You are on page 1of 11

ISO/IEC 27000

Information is a vital asset to success and continuity in the market for any org
anisation. The security of that information, and those systems that process it,
are therefore a prime target for all organisations.
For the proper management of information security, there must exist an informati
on security management system that addresses this task in a methodical, document
ed way and is based on clear objectives of security and risk assessment.
ISO/IEC 27000 is a set of standards developed by ISO (International Organization
for Standardization) and IEC (International Electrotechnical Commission), which
provide a framework for the management of information security that can be used
by any organisation, public or private, large or small.
As of the publication date, the current standards include:

ISO/IEC 27000 Information security management systems Overview and vocabulary


ISO/IEC 27001 Information security management systems Requirements
ISO/IEC 27002 Code of practice for information security management
ISO/IEC 27003 Information security management system implementation guidance
ISO/IEC 27004 Information security management Measurement
ISO/IEC 27005 Information security risk management
ISO/IEC 27006 Requirements for bodies providing audit and certification of infor
mation security management systems
ISO/IEC 27007 Guidelines for information security management systems auditing (f
ocused on the management system)
ISO/IEC 27008 Guidance for auditors on ISMS controls (focused on the information
security controls)
ISO/IEC 27010 Information security management for inter-sector and inter-organis
ational communications
ISO/IEC 27011 Information security management guidelines for telecommunications
organisations based on ISO/IEC 27002
ISO/IEC 27031 Guidelines for information and communications technology readiness
for business continuity
ISO/IEC 27032 Guideline for cybersecurity
ISO/IEC 27033-1 Network security Part 1: Overview and concepts
ISO/IEC 27033-2 Network security Part 2: Guidelines for the design and implement
ation of network security
ISO/IEC 27033-3 Network security Part 3: Reference networking scenarios Threats,
design techniques and control issues
ISO/IEC 27034-1 Application security Part 1: Overview and concepts
ISO/IEC 27035 Information security incident management
ISO 27799 Information security management in health using ISO/IEC 27002
There are additional standards under development:

ISO/IEC 27013 Guideline on the integrated implementation of ISO/IEC 20000-1 and


ISO/IEC 27001
ISO/IEC 27014 Governance of information security
ISO/IEC 27015 Information security management guidelines for financial services
ISO/IEC 27016 Organisational economics
ISO/IEC 27017 Guidelines on information security controls for the use of Cloud C
omputing services based on ISO/IEC 27002
ISO/IEC 27018 Code of practice for data protection controls for public Cloud Com
puting services
ISO/IEC 27019 Information security management guidelines based on ISO/IEC 27002
for process control systems specific to the energy industry
ISO/IEC 27034-2 Application security Part 2: Organisation normative framework
ISO/IEC 27034-3 Application security Part 3: Application security management pro
cess
ISO/IEC 27034-4 Application security Part 4: Application security validation
ISO/IEC 27034-5 Application security Part 5: Protocols and application security
controls data structure
ISO/IEC 27034-6 Application security Part 6: Security guidance for specific appl
ications
ISO/IEC 27036-1 Information security for supplier relationships Part 1: Overview
and concepts
ISO/IEC 27036-2 Information security for supplier relationships Part 2: Common r
equirements
ISO/IEC 27036-3 Information security for supplier relationships Part 3: Guidelin
es for ICT supply chain security
ISO/IEC 27037 Guidelines for identification, collection and/or acquisition and p
reservation of digital evidence.
ISO/IEC 27038 Security techniques Specification for Digital Redaction
ISO/IEC 27039 Security techniques Selection, deployment and operations of intrus
ion detection systems
ISO/IEC 27040 Security techniques Storage security
ISO/IEC 27044 Security Information and Event Management (SIEM)
===============================================================

