Safe and secure
24 Apr 2007
Topics: Information security, ISO/IEC 27001, Japan
Failure to manage information security risks can have potentially disastrous consequences. Just ask UK retailer TK Maxx: in March 2007, it was announced that hackers had stolen over 45 million credit card numbers from the UK clothing stores between 2003 and 2004. According to The Times, "the theft of customer records held on computers at the company's British headquarters in Watford, Hertfordshire, and in the United States, Puerto Rico and Canada, is the biggest theft of credit card information in the world". In addition, "customers of the fashion chain's 210 stores in Britain have already had their card details used to make fraudulent transactions" and details of the cards have appeared for sale on websites known to be used by organized crime.
As a consequence, the Information Commissioner's Office in the UK has launched an investigation into the retailer's security measures, to determine whether or not there are grounds for prosecution under the Data Protection Act. As pointed out in The Times, "if found guilty, the potential fine is unlimited". Headline-grabbing cases such as this highlight just how vulnerable organizations can be and show how easily information security can be compromised if the right controls aren't in place.
Providing a robust framework for protecting confidential and sensitive corporate and personal information is the role of an international standard for information security management, ISO/IEC 27001. It provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system. ISO/IEC 27001 is the world's only certifiable information security standard and it is suitable for any organization, large or small, in any sector or part of the world.
"A lot of companies rely on information these days and to lose that information would cripple the business - it could also significantly damage their brand," says Robert Whitcher, BSI Management Systems' global product manager responsible for ISO/IEC 27001. "The standard is an investment in the business and in the future of that business."
Organizations that implement the standard must create an information security management system (ISMS), develop a documented information security policy and take steps to manage identified risks. Although the standard can be applied to the security management of information in any form - paper or electronic - the shift to e-commerce and new ways of doing business is an important demand driver for the standard. This is where related standard ISO/IEC 17799 - soon to become ISO/IEC 27002 - comes in, as it provides further guidance for organizations developing and implementing an ISMS.
"We do all our business electronically - including electronic auctions and electronic tendering. Any form of compromise and we just couldn't do business," says Mark Buggy, IT delivery manager for the NHS Purchasing and Supply Agency (NHS PASA).
Certification to ISO/IEC 27001 not only helps NHS PASA to protect information, but the assurances it provides means the organization is able to leverage the benefits of e-commerce on an unprecedented scale.
"The positive benefit is very simple: it means we can exist completely electronically," says Buggy. "We were able to do the first major electronic auction for IT equipment with absolute certainty that all the procurement rules were met - as a result of which, the health service saved about £60 million."
The real value of ISO/IEC 27001 lies in the fact that it is a certifiable standard. Companies that choose the certification route not only comply with the requirements of the standard, but can also prove their compliance to independent third-party auditors - and do so on an ongoing basis.
Because certification provides valuable assurances to customers and regulators, and therefore a vital competitive edge, a growing number of companies and organizations are choosing certification. Since the launch of ISO/IEC 27001 in 2005, more than 3,000 certifications have been achieved globally, most through market leader BSI Management Systems - and the number is increasing daily.
For example, Reuters is one of a growing number of companies that have chosen certification to ISO/IEC 27001. Founded more than 150 years ago, the company pioneered the idea of harnessing technology to distribute information. Today, Reuters provides text, data, pictures and video to newsrooms and financial markets, as well as direct to consumers.
"Information is what Reuters does," says Malcolm Kelly, head of Europe, Middle East and Africa Risks and Controls at Reuters. "Ensuring that it is accurate, timely and available to the right people has always been vitally important to us. Gaining formal certification is a way of continually raising the bar for service security and quality."
As the world's largest financial information source, Reuters is serious about safeguarding the security and quality of the proprietary and third-party information that flows through its systems: "We've taken steps to formalize the information security management systems at our major data centres and the operational services they provide - including attaining certification to two industry-proven standards: ISO 9001 and ISO/IEC 27001," says Kelly.
What makes ISO/IEC 27001 particularly valuable is that it encourages businesses to consider the relative importance of information assets in the widest sense. Confidentiality, integrity and the ability to guarantee the availability of information are part of the equation.
"The standard urges you to mitigate risks, or remove them by applying controls," adds BSI's Robert Whitcher. But he warns that risk management is not just an IT-led responsibility. "The driver should come from the business and the risk assessments should be carried out at company level."
Changing information security
Introduced as an international standard in 2005, the current standard for information security management - ISO/IEC 27001 - replaced the earlier British Standard, BS 7799-2, which was first published more than eight years ago. In order to maintain certifications for their corporate information security management systems, companies that originally certified to BS 7799-2 must certify to the new standard.
ADP is one of the world's largest providers of outsourced payroll services. It's a global operation, with headquarters in the US. ADP India is a wholly-owned subsidiary of ADP and it services the company's US and other global operations.
"Part of our business was already BS 7799 compliant, so we were familiar with the majority of the requirements of the new standard," says Anoop Ratnaker Rao, senior manager in charge of information security and business continuity with ADP India. "The key difference with ISO/IEC 27001 came with the 133 controls that are there. It gives me a much more objective view of things. The risk-based approach highlighting the key focus areas and plotting them on a priority risk ranking has helped as well. It's a lot more data-driven and a lot more rigour goes into the whole process."
Traditionally, the strongest business relationships have been built on trust - both within organizations and between them. But globalization - and particularly outsourcing - means that building those relationships is more of a challenge. ISO/IEC 27001 plays an important role in strengthening international relationships. For companies that provide outsourcing services - and for the organizations that use those services - certification to ISO/IEC 27001 provides a trusted global benchmark.
