
Key Strategies for Implementing ISO 27001

In 1995, the British Standard Institute (BSI) published British Standard (BS) 7799, a widely adopted set of
best practices that help organizations implement effective information security management systems (ISMSs)
and establish security controls for specific business areas. In October 2005, the standard was adopted by the
International Organization for Standardization (ISO). As a result, implementing BS 7799 — now ISO 27001:2005 — has become a major focus of attention for European-based companies and those working in the region.

Depending on the organization's size, the nature of its business, and the maturity of its processes,
implementing ISO 27001 can involve a substantial investment of resources that requires the commitment of
senior management. In addition, because of its emphasis on data security, many internal auditors perceive the
standard to be focused solely on technology and often recommend that IT departments comply with the
standard's requirements without understanding the amount of time and resources required for compliance. To
ensure across-the-board acceptance and success, initial analyses and planning are vital. Because internal
auditors are in the perfect position to add value to an organization's IT processes, they can help IT
departments prepare the groundwork for an effective and efficient ISO 27001 implementation strategy during
the initial planning phase. This will help companies ensure their IT processes are better aligned with the
standard's requirements and ensure long-term compliance.

RECOMMENDATIONS FOR EFFECTIVE ISO 27001 COMPLIANCE

Implementing ISO 27001 can take time and consume unforeseen resources, especially if companies don't have
an implementation plan early in the compliance process. To enhance compliance efforts, internal auditors can
help companies identify their primary business objectives and implementation scope. Auditors should work
with IT departments to determine current compliance maturity levels and analyze the compliance process'
return on investment. These steps can be conducted by a team of staff members or external consultants who
have prior experience implementing the standard. External consultants should work in collaboration with an
internal team of representatives from the company's major business units. Below is a description of each
recommendation.

Identify Business Objectives

Plans to adopt ISO 27001 must be supported by a concrete business analysis that involves listing the primary
business objectives and ensuring a consensus is reached with key stakeholders. Business objectives can be
derived from the company's mission, strategic plan, and existing IT goals and may include:

• Ensuring effective risk management, such as identifying information assets and conducting accurate
risk assessments.
• Maintaining the company's competitive advantage, if the industry as a whole deals with sensitive
information.
• Preserving the organization's reputation and standing among industry leaders.
• Providing assurance to customers and partners about the organization’s commitment to protecting
data.
• Increasing the company's revenue, profitability, and savings in areas where protective controls operate
well.

The standard also emphasizes compliance with contractual obligations, which might be considered another
key business objective. For instance, for an online banking division, implementing the standard would provide
customers and partners greater assurance that risks stemming from the use of information systems are
managed properly.

Select the Proper Scope of Implementation

Identifying the scope of implementation can save the organization thousands of dollars and time. In many
instances, it is not necessary for an organization to adopt companywide implementation of a standard. The
scope of compliance can be restricted to a specific division, business unit, type of service, or physical
location. In addition, once successful compliance has been achieved for a limited, but relevant scope, it can be
expanded to other divisions or locations.

Choosing the right scope is one of the most important factors throughout the compliance cycle, because it
affects the feasibility and cost of the standard's implementation and the organization's return on investment.
As a result, it is important for the selected scope to help achieve the identified business objectives. To do this,
the organization may evaluate different scope options and rank them based on how well they fit with each
objective.

Organizations also may want to sign memorandums of understanding (MOU) or service level agreements
(SLAs) with vendors and partners to implement a form of indirect compliance to the standard. For example, a
garment manufacturing company may have a contract with a software provider for application maintenance
and upgrades. Therefore, the manufacturing company will not be responsible for the application’s system
development life cycle compliance with the standard, as long as it has a relevant MOU or SLA signed with
the software vendor.

Finally, the organization's overall scale of operations is an integral parameter needed to determine the
compliance process' complexity level. To find out the appropriate scale of operations, organizations need to
consider their number of employees, business processes, work locations, and products or services offered.

Determine ISO 27001 Maturity Levels

When assessing the organization’s compliance maturity level, auditors should determine whether or not the
implementation team is able to answer the following questions:

Does a document exist that specifies the scope of compliance?


According to ISO 27001, a scope document is required when planning the standard's implementation. The
document must list all the business processes, facilities, and technologies available within the organization,
along with the types of information within the ISMS. When identifying the scope of compliance, companies
must clearly define the dependencies and interfaces between the organization and external entities.

Are business processes and information flows clearly defined and documented?

Answering this question helps to determine the information assets within the scope of compliance and their
importance, as well as to design a proper set of controls to protect information as it is stored, processed, and
transmitted across various departments and business units.

Does a list of information assets exist? Is it current?


All assets that may affect the organization's security should be included in an information asset list.
Information assets typically include software, hardware, documents, reports, databases, applications, and
application owners. A structured list must be maintained that includes individual assets or asset groups
available within the company, their location, use, and owner. The list should be updated regularly to ensure
accurate information is reviewed during the compliance certification process.

How are information assets classified?


Information assets must be classified based on their importance to the organization and level of impact, and
whether their confidentiality, availability, and integrity could be compromised.

Is a high-level security policy in place?


Critical to implementing an information security standard is a detailed security policy. The policy must clearly
convey management's commitment to protecting information and establish the business' overall security
framework and sense of direction. It should also identify all security risks, how they will be managed, and the
criteria needed to evaluate risks.

Has the organization implemented a risk assessment process?


A thorough risk assessment exercise must be conducted that takes into account the value and vulnerabilities of
corporate IT assets, the internal processes and external threats that could exploit these vulnerabilities, and the
probability of each threat. If a risk assessment methodology is in place, the standard recommends that
organizations continue using this methodology.

Is a controls list available?


Necessary controls should be identified based on risk assessment information and the organization's overall
approach for mitigating risk. Selected controls should then be mapped to Annex A of the standard — which
identifies 133 controls divided into 11 domains — to complete a statement of applicability (SOA) form. A full
review of Annex A acts as a monitoring mechanism to identify whether any control areas have been missed in
the compliance planning process.

Are security procedures documented and implemented?


Steps must be taken to maintain a structured set of documents detailing all IT security procedures, which must
be documented and monitored to ensure they are implemented according to established security policies.

Is there a business continuity (BC) management process in place?


A management process must be in place that defines the company's overall BC framework. A detailed
business impact analysis based on the BC plan should be drafted, tested, and updated periodically.

Has the company implemented a security awareness program?


Planning and documentation efforts should be accompanied by a proper IT security awareness program so that
all employees receive training on information security requirements.

Was an internal audit conducted?


An internal audit must be conducted to ensure compliance with the standard and adherence to the
organization’s security policies and procedures.

Was a gap analysis conducted?


Another important parameter to determine is the organization's level of compliance with the 133 controls in
the standard. A gap analysis helps organizations link appropriate controls with the relevant business unit and
can take place during any stage of the compliance process. Many organizations conduct the gap analysis at the
beginning of the compliance process to determine the company's maturity level.
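As an added worked example (not code from the article), the two steps above, completing the SOA against Annex A and running the gap analysis, expressed in Python. The control ids follow the real Annex A numbering, but the sample control rows, the selection and exclusion decisions, and the audit result are constructed for illustration.

```python
"""SOA and gap-analysis check. Added example, not code from the article.
Control ids follow ISO 27001:2005 Annex A numbering (domains A.5 to A.15),
but the rows and decisions below are a constructed sample, not all 133."""

# Constructed sample of Annex A controls (a real SOA loads all 133).
SAMPLE_CONTROLS = {
    "A.5.1.1": "Information security policy document",
    "A.7.1.1": "Inventory of assets",
    "A.7.2.1": "Classification guidelines",
    "A.8.2.2": "Security awareness, education and training",
    "A.9.1.1": "Physical security perimeter",
    "A.11.2.1": "User registration",
    "A.11.5.1": "Secure log-on procedures",
    "A.14.1.1": "Information security in business continuity management",
    "A.15.1.1": "Identification of applicable legislation",
}

# Constructed risk-treatment decisions: selected controls with a justification,
# and controls excluded with a reason (a facility covered by a vendor SLA).
SELECTED = {
    "A.5.1.1": "required for every ISMS scope",
    "A.7.1.1": "asset list is an input to the risk assessment",
    "A.7.2.1": "assets must be classified by CIA impact",
    "A.11.2.1": "risk: unauthorised access to customer data",
    "A.11.5.1": "risk: credential guessing on the banking portal",
    "A.15.1.1": "contractual and legal obligations in scope",
}
EXCLUDED = {"A.9.1.1": "data centre operated by a provider under SLA"}
IMPLEMENTED = {"A.5.1.1", "A.7.1.1", "A.11.2.1", "A.11.5.1"}  # internal audit result

def _numeric_key(control_id):
    """Sort 'A.11.2.1' after 'A.8.2.2' (numeric, not lexical order)."""
    return tuple(int(p) for p in control_id.split(".")[1:])

def domain_of(control_id):
    """'A.11.2.1' -> 'A.11'."""
    return ".".join(control_id.split(".")[:2])

def build_soa(controls, selected, excluded):
    """One SOA row per control; applicable is None if it was never considered."""
    rows = {}
    for cid, title in controls.items():
        applicable = True if cid in selected else False if cid in excluded else None
        reason = selected.get(cid) or excluded.get(cid, "")
        rows[cid] = {"title": title, "applicable": applicable, "reason": reason}
    return rows

def soa_gaps(rows):
    """Controls with no decision recorded: a defect in the SOA itself."""
    return sorted((c for c, r in rows.items() if r["applicable"] is None),
                  key=_numeric_key)

def missed_domains(rows):
    """Domains where not one control was decided: the 'control area missed
    in planning' that a full review of Annex A is meant to catch."""
    domains = {domain_of(c) for c in rows}
    decided = {domain_of(c) for c, r in rows.items() if r["applicable"] is not None}
    return sorted(domains - decided, key=_numeric_key)

def gap_analysis(rows, implemented):
    """Applicable controls not yet implemented, and the compliance level
    (implemented / applicable) used as the maturity figure."""
    applicable = [c for c, r in rows.items() if r["applicable"]]
    missing = sorted((c for c in applicable if c not in implemented),
                     key=_numeric_key)
    level = 1 - len(missing) / len(applicable) if applicable else 0.0
    return {"applicable": len(applicable), "missing": missing,
            "level": round(level, 2)}

if __name__ == "__main__":
    soa = build_soa(SAMPLE_CONTROLS, SELECTED, EXCLUDED)
    print("undecided controls:", soa_gaps(soa))
    print("domains never reviewed:", missed_domains(soa))
    print("gap analysis:", gap_analysis(soa, IMPLEMENTED))
```

With the full 133-control list loaded in place of the sample, an empty result from both `soa_gaps` and `missed_domains` is the evidence that every Annex A area was reviewed, and `level` is the maturity figure the gap analysis feeds into the time and cost estimates.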

Were corrective and preventive actions identified and implemented?


The standard adheres to the Plan-Do-Check-Act (PDCA) cycle, which helps the organization know how far
and how well it has progressed through the cycle. This directly influences the time and cost estimates to
achieve compliance. To complete the PDCA cycle, the gaps identified in the internal audit must be addressed
by identifying the corrective and preventive controls needed and assessing the company's compliance based on
the gap analysis.

Are there mechanisms in place to measure control effectiveness?


Measuring control effectiveness is one of the latest changes to the standard. According to ISO 27001,
organizations must institute metrics to measure the effectiveness of the controls and produce comparable and
reproducible results.

Is there a management review of the risk assessment and risk treatment plans?

Risk assessments and risk treatment plans must be reviewed at planned intervals, at least annually, as part of
the organization's ISMS management review.

Analyze Return on Investment


Based on the groundwork done so far, companies should be able to arrive at approximate time and cost
estimates to implement the standard for each of the scope options. Organizations need to keep in mind that the
longer it takes to get certified, the greater the consulting costs or internal staff effort. Implementation costs
become even more critical when implementation is driven by market or customer requirements: the longer
compliance takes, the longer the organization will have to wait to reach the market with a successful
certification.

1) What is Internal Audit?

Internal Audit is a service to the management and constituents of Summit County as an
independent, objective, assurance and consulting activity designed to add value and improve an
organization's operations. Internal Audit can provide management with important and useful
information. It can help determine whether there are appropriate internal controls over
administrative processes and/or systems and recommend ways to improve the efficiency and
effectiveness of these processes as well as other areas. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.

The Summit County Internal Audit Department (IAD) consists of auditors and staff who are
County employees, who all report to the Summit County Audit Committee as mandated by Article
X of the Summit County Charter.

2) What are the objectives of an internal audit?


The objectives of an internal audit are to:

>Identify the areas of risk in the area being audited;
>Identify the controls in place to address those risks and review their adequacy;
>Check whether the County's financial regulations are being followed;
>Perform detailed testing of the controls being relied on, and make recommendations where weaknesses or
inefficiencies are observed;
>Determine the reliability and integrity of operating and financial information;
>Determine the degree of compliance with policies, procedures, laws, and regulations;
>Assure that assets are properly safeguarded; and
>Determine whether operations are accomplishing objectives and goals.

3) How does Internal Audit do this?


Through independent and objective reviews of a department's operations and procedures,
Internal Audit will assist you in the effective management of responsibilities by providing
analysis, recommendations, and pertinent comments concerning the review activities. This
involves:

>Evaluating the soundness and adequacy of the internal control structure.
>Reviewing policies, procedures, laws, and regulations to assess the County's compliance.
>Reviewing the reliability, adequacy, and application of accounting, financial and other operating
controls, and promoting effective control at reasonable cost.
>Evaluating the reliability of internal data by reviewing controls and security features over data
processing.
>Verifying the existence of assets and ensuring that they are properly accounted for and
safeguarded from loss.
>Evaluating the economy and efficiency with which resources are used, and recommending
improvements in operations.
>Reviewing security of resources and infrastructure.
>Conducting special examinations and reviews as requested by management.

4) Do professional standards apply to Internal Audit?


Yes. The Institute of Internal Auditors develops and publishes professional standards, codes of
conduct, and statements of responsibilities for internal auditors. Summit County's internal
auditors must complete a specified amount of annual continuing professional education hours to
remain apprised of any updates to these standards as well as compliance issues of County
governmental units.

5) What will Internal Audit do for your department?


>Evaluate your operations and recommend ways to improve your effectiveness and efficiency.
>Help you comply with various County, State and Federal policies.
>Ensure that you have proper controls in place to protect employees and the County.
>Provide advice regarding systems, policies, procedures, etc.

6) What activities are auditable?


Auditable activities consist of subjects, units, or systems which are capable of being defined and
evaluated. These activities may include:

>Overall operations of Offices, Courts, Agencies and their corresponding departments.
>General ledger accounts.
>Information systems.
>Grants, contracts, and programs.
>Countywide systems such as fleet management, payroll, purchasing, fixed assets, capital
projects.
>Functions such as electronic data processing, purchasing, marketing, production, finance,
accounting, and human resources.
>Transaction systems for activities such as sales, collection, purchasing, disbursement, inventory
and cost accounting, production, payroll, and capital assets.
>Laws and regulations.
>Policies, procedures, and practices.

7) Why would I want to request an audit?


An audit is very beneficial to assess operations within any area of the County. If you have
recently assumed new or additional supervisory responsibilities, an audit can review the
procedures to assess whether internal controls in your area are adequate. A periodic "checkup" to
review your department's activities can help ensure that procedures comply with County policies.
It is also beneficial to assess system controls and procedures when new computer systems are
installed.

Anyone within the County can request an audit, especially if you suspect fraudulent or
questionable activity is occurring in your area. All requests will be evaluated, and Summit County
Internal Audit Department will determine whether an investigation or review is warranted. To
request an audit, please contact Internal Audit at 330-643-2504 or by email at
tfretz@summitoh.net

8) Can I ask Internal Audit for assistance?


Yes. Whenever resources permit, Internal Audit is happy to advise on the County's rules and
procedures, compliance matters, or assist in implementing new systems. Audits and special
projects require the approval of the Audit Committee. Internal Audit aims to work in partnership
to assist in improving procedures for the benefit of the County. Contact details for Internal Audit
staff are available on the department's staff contacts page. Alternatively, please use our
feedback facility.

9) How does Internal Audit decide when to perform an audit?


Internal Audit has a five-year plan that covers County operations. The audits are determined by
the Countywide Risk Assessment model and the level of risk that they represent.

10) What happens during an internal audit?


Internal Audit initially meets with management to find out what systems are used and what
controls are in place. We are required to consider operational risks and controls so we may
discuss areas such as safety and information systems as well as controls over financial processes.
We may also need further interviews with other members of staff to obtain more detailed
information on the controls that are used.

Tests are carried out to check that controls are adequate and are operating effectively. This may
require sampling, observing work being performed, reviewing notes of meetings and holding
discussions.

We will then meet again with the designated management lead assigned to oversee the audit to
discuss our findings and any recommendations we wish to make in the report.

After this meeting, a draft report is produced. The report includes an action plan that summarizes
the recommendations, the agreed actions and timeframes for implementation.

Management will be asked to comment on the factual accuracy of the report before it is finalized.
As all the findings will have been discussed before the report was produced, there should not be
any surprises in what it says.

11) What are internal controls?

Internal controls are processes within a department or organization, which are designed to provide
reasonable assurance regarding the achievement of the following objectives:

>The reliability and integrity of information.
>Compliance with policies, plans, procedures, laws, and regulations.
>The safeguarding of assets.
>The economical and efficient use of resources.
>Effectiveness and efficiency of operations.
>Reliability of financial and operational reporting.

Internal controls help assure that operations are conducted according to plan. They are tools used
every day by managers, from the unit levels to the Officeholders, Judges, Executive Directors, and
Superintendents of the County, and include written policies and procedures, organizational design,
and physical barriers.

Through careful design, internal controls can help your department operate efficiently and effectively
and provide a reasonable level of assurance that the processes, services, or products for which you
are responsible are adequately protected.

In short, a control is any action taken by the administration/management to enhance the likelihood
that established objectives and goals will be achieved. Implementation of internal controls is the
prime responsibility of County administrators and supervisors.

12) What is management's responsibility regarding internal controls?

Management is responsible for ensuring that internal controls are established and functioning to
achieve the missions and objectives of their department. Management must respond to any changes
that may cause the effectiveness of a control to deteriorate by creating additional controls or altering
existing controls to protect against loss.

13) Why is segregation of duties important?


A lack of segregation of duties is a significant contributing factor in almost all occurrences of fraud.
When duties are properly segregated the potential for loss or inappropriate use of Summit County
assets is minimized.

Supervisory review of work is always important, but it does not replace the need for segregation of
duties. Proper segregation of duties will assure that the County's assets are properly used and
safeguarded.

14) What are the Audit Committee's responsibilities?


(a) To review the effectiveness of the County’s financial and other internal control systems
(b) To review the external auditor's report and the outcome of its findings, and to have direct access
to the external auditor
(c) To review the scope and effectiveness of the internal audit's work including planning and
operation of the work and results of internal audit's reports
(d) To satisfy itself that satisfactory arrangements are in place in Summit County to promote
economy, efficiency and effectiveness
(e) To work with the State Auditor’s Office on the appointment and remuneration
of the external auditor
(f) To advise Summit County Officeholders, Courts and Agencies on risk management and the levels
of accountability for it
(g) To consider the draft audit reports for approval

15) What is the difference between an internal audit and the annual external audit?
External audit is a statutory requirement which checks that the County’s accounts present a true and
fair view of the financial position. The internal auditors report to the Audit Committee on the control
systems used within the County. They should have a more detailed knowledge of systems than is
required for external audit. Sometimes, the differences between the internal and external auditors
can be confusing. In Summit County, internal and external auditors have an agreed understanding of
how to work together and this is detailed below. This approach includes:

>Regular meetings
>Sharing planning information
>Consulting each other on risk assessments
>Where appropriate, consulting on audit testing programs
>Sharing audit findings

16) What is the Audit Committee's role with respect to its Internal Audit Department and the
external financial audit?

The County's Audit Committee has a role in measuring our effectiveness. This includes:

>Approving our plans;
>Approving our budget;
>The provision of internal audit resources;
>The appointment of the Director of Internal Audit;
>Approving audit reports; and
>Following up previous audit recommendations.

External audit's report to the Audit Committee includes a management letter and an A-133 audit report
of findings. External audit may also attend the meetings of the Audit Committee so that the
Committee can take a broad view of audit activity in the County.

17) Does Internal Audit have any role producing the County's financial statements?
We have no statutory role in auditing financial statements. External audit is required to give an
opinion on the County’s audited financial statements.

18) What are the roles of external audit and Internal audit regarding compliance with
laws and regulations?
Through our risk-based approach, we consider controls in respect of legal requirements, as well as
requirements by other bodies and the County’s own rules and regulations.

19) What information should the County's government units provide to internal audit
regarding any new systems development?
We should be advised of all significant new systems being developed and will select those which we
wish to be involved with in order to assist with a successful implementation.

20) What safeguards does internal audit provide regarding fraud, and how does external
audit utilize them?
Our work is designed and conducted to consider how well the controls prevent and detect fraud. In
addition, fraud is considered as a routine risk when planning audit work. We may also be involved in
any specific fraud investigations. External auditors consider our work in relation to fraud when
assessing the risk of material misstatement in the financial statements.