A quick look at relevant standards


The premise behind the use of standards to establish functional cybersecurity is
complex. Often organizations respond to their compliance and cybersecurity need
s by frantically deploying a fragmented patchwork of policies and technologies.
Just as often, these do not work together, nor do they provide a clear picture o
f the true state of assurance or compliance across the organization. Consequentl
y, these organizations may have a false sense of cybersecurity. Since there is n
o comprehensive framework of cybersecurity management and process, there is also
no ability to co-ordinate an organizational response to emerging threats, chang
ing conditions, and new technologies.
To appropriately address this tendency, organizations are clearly in need of bet
ter alternatives to address their security challenges. Many seek exactly those s
olutions that can take them from a reactive stance to a proactive one; solutions
that assist in the achievement of good cybersecurity governance by integrating
a standards-driven, best practices framework tailored to their enterprise.
Considering the great variety and broad nature of cybersecurity standards, organ
izations should identify and categorize those standards that are most appropriat
e for their cybersecurity needs. The set of functions from creating the strategy
for a component of the cybersecurity program, to developing a programs procedure
s and scope, to performing hands-on implementation work, to evaluating the works
effectiveness must be resolved through the application of a standardized perspec
tive across a series of technical competency areas.
The standards being introduced in this section are not intended to be all-inclus
ive, but rather to provide an introduction to some of the most accepted and usef
ul cybersecurity standards.
The primary international standard in the field of cybersecurity is derived from
ISO/IEC4 17799, which evolved from a set of best security practices originally
published by the UK Department of Trade and Industry (DTI) in the 1990s as a thr
ee-part British Standard (BS) 7799. Part one focused on a security code of pract
ice; part two introduced the Information Security Management System (ISMS); and
part three described a set of risk analysis and risk management practices.
It was fast-tracked to international acceptance as ISO/IEC 17799 in the year 200
0 and was revised to address new and emerging cyber capabilities. In 2005, ISO/I
EC 27001 was published, replacing BS7799-2, which was withdrawn.
ISO/IEC provided a specification for an ISMS (information security management sy
stem), which aligned with ISO/IEC 17799.
Since 2005, ISO/IEC has evolved into the ISO/IEC 27000-series (also known as the
ISMS Family of Standards or ISO27k for short. As of 2013, a comprehensive catalogue
of standards in the series has been published, while several more are still und
er development.5 The published standards include:6
ISO/IEC 27000:2012: Information technology Security techniques Information s
ecurity management systems - Overview and vocabulary (second edition). ISO/IEC p
rovides an overview of the ISO27k standards showing how they are used collective
ly to plan, implement, certify and operate an ISMS, with a basic introduction to
information security, risk management and management systems. It also provides
a glossary of information security-related terms used in the ISO27k standards.
ISO/IEC 27001:2013: Information technology Security techniques Information s
ecurity management systems Requirements. ISO/IEC 27001 specifies an Information
Security Management System (ISMS), an overarching management framework through w
hich the organization identifies, analyses and addresses its information securit
y risks.
ISO/IEC 27002:2013: Information technology Security techniques Code of pract
ice for information security controls. ISO/IEC 27002 recommends information secu
rity controls addressing information security control objectives arising from ri
sks to the confidentiality, integrity and availability of information.
ISO/IEC 27003:2010: Information technology Security techniques Information s
ecurity management system implementation guidance. ISO/IEC 27003 guides the desi
gn of an ISO/IEC 27001-compliant ISMS, leading up to the initiation of an ISMS [
implementation] project.
ISO/IEC 27004:2009: Information technology Security techniques Information s
ecurity management Measurement. ISO/IEC 27004 concerns measurements or metrics r
elating to information security management.
ISO/IEC 27005:2011: Information technology Security techniques Information s
ecurity risk management (second edition). ISO/IEC 27005 provides guidelines for
information security risk management without defining any specific method. It su
pports the general concepts specified in ISO/IEC 27001 and is designed to suppor
