t: +44 (0) f: +44 (0) e: w:

Transcription

1 t: +44 (0) f: +44 (0) e: w: white paper Q-Pulse is a registered trademark of Gael Products Ltd. All rights reserved worldwide. Copyright 2009 Gael Products Ltd. Executive Summary For organisations seeking compliance with more than one management standard, satisfying multiple legal and regulatory requirements is a challenge. Increased time and effort, the duplication of effort and increased resource expenditure are only some of the consequences of segregating the management of compliance actions and activities. Solutions that enable the adoption of a holistic approach to compliance management enable radical reductions in the time required to achieve certification to standards, and dramatically decrease the duplication of effort in satisfying legal and regulatory requirements. By adopting an integrated approach to compliance management, compliance with standards, including ISO 9001 and ISO 27001, can be achieved, as well as enhancing the maintenance and improvement of quality and information security. contd. >>> 1

2 This paper examines the operational challenges faced by organisations in extending an ISO certified quality management system (QMS) to manage information security and achieve certification to ISO 27001, and explores solutions that enable an integrated approach to the management of compliance with the legal and regulatory requirements of both ISO 9001 and ISO Introduction In today s global economy, organisations must comply with the requirements of an increasing number of national and international laws and regulations. However, in managing compliance with legal and regulatory requirements, organisations must identify and address risks in complying with numerous laws and regulations, such as increasing duplication of time, effort and cost, to the extent that is achievable without the costs outweighing the benefits. With the penalties for failing to comply with laws and regulations also increasing, achieving compliance with legal and regulatory requirements is increasingly important for organisations in reducing time and effort, reducing the duplication of effort and reducing resource expenditure. However, the lack of harmonisation at national and international levels has resulted in multiple overlapping legal and regulatory requirements. International standards such as ISO 9001 enable organisations to meet multiple overlapping legislative and regulatory requirements by providing the framework for a formal management system. However, having identifying the common requirements for regulatory compliance, organisations may need to conform with more than one management system to comply with the laws and regulations with which organisations must comply. By implementing a management system within a legislative and regulatory framework such as ISO 9001, organisations can demonstrate compliance and reduce exposure to risk. In addition, by extending an existing quality management system (QMS) to encompass the requirements of an information security management system (ISMS), organisations can enhance their compliance and achieve improvement throughout the organisation. Extending an existing quality management system (QMS) to encompass the requirements of an information security management system (ISMS) enables organisations to comply with an increasing number of legal and regulatory requirements and enables the adoption of an integrated approach to compliance management. 2

3 To reduce cost and avoid duplication and increase effectiveness, organisations should integrate their management systems. By reducing duplication between multiple standards, an integrated approach to compliance management enables organisations to conform with more than one management system, lowering costs, avoiding duplication and increasing effectiveness throughout the organisation. Extending an existing quality management system to encompass the requirements of an information security management system enables organisations to adopt an integrated approach to compliance management. The need to manage multiple legal and regulatory requirements drives the adoption of an integrated approach to compliance management: identifying and cost-effectively satisfying common requirements for legislative and regulatory compliance. By adopting an integrated approach to compliance management, organisations can assure customers, certification bodies and regulatory authorities that systems and controls satisfy an increasing number of legal and regulatory requirements, as well as to demonstrate compliance with standards, including ISO 9001 and ISO 27001, can be achieved, as well as enhancing both customer satisfaction and competitive advantage. Extending a QMS to encompass the requirements of an ISMS By identifying the requirements common to a broad range of laws and regulations, organisations may need to conform with the specifications of more than one management system to achieve compliance with required laws and regulations. In adopting an integrated approach to compliance management, organisations can meet requirements common to multiple laws and regulations. At national and international levels, the increasing number of legal and regulatory requirements with which organisations must comply requires organisations to implement more than one management system. By extending an existing quality management system (QMS), organisations can encompass the requirements of an information security management system (ISMS) and avoid duplicating time, effort and cost in its implementation. For ISO 9001-certified organisations competing in a global marketplace, maintaining and improving the quality of processes is no longer enough in meeting and exceeding the requirements of the customer: organisations must also maintain and improve the confidentiality, integrity and availability of the information on which people, technologies and processes depend. 3

