The 27K Summit: The First U.S. Conference Focusing on the ISO/IEC 27001 Family of Standards

Ron Ross, NIST Fellow, delivers his keynote presentation

Last week, May 12th through 14th, 2015, through the efforts of atsec information security corporation, the very first "27K: The Security Summit for the Americas" was held in Austin, Texas. In fact, this was the first conference focused on the ISO/IEC 27001 standard for Information Security Management Systems (ISMS) ever organized in the U.S.

The ISO/IEC 27001 standard is a globally accepted standard for ISMS. It is widely used in Europe and Asia, but to date it has not been as widely adopted in the United States, this first conference of its kind in the U.S. was held last week in Austin, Texas.

atsec initiated the organization of the conference due to the history of atsec and the ISO/IEC 27001 standard. Sal La Pietra, atsec CEO, in his closing remarks at the conference said, "We organized this conference because we believe in the 27K standard and atsec owes the foundation and growth of the company to the standard." Much of atsec's early business in Europe was related to the ISO 27001 standard. atsec was assisted in the development of the conference by Cyberdefenses and BSI.

A day of pre-conference workshops was followed by the conference opening with keynote presentations by

• David Cannon, President & CEO, CertTest Training Center,
• Ron Ross, Fellow, National Institute of Standards and Technology (NIST),
• Scott Bullock CCSK, CISSP, CISM, Information Security Manager, Websense Cloud Services,

The conference was capped with a summary panel discussion on the subject of Integrating ISO/IEC 27001 with Existing Management Systems. The panel was moderated by Vern Williams, Chief Security Officer of CyberDefenses, and consisted of Fiona Pattinson, VP of atsec information security, John DiMaria ISO Product Manager of BSI Group America, Timothy Woodcome, Director of NQA USA, and David Ochel, Senior Information Security Manager of Rêv Worldwide. It was clear from the enthusiastic participation and discussion of the attendees that a conference on the subject of ISO/IEC 27001 has been needed and was valued highly by the community.

Vern Williams moderates the summary panel

In his closing remarks, Sal La Pietra, atsec CEO, stated that just as with the International Cryptographic Module Conference (ICMC), also initially organized by atsec, "We are not interested in owning the conference. We are giving it back to the community we managed to bring together for these two days. Of course we will continue to support future efforts, but we will discuss in what way after we see the results of this conference."

Thank you to everyone for attending! We are truly sorry that the typically beautiful Austin Spring weather chose not to cooperate on the week of the conference.

The conference organizers would like to thank Vern Williams and Willibert Fabritius for their invaluable contribution to the organization of the conference. We would also like to thank all of the conference sponsors: BSI, CyberDefenses, Inc., SGS, UL DQS Inc., DEKRA Certification, Inc., National Quality Assurance, The Open Group, SecuraStar, and Developing Telecoms. We are also grateful for the able assistance of Bill Rutledge of Cnxtd (“Connected”) Event Media Services.

ISO/IEC 27001

 Here at atsec we are fans of internationally recognized security standards that are closely scrutinized by security experts. There are "a ton" of national security standards or self-contrived private “seals of approval” for information security out there. However, national security standards usually do not work well for companies working internationally, because nobody outside of the country of origin cares about a local security standard. With “seals of approval” invented by security companies, the benefit depends completely on the trust your customers have in the company which created the seal.

Unfortunately, trust nowadays is in short supply…

The only available internationally recognized standard for Information Security Management is ISO/IEC 27001. The standard describes how information security can be implemented systematically. Please bear in mind, this is about INFORMATION security, not just technical IT security. So, ISO/IEC 27001 is not the typical “IT standard” which can be completely covered by your IT department. It requires direct involvement and supervision from business management to succeed.

ISO/IEC 27001 uses a risk-based approach, which helps to custom-tailor information security measures to the size and the risk situation of a company. Smaller companies or companies in a low risk market are not required to implement the same measures as companies facing high risks. This makes the standard achievable both for small companies and worldwide enterprises.

The goal of ISO/IEC 27001 is to implement an Information Security Management System (ISMS), which helps to organize security management in a consistent and structured way. This ISMS is not a technical system, but the sum of all security processes and documentation in a company.
   
ISO/IEC 27001 plays well with other security standards. It integrates without problems with other ISO standards. Common integrations are with ISO 9001 (Quality Management), ISO 14001 (Environmental Management), ISO/IEC 20000 (IT Service Management) and ISO 22301, formerly BS 25999 (Business Continuity Management). Other security requirements can also be seamlessly integrated into an ISMS based on ISO/IEC 27001, e.g., PCI-DSS or local data protection requirements.

Let’s have a look at the numbers for ISO/IEC 27001 certificates. The ISO survey 2012  shows a steadily increasing number of certificates for all regions. At the end of 2012, nearly 20,000 ISO/IEC 27001 certificates were issued. East Asia and Pacific (EAP) and Europe together are covering 85.6% of all ISO 27001 certificates. Europe leads in annual growth in absolute numbers in 2012, with 1,095 new certificates being issued.

Diagram from the 2012 ISO survey of certificates

North America with a ratio of 2.8% of all ISO/IEC 27001 certificates is currently lagging behind the rest of the world, which is the result of a strong focus on national standards. Note that the preliminary version of the  NIST led Cybersecurity Framework has included ISO/IEC 27001 in its core of security management standards, alongside the national FISMA suite of standards including SP 800-53 and the COBIT standard that is also well adopted in the U.S.
  
In September 2013, ISO released a new version of the standard, eight years after the release of ISO/IEC 27001:2005. This new standard is called ISO/IEC 27001:2013. The release of a new version of the standard is relevant for existing certificate holders, since after a transition period of 2 years all existing certificates must be migrated to ISO/IEC 27001:2013. Companies which are “nearly finished” with their preparation for ISO/IEC 27001 certification can (and should) perform the certification based on ISO/IEC 27001:2005.

If you are just planning to start your preparations, it will very likely be best to directly go for ISO/IEC 27001:2013 and save the time for a later migration.
 
The update of the standard will probably not directly lead to an even higher number of ISO/IEC 27001 certificates. The generally simpler requirements for Risk Management might entice some undecided companies, but most of the changes helped to tidy several legacy issues in the standard without dramatically changing the requirements. This shows that ISO/IEC 27001 is a standard which is actively developed and which is steadily aligned with the other ISO standards.

The events of this year emphasize the requirements for strong information security. Companies that offer IT services will be forced by their customers to prove a high level of security. Otherwise the customers will just switch to another service provider with a higher level of security. ISO/IEC 27001 helps companies to prove their commitment to information security and helps management to perform due diligence regarding information security.

Matthias Hofherr - atsec Munich