Interview with CSA
January 2007
Interviewee: Michael Henville, Canadian Standards Association (CSA)
Interviewer: Terry McQuay, President of Nymity
Subject: ISO 27001 and how it helps organizations eliminate breaches
Nymity: What is ISO/IEC 27001?
CSA: Many are familiar with ISO 9001 - a management system standard for quality - or ISO 14001 - a management system standard for the environment. Similarly, ISO/IEC 27001 is a management system standard for Information Systems Security.
“ISO” is the International Organization for Standardization. ISO’s 9001 and 14001 standards have experienced tremendous success around the world, as evidenced by the number of organizations registered (certified) to these standards. Somewhat due to ISO 9001, the ISO standards are now quite common in North America. IEC is the International Electrotechnical Commission; these two organisations have a Joint Technical Committee (JTC1), which is responsible for the development and publication of international information system technology standards.
We expect that ISO/IEC 27001, which is new (adopted as a Canadian standard in December 2006), will also be very popular. Also, it is the replacement for BS7799-2, which is already popular around the world and has been used by many organizations in Canada as the basis of their information security platform.
Nymity: How do the ISO management system standards work?
CSA: ISO management system standards require organizations to follow a disciplined process to manage their “quality”, “environmental” or “information security” issues, while at the same time allowing the organization the flexibility to set objectives, targets and controls that make sense to their business. Organizations can become registered to an ISO management system standard like ISO 9001 or ISO/IEC 27001, which means that they have been audited by a third party as meeting the requirements of the standard. For example, thousands of companies around the world have been registered by QMI, a division of CSA Group, as meeting the requirements of ISO 9001. We expect that over the next few years hundreds of organizations will become registered to ISO/IEC 27001, which QMI is positioned to support.
Nymity: Who is QMI? How does QMI help organizations wanting
to be certified to ISO/IEC 27001?
CSA: QMI, which stands for Quality Management
Institute, is North America’s leading management systems
registrar and a leader in helping organizations use the registration
process to make real and lasting improvements in their business.
QMI’s customers come from all industry sectors - since
1984, QMI has registered more than 11,000 manufacturing and
service locations to a wide range of ISO and industry standards
for quality and environmental systems. In terms of ISO 27001,
QMI provides training for organizations wishing to learn about
ISO 27001 and provides registration services for those who
wish to get registered. To learn more about training, visit
www.nymity.com/partners/QMI.asp.
As QMI provides registration services, they can’t provide
consulting services to help organizations become certified.
It is expected that many small and large consulting firms
will be offering ISO 27001 consulting in 2007. In fact, it
is expected that many consulting organizations will be taking
the QMI training mentioned above.
Nymity: Why become registered to ISO/IEC 27001?
CSA: First, it is important to understand that there are many benefits in using ISO/IEC 27001, beyond becoming registered. But for organizations that choose to become registered, they will gain the additional benefits of:
- being able to promote their organization as ISO registered;
- demonstrating due diligence to commissioner offices; and
- demonstrating due diligence to customers and the public.
Nymity: What are the other benefits of implementing all
or part of ISO/IEC 27001?
CSA: ISO/IEC 27001 is a comprehensive “Information Management Security System” that helps organizations eliminate security and privacy breaches of information. ISO/IEC 27001 takes the guesswork out of implementing a security system. It provides a risk-based process to help an organization identify where measures (called controls) should be implemented. In fact, ISO/IEC 27001 provides a listing of 130 controls an organization can choose to implement if they wish to do so.
The benefit of using ISO/IEC 27001 is that it helps eliminate security or privacy breaches and reduces the risk of:
- loss of business;
- loss of brand equity;
- the need for breach notifications;
- loss of productivity and increased call centre operations;
- cost to repair and add additional controls;
- litigation;
- fines; and
- violating contractual requirements and the potential loss of customer contracts.
Nymity: What is Information Security? What is Privacy?
CSA: ISO/IEC 27001 defines information security
as “preservation of confidentiality, integrity and availability
of information”. GAPP defines privacy as “The
rights and obligations of individuals and organizations with
respect to the collection, use, disclosure, and retention
of personal information”. As ISO/IEC 27001 addresses
all information, including personal information,
this would include organizational obligations to keep personal
information secure.
Nymity: How does a company find out if ISO/IEC 27001 makes
sense for their business?
CSA: To find out if implementing ISO 27001 makes sense for your business, you can start by asking yourself a couple of questions:
- does my organization have a process in place for eliminating security and privacy breaches?
- could we benefit from a risk-based approach to managing our information security risks?
In addition to asking yourself these questions, you may wish to participate in an upcoming QMI training course on ISO 27001:
- QMI offers a 2 hour webinar on the standard (first one scheduled for February 9, 2007);
- as well as a 2 day Essentials course:
  - Mississauga, ON - February 19 & 20;
  - Dorval, QC - April 30 & May 1;
  - Calgary, AB - May 28 & 29; and
  - Richmond, BC - June 25 & 26.
See www.nymity.com/partners/QMI.asp for more details.