ISO 27001 Compliance, 2nd Person

Hillside Software
Glasgow, Scotland

2ndPerson records and tracks information security risks affecting our information assets. It helps the organization comply with the requirements of the ISO 27001:2005 standard for information security management. The application name "2ndPerson" relates to the 'segregation of duties' as a security control. For critical business processes, a "second person" is often used so a single person does not have complete control over, for example, large financial transactions. Segregation of duties can help ensure that mistakes are detected and the potential for deliberate fraud is reduced.

Hillside Software is formally certified as meeting the BS 7799-2:2002 standard from which the new ISO 27001 standard has been derived. We plan to upgrade our certification to new international standard by the time Bureau Veritas, our certification body, next visits.

Every business needs to take the security of its own, and its customers', information and IT assets seriously. This is especially important with the very real threats posed by the increased use of online systems and the Internet. Our certification to the BS7799 standard demonstrates that we have a structured approach to identifying and evaluating the information security risks affecting our business. It also shows we implement effective controls. The controls include use of virus detection software, encryption, backups, firewalls, and a range of policies and working practices aimed at ensuring our information and IT assets are available when needed — intact, and only accessed by those who are authorized to do so.

ISO certification means that our customers and partners have increased confidence in our information security management arrangements. Finally, it shows that "we practice what we preach", which is important, since a subset of our training courses portfolio focuses on IT security topics.

Application size and scope

The application uses a single Microsoft Access database containing 18 tables. The biggest table, which is the set of standard information security controls, contains 203 records. There are nine main Web pages and 11 Web pages for maintaining look-up data.

The project

The project took a single person less than a day to complete, including constructing the database structure from scratch. No special code extensions were created and no third-party components were added. A minimum of programming was involved.

Code extensions and customizations

No special code extensions were created and no third party components were added. A minimum of programming was involved.

Page layout customizations

We used the standard Iron Speed Designer design theme, 'Sinai'.

Metrics for success

The key objective was to enable our risk management data to be viewed and updated on the intranet by all relevant employees and contract staff. This objective was achieved.

Iron Speed Designer impact

Without Iron Speed Designer, the project would have been feasible but would have taken at least six times as long.

Next steps

The next step is to add automation to remind users when re-evaluations of risks are due. We are also thinking of providing a free copy of the tool to delegates at one of the information security courses that we offer. We also need some role-based security changes to bring the application up to the level expected by delegates.

About the developer

Richard Murray has more than 25 years experience as a software engineer, project manager and consultant. He works mainly with high integrity and safety-related information systems in the energy, defense and aerospace sectors. Richard is an Honours Graduate from the University of Glasgow, Scotland, and is a Fellow of both the British Computer Society and the Institute of Quality Assurance. He is well-known within the Scottish software community for his LOW-PAPER DIET approach to helping software developers comply with the ISO 9001 standard for quality management.