By: Lisa DuBrock, CPA, CBCP, MBCI
Recently, in an article written by Subrata Guha entitled “New ISO IEC 20000-1: Alignment with ISO 27001”, Guha makes the point that, “… since ISO 20000-1 and ISO 27001 are so closely linked, there is a strong argument that these two standards should be implemented as a single management system – and, that the new release of ISO 20000-1 makes this process easier than ever before.”
I contend that the melding of those two standards is certainly an excellent idea, especially since some well-defined areas such as incident management, change management, and security management link up so well. And I believe that many companies have done just that, whether they implement the standards together or implement them individually and then knit the separate management systems and overlapping control structures together.
What I’d like to propose today, depending on your own corporate and organizational culture, is a coupling of two other standards that have a natural affinity for working together. Those standards are ISO/IEC 27001:2005 Information Security Management System and ASIS SPC.1 Organizational Resilience: Security, Preparedness and Continuity Management System.
Both the ISO 27001 and the ASIS SPC.1 standards build their foundation on the concept that management identifies, adopts, implements, monitors, updates and, most importantly, manages their related management system(s) based on that particular organization’s appetite for risk – i.e. Risk Appetite.
As with any organization’s business management system (BMS), the process of implementing that BMS to a standard (i.e. ISO 27001 or ASIS SPC.1) begins with and is based on the scope that the organization sets for its BMS.
In this instance, both ISO 27001 and ASIS SPC.1 adhere to the management system requirements of: Management Commitment (including resourcing, training and awareness, and approval of the system), Internal Audit, Management Review and Continual Improvement.
Both of these standards also require a statement of applicability (SOA). However, they differ in how the SOA is defined. In SPC.1, the SOA documents the strategic weighting of security management, preparedness, emergency management, disaster management, crisis management and business continuity management. In ISO 27001, the SOA is a documented statement describing the control objectives and controls that are relevant and applicable to the organization’s ISMS.
What really differs between these standards, however, is the context of the risk process. For ISO 27001, the context is based on the information assets identified within the scope of the management system. Within SPC.1, the Organizational Resilience Management System is based on legal and other requirements, information about significant hazards and threats, and protection of all critical assets (physical, intangible, environmental and human), not just information assets.
By having an organization integrate the implementations of both the ISO 27001 and ASIS SPC.1 standards simultaneously, it is almost certain that the organization would achieve a stronger and clearer understanding of its risks and of what is needed to mitigate them (i.e. to be more secure).
Whether or not you agree with this opinion, please share your comments and input regarding this potential integrated approach.