ISO 27001 certification process of electronic invoice in the State of Minas Gerais

Lindemberg Naffah Ferreira
Information Systems Course
Anhanguera College of Belo Horizonte
Belo Horizonte, Brazil

Silvana Maria da Silva Constante, Alessandro Márcio de Moraes Zebral, Rogério Zupo Braga, Helenice Alvarenga, Soraya Naffah Ferreira
Department of Information Technology, Secretariat of Finance of the State of Minas Gerais
Belo Horizonte, Brazil
{silvana.constante, alessandro.zebral, rogerio.zupo, helenice.alvarenga, soraya.naffah}

Abstract: This paper presents the process by means of which the Secretariat of Finance of the State of Minas Gerais intends to obtain an ISO 27001 certification of the Electronic Invoice authorization. In 2007, the Secretariat of Finance of Minas Gerais started the Electronic Invoice (NF-e) project, which involves replacing the conventional paper invoice by a document issued and stored electronically, which exists only digitally. The purpose of the Electronic Invoice is to document the movement of goods between seller and buyer that is subject to State taxes. The legal validity of the Electronic Invoice is guaranteed by the issuer's digital signature and by the reception of the data by the Secretariat of Finance of Minas Gerais before the movement of the goods. The information technology architecture of the Electronic Invoice authorization process of the Secretariat of Finance of the State of Minas Gerais is intended to ensure three basic objectives: 1) availability; 2) scalability; and 3) elimination of single points of failure. So, the Secretariat of Finance of the State of Minas Gerais concluded that the ISO 27001 certification of the information technology production environment, evaluated by external entities, namely certification bodies, would explicitly demonstrate the commitment of the State of Minas Gerais to the general public and to the entrepreneurs who are based in Minas Gerais or who intend to establish themselves in the State in the near future. This work presents some of the difficulties faced by the Secretariat of Finance of the State of Minas Gerais during the preparation for the ISO 27001 certification, which is a major step to ensure the security requirements of information assets that are critical to the business. To the best of our knowledge, this is the first ISO 27001 certification process of the Electronic Invoice authorization in Brazil, and the first ISO 27001 certification process in the executive branch of the direct administration in Brazil, at all three levels of government.

Keywords: ISO/IEC 27001; Information security; Electronic invoice

I. INTRODUCTION

Asserting that information is an essential resource for modern organizations, whether public or private, is almost a truism. In fact, nobody living in the 21st century can deny the role of information in everyday activities. Its importance is even greater for organizations dealing with finance, such as banks, insurance companies and Secretariats of Finance or Departments of Treasury.

In recent years, with the arrival of the Internet and electronic transactions, the risks related to information security have increased exponentially. In fact, the Information Security Breaches Survey 2013, carried out during the Infosecurity Europe conference, whose results were analyzed by Price Waterhouse Consulting, commissioned by the Department for Business, Innovation and Skills of the British government, states that the average cost of a security breach during 2012, among the large organizations surveyed (i.e., those with 250 employees or more), ranged from 450,000 to 850,000 British pounds, with many incidents resulting in losses of more than 1,000,000 British pounds. According to the same report, in total, the cost to UK plc of security breaches is of the order of billions of pounds per annum; it has roughly tripled over the last year [1].

That is why, among other reasons, the Secretariat of Finance of the State of Minas Gerais (SEF/MG) decided to pursue a security certification for the scope of its electronic invoice (NF-e, for its acronym in Portuguese) authorization system, in the production environment. The electronic invoice (NF-e) system, which is part of the Public Digital Accounting System (SPED, for its acronym in Portuguese), is extremely important for the SEF/MG, as well as for all the state-level tax authorities in Brazil and also for the Secretariat of the Federal Revenue. This system is critical, too, for companies based in the State of Minas Gerais, since it can affect its
II. ELECTRONIC INVOICE

The electronic invoice system (NF-e) intends to replace almost all hard-copy invoices issued in business-to-business transactions in Brazil with electronic documents whose existence is solely digital. These electronic documents must adhere to an XML format approved by the Permanent Technical Commission of the National Finance Policy Council (COTEPE/CONFAZ, for its acronym in Portuguese), and must be digitally signed. The use of electronic invoices brings huge benefits for the taxpayers, as well as for the tax authorities and for society in general, providing greater agility for businesses and improving the capacity to fight tax evasion. In fact, using an electronic invoice makes it easier to accomplish integrated and coordinated tax oversight actions involving authorities from different government levels. It also simplifies the data exchange between those authorities and allows the cross-checking of information provided by taxpayers. From society's perspective, the use of electronic invoices reduces paper consumption and the cost of commercial transactions. It also creates new opportunities for businesses that intend to develop invoicing software.

