ISO 17799: Our Two Cents
ISO 17799 was adopted in a fast-track process by the International Organization for Standardization in 2000.
The standard's predecessor was BSI 7799 (British Standards Institute), which was originally adopted in 1995 and revised in 1999. The British standard contained two parts: Part One addressed best practices for security management and Part Two addressed certification. BSI submitted and ISO accepted only the best practices portion of BSI 7799.
ISO 17799 has been controversial from the beginning. Some of its critics focus on the fast-track adoption process, in which there was little opportunity for resolving conflicts between BSI 7799 and existing standards. Other critics point to the standard's lack of technical depth and its failure to specify security solutions. Others point out the impracticality of certification and its expected excessive cost. Still others point out that in BSI's effort to make its standard general and flexible enough to be used by every organization, it offers value to none.
Our comments below are distilled from discussions with many organizations about ISO 17799 and from actually performing ISO 17799 assessments for companies ranging from one of the country's largest financial firms to very small application service providers (ASPs).
For years, organizations have been searching for an objective benchmark to measure the security of potential business partners and to distinguish the quality of their own services. There hasn't been a common vocabulary and agreed-upon list of items that should be in a properly secured environment. Security practitioners have their own lists of topics they work from. The most astute security professionals subscribe to a comprehensive view of security, but others focus primarily on particular mechanisms. While one can still argue about the benefits or weaknesses of various security solutions, ISO 17799 is emerging as that long-needed common framework. It provides the vocabulary and a defined set of areas to assess, compare and discuss.
The critics have some valid points, but they are missing the big picture. The critics generally view the standard from the perspective of an industry insider and not as a security professional or executive trying to make his or her organization's systems more secure. The critics also discount the fact that organizations need a generally accepted framework to ground discussions about the security of their services with regulators, potential customers or business partners. The fact that the standard doesn't mandate specific security technologies and instead defines the various dimensions of the security space is its greatest strength.
Many organizations have a sincere desire and business need to improve the security of their IT infrastructures and applications. Too many of them face the problem of either (a) not knowing what needs to be done, (b) lacking support from corporate management to fund what needs to be done, or (c) a disheartening combination of both. One fundamental misunderstanding that exists between executives and security practitioners is the belief that security can be achieved by deploying a single product or even a set of products. Even in large, technically sophisticated organizations we routinely hear, "We have firewalls, we don't have to worry about security any more." ISO 17799 is a valuable tool for helping organizations understand that security is a multi-faceted problem that must be addressed through process, technology and personnel.
Since ISO 17799 is a framework for describing areas that need to be assessed and not a set of specific practices, it isn't meaningful to talk about compliance today. Nevertheless, because it is an international standard, the topic of compliance and certification arises. Many organizations worry that like ISO 9000, the compliance and certification costs will be enormous, and in many instances will dwarf the potential benefits. Right now, organizations are capitalizing on the standard's current flexibility and choosing security solutions that make the most sense for their businesses. Down the road, however, compliance and certification costs remain as looming obstacles.
Think Outside the Box
Since the compliance portion of the ISO 17799 standard is not well accepted, we recommend that you responsibly use this flexibility to your advantage. Before heading down the traditional compliance path, consider the following two alternatives. Many organizations will find that these practical approaches will meet their ISO 17799 needs at a fraction of the cost of the traditional alternatives.
Preliminary ISO 17799 Assessment
For organizations that want to take advantage of ISO 17799 and plan to consume the results internally, an informal preliminary assessment is often the best starting point. The objectives of a preliminary assessment are fourfold. They are to help an organization:
- become knowledgeable about ISO 17799;
- understand its business risks and control requirements in the context of the ten ISO 17799 topic areas;
- understand how its current security program compares to the ISO 17799 framework;
- get started on a path towards ISO 17799 self-sufficiency.
Typically, preliminary assessments of this type last from one to three days. During that time, a small team of consultants works closely with an organization and walks through the standard in the context of that organization's security requirements. Usually, findings and recommendations are then documented in a brief informal report.
Validated Preliminary ISO 17799 Assessment
Some organizations need a slightly more formal assessment. This is often the case where an outside regulator or business partner will review the results. In the validated preliminary assessment, the client provides evidence that each claimed security control is in place. For example, if they say they have an escalation plan, the consultants review it. If they say that their employees don't have passwords on post-it notes, the consultants look in the offices to make sure that's true.
A validated preliminary assessment takes a little longer, but not much: often in the two-to-five-day range. Since the report is intended for external consumption, it tends to be more formal.
ISO 17799 and Traditional Security Reviews
Clients regularly ask us whether an ISO 17799 review is sufficient by itself or whether it should be combined with a traditional security review. The answer to that question varies. If the client is looking for a relatively fast assessment of how it measures up and doesn't need much advice on how to remedy the deficiencies that are found, an ISO 17799 review is an excellent starting point. If the client needs more help in figuring out what to do about its problems, the ISO 17799 review should be performed as an extension of a traditional security review.
ISO 17799 currently offers the best promise of the long-sought objective standard framework for information security. It will help many organizations realize that there is more to security than simply installing a firewall. Even with its obvious deficiencies in the area of certification, most organizations will benefit from the assessment process and from working to resolve control weaknesses. However, except in very unusual circumstances, formal certification doesn't make sense at this time.
Jonathan Gossels is president and Richard Mackey is principal with SystemExperts Corporation (www.systemexperts.com).