Bleum is China's leading offshore software outsourcing provider. Based in Shanghai, the company's services include managing complete offshore development centres, developing and maintaining specific software applications, test outsourcing and staff augmentation (software internationalization and localization).
"Bleum chose ISO/IEC 27001 because it is the most widely respected security framework in the world," says Eric Rongley, Bleum's CEO. "Since we service large financial institutions our customers have high expectations for security with their outsource partners and they most often request ISO/IEC 27001 certification. We also found the risk management methods in ISO/IEC 27001 complemented Bleum's statistical management practice well."
Certification to the standard assists Bleum's customers in two ways: "First, the chance of a security breach is significantly reduced. Second, due to the rigour and credibility of ISO/IEC 27001, they also have an easier time convincing shareholders and regulators that knowledge assets are not being compromised through outsourcing," says Rongley.
ISO/IEC 27001 is designed to work alongside a suite of other management system standards including ISO 9001 and ISO 14001. It is trusted by some of the most security-conscious organizations in the world - ones that stand to lose far more than money and customers if they get it wrong.
"There are lots of US government agencies that are certified to ISO standards and I think what you'll find is that they appreciate the discipline, the focus and the timelines. I call it enforced common sense," says Monroe Ratchford, a consultant with the Institute for Quality Management (IQM), a US-based business performance specialist. IQM works with US government departments, including the Department of Defense, and major US intelligence agencies. Although these cannot be named for security reasons, at least one agency has been certified by BSI to ISO/IEC 27001. The fact that the standard is a trusted component of national security is a testament to its effectiveness.
"Standards are useful in providing a common language on how we're going to operate with each other," says Ratchford. "It's for better execution, teamwork, knowledge transfer and articulating budget needs. All of those come into play when you do the ISO approach."
And for those that certify to ISO/IEC 27001, compliance means not just effective information security risk management, but greater business discipline. "It's based on the 'Plan-Do-Check-Act' cycle, so an organization can continuously improve itself," adds Whitcher. "If you know there's going to be an assessment visit, it provides a timescale and a goal, so it helps business focus. Certification is not the end game - it's the beginning."
CASE STUDY: ISO/IEC 27001 in a nutshell
ISO/IEC 27001 sets out requirements for information security management systems and it can be applied in just about any organization that depends on information. It's an auditable and certifiable international standard, which means that companies and organizations can demonstrate their compliance with it by getting certified by an independent third party, such as BSI Management Systems. Certification proves that your organization has appropriate security controls to protect information assets. Certification does not mean that an organization is compelled to replace its IT infrastructure, but it does have to prove that it's managing information properly. The standard applies equally to electronic and paper-based information systems. A related international standard, ISO/IEC 17799 (soon to be ISO/IEC 27002), can be used as a guidance document to support the development and maintenance of an information security management system. However, it is not a substitute for ISO/IEC 27001, which provides the auditable management system framework against which organizations can be independently audited.
CASE STUDY: Taking your business elsewhere
Transaction processing, call handling, manufacturing and software development are among the key business functions that are now routinely outsourced to territories where costs are lower. For those providing outsourcing services, the ability to prove that clients' confidential corporate and customer information is protected to the highest possible standards is vital. Certification to ISO/IEC 27001 provides that proof. "The biggest advantage is to provide the customer with confidence that their intellectual property or private data is secured using the world's best practice," says Eric Rongley, CEO of Bleum, China's leading software outsourcing provider. "The biggest advantage was in getting certified. Through systematic identification and mitigation of risk, Bleum reduced its risk exposure in its already secure development centre by more than 80 per cent."
CASE STUDY: The lifeblood of organizations
BSI Management Systems' decision to join the Cyber Security Industry Alliance (CSIA), a leading information security advocacy group, underlines its commitment to playing a global leadership role. Gary Pearsons, president of BSI Management Systems Americas, said: "Information is the lifeblood of organizations and in today's competitive business environment, it is increasingly at risk. We look forward to working with CSIA and its members to continue to improve cyber security policy through education, awareness and advocacy, both domestically and internationally." CSIA is led by CEOs from the world's top security providers and is the only group of its sort exclusively dedicated to ensuring the privacy, reliability and integrity of information systems through public policy, education and awareness. For more information on CSIA visit www.csialliance.org.
CASE STUDY: Credit check in Japan
Japan's privacy laws are amongst the toughest in the world. For organizations that handle personal information, such as banks and credit card companies, third-party verification of information security controls is a legal requirement. Certification to ISO/IEC 27001 is central to that requirement and this is one of the reasons Japan has more ISO/IEC 27001 registrations than any other country. Certified to ISO/IEC 27001 in 2005, Japanese credit card company JCB Co Ltd employs more than 2,500 people in 50 different departments. The need to mitigate risk and to ensure that customer data is protected is an integral part of the business operation. ISO/IEC 27001 provides a mechanism that systematically covers every aspect of information security risk throughout the company. JCB selected BSI Management Systems as its partner in the certification process.
"We chose BSI because of its ample assessment experience and on-target assessment techniques," says Haruhiko Hitsuji, ISMS project leader in JCB's compliance department. "A precise evaluation by an independent certification body such as BSI enables us to cover every aspect, including things which internal auditing and monitoring cannot spot. We know BSI's assessments will continue to further enhance our management systems."
For more information on ISO/IEC 27001 visit:
www.bsi-global.com/apr07infosec
Business Standards © 2010. Editorial produced by Caspian Publishing in association with The British Standards Institution. Editorial opinions expressed on are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.