It is worth mentioning that electronic invoicing in Brazil has strict regulations for taxpayers, but also for the government. In fact, the electronic invoice (NF-e) must be received and validated by the tax authorities before any transaction occurs. If the transaction isn't authorized by the government, the transportation and/or the delivery of the goods is illegal and can result in sanctions. For this reason, the authorization of the Brazilian electronic invoice (NF-e) has challenging service levels, such as availability 24 hours a day, 365 days a year. Besides, the invoices received must be processed in up to 3 minutes for at least 95% of the total volume received in a period of 24 hours. In the State of Minas Gerais, this volume may reach over 1,000,000 electronic invoices (NF-e) to be processed during a regular day, and more than 900,000 electronic invoices (NF-e) authorized, since some of them aren't approved. This poses many demands in processing and storing an enormous amount of data, without sacrificing the availability and the response times required. Any unavailability or poor performance in the authorization of electronic invoices (NF-e) can compromise the capacity of doing business of many companies based in Minas Gerais, particularly those that rely on production strategies like just in time. In other words, any problem with the electronic invoice (NF-e) authorization system of the State of Minas Gerais can cause harm beyond the government's revenue, impacting the economy and even leading to a reduction of the gross domestic product (GDP) of this State (about 9% of the Brazilian GDP).

According to the NIST [2], information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. Stallings [3] defines confidentiality as the property which ensures that the information in a computer system and transmitted information are accessible only for reading by authorized parties. The same author explains that integrity is the property which ensures that only authorized parties are able to modify computer system assets and transmitted information. He explains further that availability is the property which requires that computer system assets be available to authorized parties when needed.

Quoting Arnason and Willet [4], ISO 27001:2005, Information Security Management Systems Requirements, provides, as stated by its name, requirements for an Information Security Management System (ISMS) and describes a process for achieving one. This standard has its origins connected to the British standard BS 7799 Part 2. ISO 27001 is part of a family of standards, known as the ISO 27000 family, which contains other important standards, such as ISO 27002 (whose origin is related to BS 7799 Part 1), a Code of Practice for Information Security that contains 12 chapters addressing security controls. This standard provides knowledge about security controls to protect information, but doesn't explain how to apply these controls. On the other hand, ISO 27001 provides direction on how to establish a management system that helps to select controls and to establish good practices to apply the security controls [4]. The ISO 27001 standard proposes a four-phase approach to establishing the ISMS, namely, the Plan-Do-Check-Act (PDCA) cycle. In this cycle, the Plan phase (establishing the ISMS) consists of the definition of the information security policy and of the procedures related to risk management, as well as the establishment of the ISMS objectives. The Do phase comprises the implementation of the ISMS, making effective use of the policy, controls, processes and procedures. The execution of the Check phase requires the assessment and measurement, if applicable, of the performance of the processes, comparing them against the policy. Therefore, this phase requires the permanent monitoring and review of the ISMS. Finally, the Act phase consists in carrying out corrective and preventive actions related to the ISMS, as a result of internal audit and management review. It intends to provide continuous improvement of the ISMS.

So, the certification process requires the definition of an information security policy; the definition of the scope of the ISMS; performing a risk analysis for the scope of the ISMS; the decision about how to manage the risks identified; and selecting the objectives and controls to be implemented, as expressed in a Statement of Applicability. After this, the controls selected must be implemented and it is possible to undertake a

FINANCE OF THE STATE OF MINAS GERAIS

The Secretariat of Finance of the State of Minas Gerais (SEF/MG) hired a consulting firm in 2005 for the purpose of assessing information security issues. This firm was also responsible for recommending remedies for the detected flaws and for supporting the implementation of measures intended to reduce risks. As a part of this work, a risk analysis of the assets of SEF, namely people, processes, equipment and software, especially the equipment and software installed in the SEF Data Center, was executed. After that, SEF/MG decided how to manage the risks identified (i.e., accept some of them and mitigate the others) and how to fix them.

As a consequence of this work, SEF/MG officially defined and implemented an Information Security Policy in December 2006. At the same time, an information security educational campaign was carried out among the workforce of SEF/MG. At this point, however, an information security management system was not defined. This was done in 2007, but not with the goal of attaining a security certification.

In 2009, however, taking account of the importance of the process of authorization of electronic invoices (NF-e) to the State of Minas Gerais, it was decided to implement the information security management system within the scope of the electronic invoice authorization system, in the production environment. Thereafter, the information security management system was defined on this scope, but this time with the purpose of getting the security certification.

A risk analysis was performed in the scope defined for certification, and decisions were made to address the risks identified. Some objectives and controls were selected from ISO 27002 to be implemented. Of course, controls from other sources beyond ISO 27002 could have been selected, but SEF/MG considered it more appropriate to implement only the controls described in the standard mentioned above. However, there are controls in ISO 27002 that were not applicable to the scope of the certification in SEF. A statement of applicability (SoA) was prepared to record the decisions made about which controls should be implemented.

