Article for Public Sector Executive
December 2006
THE MICHELIN STAR OF IT SECURITY
Only by achieving ISO 27001 certification can public bodies deliver on the promise of eGovernment, says Alan Calder
The uptake of online services is one of the critical delivery issues facing the public sector. It holds the key to greater efficiency but ultimately depends upon the general public’s confidence that its data is secure – no easy task when public IT systems are the focus of most of today’s online threats. For that reason, all government bodies need to be seen to have the best IT security processes, and ISO 27001 represents the global best practice that the Cabinet Office wants to see widely adopted. However, despite its work to promote this agenda, too few public authorities have actually been independently certified – many are perhaps telling themselves that, as they are ‘basically compliant,’ the additional hurdle is unnecessary. Senior managers take note: organisations that claim to comply but don’t have the badge on the wall are only deceiving themselves, which has a direct impact on their ability to meet performance targets.
Information security is a topic currently undergoing a thorough reappraisal in the minds of senior executives, in public and private sectors alike. Once seen as just the preserve of the IT department’s backroom boys, it has recently emerged as a boardroom concern that makes the difference between strategic success and failure. With most public service delivery now relying on technology, IT security is a critical element in the risk management approach being advanced by the Cabinet Office.
For senior executives from a non-IT background – the vast majority – information security is a complex issue. Every information asset is subject to multiple threats and the interwoven mesh of related compliance regulation is such that there are no simple solutions. The appropriate response therefore has three components: technological controls, procedural controls and user behaviour. In combination, these form a critical weapon in the executive armoury, the Information Security Management System (ISMS).
Under the requirements of the CSIA (Central Sponsor for Information Assurance) within the Cabinet Office, every central government department needs to appoint a board level information risk owner, who is responsible for ensuring that departmental information security procedures are governed through an appropriate ISMS. Whilst this principle has been expressed in terms of central government departments, the concept of alignment with an accepted standard and the ongoing monitoring of effectiveness are applicable across the wider public sector. For example, local authorities have been instructed to comply with such requirements under their Implementing Electronic Government requirements.
The CSIA’s required route is for authorities to adopt ISO 27001, which was launched last year as the successor to BS 7799 and is the global ‘gold standard’ in information security. It provides the specification for an ISMS and, in the related code of practice ISO 17799, draws on the knowledge of top information security professionals from around the world in setting out best practice. An ISO 27001 compliant system provides a systematic approach to identifying and combating the entire range of potential risks to the organisation’s information assets, which in the case of public sector systems can amount to hundreds or even thousands of attacks in a day. It also provides public sector managers with a systematic way of meeting their obligations under the Data Protection, Human Rights and Freedom of Information Acts.
The benefits of ISO 27001 compliance are therefore plain, and there has been a notable acceleration in the number of organisations becoming independently certified to the standard: it took about seven years for the first 1,000 BS 7799 certificates to be issued, but only two further years for the next 2,000. Yet this remains the tip of the iceberg, and many more organisations need to put their houses in order.
Just as in the private sector, I suspect that a large amount of foot dragging is explained by the perceived chore of undergoing the certification process. However, this is largely a misconception, perhaps based on the limited amount of guidance material on how to take a project forward – the only manual presently fulfilling this role is ‘IT Governance: A Manager’s Guide to Data Security and BS 7799/ISO 17799’. As this book demonstrates, whilst entailing a moderate amount of time and organisation, it is well within the capabilities of most bodies to implement ISO 27001 in-house, on a modest budget and to achieve certification within months rather than years.
I believe that organisations professing to be ISO 27001 compliant but holding back from certification feel they have something to hide, fearing that external examination would show their systems to be inadequate. This is of course doubly foolish and self-defeating: it is in the interests of any organisation to ensure that its security is fully up to the task, and also to demonstrate visibly to customers, clients, partners and employees that this is the case. As the CSIA plainly states on its website, “Implementation of the ISO standard and the application of information risk management are vital for promoting public trust in government.”
At a time when the public is asked to put increasing faith in electronic systems that few fully understand, it is vital for there to be a badge of trust that can be relied upon. ISO 27001 is the Michelin star of information security – a clear signal that a holder has rigorous standards that withstand external scrutiny. With threats to information assets growing inexorably, such reassurance will increasingly be demanded from organisations around the world. Without this crucial enabler I believe that few public bodies seeking to tap the potential of online service delivery will be able to come close to realising its benefits within a desired timeframe.
Alan Calder is chief executive of IT Governance Limited and author of ‘IT Governance: A Manager’s Guide to Data Security and BS 7799/ISO 17799’. Further information is available at www.itgovernance.co.uk/page.bs7799