FEATURE
Is ISO 27001 worth it?
Cath Everett, freelance journalist
Even though the internationally recognised ISO 27001 information security
management system standard has been around in various guises for the past
decade, uptake is not as widespread as might be expected.
According to the International Register
of ISMS Certificates, out of a total of
6,942 organisations accredited world-
wide, the UK comes fourth in the rank-
ings with only 454 under its belt, while
the US languishes in eighth place with
a mere 96. The biggest advocate of ISO
27001 by far is Japan, accounting for
more than half of the total at 3,657,
trailed by India and China at 509 and
495 respectively.
As Mike Gillespie, director at informa-
tion security consultancy Advent-IM,
says: For the last 10 years, Ive been
saying that this will be a big year for ISO
27001, but its only really this year that
Ive started seeing significant adoption.
Conformance is perceived
to require huge amounts of
time, effort and money
So what is going on? And given an
apparent widespread respect for the
standard, why have adoption levels
remained so low? Giri Sivanesan, senior
manager for policy, risk and compliance
at risk management consultancy Pentura,
attributes the poor showing in the US
at least partially to a nationwide prefer-
ence for SAS 70 (Statement on Auditing
Standards Number 70). This situation
stems from the fact that SAS 70 includes
fewer formal security requirements than
its more focused ISO cousin and enables
organisations to pick and choose the
areas in which they wish to be audited.
But another more general explanation
for the low uptake in most countries
including the UK, where the standard
was originally developed by the govern-
ments then Department of Trade and
January 2011
Industry is that conformance is per-
ceived to require huge amounts of time,
effort and money.
Alignment rather than
accreditation
Nonetheless, the numbers can be decep-
tive, Sivanesan argues. While only a small
number of UK organisations may have
gone down the full accreditation route,
he estimates that 20-40% of large to
medium-sized businesses in the UK have
at least reached a level that he describes as
aligned or working towards it.
It can be tricky simply to
convince budget holders
of the value/business and
operational benefits of such
a move or to push it high
enough up the senior man-
agement agenda to have it
taken seriously
The issue is that it can take anything
from a few months to a few years to
become fully compliant, says Sivanesan.
You have to have the proper policies,
procedures and controls in place, but
to be audited, they have to be enforced
through the entire company and for
large organisations, that takes time.
One repercussion of this scenario is that
it can be tricky simply to convince budget
holders of the value/business and opera-
tional benefits of such a move or to push
it high enough up the senior management
agenda to have it taken seriously. But
cost-benefit analyses can help here.
Such activity involves working out
how much it would cost an organisation
Catherine Everett
both financially and in terms of time to
undertake a compliance initiative. This is
weighed against the potential economic
impact of not doing so in terms of
damage to reputation, fines or even the
inability of the business to function fol-
lowing an information security incident.
Ideally, it should also include evidence
of more active benefits, such as enabling
the company to reduce overheads or
introduce new products and services.
While making satisfactory cost argu-
ments is always going to be challenging
in a difficult economic climate character-
ised by a number of priorities competing
for limited resources, decisions about
whether to act are likely to rest on the
risk appetite of the organisation as well
as whether it has suffered a serious secu-
rity breach in the past. That can help to
focus minds.
Who is doing what
and why?
The sectors that have been the most
forthcoming in terms of compliance are
financial services, defence, energy and
telecoms. But the retail industry has also
started to move since the Payment Card
Industrys Data Security Standard (PCI
DSS) became obligatory. This is because
the gap between the two standards is
relatively small, and the need to focus
on protecting payment card data often
raises awareness that other sensitive data
requires safeguarding too.
Although compliance has been man-
dated for central but not local gov-
ernment departments in the UK for
some time, conformance is still patchy,
with alignment or lip-service being the
5
Computer Fraud & Security
 FEATURE
general order of the day. Interestingly
though, such compulsion has had
spin-off effects on the private sector.
While not all public authorities are fully
compliant or accredited to ISO 27001
and some arent even close central
government bodies in particular often
include accreditation as a requirement in
their tenders these days.
It ensures that were water-
tight when dealing with a lot
of client data and our own
its a reputational thing
Charles Hughes, partner and head of
the IT practice at management consul-
tancy AT Kearney, which recently became
accredited, explains: ISO standards
are becoming increasingly significant in
terms of scoring for public sector tenders.
Compliance enhances your chances of
winning and weve seen the requirement
emerge more in some central govern-
ment department tenders lately, although
its not consistent across the board. It
depends on the tendering authority.
Although the firms compliance initia-
tive was only one element of a wider
quality assurance programme, which also
included work on other standards such
as ISO 14000 for environmental man-
agement, it was deemed an important
one given the amount of sensitive client
data that it holds.
For us it was important because it
ensures that were watertight when deal-
ing with a lot of client data and our own
its a reputational thing, Hughes says. managers are notoriously hard to come
Market forces
Public authorities are not the only ones
to increasingly demand compliance.
Large private sector companies again,
regardless of whether they are themselves
compliant are likewise jumping on the
bandwagon, or at least encouraging sup-
pliers and partners to consider taking
action. Sometimes this insistence is for no
other reason than to bring some standard-
isation to bidding and procurement proc-
6
Computer Fraud & Security
esses for example, to avoid repeatedly
having to fill in detailed questionnaires,
each of which is worded slightly differ-
ently, on what they are doing to comply
with the standards 133 controls.
Advent-IMs Gillespie says: It was the report to the board, the corporate
same with quality management in the
1980s where telcos, utilities and the like
demanded compliance even though they
werent compliant themselves. But a situ-
ation like that snowballs and eventually
leads to more widespread adoption due
to market forces.
Although the need for conformance
today will undoubtedly depend on each
organisations business model and the
sectors that they operate in, for some
it will definitely be worth it now, while
others are likely to find that they require
it in the future.
Although most organisa-
tions perceive information
security to be an IT prob-
lem, it is a business govern-
ance matter and, as such,
has to be dealt with via the
management of processes,
policies and people
For those organisations that do decide
compliance is of imminent value, how-
ever, one of the most important consid-
erations is understanding information
risk. Despite the fact that too few com-
panies today have directors responsible or
accountable for this issue at board level,
and well-trained and experienced risk
overall quality improvement
by, establishing what the business risks are
and working out how to mitigate them to
an acceptable level and cost is crucial.
Just as critical, however, is obtaining
buy-in at board level, because without
that high-level sponsorship, any initiative
will be doomed to failure. The big issue
here is that, although most organisations
perceive information security to be an IT
problem, it is, in fact, a business govern-
ance matter and, as such, has to be dealt
with via the management of processes,
policies and people.
Identifying gaps
As a result, information security pro-
fessionals tasked with implementing
the standard should, in an ideal world,
governance or quality management
function. However, if this is impossi-
ble, they should at the very least try to
ensure that information risk is added
to the corporate risk register, which
today tends to include only business
operational, financial and health and
safety risks.
As Gillespie points out: While
60-70% of the 133 controls in ISO
27001 are IT-oriented, which means that
they tend to be put in the hands of the
IT director, you could actually be accred-
ited to the standard without having a
single computer in the business.
AT Kearneys Hughes agrees. The
most useful element of the compliance
programme, he found, was going under-
taking a thorough risk assessment as it
helped the organisation identify gaps in
its processes. It really helped us tighten
up there and ensure that things were
fully and consistently documented and
kept up to date. So its also about the
rigour that youve got to apply and the
thinking about what needs to change,
he explains.
We looked at what worked
for the business in order to
protect our own and our
clients data as part of an
programme and we were
certified first time around
Another frequently misunderstood
point, however, is that it is not neces-
sary to adhere slavishly to the stand-
ard or, worse still, adopt a tick-box
approach to implementing controls. As
long as there are good documented rea-
sons for justifying decisions made and
actions taken, or not taken, based on
the companys risk profile and appetite,
auditors will be happy.
January 2011
 FEATURE

