Compliance regulations are a pain in the butt. There, I said it. They’re difficult to understand, there’s TONS of room for personal (and often incorrect) interpretation, and quite frankly there’s a lot of gray area regarding whether or not any legislative body actively enforces them.
Even with all the difficulty, the number of compliance regulations out there in the wild abound. NIST, HIPAA, PCI, GLBA, are just a few of the compliance regulations one might bump into on their travels. Honestly, there are enough compliance acronyms to make your (and my) head spin if you decide one day to try and learn them all.
I won’t even begin to pretend that I’m an expert on compliance. I’m not. It’s not something that I focus on every day (I am after all just a humble marketing guy). However, just because I’m (almost) ignorant on the subject at hand, my friends and colleagues here at Security7 are not, and they understand the need to be on the look-out for new, or at least emerging, regulations that’ll change the compliance landscape.
My CTO, Brian Thomas suggested I familiarize myself a bit more regarding compliance by giving Darrin Maggy, the vCISO over at Ezentria a call and pick his brain.
“I keep hearing about ISO 27001 being a better choice than NIST,” he said. “Find out more about that. Ezentria knows compliance inside and out. They’ll be able to help you understand what’s going on with that.”
So I did, and to be quite frank, I was impressed with what I found out.
Drafted by the International Organization for Standardization, ISO 27001 is designed specifically to help build an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.
ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to implement.
- Prepare a statement of applicability.
Maggy said when you’re trying to understand just how vital ISO 27001 is you need to start at the beginning.
“The most notable thing about ISO 27001 is that it is the only internationally-accepted and recognized information security standard in existence,” Maggy said. “An awful lot of the information security (compliance) guidelines in existence today borrowed heavily from ISO 27001which is one of the many reasons Ezentria is so bullish on the standard.”
ISO 27001 is such a flexible standard that it can be implemented in any organization (regardless of size), in any vertical, a kind of ‘Compliance Chameleon,’ if you will. Retail, Finance, Healthcare, Education, Public Infrastructure, you name it, ISO 27001 fits the bill.
But how does ISO 27001 do that?
“It’s purposefully designed to accommodate what your organization does,” Maggy said. “It’s mostly concerned with the assets you have in your organization that enable you to do business, the value of those assets, and how those assets may be at risk. It’s both context-based and risk-based. This means you can better achieve a balanced information security spend while vastly improving your information security posture.”
“The flexibility of ISO 27001 makes it an ideal umbrella framework beneath which you can manage multiple requirements. Once you have implemented the ISO 27001 ISMS you can easily nest everything else beneath it,” Maggy said. “SSAE 16, SOC 2, GDPR, PCI, HIPAA, we can document an organizations alignment and compliance to all of these and more by using cross-mappings. It’s a very cost-effective and powerful approach.
“After we implement the Information Security Management System (ISMS), a third-party auditor (certification body) comes in to validate everything. That certification body ultimately determines ISO 27001 suitability and issues the certification.” “Ezentria’s success-rate is 100%”.
And that certificate is what drives people crazy for all the right reasons. ISO 27001 is a business enabler for today’s complicated threat landscape.
“Once you have that certification you can unseat incumbents, you can differentiate yourself effectively from competition,” Maggy said. “Your ISO 27001 certification demonstrates to your customer, partners and stakeholders that you take information security seriously and that you have been determined by an objective third-party to be secure to an accepted criteria.”
The cost of getting your ISO 27001 certification can, of course, vary depending on the size of your business and asset composition. However, people shouldn’t be intimidated by the cost, considering the benefits typically outweigh or at lease subsidize the costs.
“In general there is no true return on investment when it comes to information security spending,” Maggy said. “At best the expense may save you future costs by not getting breached but there is no typical return. “ISO 27001 is an exception to this rule because you can market your new certification creating new valuable opportunities and relationships with organizations seeking secure partners and a secure supply chain which translates to an increased bottom line.” This idea is gaining traction more and more each day here in North America. ISO 27001 is more popular than it has ever been before on this side of the pond and is experiencing impressive adoption rates.
“The need for ISO 27001 is popping up more and more,” Maggy said. “Our customers and clients see it everywhere. The Information Security questionnaires they receive as a part of many supplier risk programs now include the question ‘do you have ISO 27001 certification, yes or no.’ In some cases suppliers are being told by their clients ‘If you do have ISO 27001, we can work with you. If you don’t have it, we can’t work with you.’”
Part of obtaining the ISO 27001 certification is the organizations commitment to continual improvement, this includes making sure you’re up to date when it comes to things like software patches and other information security best-practices.
“If Equifax were ISO 27001 certified then the patch management program would have been an auditable part of the program,” Maggy said. As part of the ISO 27001 program, you’re committing to the fact that you’re going to remediate known vulnerabilities and apply patches, that you’re going to have mature controls implementations, that you’re going to have met all of your contractual obligations, and you will strive to continually improve the Information Security Management System into perpetuity. ”
But Equifax was hacked. How does ISO 27001 hold up against something like WannaCry and other malware-based attacks?
“Early reporting indicated that none of the companies affected by WannaCry were ISO 27001 certified,” Maggy said. He added that the policies and procedures put in place by ISO 27001 would have created a prescriptive system precluding this events impact.
“Let’s say that somebody on the floor has some strange flicker on their screen, they’re concerned about it; they need to escalate it. In a lot of organizations that individual would not know what to do next,” Maggy said. “With ISO 27001 in place, they would be able to determine who in their organization they need to alert and how to reach them. They’d know which information they need to provide to begin the incident triage process. It’s very prescriptive. There are a lot of tools there for everybody from the endpoint to third-party suppliers to anyone else within the organization to leverage on a daily basis.”
ISO 27001 isn’t some wonder drug or miracle product that fixes everything once it comes out of the box. It’s a commitment to a better security posture that takes time to develop.
“One of the mandatory requirements of ISO 27001 is to have 100% management support,” Maggy said. “The management support is not just someone saying ‘yeah, we’re going to fund this,’ or ‘yeah we’ll get behind this.’ You need to commit to the entire lifecycle of this strategic information security program. You need to stay on top of the mandatory requirements such as performance metrics, continual improvement, and everything else that comes in between the three-year certification cycles.”
“The audits ensure all of your policy documentation is up to date and your security controls are properly deployed and configured, amongst other things” Maggy said. “They’ll come in and make sure you’re holding your information security steering committee meetings, that your vulnerability management programs are up to spec, that your patch management is up to spec, that all of the security controls documented in the statement of applicability document are being cared for and nurtured and continually improved upon.”
Maggy says as long as you’re maintaining all of those things you should be in pretty good shape.
“There’s no such thing as a 100% foolproof security posture, but ISO 27001 gives you a very real blueprint from which you can ultimately build your security defenses in an practical and effective way which enables an organization to safely conduct business amidst dynamic threats.”