t the implementation of information security using a risk management approach.
ISO/IEC 27006:2011: Information technology Security techniques Requirements
for bodies providing audit and certification of information security management
systems. ISO/IEC 27006 specifies requirements and provides guidance for bodies p
roviding audit and certification of an information security management system (I
SMS).
ISO/IEC 27007:2011: Information technology Security techniques Guidelines fo
r information security management systems auditing. ISO/IEC 27007 provides guida
nce for accredited certification bodies, internal auditors, external/third party
auditors and others auditing ISMSs against ISO/IEC 27001.
ISO/IEC TR 27008:2011: Information technology Security techniques Guidelines
for auditors on information security management systems controls. This standard
(more accurately a technical report) on technical auditing complements ISO/IEC 27
007. It concentrates on auditing the information security controls.
ISO/IEC 27010:2012: Information technology Security techniques Information s
ecurity management for inter-sector and inter-organizational communications. ISO
/IEC 27010 provides guidance on information security interworking and communicat
ions between industries in the same sectors, in different industry sectors and w
ith governments, either in times of crisis or to protect critical infrastructure
.
ISO/IEC 27011:2008: Information technology Security techniques Information s
ecurity management guidelines for telecommunications organizations based on ISO/
IEC 27002.
ISO/IEC 27013:2012: Information technology Security techniques Guidance on t
he integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1. ISO/IEC 27013
provides guidance on integrating an information security and IT service managem
ent system.
ISO/IEC 27014:2013: Information technology Security techniques Governance of
information security. ISO/IEC 27014 provides guidance on concepts and principle
s for the governance of information security, by which organizations can evaluat
e, direct, monitor and communicate the information security related activities w
ithin the organization.
ISO/IEC TR 27015:2012: Information technology Security techniques Informatio
n security management guidelines for financial services. ISO/IEC 27015 (again a
Technical Report) provides sector-specific guidelines intended to help financial
services organizations (banks, insurance companies, credit card companies etc.)
implement ISMSs using the ISO27k standards.
ISO/IEC 27017: Information technology Security techniques Code of practice f
or information security controls for cloud computing services based on ISO/IEC 2
7002 (DRAFT). Once published, ISO/IEC 27017 will be a code of practice recommend
ing relevant information security controls for cloud computing, based on and ext
ending those recommended by ISO/IEC 27002.
ISO/IEC 27018: Information technology Security techniques Code of practice f
or PII protection in public clouds acting as PII processors (DRAFT). ISO/IEC 270
18 is not intended to duplicate or modify ISO 27002 in relation to cloud computi
ng, but adds control objectives and controls relevant to the protection of priva
cy and personal data in the cloud.
ISO/IEC 27031:2011: Information technology Security techniques Guidelines fo
r information and communications technology readiness for business continuity. I
SO/IEC 27031 provides guidance on the concepts and principles behind the role of
information and communications technology in ensuring business continuity.
ISO/IEC 27032:2012: Information technology Security techniques Guidelines fo
r cybersecurity. ISO/IEC 27032 addresses cybersecurity, defined as the preservat
ion of confidentiality, integrity and availability of information in the cyber s
pace.
ISO/IEC 27033: Information technology Security techniques Network security.
ISO/IEC 27033 is a multi-part standard derived from the existing five-part netwo
rk security standard ISO/IEC 18028 and provides detailed guidance on the securit
y aspects of the management, operation and use of information system networks, a
nd their inter-connections.
ISO/IEC 27035:2011: Information technology Security techniques Information s
ecurity incident management. ISO/IEC 27035 identifies the processes for managing
information security events, incidents and vulnerabilities.
ISO 27799:2008: Health informatics Information security management in health
using ISO/IEC 27002. ISO/IEC 27799 provides guidance to healthcare organization
s and other custodians of personal health information on how best to protect the
confidentiality, integrity and availability of such information by implementing
ISO/IEC 27002.
Although the27000 series of standards has obtained international acceptance, the
y are not the only standards that are useful in establishing a proactive, consis
