
A brief introduction to the ISO/IEC 27001 standard
By Babby Boss

Efficient business management has always treated knowledge as more valuable than any other business driver, and information, as the basic element of knowledge, as its most valuable asset. Managers have understood that protecting information from unintended disclosure, modification, and non-availability is one of their primary responsibilities for business survival and growth.

Information Security Management System (ISMS)

Internationally, business management has realized that without adopting an organized set of processes, the security controls meant to protect the CIA (Confidentiality, Integrity, and Availability) of information would not attain the target level of information assurance. To ensure information assurance, businesses use an ISMS to integrate people, processes, and technologies and to bring information security efforts across the enterprise under explicit management control. Several organizations recommend that businesses thoroughly examine their information security risks, design and set up a comprehensive suite of risk treatment measures, and develop procedures for continuous monitoring to ensure that such measures meet their information security requirements. Such a suite of information security controls and processes builds the foundation of an ISMS. For example, in 2005, the Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques, of ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) released the following standards:

1. ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements; and
2. ISO/IEC 27002:2005, Information technology - Security techniques - Code of practice for information security management systems.

Both standards complement each other: while the latter illustrates the essential features of information security controls, the former directs organizations on the requirements to establish, implement, operate, monitor, review, maintain, and improve a documented ISMS; management's responsibility to steer information security efforts and provide the necessary resources; internal evaluation of the ISMS; management's assessment of the ISMS; and ISMS improvement.

ISO/IEC 27001 standard and the PDCA model

The ISO/IEC 27001 standard suggests adopting Deming's PDCA (Plan, Do, Check, Act) model to design and implement an effective ISMS.

The PDCA steps for continuous improvement are summarized as follows.

Plan: The status of existing processes is determined and the gap between the existing and desired states of the system is analyzed; the objectives and processes necessary to attain the targeted results are established; the ISMS scope is defined; the Information Security Policy is laid down; controls are identified and selected; and a Statement of Applicability (SoA) is developed.

Do: While the Plan phase is themed "Plan your work", the Do phase focuses on "Work your plan". The controls selected to fill the gap between the existing and desired states are implemented.

Check: ISMS performance is continuously monitored and the monitoring results are compared with the targeted results; the comparative results are reviewed to explore avenues for possible improvement in the processes.

Act: The feasible improvements are implemented to optimize the processes.

Information Security Control Categories

Annex A of the ISO/IEC 27001 standard refers to the following broad categories of information security controls, which are detailed in the ISO/IEC 27002 standard.

1. Security policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development, and maintenance
9. Incident management
10. Business continuity management
11. Compliance

1. Security policy

As a mission statement, the security policy shows management's intent and commitment to the protection of information assets, and its willingness to prepare a roadmap for compliance with relevant laws and regulations. Like any other business policy, the security policy should be the governing document for the persons, processes, and technologies involved in securing information assets. Apart from a few acceptable exceptions, the policy must be uniformly applicable to all employees, business associates, and contractors, and it should be periodically reviewed and updated to meet changing security requirements.

2. Organization of information security

The responsibility to protect information assets must be well defined and assigned to experienced professionals from different parts of the business, with relevant roles and job functions such as management, engineering, architecture, auditing, etc.

3. Asset management

A complete and accurate inventory of information assets, ownership details, and an asset classification that reflects sensitivity and criticality levels are required to ascertain the relative importance of the assets. Assessing the threats to these assets and the vulnerabilities in the protective measures (aka controls) are the steps that evaluate the risks to the assets' confidentiality, integrity, and availability.

4. Human resources security

Humans are the weakest link of any security chain, as well as the biggest threat. The policies and procedures that protect the human element of the whole equation play a vital role in information assurance. The recruiter's responsibility to check and verify the credentials and background of a potential employee starts well before offering him/her the job, and continues through regular monitoring, awareness training, and performance review for as long as he/she is associated with the organization. Termination of, or a change in, the relationship demands appropriate revocation of resource access rights and the return of any assets in the possession of the subject concerned. Unless termination/change procedures are strictly followed, the subject may still access the resources, rendering the purpose of access control null and void.

5. Physical and environmental security

Measures to protect business premises are as important as logical controls for information security. Although no information storage and processing facility can be free from every kind of natural and man-made disaster, facilities must have enough physical and environmental controls to combat probable disasters from threats like excessive or low humidity, uncontrolled temperature, improper ventilation, static electric charge, dust, fire, flood, lightning, earthquake, hurricane, rodents, attack, theft, unauthorized physical access, etc. The physical security policy must also detail the acceptable use, maintenance, upgrade, re-use, disposal, removal, and change of equipment. The ideal environmental conditions for the proper working of equipment depend heavily on the technology in use and the site location.

6. Communications and operations management

For effective management of daily operations, the ISO/IEC 27001 standard gives guidance on avoiding service disruption by setting up and applying procedures for secure operations, asset configuration management, service delivery management, change management, capacity management, malware protection, backup management, network security management, vendor management, etc.

7. Access control

Controlled access to business resources is one of the effective measures to keep disaster at bay. Systematic application of user registration, authentication, and authorization procedures helps ensure that only genuine users access the resources. Access control procedures can be applied to business resources at various levels: network level, operating system level, and application and information level. Responsibilities accompany rights: users must understand their responsibilities regarding password usage and the possible misuse of unattended equipment allocated to them.

8. Information systems acquisition, development, and maintenance

The tendency to prefer application performance over application security has led to numerous incidents in the past. While businesses were focusing on perimeter controls to defend their networks and on hardening steps to secure host operating systems, criminals moved their focus to applications. To avoid incidents resulting from application hacks, information security must be given due attention in each phase of the Software Development Life-cycle (SDLC). Information security requirements must be incorporated into the Software Requirements Specification document. Thorough testing of the application must be done before its introduction into the production environment, to ensure that the application system under acquisition or development meets the information security requirements of the business. The same treatment applies to application maintenance tasks: requirements to upgrade an application must be reviewed from an information security point of view, and application maintenance should go through the same cycle of secure software development.

9. Information security incident management

Properly designed and implemented incident reporting procedures help to collect data about security issues; these data reveal business risks, which should be treated as per the risk management policy. Timely information about security incidents helps the Incident Response Management Team to analyze incidents, evaluate the underlying risks, and respond appropriately.

10. Business continuity management

It is helpful to embed information security requirements within business continuity management processes, so that the Business Continuity Plan may include information security incident management steps. Business continuity management efforts should adopt the risk assessment methodology as and when required, to ensure that information security risks are properly assessed and receive due attention for appropriate treatment.

11. Compliance

Management's responsibility is not limited to ensuring compliance with laws, regulations, etc.; it must also ensure that business processes do not violate any business security policy or standard. Regular review of information systems configuration helps to reveal any non-compliance with security implementation standards.
Security auditing of information systems in a production environment may disrupt business processes; penetration testing in particular should be carefully planned and treated as another risk to the business services.

References

1. ISO/IEC 27001. Information technology - Security techniques - Information security management systems - Requirements, first edition. October 15, 2005. Available from www.iso.org
2. ISO/IEC 27002. Information technology - Security techniques - Code of practice for information security management, second edition. June 15, 2005. Available from www.iso.org

Disclaimer

The ISO/IEC 27000 family of standards can be sourced from the ISO website (www.iso.org) and other authoritative sources. Although utmost care has been taken by the author to express genuine views, human error is still possible. The author's views should not be perceived as endorsed by the standard makers. Readers are advised to refer to the standards. The author, the author's employer, and the publisher should not be held liable for any loss/damage resulting from the interpretation of these views.
