you don't have to learn from your own mistakes.
The biggest negative side when it comes to the use of this standard is that it won’t work as it should if there are no business benefits to its implementation. Many companies try to implement it because someone from the middle-management thinks it's quite fancy, but they don't get the support from the top management. After a while they realize they have invested a great deal of energy into something that isn’t needed.
With standards evolving to keep up with the threat landscape, what type of changes can organizations expect in the next five years?
I expect that in next 5 to 7 years it will be commonly understood that the biggest security problems lie in people and organization, and that technology is just a tool.
The other big trends are cloud computing and social networking. This means that you cannot protect your information on your company’s perimeter, because your information is being stored and processed beyond it. This challenge will certainly require new approach from both organizational and technological point of view.
Finally, we're witnessing a flood of various security certifications, both for organizations and for individuals. I expect the market to clear out, and only a few of them to remain as the mainstream. Of course, I bet on ISO 27001.