ISO 27001 – Lessons from the Trenches - EventSystemPro - ISO-27001... · ISO 27001 Implementation...

Date post: 17-Apr-2018
Page 1: ISO 27001 – Lessons from the Trenches - EventSystemPro - ISO-27001... · ISO 27001 Implementation Lessons from the Trenches ... ISMS implementation andKey lessons from ISMS implementation

ISO 27001 – Lessons from the Trenches

1


ISO 27001 Implementation – Lessons from the Trenches

2015 Ontario Connections Conference

May 20 – 22, 2015

Toronto

Cal Marcoux – Chief Information Security Officer

Hassan Gesso – Senior Program Consultant, InfoSec

2


Agenda

• About CIHI

• A brief history of CIHI’s ISMS

• Key lessons from ISMS implementation and certification

• Discussion / Q&A

3


About CIHI

• Independent, not-for-profit organization that provides essential information on Canada’s health system and the health of Canadians.

• Our stakeholders use our broad range of health databases, measurements and standards, together with our evidence-based reports and analyses, in their day-to-day decision-making.

4


About CIHI

Unique role in Canada’s health care system.

Since 1994:

• Helped improve depth/breadth of health data

• Built/maintained pan-Canadian databases

• Released analyses on health/health care in Canada

• Promoted understanding/use of data through education, reporting tools and strategies

• Developed information standards to understand, compare and use the data effectively

5


CIHI’s ISMS – A brief history

2006

• CIHI had fairly strong security posture, but low maturity of information security processes

• Began looking at ISO 27001 as assurance for our stakeholders and as a way to mature our InfoSec program

• Some preliminary work started

2007-2011

• CIHI’s InfoSec program matures – alignment with Privacy program, policy/procedure development, staff awareness campaigns, etc.

• Continued to contemplate ISO 27001, but no organizational commitment

2012

• CIHI’s CEO includes ISO 27001 certification on his performance objectives

• Project initiated

2014

• ISO 27001:2005 Certification

6


CIHI’s ISMS – Scope

From our certificate: “…management of information security for the provision of platform services relating to the protection of CIHI’s information assets.”

• Two physical data centres (Toronto, Ottawa) – includes physical, environmental security

• Hardware

• Platform Software – OS, Web Server, App Server, DB Server

• Single purpose network and security appliances

7


CIHI’s ISMS – Scope

In-Scope Departments

• Information Security Branch

• Infrastructure Services Department

• Technology Services Department

“Boundary” Departments

• HR

• Procurement

• Corporate Admin

• Privacy & Legal Services

8


CIHI’s ISMS – Scope

9


About this presentation

• Lessons learned from our perspective

• May or may not ring true for other organizations

• Experience is a function of organizational maturity (PMO, IT, Risk Management), willingness to embrace change, etc.

10


Lessons

11


Organizational Commitment

CIHI’s Experience

• It took us a number of years to “warm up” the organization to the implementation of an ISMS

Lesson

• If we had attempted to start implementation before obtaining CEO commitment, we would have failed

• You WILL fail if you don’t have organizational commitment at the highest level – resources, funding, governance, willingness to change, …

12


Dedicated Resources

CIHI’s Experience

• Nobody was allocated 100% to this project

• We were successful, but required heroics throughout and conflicting priorities were the norm

Lesson

• Suggest at least one employee dedicated 100% to the project

• All affected employees should be allocated time as well – even if they’re minimally impacted

13


Change Management

CIHI’s Experience

• Implementing the management system, and all associated processes, governance, etc. was a big change for us, especially “IT geeks”

Lesson

• Don’t underestimate the amount of churn this might create in your organization – people will be fearful, resistant, resentful, etc.

• Use best practices for managing change, give your organization the necessary time

14


External Professional Services

CIHI’s Experience

• We engaged EPS to help us implement

• We struggled at first due to different experience and approaches to implementation

Lesson

• EPS can be an important part of your project, but choose and manage carefully

• Select based on a true, successful certification in a similar organization

15


Scope of ISMS

CIHI’s Experience

• We spent a long time contemplating scope

• We engaged lots of opinions (internal and external), including Certification body

Lesson

• Scope selection is key to success

• Must be do-able but relevant to the organization

• Carefully consider boundaries when contemplating scope

16


Governance

CIHI’s Experience

• We implemented a solid governance structure early in the project

• Project Steering Committee transitioned to ISMS Steering Committee seamlessly

Lesson

• Think carefully about governance, put in place accountabilities and responsibilities early

• This is your opportunity to force good decision making and support within your organization (managers, CISO, etc. can push issues up the chain where they belong)

17


Governance

18


Staff Awareness and Engagement

CIHI’s Experience

• Staff “on-the-ground” still don’t always feel like they’re part of the ISMS – they feel it’s some new administrative requirement imposed on them

Lesson

• Engage ALL affected staff early and feed them the Kool-Aid

• Find and utilize champions

• Avoid the language “ISO requires….”, “ISO says…”, etc.

• Expect this to be a long process

19


Project Approach

CIHI’s Experience

• We struggled with PMLC role for this type of project (organizational change)

• We weren’t sure how to engage PMO

Lesson

• PMO can absolutely be helpful, BUT this is not a “typical” project where you’re building and delivering a product

• Building Annex A controls lends itself well to traditional IT PMLC, but the organizational changes, implementation of new management processes, etc. doesn’t

• Be sure your PMO is equipped – you may be breaking new ground in your organization

20


PDCA or not to PDCA

CIHI’s Experience

• We started with gap analysis and Risk Assessment

• We found ourselves trying to implement and run an ISMS at the same time

Lesson

• Before you get into the PDCA cycle, allocate some project time to aligning your information security controls to Annex A / ISO 27002

• This will make your first risk assessment much less daunting

21


ISMS Project Ownership

CIHI’s Experience

• Project run by InfoSec (CISO office)

• We had good breadth of organizational experience (management, technical, business, etc.) by nature of the resource mix

Lesson

• Staff your project team in such a way that you have broad experience in all aspects and domains of the ISMS

22


ISMS “Owner” Workload

CIHI’s Experience

• CISO accountable for ISMS

• Project and ISMS Operations require significant time/effort commitment to ensure consistency, continual improvement, etc.

Lesson

• Don’t underestimate the amount of commitment required by your ISMS Owner.

• Be prepared to oversee work of others

• You will be busy (!)

23


Compliance along the way

CIHI’s Experience

• We relied on control owners and process owners to implement controls according to our guidance and to ensure effectiveness of the controls

Lesson

• Build compliance audits into your project plan

• This avoids last-minute surprises

24


Just Do It!

CIHI’s Experience

• This was a tough road, but it’s worth the effort

• We’ve seen many benefits since implementing the ISMS

• CMM InfoSec maturity by definition is increased by implementing an ISMS

Lesson

• Don’t be scared – go into it with your eyes open, but do it if and when it’s right for your organization

25


Key Messages

26


Key Messages

• Implementing an ISMS is likely more difficult than you imagine (but it’s VERY do-able)

• Expect the unexpected

• Expect pushback and other organizational change challenges

• You will do a lot of hand-holding and contributing to the others’ work

• Scope selection is key

• Implementing an ISMS does not mean you will have awesome security – it means you’ll have well-managed, continually improving security.

27


Questions / Discussion

Please feel free to contact us if you would like to discuss further.

Cal Marcoux – [email protected]

Hassan Gesso – [email protected]

If you would like a copy of this presentation with our speaking notes, let us know.

28