4 In today s global economy, information is the lifeblood of business: in the UK alone, 66 per cent of businesses would suffer serious disruption if information within their systems was corrupted; and 56 per cent would suffer serious disruption if information within their systems was unavailable. (Source: DTI Information Security Breaches Survey) The inefficient and ineffective management of information security increasingly exposes business to threats, from viruses and unauthorised access to inappropriate use and theft: 62 per cent of UK businesses suffered a security incident in the last two years; however, the number of reported incidents rose 50 per cent, with average costs also rising 20 per cent. With organisations required to comply with an increasing number of national and international laws and regulations, the penalties for failing to do so are also increasing: the UK s largest building society was recently fined for exposing customers to risk, following the theft of a laptop on which details of 11 million customers were stored. Despite failing to have effective systems and controls in place and exposing customers to an increased risk of financial crime, the society s customers, not the directors, had to pay the record 1 million fine; increasingly, customers are also concerned by the threats to which they are exposed by the inefficient and ineffective management of information security. For organisations competing in a global marketplace, meeting and exceeding customer expectations is increasingly important in achieving a competitive advantage. Organisations that store confidential customer details can meet and exceed present and future customer expectations and safeguard the security of customer information by extending their existing quality management system (QMS) to encompass the requirements of an information security management system (ISMS). ISO enables organisations to comply with multiple overlapping legal and regulatory requirements, such as US Sarbanes-Oxley legislation, EU BASEL II regulations and UK FSA requirements. ISO offers formal systems and controls for managing information security around a framework of best practice, enabling organisations to demonstrate information security processes that meet an international standard to certification bodies and regulatory authorities, and to assure customers of the confidentiality, integrity and availability of information. ISO also enables organisations to establish a foundation for corporate governance: 87 per cent of UK businesses reported that certification had improved their business continuity and 85 per cent reported that it had minimised damage to their business from security incidents. (Source: DTI Information Security Breaches Survey) 4

5 In addition, by providing systems and controls for managing information security, ISO enables organisations to harmonise multiple compliance activities and management systems; the alignment of clauses between ISO and ISO 9001, such as document management requirements, enables organisations to develop a management system that can harmonise the compliance activities of both management standards and that can also be externally certified to both. For organisations that already have a certified QMS in place, the ISMS can be integrated with the existing QMS, as the numbering systems and document management requirements of both ISO 9001 and ISO have been designed to enable organisations to develop management systems that integrate the requirements of both standards: for example, clauses 4.3, and of ISO 27001, which specify systems and controls for documentation, document control and records respectively, can be met by extending the documentation control requirements of the existing ISO 9001 QMS. Organisations can provide assurances to both the business and its partners that information security is protected, as well as removing barriers to trade, and offering competitive advantage in markets in which legislative and regulatory requirements relate to the protection of information security. By extending an existing QMS to encompass the requirements of an ISMS, organisations can achieve compliance to an internationally-recognised standard, which also enables compliance with several regional legal and regulatory requirements. In addition, organisations can demonstrate the increased security in place around their information to internal and external auditors, as well as their customers, enhancing the QMS by meeting and exceeding customer expectations to achieve and retain customer satisfaction. In extending an existing management system to encompass the requirements of an information security management system, organisations can dramatically decrease duplication of effort as well as short- and long-term one-off and on-going costs, and increase return on investment (ROI). By adopting a holistic approach to managing quality and information security, organisations can integrate the processes common to both ISO 9001 and ISO 27001, such as document and record control, corrective and preventive action, audits and management review. With a management system that integrates a holistic approach to compliance with international best practice, organisations can demonstrate compliance with both standards to customers, certification bodies and regulatory authorities. In addition, by integrating the management of quality and information security, organisations can demonstrate both the quality and security of their quality and information security processes, as well as achieve significant competitive advantages. 5

6 Solutions that enable the adoption of an integrated approach to compliance management enable radical reductions in the time required to achieve certification to standards, and dramatically decrease the duplication of effort in satisfying legal and regulatory requirements. By putting an integrated compliance management solution into place, organisations can achieve compliance with ISO 9001 and ISO and enhance the maintenance and improvement of quality and information security. Management Solutions in an Integrated Approach Extending an ISO 9001-certified management system to encompass ISO enables organisations to demonstrate compliance with numerous legal and regulatory requirements as well as to integrate a holistic approach to compliance management with international best practice. However, managing multiple on-going compliance activities can result in increased exposure to risk, increased duplication of effort and increased compliance and operational costs. In addition, segregating compliance activities reduces ROI and increases costs associated with exposure to risk as well as compliance with future legal and regulatory requirements. By putting a comprehensive management system in place that demonstrates best practice in both quality and information security management, adopting a holistic approach to compliance can reduce the duplication of effort that multiple on-going compliance activities can incur, as well as to more closely integrate compliance activities to reduce gaps between systems and controls. Integrating compliance management systems enables effective risk and cost management while enabling continual improvement. By reducing operational risks and reducing duplication, integration enables the reduction of compliance and operational costs, as well as enabling future requirements to be met with reduced costs. In addition, by leveraging value from a project that is perceived as a cost, integration enables return-on-investment that considers costs associated with compliance and potential risks. 6

