What Developers and Testers need to know about the ISO 27001 Information Security Standard
Late in 2013, the International Organization for Standardization released a new version of its ISO 27001 information security standard. The standard contains requirements that apply to all organizations, plus requirements that are relevant only to organizations with in-house software development and integration projects. These affect testers, developers, and release managers. This article summarizes the relevant facts and points out the topics that testing and development teams have to work on.
Why Managers Like ISO 27001
Managers are held accountable for security incidents, even if they have no information security expertise. Gregg Steinhafel illustrated this involuntarily. He is a former CEO of Target, the second biggest discount retailer in the USA. Steinhafel was the first CEO of a major corporation to lose his job due to a data leak. Thus, managers cannot simply rely on a statement from their Chief Information Officer – “Security? Everything is fine!” – without risking the company’s and their personal future. Here, ISO 27001 comes into play. It brings together, first, a list of best practices for information security and, second, an auditing and certification industry. The best practices prevent basic mistakes and keep security topics from going completely unaddressed. External auditors validate whether the best practices have been implemented. This external validation gives CEOs and stakeholders extra confidence.
Three Popular Misunderstandings about Information Security
Information security is a widely used term. Everybody has their own definition, which can differ from ISO 27001’s understanding. The three most common misunderstandings are:
Misunderstanding 1: Information security focuses (mainly) on protecting sensitive data
Information security requires the protection of sensitive data. However, this is only one of the three aspects of the CIA triangle, a core concept in information security. The “C” represents confidentiality: protecting sensitive data against unauthorized access. The “I” stands for integrity: information must not be changed inappropriately, whether accidentally or intentionally. Finally, “A” stands for availability: users must be able to retrieve information when needed, and no data must be lost. ISO 27001 covers all three aspects of the CIA triangle. Thus, organizations must address all of them for their certification.
Misunderstanding 2: Information security fights (mainly) hackers and malware coming from the outside
Outside hackers and malware pose a threat to every organization, but employees pose a risk as well. Humans make mistakes, even when handling sensitive data. Worse, employees might engage in criminal actions. Snowden illustrated how a single person can harm a large organization. Thus, information security must also address risks from internal employees.
Misunderstanding 3: Information security looks (mainly) at production systems
Production systems store and process sensitive data, but sensitive data can also reside in development and test environments. This concerns the confidentiality aspect. When looking at availability, bad code and wrong configurations are risks as well, because they can harm the stability of production systems. Thus, IT departments also have to address the risk associated with their change and release process.