The NSW Government Digital Information Security Policy (version 1.0, dated November 2012) requires that all NSW Government Departments, Statutory Bodies and Shared Service Providers have an Information Security Management System (ISMS) based on a comprehensive assessment of the risk to digital information and digital information systems.
Certification to AS/NZS ISO/IEC 27001 is required for all shared service providers and any Department (or part thereof), Statutory Body or Public Sector Agency under the control of a Department or Statutory Body that has a risk profile sufficient to make certification necessary. The next mandatory milestone stated in this Policy is an implementation progress report for all Departments, Statutory Bodies and Shared Service Providers, required by 31 July 2013.
These requirements may send shivers down the spine of the delegated “Senior Responsible Officer”. This article is intended to provide some helpful advice to those involved in establishing a project to develop, implement and certify an ISMS to the AS/NZS ISO/IEC 27001 standard, and on how to select the right certification partner to ensure the process is smooth and successful.
There are a number of buzzwords that are normally placed in front of ISO/IEC 27001 services, such as “compliance to,” “aligned with,” and “based on.” While these services may sound like they meet the requirements of this Policy, they simply do not. Certification to AS/NZS ISO/IEC 27001 is the required outcome for those entities with a risk profile sufficient to warrant certification.
Based on previous experience, organisations encounter difficulties with ISMS implementation and certification if the resources involved do not have demonstrated ISMS implementation and certification experience (meaning preparing for, and being part of, the audit process). This has resulted in failure to achieve certification, or in lengthy delays while identified non-conformances are remediated. It is important to note that resources with the requisite skills and experience will be the difference between a “pass” and a “fail” result during the certification audit process.
Here is a high level, sample approach that can be used to design, develop and implement an ISMS and achieve AS/NZS ISO/IEC 27001 certification:
Phase 1 – Determining ISMS Scope, Assets and Risks
Determining the ISMS scope, the associated information assets and the risks to those assets is the first activity that needs to be conducted in designing, developing and implementing an ISMS.
Phase 2 – ISMS Development
Developing the mandatory management systems documentation, processes and controls to support the scope, associated information assets and risks to those assets is the second set of activities required in an ISMS implementation.
Phase 3 – ISMS Implementation
The next step is ensuring correct implementation of the ISMS documentation, processes and controls and providing appropriate training, awareness and communications to the applicable staff.
Phase 4 – Audit Preparation
Ensuring the ISMS has been through at least one continuous improvement cycle is the next phase. Key activities should include completion of the management review and internal audit, and ensuring all remedial tasks are complete.
Phase 5 – ISO/IEC 27001 Certification
The certification process typically comprises two separate audits, known as a pre-certification (stage 1) audit and a certification (stage 2) audit. Provided the above phases have been completed successfully, there should not be any findings that will impact a successful certification result.
In summary, achieving AS/NZS ISO/IEC 27001 certification is not an insurmountable task for any NSW Government Department, Statutory Body or Shared Service Provider if the resources involved have demonstrated ISMS implementation experience and have previously led organisations through the end-to-end ISO 27001 certification process.
Mark Jones and Russell Clarke are Directors at RMSEC. RMSEC is an Information Security service provider which leverages the skill sets of a wide range of resources Australia-wide, delivering the entire gamut of Information Security services. RMSEC is also a niche Information Security service provider of ISO 27001 compliant ISMS implementation and certification activities.