7 This approach also provides a foundation for extending the management system further to encompass additional standards, such as ISO 20000, as well as enabling organisations to build towards corporate governance. Implementing best practice also demonstrates compliant systems and controls to certification bodies and regulatory authorities, and assures customers of both the quality of processes and the security of information; in addition, it provides an extended system in which all information critical to business can be continually analysed to improve quality and security throughout the organisation. By implementing an electronic solution to streamline compliance activities, an integrated compliance management solution enables organisations to reduce the time, effort and cost spent certifying to ISO 27001, and to establish a foundation for corporate governance. With a solution that integrates compliance management with document and process management, organisations can put effective systems and controls in place to: automate their compliance activities to reduce the time, effort and cost spent extending their existing quality management system encourage interaction throughout the organisation to enhance ownership of the ISMS, and streamline their certification activities to establish a foundation for corporate governance. By adopting a holistic approach to managing quality and information security, organisations can integrate the processes common to both ISO 9001 and ISO 27001, such as document and record control, corrective and preventive action, audits and management review. Document and record control Where users can t report inaccuracies, or acknowledge or request changes at the point of need, the time and effort spent reviewing and revising documents increases, as well as the risk of inactive or obsolete documents remaining in circulation. In addition, as the volume of paper-based documents increases, so the cost of storing and disposing of documents securely also rises, in addition to the risk of unauthorised access and distribution. 7

8 An integrated compliance management solution enables organisations to: increase staff involvement and participation in the management system by offering point-of-need access to controlled documents enhance accuracy across documents and revisions by automating the change request process lower document control costs by reducing paper-based documents and automating administration activities reduce the time and effort required by the change control process by addressing outstanding acknowledgements and approvals at point-of-need Audit management Increasing information requires increasing resources to collate and analyse, which can result in increased preparation time. Longer preparation times can lead to audit cycle times increasing and a lack of ownership can lead to staff overlooking an increasing number of audit findings. An integrated compliance management solution enables organisations to: reduce disruption and enhance coverage throughout the organisation by managing the audit process electronically from scheduling to completion increase the identification and follow-up of audit findings by automating the notification and escalation of outstanding and overdue actions enhance the availability of information throughout the audit process by offering point-of-need access to pre- and post-audit reports increase management involvement and participation in the ISMS by providing access to incident and trend analyses for review on demand 8

9 Corrective and preventive action Without effective tools or techniques for analysing management system records, it s difficult to identify the root causes of issues. With issues in identifying how and where resources should be allocated can lead to escalating costs and recurring issues. Ineffective communication and a lack of ownership can result in actions being overlooked. An integrated compliance management solution enables organisations to: increase staff involvement and participation in the management system by offering point-of-need access to event records reduce the time and effort in reporting events and managing incidents by identifying and addressing actions at point-of-need identify opportunities for continually improving security and systems by collating and analysing incident records demonstrate evidence of corrective and preventive action on demand by providing controlled access to event records to customers and regulatory or certification bodies Asset management By limiting access to information and asset records, organisations can restrict and reduce staff involvement and participation in their ISMS. By preventing the reporting of events at an individual, group or register level, organisations can increase their exposure to risk as well as obfuscate opportunities for continual improvement. By manually administrating the notification and escalation of outstanding and overdue actions organisations can worsen the review of assets. By not addressing outstanding internal and external actions at point-of-need, organisations can increase the time and effort required to manage their assets. An integrated compliance management solution enables organisations to: increase staff involvement and participation in the ISMS by offering point-of-need access to information and asset records reduce exposure to risk and identify opportunities for continual improvement by reporting events at an individual, group or register level improve the review of assets by automating the notification and escalation of outstanding and overdue actions reduce the time and effort required to manage assets by addressing outstanding internal and external actions at point-of-need 9

10 Analysis Without effective tools or techniques to review performance, systems can leave organisations unable to analyse issues by occurrence or cost, which can lead to continually recurring issues and rising resource costs. Without access to up-to-date information, it s difficult to identify opportunities for continual improvement and, without the regular review of corrective actions and audit findings, problems will reoccur and risks will increase. An integrated compliance management solution enables organisations to: increase management involvement and participation in the ISMS by offering point-of-need analysis of management system information enhance event management at an individual, departmental or organisational level by analysing all areas of the organisation lower costs and repeat failures by analysing trends and identifying opportunities for improving the business enhance continual improvement analysis by providing on-demand access to comprehensive management system information 10

11 Conclusion In today s global economy, organisations must comply with the requirements of an increasing number of national and international laws and regulations. International standards such as ISO 9001 enable organisations to meet multiple overlapping legislative and regulatory requirements by providing the framework for a formal management system. Extending an existing quality management system (QMS) to encompass the requirements of an information security management system (ISMS) enables organisations to comply with an increasing number of legal and regulatory requirements and enables the adoption of an integrated approach to compliance management. For ISO 9001-certified organisations competing in a global marketplace, implementing an electronic solution to streamline compliance activities, enables organisations to reduce the time, effort and cost spent certifying to ISO 27001, and to establish a foundation for corporate governance. With a solution that integrates compliance management with document and process management, organisations can put effective systems and controls in place to: automate their compliance activities to reduce the time, effort and cost spent extending their existing quality management system encourage interaction throughout the organisation to enhance ownership of the ISMS, and streamline their certification activities to establish a foundation for corporate governance For more information on extending a compliance management system to adopt a holistic approach to compliance management, contact us now at infosec@gaelquality.com Gael Ltd, Orion House, S.E. Technology Park, East Kilbride, Scotland, UK, G75 0RD t: +44 (0) f: +44(0) e: info@gaelquality.com w: 11