Extending the scope of your organisation’s Information Security Management System: information for organisations

The majority of organisations now generally have a number of information security controls in place. Whilst this is laudable, there is, unfortunately, still a problem which Krypsys sees on a recurring basis. Without a formal Information Security Management System (ISMS), these security controls have a tendency to be disorganized, haphazard or disjointed. The reason for this is simply down to the fact that the controls have usually been implemented partly as specific solutions for specific situations, or introduced as a matter of convention. The security controls in operation today, unfortunately, only typically address certain aspects of IT or data security, leaving non-IT information assets like paperwork and proprietary knowledge less protected and vulnerable. Sometimes business continuity planning and physical security might be managed independently of IT or information security, whilst Human Resources practices may not recognise the need to define and assign information security roles and responsibilities throughout the organization. The ISO/IEC 27001 standard was introduced to address these issues.

ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.

ISO/IEC 27001 requires that management:

  • Systematically examines the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts.
  • Designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
  • Adopts an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an on-going basis.

The Krypsys approach to ISO 27001 compliance

Our approach in the majority of ISO 27001 engagements with clients is to firstly carry out a Gap Analysis of the organisation against the clauses and controls of the standard. This provides us with a clear picture of the areas where companies already conform to the standard, the areas where some controls in place but there is some room for improvement and the areas where controls are missing and need to be implemented. For some organisations this will be the extent of the assistance required. However, following the Gap Analysis and debrief, it may be necessary to provide additional assistance by way of advice, guidance and project management for the implementation of suitable controls in order to qualify for the documentation that will be required to meet the standard, in preparation for any external certification, particularly if a business is considering extending the scope of the ISMS to cover the wider organisation.

Extending your ISMS Scope

Once you have an established ISO 27001 Information Security Management System (ISMS) working effectively, you may decide to extend the ISMS to cover the wider organisation.  This may include additional business functions, departments, or new locations like satellite offices.  This type of phased approach to extending an Information Management Security System is something Krypsys routinely helps our clients to achieve.

In order to ensure effective and successful inclusion into your ISMS you will need to consider the following for each new site or department:

  • Local threats and vulnerabilities in your ISMS risk assessment.
  • Ensuring all staff have had the relevant information security training in your policies and procedures.
  • Tracking incidents, events and weaknesses at each of these sites.
  • Ensuring they have the resources available to comply with your policies and procedures.  If, for example, you require that files be locked away at night, do they have lockable storage?  Or, if your policy states that all confidential documents must be shredded when no longer needed, do they have access to a shredder?
  • Updating your Statement of Applicability to include compliance evidence at these additional sites or departments.

Whilst control and management of the ISMS remains central, you may wish to appoint local ‘Security Controllers’ within the extended scope.  Their responsibilities would be to look out for new risks, report local incidents and support/ensure compliance at a local level.

Any additional sites, departments or processes must also be covered by your Internal Audit activities.  Your External Auditors will also need to be informed in advance of your intention to widen the scope as this will have directly affect their audits.  Each site included in the scope will need to be visited, although this can be done on a sampling basis at each surveillance visit.

If your business needs help with security compliance, penetration testing or web security solutions from Barracuda Networks, Check Point, Alien Vault and Netwrix, please contact Krypsys on 0845 474 3031 or [email protected].