Abstract

The ISO 27001 standard from the ISO/IEC 27000 family is a well-known reference framework for information security management. It defines and details the controls and processes required for compliance with recognised security practices, and it gives companies guidance and tools to protect their technological environment and their information adequately against security breaches, which in turn increases the trust of their customers. Being ISO 27001 compliant provides a real competitive advantage and is even a requirement in some RFP tenders. Compliance with ISO 27001 or with an equivalent governance framework, such as COBIT, is not a luxury for certain companies, especially those offering cyber security services. Such a framework has become a must for working with companies that face specific regulatory and legal constraints, such as PCI and SOX in banking environments, or SOC I & II and NERC for companies operating operational technology (OT) (SCADA/ICS) environments in North America. This paper puts forth a practical use case inspired by a real project initiated to reinforce the security governance framework of a major IT company, Bell Multi Services (Bell MS), that offers cyber security services to financial firms and OT (SCADA/ICS) companies. To avoid advertising or unintentionally revealing confidential information, some details that are too specific and not relevant to this paper have been removed. The security and compliance programme executed for this company is identified by a fictitious name, the SecurePhoenix programme. The objective of this programme was to enhance the level of the security services (risk management, logging and monitoring management, incident management, vulnerability management, identity and access management, etc.) offered by the Bell Canada Multi Services security team to multiple clients (referred to here by the fictitious name Bell Security Operational Center, or Bell SOC).
A year after SecurePhoenix launched all of its projects, the three triad parameters (budget, time, quality) were all in the red. Bell Canada, or more specifically Bell MS, therefore hired the current author's company for its project management, audit and cyber security expertise to bring the programme back on track.
