Prepared by the international community of implementers at ISO27001security.com Version 0.7 5th June 2007
This is a collaborative document created by ISO/IEC 27001 and 27002 implementers belonging to the ISO27001security implementers' forum. We wanted to document and share some pragmatic tips for implementing the information security management standards, plus potential metrics for measuring and reporting the status of information security, both referenced against the ISO standards.
This guidance covers all 39 control objectives listed in sections 5 through 15 of ISO/IEC 27002 plus, for completeness, the preceding section 4 on risk assessment and treatment.
This document is meant to help others who are implementing or planning to implement the ISO information security management standards. Like the ISO standards, it is generic and needs to be tailored to your specific requirements.
This work is copyright © 2007, ISO27001security implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27001security forum (www.ISO27001security.com), and (c) derivative works are shared under the same terms as this.
Copyright © 2007, ISO27001security forum
Page 1 of 13
4. Risk assessment and treatment
4.1 Assessing security risks
4.2 Treating security risks

Implementation tips:
- Can use any information security risk management method, with a preference for documented, structured and generally accepted methods such as OCTAVE, MEHARI, ISO TR 13335 or BS 7799 Part 3 (and in due course ISO/IEC 27005).
- Management (specifically, the information asset owners) need to assess risks and decide what (if anything) to do about them. It is acceptable for management to decide explicitly to do nothing about certain information security risks deemed to be within the organization's "risk appetite", but not for this to be the default approach! Such decisions must be documented as a Risk Treatment Plan (RTP).

Potential metrics:
- Relative proportions of risks identified and assessed as high, medium or low significance, plus 'unassessed'.
- Trend in numbers of information security-related risks at each significance level.
- Proportion of information security risks for which satisfactory controls have been fully implemented.

5. Security policy
5.1 Information security policy

Implementation tips:
- Think in terms of an information security policy manual or wiki containing a coherent and internally consistent suite of policies, standards, procedures and guidelines.
- Identify the review frequency of the information security policy and the methods by which the policy will be disseminated organization-wide.

Potential metrics:
- Policy coverage (i.e. are the policies plus associated standards, procedures and guidelines specified, written, approved or issued) across all sections of ISO 27001/2.
- Extent of policy deployment and adoption across the organization (measured by Audit, management or Control Self Assessment).
- Review of the suitability and adequacy of the information security policy may be included in the management review.
- Information security costs as a proportion of total revenue or IT budget.
6. Organizing information security
6.1 Internal organization

Implementation tips:
- Mirror the structure and size of other specialist corporate functions such as Legal, Risk and Compliance.

Potential metrics:
- Proportion of organizational functions/business units for which a comprehensive strategy has been implemented to maintain information security risks within thresholds explicitly accepted by management.
- Proportion of employees who have (a) been assigned, and (b) formally accepted, information security roles and responsibilities.

6.2 External parties

Implementation tips:
- Inventory network connections and significant information flows to third parties, then risk assess them and review the information security controls in place against the requirements. This is bound to be scary, but it's 100% necessary!
- Consider requiring ISO 27001 certificates of critical business partners such as IT outsourcers, providers of security-related IT services etc.

Potential metrics:
- Proportions of 3rd party connections that have been identified, risk-assessed and deemed secure.

7. Asset management
7.1 Responsibility for assets

Implementation tips:
- Build and maintain an information asset registry (similar in nature to that prepared for Y2k), showing information asset owners (managers who are accountable for protecting their assets) and relevant asset details (e.g. locations, serial numbers, version numbers, dev/test/production status etc.).
- Use bar-codes to facilitate easy stock-takes/inventory checks and to associate IT equipment moving off- and on-site with employees.

Potential metrics:
- Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
- Relative proportions of information assets at each stage of the classification process (identified / inventoried / asset owner nominated / risk assessed / classified / secured).

7.2 Information classification

Implementation tips:
- Keep it simple! Aim to distinguish baseline (across-the-board) from enhanced security requirements according to risk. Start with confidentiality, perhaps, but don't neglect integrity and availability requirements.

Potential metrics:
- Relative proportions of information assets in each classification category (including not-yet-classified).
8. Human resources security
8.1 Prior to employment

Implementation tips:
- In conjunction with HR, ensure a screening process is in place that is commensurate with the security classification of the information to be accessed by the incoming employee. Simply put, the process of hiring should be a lot different for a clerk or an IT system administrator. Look into background checks, verification of claimed educational attainment and skill sets etc.

Potential metrics:
- Proportion of new employees plus pseudo-employees (contractors, consultants, temps etc.) that have been fully screened and approved in accordance with company policies prior to starting work.

8.2 During employment

Implementation tips:
- Responsibility towards protection of information does not end when an employee leaves for home or leaves the organization. Ensure that this is clearly documented in awareness materials, employment contracts etc.
- Consider an annual employment contract review by HR, say on the employment anniversary, to refresh expectations stated in the terms and conditions of employment including their commitment to information security.

Potential metrics:
- Response to security awareness activities, measured by, say, the number of emails and calls relating to individual awareness initiatives.

8.3 Termination or change of employment

Implementation tips:
- Look at which accesses you need to revoke first when an employee files his/her resignation letter: which are the most critical or vulnerable systems? Track use of email by resignees prior to leaving in case they start sending confidential information out.
- Return of the organization's assets when an employee leaves would be much easier if your asset inventory was regularly updated and verified by the individual department, with the employee, during the latter's employment. Refer to Section 7.1.

Potential metrics:
- Proportion of userIDs belonging to people who have left the organization, separated into active (pending deactivation) and inactive (pending archival and deletion) categories.
9. Physical and environmental security
9.1 Secure areas

Implementation tips:
- The standard seems to focus on the computer suite but there are many other vulnerable areas to consider, e.g. "departmental servers", wiring closets, and filing cabinets everywhere (remember: the standards are about securing information, not just IT).
- Look into the ingress and egress of people into and from your organization. How far could the pizza or FedEx delivery person go without being challenged, authenticated and accompanied? What could they see or pick up or hear while they are inside? Some organizations use color-coded identification tags to signify the areas accessible by visitors (e.g. Blue for 1st floor, Green for 3rd floor etc.). Now if you see a green ID on the 4th level, frag 'em!
- Be sure to retrieve staff and visitor passes when they leave. Have visitor passes turn opaque or otherwise appear invalid after so many hours from issue. Have card-access systems disallow and alarm on attempted access. Be especially vigilant at back doors, loading ramps, smoking exits etc.

Potential metrics:
- Reports from periodic physical security site surveys, including regular status updates on corrective items identified in previous surveys and still outstanding.

9.2 Equipment security

Implementation tips:
- Have site security stop anyone (employees, visitors, IT support people, couriers and office removals people etc.) from removing IT equipment from site without written authority. Make this a visible deterrent with random stop-checks (if not airport-style metal detectors!). Consider bar-coding equipment to make stop-checks and stock-checks more efficient.

Potential metrics:
- Number of stop- or stock-checks performed in the previous month, and proportion of checks that revealed unauthorized movement of IT equipment, media etc. or other security issues.
10. Communications and operations management
10.1 Operational procedures and responsibilities

Implementation tips:
- Document information security procedures, standards and guidelines, plus roles and responsibilities, identified in the organization's information security policy manual.

Potential metrics:
- Security-related IT process maturity metrics such as the "half-life" for applying security patches (the time taken to update at least half the population of vulnerable systems; this measure helps avoid the variable tail caused by the inevitable few systems that remain unpatched because they are not in daily use, are normally out of the office or whatever).
- Numbers and trends of rolled-back/reversed-out changes, and rejected changes vs. successful changes.
- Relative proportions of emergency, high, medium and low risk changes.

10.2 Third party service delivery management

Implementation tips:
- Are you getting your money's worth? Answer this question and support it with facts by establishing a monitoring system for 3rd-party service providers and their respective service deliveries. Look at periodic review of service-level agreements (SLA) and compare it with monitoring records. A reward and penalty system may work in some cases.

Potential metrics:
- Cost of downtime due to non-fulfillment of service level agreements.
- Performance evaluation of 3rd-party providers to include quality of service, delivery, cost etc.

10.3 System planning and acceptance

10.4 Protection against malicious and mobile code

Implementation tips:
- Combine technological controls (e.g. anti-virus software) with non-technical measures (education, awareness and training). It is not much help having top of the line anti-virus software if employees keep on opening emails from unknown senders or downloading files from untrusted sites!

Potential metrics:
- Trends in the number of viruses, worms, Trojans or spams detected and stopped.
- Number and cumulative costs of malware incidents.
10.5 Back-up

Implementation tips:
- Implement back-up and restore procedures that satisfy not only contractual requirements but also the "internal" business requirements of the organization. Take inputs from the Risk Assessment exercise on what information assets are more significant and use this information in creating your back-up and restore strategy. Choice of storage, media to be used, back-up appliance, frequency of back-up and testing of backup media needs to be decided upon and established.
- Encrypt backups and archives containing sensitive or valuable data (in practice, that's virtually all of them, otherwise why take backups?).

Potential metrics:
- Proportion of backups and archives containing sensitive or valuable data that are encrypted.
- Proportion of back-up operations that are successful.
- Proportion of test backup restores that are successful.
- Mean travel time to retrieve back-up media from off-site storage to a successful restored state at all primary locations.

10.6 Network security management

Implementation tips:
- Prepare and implement technical security standards, guidelines and procedures for network platforms and network security tools such as IDS/IPS, vulnerability management etc.

Potential metrics:
- Number of network security incidents identified in the previous month, divided into minor/significant/serious categories, with trends analysis and narrative descriptions of all serious incidents and adverse trends.

10.7 Media handling

Implementation tips:
- Secure media and information in transit not only physically but also electronically (via the networks). Encrypt all sensitive/valuable data prior to being moved.

Potential metrics:
- Proportion of physical backup/archive media that are fully encrypted.

10.8 Exchange of information

Implementation tips:
- Look into alternate and "pre-approved" communications channels, particularly secondary email addresses should the primary email address fail. Verifying alternate comms channels would help save a lot of time and headaches in the long run.

Potential metrics:
- Proportion of third-party links for which information security requirements have been satisfactorily (a) defined and (b) implemented.

10.9 Electronic commerce services
10.10 Monitoring

Implementation tips:
- The old quality assurance axiom "you can't control what you can't measure or monitor" holds true for information security. The necessity of implementing monitoring processes is now more evident as measurement of the effectiveness of controls is made an explicit requirement. Look at the criticality and significance of the data that you are going to monitor and how this affects the overall business objectives of the organization in relation to information security.

11. Access control
11.1 Business requirement for access control

Implementation tips:
- Information asset owners who are held accountable by management for protecting "their" assets should have the ability to define and/or approve the access control rules and other information security controls. Make sure they are held to account for breaches.

Potential metrics:
- Proportion of corporate application systems for which suitable "owners" have (a) been identified, (b) formally accepted their ownership responsibilities, (c) undertaken (or commissioned) risk-based application security and access reviews, and (d) defined role-based access control rules.

11.2 User access management

Implementation tips:
- Set up a discrete "security admin" function with operational responsibilities for applying the access control rules defined by application owners and Information Security Management. Invest in providing security admin with the tools to do their jobs as efficiently as possible.

Potential metrics:
- Average delay between access change requests being raised and actioned, and number of access change requests actioned in the previous month (with trends analysis and commentary on any peaks/troughs, e.g. "New Finance application implemented this month").

11.3 User responsibilities

Implementation tips:
- Ensure security responsibilities are established and understood by the incumbent personnel. A good strategy is to clearly define and document responsibilities for information security in job descriptions or job profiles. Periodic review is a must to keep track of changes. Disseminate job profiles periodically to the employees (e.g. at annual performance appraisal time) to remind them of their responsibilities and gather any updates.

Potential metrics:
- Proportion of job descriptions that include (a) fully documented and (b) formally accepted information security responsibilities.
11.4 Network access control

Implementation tips:
- Balance network perimeter (LAN/WAN) and internal (LAN/LAN) security controls against application security controls (defense in depth).

Potential metrics:
- Firewall statistics such as proportion of outbound packets or sessions that are blocked (e.g. attempted access to blacklisted websites), and number of potential hacking attacks repelled, categorized into trivial/of some concern/critical.

11.5 Operating system access control

Implementation tips:
- Implement baseline security standards for all the main computing and telecoms platforms, reflecting best practice advice from CIS, NIST, system vendors etc.

Potential metrics:
- Proportion of platforms that are fully compliant with baseline security standards (as determined by independent testing), with notes on non-compliant systems (e.g. "Finance system due to be upgraded to compliant platform in Q4").

11.6 Application and information access control

Implementation tips:
- Implement baseline security standards for all the main application systems and middleware, reflecting best practice advice from CIS, NIST, software vendors etc.

Potential metrics:
- System and network vulnerability statistics such as the number of known vulnerabilities and patches closed, open and new, and the average speed of patching vulnerabilities (analyzed by vendor or in-house priorities/categories).

11.7 Mobile computing and teleworking

Implementation tips:
- Have clearly defined policies for the protection of not only the mobile computing facilities themselves (i.e. laptops, PDAs etc.) but, more importantly, the information stored on them. As a rule, the information value far exceeds that of the hardware.
- Ensure the level of protection of information processing facilities being used inside the organization's premises "matches" the level of protection of your mobile computing facilities, such as anti-virus software, firewall software etc.

12. Information systems acquisition, development and maintenance
12.1 Security requirements of information systems

Implementation tips:
- Get "information asset owners" involved in high-level risk assessments and get their sign-off on the security requirements arising. If they are truly accountable for protecting their assets, it is in their interest to get it right!

Potential metrics:
- See 11.1.

12.2 Correct processing in applications
Patch latency i. are not compliant.6 Technical vulnerability management Track security patches constantly using vulnerability management and/or automated update tools where available (e. by including security "hooks" in development and operations/change management procedures and methods.e. for which no approved baseline exists. CIS. procedural documentation and training).Ref. or take othe remedial actions. deployment half-life (time taken to patch half the vulnerable population of systems . Copyright © 2007. is those that have not been assessed.3 Subject Cryptographic controls Implementation tips Potential metrics Use current formal standards such as AES rather than home. Microsoft Update or Secunia Software Inspector). for which suitable cryptographic controls have been fully implemented (3.avoids seemingly random changes due to a few very late systems such as portables out in the field or in store). Integrate security improvements into change management activities (e. ISO27001security forum Page 10 of 13 . 12. or followed. Assess the relevance and criticality/urgency of patches in YOUR technical environment.Proportion of systems containing valuable/sensitive data grown algorithms. Treat software development and implementation as a change process. as quickly and as widely as possible for security vulnerabilities that affect your systems and are being actively exploited in the wild. 12.g.to 12-monthly reporting period). Test and apply critical patches.4 Security of system files 12. NIST etc. best practice advice from equipment vendors. Implementation is crucial! Proportion of systems independently assessed as fully Apply baseline security standards consistently. ensuring that compliant with approved baseline security standards vs. Embed information security into the system development lifecycle at all stages from conception to death of a system. 
Avoid falling so far behind on the version update treadmill that your systems fall out of support.g.5 Security in development and support processes 12.
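The patch "half-life" metric is proposed under 10.1 and again under 12.6 (patch latency). It is simple to compute, but the point the text makes about the tail is easy to lose if unpatched systems are silently dropped or counted as patched on the reporting date. The following Python is an added worked example, not part of the forum's document: it takes a constructed set of per-system patch dates for one hypothetical patch release and computes the deployment half-life alongside the plain mean latency, so the stabilising effect the text attributes to the half-life (the late laptop and the systems in store do not move it) can be seen directly. The system names, dates and population size are all constructed sample data.

```python
from datetime import datetime
from statistics import mean
from typing import Optional

# Constructed sample data: one patch release and the date each vulnerable
# system actually received it (None = still unpatched on the measurement date).
PATCH_RELEASED = datetime(2007, 5, 1)
MEASURED_AT = datetime(2007, 6, 5)

# (system name, date patched) -- hypothetical values, not real inventory data
PATCH_RECORDS = [
    ("fin-app-01", datetime(2007, 5, 2)),
    ("fin-app-02", datetime(2007, 5, 2)),
    ("hr-db-01", datetime(2007, 5, 3)),
    ("web-01", datetime(2007, 5, 4)),
    ("web-02", datetime(2007, 5, 4)),
    ("mail-01", datetime(2007, 5, 6)),
    ("laptop-017", datetime(2007, 5, 21)),   # a late portable, back in the office
    ("laptop-042", None),                    # out in the field, still unpatched
    ("spare-in-store", None),                # in store, never switched on
    ("kiosk-03", None),
]


def patch_latencies_days(records, released):
    """Days from release to patch for each patched system; unpatched excluded."""
    return [(patched - released).days for _, patched in records if patched is not None]


def deployment_half_life_days(records, released) -> Optional[int]:
    """Days after release by which at least half the vulnerable population was
    patched. Returns None while fewer than half are patched: the half-life is
    then not yet observable, and reporting a stand-in number would mislead."""
    latencies = sorted(patch_latencies_days(records, released))
    population = len(records)
    needed = -(-population // 2)          # ceiling of population / 2
    if len(latencies) < needed:
        return None
    return latencies[needed - 1]          # latency of the system that crossed 50%


def proportion_patched(records, at) -> float:
    """Fraction of the whole population patched no later than the given date."""
    done = sum(1 for _, patched in records if patched is not None and patched <= at)
    return done / len(records)


def mean_latency_days(records, released, at) -> float:
    """Plain mean latency, counting each unpatched system as if patched on the
    measurement date. This is the figure the tail drags around month by month."""
    days = [((patched if patched is not None else at) - released).days
            for _, patched in records]
    return mean(days)


if __name__ == "__main__":
    print("deployment half-life (days):", deployment_half_life_days(PATCH_RECORDS, PATCH_RELEASED))
    print("proportion patched by measurement date:", proportion_patched(PATCH_RECORDS, MEASURED_AT))
    print("mean latency including tail (days):", mean_latency_days(PATCH_RECORDS, PATCH_RELEASED, MEASURED_AT))
```

With the sample data the half-life is 3 days while the mean latency is 14 days, and the mean keeps growing every month the three stragglers stay unpatched; the half-life does not change whether laptop-017 was patched on day 20 or never, which is exactly why the text prefers it for trend reporting. The proportion patched by the measurement date is still worth reporting beside it, since the half-life alone says nothing about the tail.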
13. Information security incident management
13.1 Reporting information security events and weaknesses

Implementation tips:
- Set up and publicise a hotline (generally the standard IT Help/Service Desk) for people to report security-related incidents, near misses and concerns.
- From the stats, create and publish a league table of departments (adjusted for number of employees per dept), showing those that are clearly security-conscious vs those that are evidently asleep at the wheel.

Potential metrics:
- IT Help/Service Desk statistics with some analysis of the number and types of calls relating to information security (e.g. password changes, queries about information security risks and controls as a proportion of all queries).
- Number and gravity of breaches, if not some assessment of their costs to analyze, stop and repair the breaches and identify any tangible and intangible losses incurred.

13.2 Management of information security incidents and improvements

Implementation tips:
- Post-incident reviews and case studies on serious incidents such as frauds illustrate control weaknesses and improvement opportunities, and also form an effective security awareness-raising mechanism in themselves.

Potential metrics:
- Proportion of security incidents that caused costs above acceptable thresholds defined by management.

14. Business continuity management
14.1 Information security aspects of business continuity management

Implementation tips:
- Treat business continuity management as a "management" process with inputs coming from various functions (top management, IT, operations, HR etc.) and activities (risk assessment etc.). Ensure consistency and awareness by relevant people and organizational units in the business continuity plans.
- Relevant exercises (such as desktop testing, simulation, full failover testing etc.) should be conducted (a) to keep the plans updated, (b) to improve management confidence in the plans, and (c) to make relevant employees familiar with their roles and responsibilities under disaster conditions.

Potential metrics:
- Proportion of organizational units with business continuity plans that have been adequately (a) documented and (b) proven by suitable testing within the past 12 months.
- Relative proportion of business continuity plans at each stage of the lifecycle (needed / specified / documented / proven).
15. Compliance
15.1 Compliance with legal requirements

Implementation tips:
- Get qualified legal advice, especially if the organization operates or has customers in multiple jurisdictions.

Potential metrics:
- Number of legal compliance issues or recommendations grouped and analyzed by status (closed, open, new, overdue) and significance or risk level (high, medium or low).
- Percentage of key external requirements with which the organization has been deemed, by objective audit or other acceptable means, to be in compliance.

15.2 Compliance with security policies and standards and technical compliance

Implementation tips:
- Align security controls self assessment processes with self assessments for corporate governance, legal/regulatory compliance etc., supplemented by management reviews and independent sanity checks.

Potential metrics:
- Number of internal policy and other compliance issues or recommendations grouped and analyzed by status (closed, open, new, overdue) and significance or risk level (high, medium or low).
- Proportion of information security compliance reviews with no substantial violations noted.

15.3 Information systems audit considerations

Implementation tips:
- Invest in a qualified IT audit function that uses the ISO 27k, ITIL, COBIT, CMM and similar best practice standards/methods as benchmarks for comparison.
- Look into ISO 19011 Guidelines for quality and/or environmental management systems auditing as a valuable source for the conduct of internal ISMS audits. ISO 19011 provides an excellent framework for creating an internal audit programme and also contains qualifications of the internal audit team.

Potential metrics:
- Number of audit issues or recommendations grouped and analyzed by status (closed, open, new, overdue) and significance or risk level (high, medium or low).
- Proportion of information security-related audit findings that have been resolved and closed vs. those opened in the same period.

*** End of table ***
References to additional sources of information

Berinato, S. (2005). "A Few Good Metrics". CIO-Asia. Focuses on selecting and measuring a few useful metrics rather than a large number of useless ones, with a few examples.

Campbell, G.K. (2005). "Influencing Senior Management - Security Metrics". Presentation to CSO Executive Council, September. Creative presentation ideas for management reports.

Deura, H., Lefler and Mena. Discusses design considerations for a security metrics system.

Hauser, J.R. and Katz, G.M. (1998). "Metrics: You Are What You Measure". MIT. A thought-provoking paper that warns about the dangers of driving a process in an unintended direction through the use of inappropriate metrics.

Hinson, G. (2006). "7 Myths About Security Metrics". ISSA Journal, July. Advice on the selection of security metrics that are few in number, validated and approved by stakeholders, up-to-date and accurate, and (above all) useful.

ISO/IEC 27001:2005. "International standard - Information technology - Security techniques - Information security management systems - Requirements."

ISO/IEC 27002:2007. "International standard - Information technology - Security techniques - Code of practice for information security management." [formerly known as ISO/IEC 17799:2005]

NIST (National Institute of Standards and Technology) (2003). Special Publication 800-55, "Security Metrics Guide for Information Technology Systems". Includes an extraordinarily comprehensive list of possible metrics (but unfortunately not much help on how to select useful metrics!).

Change record

Versions prior to 1.0 (May-June 2007): Document outline drafted and published using Google Docs & Spreadsheets for input by the ISO27001security implementers' forum. Initial input from Gary Hinson, Marappan Ramiah and Richard Regalado.

Feedback

Comments, queries and improvement suggestions (especially improvement suggestions!) are welcome either via the ISO27001security implementers' forum or direct to the forum administrator Gary@isect.com