ISO27001

Will ISO 27001 become the National Information Security Standard? 

Author: John DiMaria

Many organizations are subject to a slew of laws and regulations aimed at information security, such as Gramm-Leach-Bliley (privacy), HIPAA, the Federal Financial Institutions Examination Council (authentication and online banking), and the Payment Card Industry standard (card security). There are also California's and other states' data breach disclosure laws, the Sarbanes-Oxley Act, which requires IT to test the effectiveness of controls over financial-reporting systems, the European Union's privacy laws, and so on. While these laws and regulations do a good job of defining the scope of information security and spelling out the role of information security in risk management, they have little to say about what constitutes effective information security or how to achieve it.

ISO 27001 does precisely that. By adhering to this standard, your organization can go a long way towards satisfying regulatory compliance requirements. 

Many countries around the world have adopted (or are in the process of adopting) ISO 27001 as their framework for information security, with Japan being the most aggressive. People have asked how Japan came to adopt ISO 27001 as the framework of choice for ISMS compliance and protection of personal data.

We have identified two driving forces that caused Japan to adopt ISO 27001. 

First, Act No. 57 outlines the high level requirements and puts the burden on local Japanese governments to ensure compliance and write detailed laws for their areas of concern. Something that also makes a big difference is that Article 7 of Act No. 57 states that “The Government shall establish a basic policy on the protection of personal information (hereinafter called the "Basic Policy") in order to ensure the comprehensive and integrated promotion of measures for the protection of personal information.” 

“Integrated” is the key word here. We know of no federal or private requirement in North America that mandates an integrated approach. In the US, there is no direct statement that publicly funded companies are to be certified against ISO 27001. By contrast, under Japanese law and its Act on the Protection of Personal Information (Act No. 57 of 2003), there are rules (in chapter 2, etc.) that require public bodies within Japan to meet certain requirements.

Second, the Japanese government has established Japan's own "ISMS" scheme, which is identical to ISO 27001, under the Japanese accreditation body JIPDEC (http://www.isms.jipdec.jp/en/). This "ISMS" scheme is well promoted and has almost become a prerequisite for trade. Japan's own scheme has now merged with the ISO 27001 scheme.

Recently the National Institute of Standards and Technology released the final draft of FISMA 800-53 (Federal Information Security Act) which is fully harmonized with ISO 27001. 

Currently, FISMA will only affect government entities and subcontractors, but one must ask: is this the start of adoption of ISO 27001 by the US government? No one knows, but if you are implementing a new ISMS or improving the program you have, it would be a safe bet to consider ISO 27001.

Will FISMA facilitate the acceptance of ISO 27001 as the national information security standard?

This issue and many more are discussed during a one-on-one interview with Dr. Ron Ross of NIST.

Dr. Ross discusses how NIST is working with all facets of government to ensure a consistent, proactive process that will help decrease the risk to our critical infrastructure. If you are involved with planning, implementing or designing your organization's information security program, you need to listen to this podcast.

Listen to the podcast: https://cc.readytalk.com/play?id=alzn4x

This plan includes working with the international community and harmonizing with the international standards.

This trend is growing around the world in countries such as India, the UK, and Japan. The US now has 95 certified organizations and is continuously picking up momentum. Organizations should carefully consider this when implementing or improving their ISMS. As the popularity grows, so will the requirements to be ISO 27001 certified.

Article posted October 28, 2009