Unfortunately, it was not possible to finish the certification process by the end of 2009 or in early 2010, as planned. At that time, it was not possible to hire a company to perform the external audit required in the certification process, because of some difficulties related to the procurement process. In fact, this company was hired only in 2012. It is worth mentioning, however, that the members of the workforce involved in the scope of certification didn't have enough maturity in 2009 to implement all applicable controls. So, even if the audit firm had been hired, the certification would probably not have been achieved then.

In early 2012, after the procurement of the company responsible for external auditing in the certification process, it was necessary to arrange the hiring of a consulting firm to monitor the certification process, which only occurred in late 2012. Because the work started in 2009 had not been completed, the same company that had begun the work (monitoring and supporting the certification process) was then hired.

As a result of this delay, the documentation built in 2009 became outdated. In addition, there were major changes to the scope of certification, including the teams that performed activities in this scope. The statement of applicability also had to be modified. Successive changes in scope, more than 30 in all, have resulted in rework.

Even the members of SEF's information security team who participated in the work carried out in 2009 have changed. The new members of SEF's information security sector had no contact with the consulting team that started the job. Even the consulting team experienced many changes. This problem was compounded by the fact that not all decisions made in 2009 were sufficiently documented.

In addition, the new members of the information security team had not been trained in the risk management tool used by SEF and learned to use it in practice, which consumed more time than would be desirable.

Another problem that plagues many certification processes, and SEF/MG was by no means different, is the difficulty in assigning higher priority to activities related to information security, even with the blessing of the board of the company. Typically, professionals working in the scope of certification spend too much time ensuring the functioning of the information systems infrastructure, leaving little time to focus on the certification process. Thus, changes in the scope of certification processes, which should be reported promptly to the security team, take time to be communicated, which slows the update of the corresponding documents. In most organizations, and SEF/MG is an example, it is understood that information security is the responsibility of one sector and not, as would be correct, of all employees. Changing this picture requires relentless work. It is already possible to see positive changes in the behavior of the group of SEF employees due to past efforts.

Professionals who are part of the scope are more aware of information security risks and are more concerned about adopting and following processes in their activities.

As a result of the implementation of a formal process for changes, modifications in the production environment of the electronic invoice authorization system are being carried out in a more organized and professional manner, which contributes to the stability of that system.

The involvement of the audit sector of SEF in the certification process will bring benefits to other audit procedures related to information technology.

VII. CURRENT STATUS

As a result of an internal audit conducted by the consulting firm hired, with the participation of the audit sector of the SEF/MG, some non-conformities were identified. As a consequence, the top management became more involved in the certification process, trying to address the problems identified during the auditing.

On July 1st, a new Information Security Policy was approved by the Governance Body. The new Policy was the result of six months of revision work. It contains many changes necessary to the certification process.
Weekly meetings are being held to track the progress of the solution of pending issues identified in the internal audit. A new internal audit will be held in late July 2013. The team involved in this audit will be composed of two auditors from the audit sector of SEF, trained in late June 2013 as Lead Auditors for ISO 27001.

The external pre-audit for certification is scheduled for the end of September 2013. The external audit shall be scheduled within 90 days of the pre-audit.

Getting a security certification in a public organization involves additional challenges related to the procurement of services and the need to meet legal regulations.

It is important to review the information security policy periodically. The SEF had not reviewed its information security policy for over six years, which was harmful. From now on, it will be reviewed every 18 months.

It is important to pursue the certification process without interrupting it, if possible. During interruptions the documentation can become outdated. Moreover, there may be changes in the team and in the remainder of the scope, resulting in much rework.

Even if and when the SEF gets its certification in information security, this will not be the end of the process, but just its beginning. In fact, new audits will be performed in the scope of certification every 6 or 12 months, during the period of validity of the certification, which is 3 years. In addition, many changes will occur in the scope in the next months, such as the move to a new data center and the deployment of new ITIL processes using a Service Desk tool.

REFERENCES

[1] Department for Business, Innovation and Skills, Information Security Breaches Survey 2013. London, 2013, p. 2.
[2] R. Kissel (ed.), Glossary of Key Information Security Terms, 2nd rev. Gaithersburg: National Institute of Standards and Technology, 2013, p. 94.
[3] W. Stallings, Cryptography and Network Security: Principles and Practice, 5th ed. Boston: Prentice Hall, 2011, pp. 10-11.
[4] S. T. Arnason and K. D. Willet, How to Achieve 27001 Certification: An Example of Applied Compliance Management. Boca Raton: Auerbach, 2007, pp. 9-18.

