Chapter 11: Leveraging ISO27001 – Selling Information Security to the Board

CHAPTER 11: LEVERAGING ISO27001

The International Standard for best practice in information security management is ISO/IEC 27001. This standard provides a detailed specification for how an organisation should select information security controls, on the basis of a risk assessment, to counter threats to the confidentiality, integrity and availability of the organisation’s information assets.

The Standard is written to be technology neutral and sector agnostic; it is as applicable to large organisations as to small, and to the private sector, the public sector and the third, or voluntary, sector. Any organisation that complies with the Standard can have its management system audited by an accredited third party certification body and will then be able to state publicly that its information security practices are formally certificated as compliant with best practice.

There are many circumstances under which such a certificate might have significant commercial value, and the case for pursuing ISO27001 can be made on many levels and for many circumstances. An overriding argument can be built around the general risk environment in which the organisation is operating. Such an argument⁷ starts like this:

Business rewards come from taking risks; managed, controlled risk-taking, but risk-taking nonetheless. The business environment has always been full of threats, from employees and competitors, through criminals and corporate spies, to governments and the external environment. The change in the structure of business value has led to a transformation in the business threat environment.

The proliferation of increasingly complex, sophisticated and global threats to this information and its systems, in combination with the compliance requirements of a flood of computer- and privacy-related regulation around the world, is forcing organisations to take a more joined-up view of information security.

Hardware-, software- and vendor-driven solutions to individual information security challenges no longer cut the mustard. On their own, in fact, they are dangerously inadequate.

News headlines about hackers, viruses and online fraud are just the public tip of the data insecurity iceberg. Business losses through computer failure, or major interruption to their data and operating systems, or the theft or loss of intellectual property or key business data, are more significant and more expensive.

Against such a background, a trusted adviser would be able to demonstrate to senior management how an ISO27001-certificated information security management system could position the organisation ahead of its less well-organised competitors and, at a cost considerably less than the potential impact of the significant risks out there, ensure that the bottom line is protected. ISO27001 provides management with a best practice, risk-based, management-directed structure for identifying, controlling and mitigating this wide range of rapidly evolving information risks.

Compliance with ISO27001 can also be used to demonstrate effective compliance with information security laws and regulations which, while precise in what must be done, usually contain little guidance on how it should be done. The UK DPA, for instance, says (at Principle 7 of 8) that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

ISO27001 is a best-practice model for achieving exactly this objective, and the same principle can be applied to data protection legislation⁸ elsewhere in the world. In the UK, there is now even a standard that specifically deals with the ‘how’ of DPA compliance: BS10012, the personal information management system standard.

⁷ There is extensive, detailed guidance on how to make this case in The Case for ISO27001, Alan Calder, ITGP (2005).

⁸ This argument is developed in detail in Information Security Law: The Emerging Standard for Corporate Compliance, Thomas Smedinghoff, ITGP (2008).