ISO 17799/27001: Control or Standard?

I recently came across an interesting article explaining the concept of ISO 17799/27001 being a control vs. a standard.  This is a good write-up because it explains that the ISO documents are there as suggestions and guidance to be applied based on a risk assessment.

Many times I talk to organizations that appear to be looking to implement the ISO controls, but there is an education gap.  In most cases these organizations are not looking to be compliant for an ISO audit, but believe they are increasing the company's security.  If you are not looking to be compliant, then, as with all security solutions, a risk assessment should be conducted to determine which controls are implemented and their priority.


Roles & Responsibilities in Policy

Risk assessments almost always produce one finding consistently: a lack of defined roles and responsibilities.  The ISO 17799/27001 documents provide some guidance, but in many cases organizations do not know how to define clear security roles and responsibilities.  Before writing this I went through about 20 different organizations' policy documents to see if any listed roles and responsibilities the same way.  In most cases I noticed three solutions.

Solution 1:

This solution did not include clearly defined roles and responsibilities.  These documents contained a few responsibility statements scattered across different areas of the main security policy or policies.

Solution 2:

Solution 2 was the most consistent across all documents reviewed.  This solution usually defined three specific roles and their responsibilities: information owner, information custodian, and information user.  Each of these three roles had several statements defining its responsibilities, while additional statements were scattered through the other sections of the policy document.

Solution 3:

Solution 3 was more common in policy sets that are broken up into smaller documents or are much shorter in overall length.  This solution usually had specific roles such as Firewall Administrator, CSO, System Administrator, Compliance Officer, Audit, etc.  In most cases each of these roles had several bulleted responsibilities listed.

What Works?

The best solution is the one that works within your organization and causes the least confusion.  If risk assessments are performed regularly, then make sure the roles and responsibilities are written to address the risk assessment requirements.  Two methods usually work.

The first is to combine solutions 2 and 3 and write a separate roles and responsibilities document, or a dedicated section of the overall policy.  This way many roles and responsibilities are defined, and they are easy to find because they are all listed in one place.

The second is to use solution 2 near the beginning of the policy document (or in a separate policy document), and then, in each section of the policy (or each smaller policy document), write a roles and responsibilities subsection with more detailed roles.

New Links Page – Policy and Standards

I never seem to have all my links where I need them.  Either they are on a work computer or on my home computer, and never in one place.  Therefore, I have created a Links page that I will continually be updating (I may split it into separate pages if it gets too large).  For now I have added a group of policy and standards pages that I may use from time to time.

If you have any links you think should be added to the library, please post a comment on the blog and I will evaluate them and add any that meet the criteria.

Writing Effective Policies Part I

How do you write an effective policy that actually works?  A coworker and I recently published a whitepaper.  The goal of the paper was to explain how to write an effective policy by providing both good and bad examples.  Click on the link below to access the whitepaper.


This is one in a series we are producing, so I will keep everyone posted on the next document.