The development of information technology accelerates globalization; however, this relationship works in both directions. The global economy affects the ways of thinking about information management. Awareness of this fact among company executives is growing, but it is still insufficient. Top management decisions are driven mainly by economic effects, whereas information security problems are often overlooked.
A correct calculation of costs should, however, take into account the risk of security problems. The awareness and appreciation of information security among personnel can be significantly lower in some countries. Other threats should also be considered, e.g. political risk, industrial espionage, intellectual property theft, as well as disaster recovery issues. Cost cutting also results in fewer audits of overseas departments. Lack of control can lead to a loosening of security procedures and an increase in security incidents.
The Information Security Management System (ISMS) standard, ISO 27001, is meant to be the answer to such problems. It was first published in 2005 and updated in 2013. Its scope comprises the development of the security policy at the strategic level, the evaluation of risks, the determination and implementation of security controls aimed at eliminating threats, and also the monitoring of the system with the aid of internal audits and a management review. This is reflected in the structure of the ISO 27001:2013 standard, which comprises eleven chapters. The first four chapters contain an introduction, a description of the scope of the standard, normative references, and terms and definitions. The key chapters focus on the organisational context and stakeholders, information security leadership and high-level support for the policy, planning an information security management system, supporting it, making it operational, reviewing its performance, and corrective action. Such a structure corresponds to other ISO standards that relate to management systems. The current standard was changed significantly compared to the previous version; its structure and the clarity of its requirements are much better than in ISO 27001:2005.
The key part of ISO 27001:2013 is Annex A, which contains a list of security controls concerning, among others: information security policy, organization of security, security of staff, asset management, access control, cryptography, physical and environmental security, security of systems operation, communications, development of systems, relations with suppliers, incident management, business continuity, and compliance with the law. The control groups are strictly related to the contents of the ISO 27002:2013 standard, where detailed guidelines concerning the implementation and monitoring of security controls may be found. It should be noted that in many cases the ISO 27002:2013 standard deals with an information technology system; however, when implementing an information security management system, it should be interpreted more broadly, as an information system.
Apart from ISO 27002, implementation of an information security management system requires knowledge of other standards in this family: implementation guidance (ISO 27003), measurement principles (ISO 27004), and risk management methodology (ISO 27005, which refers to ISO 31000).
While developing standards for management systems, the International Organisation for Standardisation follows the principles of compatibility and complementarity. Apart from ISO 27001, the most popular standards in this field include quality, environmental and occupational safety management systems. The compatibility is seen in the application of similar management methods and tools, e.g. principles of supervision over documents and records, the development of organisational policies, carrying out management system reviews, internal audits, identification of non-conformities, and corrective actions. This approach makes the ISO 27001 standard easier to implement in organizations which already have a certified ISO 9001 system.
An organization's interfaces are particularly vulnerable to information security problems, and cooperation with suppliers is no exception. The standard mentions in Annex A six main controls related to information security management in the context of supplier relationships:
- A.11.1.6. Delivery and loading areas,
- A.15.1.1. Information security policy for supplier relationships,
- A.15.1.2. Addressing security within supplier agreements,
- A.15.1.3. Information and communication technology supply chain,
- A.15.2.1. Monitoring and review of supplier services,
- A.15.2.2. Managing changes to supplier services.
The main provision of ISO 27001 concerning suppliers is the information security policy for supplier relationships (A.15.1.1). This is a new requirement, added in the 2013 revision. Information security requirements are expected to be agreed between the organization and the supplier and documented. This should reduce risks related to the supplier's access to the organization's assets. This is legal protection, which should be reinforced by additional organizational, technical and IT safeguards. The organization should identify groups of suppliers, evaluate their access to information, and determine and implement access restrictions which improve security without worsening the conditions of cooperation. Suppliers can influence business continuity; therefore the organization should determine how tolerant it is of supplier faults. In the case of close cooperation, it may be desirable to plan staff awareness training not only for its own personnel, but also for the supplier's employees.
For suppliers who are able to access, process, store or transmit information, or who provide ICT infrastructure, the organization should establish agreements to ensure that the duties of both parties are known and well understood (A.15.1.2). A common misunderstanding about ISO 27001 controls is that they are limited to ICT problems, while most of them relate to the whole organization. This control is a good example. In fact, most suppliers have access to the organization's information which should be protected (tenders, specifications, technical documentation). Agreements should regulate the methods of protection used by both parties, the rules of acceptable use of information, intellectual property, dealing with incidents, and other issues.
ISO 27001:2013 introduces a new requirement concerning communication in supply chain management (A.15.1.3). Sensitive information in the supply chain can be transferred not only to the direct supplier, but also to subcontractors. It is important to implement an information security policy that embraces not only the organization and its suppliers, but all parties in the supply chain.
Supplier services should be monitored and reviewed on a regular basis (A.15.2.1). Monitoring should include the service level, compliance with the requirements of the contract, review of supplier reports, incident management, and audits where appropriate. Monitoring is an important part of maintaining the supplier relationship: the organization can identify early signals of problems and help solve the supplier's problems before they cause problems within the organization. To improve communication, both parties should appoint personnel responsible for relationship management and problem solving.
All changes to supplier services should be managed to assure compliance with current information security policies, procedures and controls (A.15.2.2). According to the requirements of ISO 27001, new agreements as well as all changes should be examined in the risk assessment process.
According to A.11.1.6, the organization should supervise delivery and loading areas and other points where unauthorized persons may try to enter. This includes identification and authorization of personnel having access to loading areas, reorganization of loading areas and procedures so that suppliers can operate without the need for special authorization, verification of supplies for hazardous materials and signs of tampering during transport before further transfer, recording of supplied materials, and physical separation from outgoing deliveries. These requirements may entail reconstruction of delivery zones. Suppliers should be informed in advance about delivery procedures.
Apart from the above-mentioned controls, cooperating companies should share a common policy for information security incident management, aspects of business continuity management, and intellectual property rights.
ISO 27001:2013 focuses on the planning of cooperation processes, which includes identification of risks and the determination and implementation of legal, organizational and technical protection measures. An information security management system shouldn't be restricted to logistic cooperation, as it will work properly only when all controls are implemented. Thanks to the systems approach and compatibility with other management system standards, it allows the company to enhance information security across the whole organization.
Recommended external sources: