Implementation of ISO 27001
The implementation of quality management systems (QMS) in Slovenian companies has increased in the last decade, and this has also paved the way for a new, more specific management system for information security that follows the requirements of ISO/IEC 27001:2005. The standard is well recognized in IT circles and helps companies achieve a more stable and controlled IT environment. Since 2006, when there were 3 certified companies, the implementation of some or all requirements of the standard has entered the management process of many organizations, and now there are 7 certified companies. Implementation trends show that managers and owners of companies have realized that information is the key to a long-term presence on the market. Besides the business impact, legislation is becoming stricter, and some of the requirements in the standard are also required knowledge for companies that are interested in providing outsourced digital archives, backup and restore centres and other storage of sensitive information. SIQ certified 6 out of 7 companies - Palsit, Elektro Ljubljana, Astec, Simt, Krka and Unistar LC. All of the last five companies saw potential in implementing this standard, and the basic knowledge of management systems they had came from implementing the quality requirements of ISO 9001:2000. This knowledge helped the companies adapt quickly to the requirements of the new standard, and as their understanding of the standard improved, they became more aware of the risks to information arising from the environment and from the company itself. Mina Žele, Ph. D., CISA from Astec d.o.o. has worked on the implementation of the standard and now works as the head of information security in the company. 
She explains the benefits that the company had from the implementation and the troubles they faced from the beginning until now: "The main activity of the company Astec is the design, development, implementation and maintenance of information technology solutions as well as consulting regarding information security. Information security has always been considered an important element in providing services. The initiative to achieve compliance with the ISO/IEC 27001:2005 standard came from the company management, who recognized the ISO/IEC 27001:2005 certificate as reliable proof of the company's ability to treat information with appropriate care and which can therefore increase the credibility of the company's services. The project of implementing the ISO/IEC 27001:2005 standard started at the beginning of 2006, while the final intensive preparations for certification of the information security management system (ISMS) began in September 2006 and took approximately six months. Although Astec is a medium enterprise with 50 employees and could lean on an already implemented quality management system, a lot of time and resources were still required to fully establish and operate an ISMS according to ISO/IEC 27001:2005 requirements. At the start the main challenge was to involve the responsible employees in providing relevant information for setting the scope and performing the gap analysis, which is described in ISO/IEC 27002:2005 - Code of practice for information security management - the standard that establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management. At this point it was crucial that the company manager declared the importance of ISO/IEC 27001:2005 compliance for the company's future business strategy and clearly conveyed the message at several meetings with all the employees. 
The most time-consuming activity was making the state inventory, collecting the existing documents, verbal policies and procedures regarding information security. Based on the gathered information, a risk analysis was performed in which all the information security risks that the company is facing were assessed using a single criterion. The results of the risk assessment helped us in deciding which procedures should be changed or improved and what technical security mechanisms should be introduced and implemented. The applied technical controls were mainly related to physical security and were much easier to apply compared to organizational procedures, which are equally important in order to achieve the desired level of information security. A lot of effort was devoted to establishing regular meetings of the security forum, performing the internal ISMS audit, and training the employees to follow newly introduced rules, such as information security incident reporting, dealing with visitors and classification of information. Compliance and certification according to ISO/IEC 27001:2005 brought several benefits. By introducing new security mechanisms and procedures, the overall level of information security was increased. The ISMS documentation, such as the inventory of assets and roles and responsibilities, contributed to better control of the IT environment. Documented procedures for secure information handling reduced the time that employees used to spend finding out what the valid procedure is in each specific case. One of the most important effects was also better awareness among the employees regarding security threats and the value of information. Since the effectiveness of the ISMS was assessed by an external organization during the certification process, the certificate is also proof that Astec provides a high level of information security and as such contributes to a better competitive position in the market." 
The value that information represents for companies today is greater than ever before, and the cost of protecting that asset is increasing. Therefore security must be both effective and cost-efficient. The standard ISO/IEC 27001:2005 helps because the good practices for protecting information are embodied in its controls. As technology changes, new risks to information assets appear, and we must be able to control our information environment. The best solution for this is to implement the controls of the standard within the context of the organization's overall business risks.

Authors: Miha Ozimek, Spec., SIQ; Mina Žele, Ph. D., ASTEC d.o.o.
www.siq.si