Archive for 'Statement of Applicability'

I have been examining the ISO 27001 Standard document itself and feeling rather overwhelmed, as if I am bashing my head against a brick wall.

I begin to rethink my strategy and flick backwards quickly to page 5. This is where the 'Statement of Applicability' is mentioned. This ties together the list of Controls and Objectives - the list of practical things one needs to do to implement the standard - with the content of the standard itself, so it's probably a good place to start. There is a lot about Risk Assessment before the Statement of Applicability which I don't understand, but I can come back to that later. I've got the Statement of Applicability as a short-term objective - a buoy to swim towards that perhaps I can cling onto for a while. So I type "Statement of Applicability ISO27001" into Google and start trawling through the results.

Almost immediately I come across http://www.iso27001security.com/. By its basic but functional design this site just looks like the kind of site that could cut to the chase and 'deal the deal'. There are a few scary bits, like mentions of other standards, ISO 27002 and ISO 27003, but what catches my eye immediately after this is a FREE ISO27k toolkit. Amazingly, I don't even have to register on the site to get access to it.

Hard Drives after Destruction.

I spend quite a while opening documents up on the site and reading them. The documents here have been developed by ISO 27001 implementers and then put up on the site. This site clearly doesn't offer a complete toolkit or total solution to my problems, but it does give applied examples of certain documents and there is comparatively little in the way of guff. Most of the contributions are made by two individuals, but there are other contributors too.

The fourth document I open off the site is a Statement of Applicability. This is a blank template - not populated with data - but I still get the gist; more than having seen an actual example of one, I quickly see its primary purpose. The list is a spreadsheet for all the Controls and Objectives listed in Appendix A of the standard. There are several columns and notes I don't understand yet, but clearly what one has to do is go through each of these 120 or so items and record what one has done to cover them off in one's own organisation.

Against each row is a "Controls" column, a "Selected Controls" column and a "Reasons for Selection" group of columns. Reasons for Selection are broken down into four types: 'LR: legal requirements', 'CO: contractual obligations', 'BR/BP: business requirements/adopted best practices', 'RRA: results of risk assessment', 'TSE: to some extent'.

On the right there's a 'Remarks (Overview of implementation)' column where one should record the specific action taken to meet the control. This could be introducing a swipe card system on doors, creating a written policy or implementing a procedure to verify the destruction of hard drives.

I don't get the whole picture yet, but what I do get is that the ISO 27001 Standard sets a defined series of things called "controls" with which my data destruction company needs to comply. I will need to go through this list one by one and check that I can practically meet them.

The buoy I spotted in the distance has turned out to be a rubber ring. Thanks to this I am now riding higher in the water, and it's time to float home for the night.

I had an automated email from Alan Calder, the author of the IT Governance Toolkit, today. Alan tells me that I get five times more content in the full version. Well, that's shrunk by half from a couple of days ago. "Maybe he'll reduce his prices accordingly," I think fleetingly. Then I realise the follow-up email adds some value, but he's really just stoking up the pressure so that I buy the Toolkit.

Chapter 4 of A Manager's Guide to Data Security and ISO27001/ISO27002 is about the organisation of information security. I am beginning to see the value in this book. Mr Calder does a thorough job in explaining the various individuals and committees or groups who will have responsibilities for the implementation of an ISMS in a large organisation. He explains what their roles should be and the competences required. Also buried in the text are some references or web links for further information. For example, he mentions the three magazines he believes to be the most useful to read: SC Magazine, Infosecurity Today and Information Security. This is really, really useful, up-to-date information.

The difficulty for me is that most of this information is not relevant to me. I am not running a large corporate but a business which will only have a handful of employees to start. I still need to know what practically I have to do to get this certification, or whether it just isn't going to be possible.

The title of chapter 6 is more promising. It's about two things I don't have much experience of – Risk Assessment and Statement of Applicability.

There are a few sentences that spring out from the page. These include: "for every control that the organisation might implement, the calculation would be that the cost of implementation would be outweighed, preferably significantly, by the economic benefits that derive from, or economic losses that are avoided as a result of, its implementation". In other words, there is a clear indication of a "reasonableness" judgement here. In that case a small organisation might be excused from certain requirements on account of its size. I have been told that ISOs can apply to any organisation. However, I am not sure if there are actually minimum technical or staffing requirements which must be met and, if so, what they are.

Mr Calder then goes on about Quantitative Risk Analysis and its Elements. I switch off again – if only he'd give an example of one he did before (like Blue Peter), then I'd grasp it so much more quickly than I would by reading the theory behind the process and a description of it with no example to hand.

Key sentence number two: "Controls are countermeasures to risks." Great, nice, concise… but it doesn't stay simple for long. Controls can be directive, preventative, detective, corrective or recovery controls.

Key sentence number three: "the Standard… requires the organisation to select appropriate control objectives and controls… it clearly invites organisations to do this exhaustively…". The word "invite" normally has an enjoyable indirect object, I think to myself, e.g. a party. It doesn't here.

Based on notes from my diary from May 2008.

ITG offers a series of toolkits which can be downloaded for somewhere between £400 and £1,000 depending on the contents.

I am sceptical about paying this sort of money for a download from the internet which isn't actually software – it will be a series of templates. Anyway, there's a free trial, which I download. The confirmation email tells me it contains 10% of the contents of the full toolkit.

The first document I open up is the Toolkit Contents and Change History, which is six sides long. All this does is list all the changes made to all the documents within the Toolkit and give them lots of reference numbers. This is a massive turn-off. I gulp – I can't even find an index at the moment.

The Toolkit talks on about Tier 1, Tier 2 and Tier 3 documents, but there isn't an obvious explanation of what this means. It also talks about a 'Statement of Applicability' - I am similarly confused.

There's an Introduction to the Toolkit document which I can understand, because it's the one which encourages you to buy the proper version and spend £500-plus! I understand most of the contents. The contents list, with my view against each item, is thus:

Content – My View

A model Information Security Policy – Got it!
A model Statement of Applicability – Not sure what this is
A pre-written Information Security Manual – Sounds good
A Business Continuity Plan – Sounds good
A Service Level Agreement Template – Sounds heavy
vsRisk™ and RA2 Risk Assessment Tool integration templates – I am sure this is going to be a complete overload of management methodology
400 pages of fit-for-purpose information – Load me up
110 pre-written policies, procedures, templates and guidance – Good
Implementation manager – Sounds like another case of overload
Enterprise security assessment tool – Sounds overly grand
Gap analysis/ISO27001 Audit tool – Gap analysis: I've done that before
'What is BS7799/ISO17799?' (project staff training slides) – Please, not PowerPoint?
PDCA and documentation pyramid presentation – More unnecessary diagrams and complexity?
Unique drafting support service – OK
12 months of automatic upgrades – You mean they don't leave you alone even after giving you all this guff! Just kidding!

Next there are some user instructions – in fact there are 48 of them over five pages. These are legible and understandable. There's good, frank advice embedded in here, like "Creating your ISMS documentation is a big task".

The User Instructions document is one you can work to, but you'd have to sit down and study it. But, man, are we gearing up for a massive project here? This is the first document which divides the task out into stages and is the closest to a bullet-point methodology I've seen. It refers to many other documents, Risk Assessments and other phenomena, many of which I don't know what they are. It does at least tell me the order in which I have to begin trying to understand them.

Based on notes from my diary and other records from May 2008.