You can approach this at various
levels. Some people put in as little
effort as possible, while others go in
so deeply that it becomes a mam-
moth effort, Hughes says. But we
approached it very pragmatically. We
looked at what worked for the business
in order to protect our own and our
clients data as part of an overall qual-
ity improvement programme and we
were certified first time around.
And all in all, he believes that the
couple of months of concerted effort
required to achieve accreditation was
worth it. It was a valuable learning
exercise and helped us to identify gaps
so we feel now that our processes are
more robust and resilient as a result
of bringing in best practice, says
Hughes. Its not that onerous and it
does provide a base standard, which
assures our clients that our data
and theirs is protected and managed
properly.
About the author
Cath Everett is a freelance journalist
who has been writing about business and
technology issues since 1992. Her special
areas of focus include information
security, HR/management and skills
issues, marketing andhigh-end
software.

Towards near-real-time
detection of insider trading
behaviour through social
networks
Sumit Gupta, Liaquat Hossain, University of Sydney

The monitoring of capital frauds and malicious trading behaviours, and imple- of professionals.1 As a result, now its
menting changes to correct traders and firms behaviour, is increasingly seen as a not only corporate officers, directors and
priority in todays financial markets. Many governments and financial institutions managers who are considered as insiders
are investing capital and resources to maintain the integrity of their markets and but also professionals such as lawyers,
promote fair-trade practices. Of all the capital scams, insider trading is one of the investment bankers, printers, auditors
hardest to detect and therefore the most difficult to prove in a court of law. and so on who work within or alongside
the organisation. When these people
There has not been a great deal of empiri- and surveillance of such activity. First, its trade in company stock and other securi-
cal research conducted or published on important to explain the domain problem ties, this is deemed to be insider trad-
the detection of insider trading. The ie, insider trading. Second, well discuss ing. Although the term, in general use,
traders self-learning and self-adaptive the application and relevance of social means the same everywhere, the laws
capabilities make it almost impossible to networks, behavioural and co-ordination against insider trading vary from
detect such acts in time and to therefore theory for such detection. Last, we
undertake corrective actions to eliminate present and discuss our research model
the practice. Further, inconsistencies in in a single framework integrating social
the legal definition of the term insider networks, behavioural and co-ordination
trading between nations make it even theory in proposing STARS, leading to a
more difficult to apprehend the perpe- conclusion and discussion of our work.
trators. To address these challenges, we
propose an approach combining social Insider trading
network analysis, behavioural theory The term insider is used to refer to
and co-ordination theory in a single those who hold managerial positions
framework referred to as a Surveillance within organisations. However, recent Figure 1: Types of insider trading. These three
enforcement practices have broadened categories are mutually inclusive and thus an
Tracking and Anomaly Revelation System insider trading act covers all three categories.
(STARS) that would enable the detection the context by focusing on various types

7
January 2011 Computer Fraud & Security