tent cybersecurity program. Others include:
ISO/IEC TR13335, Management of Information and Communications Technology (IC
T) Security, which consists of five parts which provide guidance for the managem
ent aspects of cybersecurity.
ISO/IEC 21827:2008: Information technology Security techniques Systems Secur
ity Engineering Capability Maturity Model (SSE-CMM). ISO/IEC 21827 describes the e
ssential characteristics of an organizations security engineering process that mu
st exist to ensure good security engineering.
ISO 28001: Security management systems for the supply chain Best practices f
or implementing supply chain security, assessments and plans Requirements and gu
idance. ISO 28001:2007 provides requirements and guidance for organizations in i
nternational supply chains to develop and implement supply chain security proces
ses.
ISO/IEC 12207:2008: Systems and software engineering Software life cycle pro
cesses. ISO/IEC 12207 applies to the acquisition of systems and software product
s and services, to the supply, development, operation, maintenance, and disposal
of software products and the software portion of a system, whether performed in
ternally or externally to an organization.
Other standards of relevance to an effective cybersecurity program include:
UKs Office of Government Commerce (OGC), Information Technology Infrastructur
e Library (ITIL). In a series of five volumes, ITIL presents the structure and s
kill requirements for an IT organization, as well as the standard operating proc
edures and practices to support an IT infrastructure, including cybersecurity.
Information Systems Audit and Control Association, Control Objectives for In
formation and Related Technology (COBIT). COBIT provides guidance designed to as
sist enterprises in implementing effective IT governance practices.
Generally Accepted Information Security Practices (GAISP).7 GAISP collects i
nformation security principles which have been proven in practice and accepted b
y practitioners, and documents those principles in a single repository.
In addition to standards, there are also a series of best practice guidelines. T
wo of the most commonly accepted are:
Information Systems Security Association (ISSA), Generally Accepted Informat
ion Security Principles (GAISP). GAISP provides an authoritative set of guidelin
es and a legal point of reference for information security principles, practices
, and concepts.
IT Governance An international guide to data security and ISO27001/ISO27002
(Alan Calder, Kogan Page, 2012) is the Open Universitys Post-Graduate Information
Security textbook and provides comprehensive practical guidance on designing an
d implementing a cybersecurity program.
ITGIS Information Security Governance: Guidance for Boards of Directors and E
xecutive Management, which promotes best practices for cybersecurity as a respon
sibility of the board of directors and senior leadership.
Finally, the National Institute of Standards and Technology (NIST) has issued th
e 800-series of cybersecurity-related special publications, each of which addres
ses a specific aspect of cybersecurity.8 There are over 100 documents in the NIS
T 800 series. Among these, the most relevant for this text are:
NIST SP 800-137, Information Security Continuous Monitoring for Federal Info
rmation Systems and Organizations
NIST SP 800-124, Revision 1, Guidelines for Managing the Security of Mobile
Devices in the Enterprise
NIST SP 800-100, Information Security Handbook: A Guide for Managers
NIST SP 800-64, Revision 2, Security Considerations in the System Developmen
t Life Cycle
NIST SP 800-61, Revision 2, Computer Security Incident Handling Guide
NIST SP 800-55, Revision 1, Performance Measurement Guide for Information Se
curity
NIST SP 800-53, Revision 4, Recommended Security Controls for Federal Inform
ation Systems
NIST SP 800-39, Managing Information Security Risk: Organization, Mission, a
nd Information System View
NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework
to Federal Information Systems: A Security Life Cycle Approach
NIST SP 800-34, Revision 1, Contingency Planning Guide for Information Techn
ology Systems
NIST SP 800-30, Revision 1, Risk Management Guide for Information Technology
Systems
This list is by no means exhaustive, but it provides some degree of insight into
the range of cybersecurity publications emerging from this US institute.
The lists of standards above are far from comprehensive, but they do provide an
idea of just how many individual standards exist in the cybersecurity environmen
t and the level of complexity associated with choosing the most appropriate for
an organization.
The following sections attempt to provide a high-level roadmap to establishing a
cybersecurity program using some of these standards and guidelines.
================

