Planning your Infosec strategy with ISO 27000

This post is about how to establish a strategy to properly implement the security controls your company needs most, based on the global security standard ISO 27000. First things first: if you have never heard of ISO 27000, here is a short explanation:

“The ISO/IEC 27000 family of standards helps organizations keep information assets secure.

Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.

ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).” Source:

In other words, ISO 27000 is a series of documents that defines, suggests and explains what you, as a manager, need to be concerned about when defining your company's information security strategy, using security controls to mitigate risks. A few other frameworks provide guidance on this matter, such as the NIST Cyber Security Framework and the SANS Critical Security Controls, but for this post I'll be referencing ISO. ISO is also the most widely adopted standard among companies worldwide and is recognized as best practice for information security.

My point here isn't to go into every single detail of the standard, but to raise awareness among everyone who is looking for directives, good practices or simply a starting point for their company. From small to large businesses, ISO's directives can be applied according to your company's needs.

Speaking of business focus and needs: this should be the first thing you have in mind before drawing up your strategy. Knowing what your business does, and what it is willing to do, is key.

  • Get to know your business's needs and worries, and how flexible it is to change in the short to medium term;

As I stated before, this step is key because the business will be very inflexible, or even intolerant, towards changes that impact its operations or sales. You can easily end up in a complicated situation by trying to force secure behaviours on your company, so it is very important to work with the business, not against it.

  • Summarize the main risks your business is exposed to;

Map the risks your company is exposed to. For example, if the core business of your company is transporting goods, I would say the main risks relate to goods transportation, storage and inventory (in a very simplistic analysis). You should then look for controls that mitigate those risks.

  • Check ISO (or any other framework) for suggested security controls addressing the high risks you mapped previously;

Using the earlier example, ISO has several directives for physical access controls that may make sense in this business scenario. If you look at the controls in section A.11, for instance, you will find controls for security perimeters, physical entry, protection against external threats, and so on. You can always look to other market standards if ISO doesn't cover all the gaps; combining more than one standard, such as ISO, PCI and SOX, will always increase your security maturity.

  • Start with the quick wins: anything that is easy to implement, controls that only need a small tweak, security policies and standards, or even security awareness;

Using the full set of ISO controls as your maturity ruler, map the quick wins and show how much progress could be made with them. Showing your board of directors how risks can be mitigated with quick and cheap actions is a good way to win their support. Once the board has seen how valuable these risk-mitigating actions are, it will be a lot easier to move on to the hard ones later.

  • Plan the rest of your actions accordingly. Invest your own and the company's resources in actions that bring valuable results for what the business is worried about;

It is not worthwhile for a company that doesn't have, or doesn't see, the IT department as a core business resource to implement all of ISO's controls with a view to possible certification.

In the end, remember that 100% secure will never be possible, and at some companies even 50% secure can be a real challenge, so be realistic about the current situation and what is feasible. Below I summarize some key success factors you should take note of before creating your strategy:

  • Align your strategy with the business. Define how much compliance with the framework is enough for your company to mitigate the main risks;
  • Don't push long-term cultural changes in short periods of time. Losing stakeholders or sponsorship can end your strategy, and even your position;
  • Work on the quick wins first and show the results. In other words, use the 80/20 strategy: fix 80% of the problems with 20% of the effort and resources;
  • After the quick wins, show how far your company could go in terms of security, risk mitigation and cost savings if more resources were invested in the security plan;
  • Spread security awareness and a security mindset. The more people you have thinking about security, the more attention and sponsorship your work gets.

At the end of the day, by following these tips, planning a strategy aligned with your company's reality and taking one step at a time, your job as information guardian should be done successfully. Companies need to follow technological evolution in order to keep pace with the market, and the business is always looking for profit; it is your job to keep their feet on the ground and guide them in minimizing security risks.
