ISO 27001 – Lessons from the Trenches
ISO 27001 Implementation – Lessons from the Trenches
2015 Ontario Connections Conference
May 20 – 22, 2015
Toronto
Cal Marcoux – Chief Information Security Officer
Hassan Gesso – Senior Program Consultant, InfoSec
Agenda
• About CIHI
• A brief history of CIHI’s ISMS
• Key lessons from ISMS implementation and certification
• Discussion / Q&A
About CIHI
• Independent, not-for-profit organization that provides essential information on Canada’s health system and the health of Canadians.
• Our stakeholders use our broad range of health databases, measurements and standards, together with our evidence-based reports and analyses, in their day-to-day decision-making.
About CIHI
Unique role in Canada’s health care system.
Since 1994:
• Helped improve depth/breadth of health data
• Built/maintained pan-Canadian databases
• Released analyses on health/health care in Canada
• Promoted understanding/use of data through education, reporting tools and strategies
• Developed information standards to understand, compare and use the data effectively
CIHI’s ISMS – A brief history
2006
• CIHI had fairly strong security posture, but low maturity of information security processes
• Began looking at ISO 27001 as assurance for our stakeholders and as a way to mature our InfoSec program
• Some preliminary work started
2007-2011
• CIHI’s InfoSec program matures – alignment with Privacy program, policy/procedure development, staff awareness campaigns, etc.
• Continued to contemplate ISO 27001, but no organizational commitment
2012
• CIHI’s CEO includes ISO 27001 certification on his performance objectives
• Project initiated
2014
• ISO 27001:2005 Certification
CIHI’s ISMS – Scope
From our certificate: “…management of information security for the provision of platform services relating to the protection of CIHI’s information assets.”
• Two physical data centres (Toronto, Ottawa) – includes physical, environmental security
• Hardware
• Platform Software – OS, Web Server, App Server, DB Server
• Single purpose network and security appliances
CIHI’s ISMS – Scope
In-Scope Departments
• Information Security Branch
• Infrastructure Services Department
• Technology Services Department
“Boundary” Departments
• HR
• Procurement
• Corporate Admin
• Privacy & Legal Services
CIHI’s ISMS – Scope
About this presentation
• Lessons learned from our perspective
• May or may not ring true for other organizations
• Experience is a function of organizational maturity (PMO, IT, Risk Management), willingness to embrace change, etc.
Lessons
Organizational Commitment
CIHI’s Experience
• It took us a number of years to “warm up” the organization to the implementation of an ISMS
Lesson
• If we had attempted to start implementation before obtaining CEO commitment, we would have failed
• You WILL fail if you don’t have organizational commitment at the highest level – resources, funding, governance, willingness to change, …
Dedicated Resources
CIHI’s Experience
• Nobody was allocated 100% to this project
• We were successful, but required heroics throughout and conflicting priorities were the norm
Lesson
• Suggest at least one employee dedicated 100% to the project
• All affected employees should be allocated time as well – even if they’re minimally impacted
Change Management
CIHI’s Experience
• Implementing the management system, and all associated processes, governance, etc. was a big change for us, especially “IT geeks”
Lesson
• Don’t underestimate the amount of churn this might create in your organization – people will be fearful, resistant, resentful, etc.
• Use best practices for managing change, give your organization the necessary time
External Professional Services
CIHI’s Experience
• We engaged EPS to help us implement
• We struggled at first due to different experience and approaches to implementation
Lesson
• EPS can be an important part of your project, but choose and manage carefully
• Select based on a true, successful certification in a similar organization
Scope of ISMS
CIHI’s Experience
• We spent a long time contemplating scope
• We engaged lots of opinions (internal and external), including Certification body
Lesson
• Scope selection is key to success
• Must be do-able but relevant to the organization
• Carefully consider boundaries when contemplating scope
Governance
CIHI’s Experience
• We implemented a solid governance structure early in the project
• Project Steering Committee transitioned to ISMS Steering Committee seamlessly
Lesson
• Think carefully about governance, put in place accountabilities and responsibilities early
• This is your opportunity to force good decision making and support within your organization (managers, CISO, etc. can push issues up the chain where they belong)
Governance
Staff Awareness and Engagement
CIHI’s Experience
• Staff “on-the-ground” still don’t always feel like they’re part of the ISMS – they feel it’s some new administrative requirement imposed on them
Lesson
• Engage ALL affected staff early and feed them the Kool-Aid
• Find and utilize champions
• Avoid the language “ISO requires…”, “ISO says…”, etc.
• Expect this to be a long process
Project Approach
CIHI’s Experience
• We struggled with PMLC role for this type of project (organizational change)
• We weren’t sure how to engage PMO
Lesson
• PMO can absolutely be helpful, BUT this is not a “typical” project where you’re building and delivering a product
• Building Annex A controls lends itself well to traditional IT PMLC, but the organizational changes, implementation of new management processes, etc. doesn’t
• Be sure your PMO is equipped – you may be breaking new ground in your organization
PDCA or not to PDCA
CIHI’s Experience
• We started with gap analysis and Risk Assessment
• We found ourselves trying to implement and run an ISMS at the same time
Lesson
• Before you get into the PDCA cycle, allocate some project time to aligning your information security controls to Annex A / ISO 27002
• This will make your first risk assessment much less daunting
ISMS Project Ownership
CIHI’s Experience
• Project run by InfoSec (CISO office)
• We had good breadth of organizational experience (management, technical, business, etc.) by nature of the resource mix
Lesson
• Staff your project team in such a way that you have broad experience in all aspects and domains of the ISMS
ISMS “Owner” Workload
CIHI’s Experience
• CISO accountable for ISMS
• Project and ISMS Operations require significant time/effort commitment to ensure consistency, continual improvement, etc.
Lesson
• Don’t underestimate the amount of commitment required by your ISMS Owner.
• Be prepared to oversee work of others
• You will be busy (!)
Compliance along the way
CIHI’s Experience
• We relied on control owners and process owners to implement controls according to our guidance and to ensure effectiveness of the controls
Lesson
• Build compliance audits into your project plan
• This avoids last-minute surprises
Just Do It!
CIHI’s Experience
• This was a tough road, but it’s worth the effort
• We’ve seen many benefits since implementing the ISMS
• CMM InfoSec maturity by definition is increased by implementing an ISMS
Lesson
• Don’t be scared – go into it with your eyes open, but do it if and when it’s right for your organization
Key Messages
Key Messages
• Implementing an ISMS is likely more difficult than you imagine (but it’s VERY do-able)
• Expect the unexpected
• Expect pushback and other organizational change challenges
• You will do a lot of hand-holding and contributing to others’ work
• Scope selection is key
• Implementing an ISMS does not mean you will have awesome security – it means you’ll have well-managed, continually improving security.
Questions / Discussion
Please feel free to contact us if you would like to discuss further.
Cal Marcoux – [email protected]
Hassan Gesso – [email protected]
If you would like a copy of this presentation with our speaking notes, let us know.