Policy Development and Updates in Light of New Business, Technology, Risks, and
Environment Changes
Image
Business changes are changes dictated by the nature of an organizations business
and are often driven by consumer demands. Technology changes are driven by new t
echnological developments that force organizations to adopt new technologies. Ri
sk changes occur because attackers are constantly upgrading their skills and fin
ding new ways to attack organizations. Environment changes are divided into two
categories: those motivated by the culture that resides within an organization a
nd those motivated by the environment of the industry. As these changes occur, o
rganizations must ensure that they understand the changes and their implications
to the security posture of the organization. Organizations should take a proact
ive stance when it comes to these changes. Dont wait for a problem. Anticipate th
e changes and deploy mitigation techniques to help prevent them!
In a top-down approach, management initiates, supports, and directs the security
program. In a bottom-up approach, staff members develop a security program prio
r to receiving direction and support from management. A top-down approach is muc
h more efficient than a bottom-up approach because managements support is one of
the most important components of a security program. Using the top-down approach
can help ensure that the organizations policies align with its strategic goals.
Policies should be reviewed often and on a regular schedule. Certain business, t
echnology, risk, and environment changes should always trigger a review of polic
ies, including adoption of a new technology, merger with another organization, a
nd identification of a new attack method.
As an example, suppose that employees request remote access to corporate email a
nd shared drives. If remote access has never been offered but the need to improv
e productivity and rapidly responding to customer demands means staff now requir
e remote access, the organization should analyze the need to determine whether i
t is valid. Then, if the organization decides to allow remote access, the organi
zations security professionals should plan and develop security policies based on
the assumption that external environments have active hostile threats.
Policies that should be considered include password policies, data classificatio
n policies, wireless and VPN policies, remote access policies, and device access
policies. Most organizations develop password and data classification policies
first.
The International Organization for Standardization (ISO) has developed a series
of standards that are meant to aid organizations in the development of security
policies.
ISO/IEC 27000 Series
The International Organization for Standardization (ISO), often incorrectly refe
rred to as the International Standards Organization, joined with the Internation
al Electrotechnical Commission (IEC) to standardize the British Standard 7799 (B
S7799) to a new global standard that is now referred to as ISO/IEC 27000 series.
ISO 27000 is a security program development standard on how to develop and main
tain an information security management system (ISMS).
The 27000 series includes a list of standards, each of which addresses a particu
lar aspect of ISMS. These standards are either published or in development. The
following standards are included as part of the ISO/IEC 27000 series at the time
of this writing:
Image 27000: Published overview of ISMS and vocabulary
Image 27001: Published ISMS requirements
Image 27002: Published code of practice for information security management
Image 27003: Published ISMS implementation guidelines
Image 27004: Published ISMS measurement guidelines
Image 27005: Published information security risk management guidelines
Image 27006: Published requirements for bodies providing audit and certification
of ISMS
Image 27007: Published ISMS auditing guidelines
Image 27008: Guidance for auditors on ISMS controls
Image 27010: Published information security management for inter-sector and inte
rorganizational communications guidelines
Image 27011: Published telecommunications organizations information security man
agement guidelines
Image 27013: Published integrated implementation of ISO/IEC 27001 and ISO/IEC 20
000-1 guidance
Image 27014: Published information security governance guidelines
Image 27015: Published financial services information security management guidel
ines
Image 27016: Published ISMS organizational economics guidelines
Image 27017: In-development cloud computing services information security contro
l guidelines based on ISO/IEC 27002
Image 27018: In-development code of practice for public cloud computing services
data protection controls
Image 27019: Published energy industry process control system ISMS guidelines ba
sed on ISO/IEC 27002
Image 27031: Published information and communication technology readiness for bu
siness continuity guidelines
Image 27032: Published cyber security guidelines
Image 27033-1: Published network security overview and concepts
Image 27033-2: Published network security design and implementation guidelines
Image 27033-3: Published network security threats, design techniques, and contro
l issues guidelines
Image 27034-1: Published application security overview and concepts
Image 27034-2: In-development application security organization normative framew
ork guidelines
Image 27034-3: In-development application security management process guidelines
Image 27034-4: In-development application security validation guidelines
Image 27034-5: In-development application security protocols and controls data s
tructure guidelines
Image 27034-6: In-development security guidance for specific applications
Image 27035: Published information security incident management guidelines
Image 27035-1: In-development information security incident management principle
s
Image 27035-2: In-development information security incident response readiness g
uidelines
Image 27035-3: In-development computer security incident response team (CSIRT) o
perations guidelines
Image 27036-1: Published information security for supplier relationships overvie
w and concepts
Image 27036-2: In-development information security for supplier relationships co
mmon requirements guidelines
Image 27036-3: Published information and communication technology (ICT) supply c
hain security guidelines
Image 27036-4: In-development information security for supplier relationships ou
tsourcing security guidelines
Image 27037: Published digital evidence identification, collection, acquisition,
and preservation guidelines
Image 27038: Published information security digital redaction specification
Image 27039: In-development intrusion detection systems (IDS) selection, deploym
ent, and operations guidelines
Image 27040: In-development storage security guidelines
Image 27041: In-development standard on assuring suitability and adequacy of inc
ident investigative methods
Image 27042: In-development digital evidence analysis and interpretation guideli
nes
Image 27043: In-development incident investigation principles and processes
Image 27044: In-development security information and event management (SIEM) gui
delines
Image 27799: Published information security in health organizations guidelines
These standards are developed by the ISO/IEC bodies, but certification or confor
mity assessment is provided by third parties.
Note
For testing purposes, it is not necessary to memorize all of these standards and
where they apply. Instead, you need to have a general understanding of the area
s of security that are addressed.
Lets look at an example. Suppose an organization is rewriting its security polici
es and has halted the rewriting progress because the organizations executives bel
ieve that its major vendors have a good handle on compliance and regulatory stan
dards. The executive-level managers are allowing vendors to play a large role in
writing the organizations policy. However, the IT director decides that while ve
ndor support is important, it is critical that the company write the policy obje
ctively because vendors may not always put the organizations interests first. The
IT director should make the following recommendations to senior staff:
Image Consult legal and regulatory requirements.
Image Draft a general organizational policy.
Image Specify functional implementing policies.
Image Establish necessary standards, procedures, baselines, and guidelines.
As you can see from this example, you dont have to memorize the specific standard
s. However, you need to understand how organizations apply them, how they are re
vised, and how they can be customized to fit organizational needs.

ISO/IEC 27018 provides an additional set of controls, complementary to those in


ISO27002, which are specifically intended for use in Cloud environments, where a
data controller contracts with a cloud processor in relation to personally iden
tifiable information (PII). This control set is more broadly useful in helping o
rganizations address security issues in a distributed cloud environment. ISO/IEC
27017 will provide an additional generic set of controls for cloud computing se
rvices.

Security Architecture Document Review Checklist


In Chapter 3 we introduced the security architecture document, which may exist a
s a stand-alone document or as part of broader IT or enterprise architecture doc
umentation. The document cannot be exhaustive. However, when reviewing the finis
hed document, reviewers should be able to answer the following questions:
Is the scope correct and complete, with all relevant systems, services and i
nformation assets identified?
Are out-of-scope systems, services and information assets clearly stated?
Are all information types classified according to the needs of the organisat
ion?
Are all potential locations identified and mapped to access devices in use a
t each location desktops, laptops, tablets, smartphones and so on?
Is a mapping provided between existing information types, the physical envir
onment and both physical and logical elements of the IT architecture?
Are existing threats, vulnerabilities and existing weaknesses clearly, compr
ehensively yet succinctly expressed? Note that the document should not become a
long-winded treatise on risk!
Are proposed security domains, access controls and authentication mechanisms
clearly defined in a way that addresses the threats and vulnerabilities?
Are all communications paths treated (e.g. with encryption) to ensure confid
entiality?
Are costs realistic, reflecting not just up-front expense but training, ongo
ing operational management and so on?
Are roles and responsibilities clearly defined, both internally and external
ly?
Is the result auditable to ensure the overall IT systems architecture can be
verified as compliant?
Are the applicable regulatory and standards compliance criteria being met?
Is the proposed solution fit for purpose and future safe, and can it be oper
ated to the required level of security as a function of business as usual?