40 IT GOVERNANCE

words, the specific document against which an ISMS will be assessed. It is the most important standard in the emerging ISO27000 family; it provides a specification, against which an ISMS may be assessed. Apart from ISO/IEC 27000, which is normatively referenced from ISO27001, the other standards provide useful guidance and advice, and have no mandatory effect.

The ISO/IEC 27000 series of standards

ISO27001 is part of a much larger family, of which ISO/IEC 27000 is the root for a whole numbered series of international standards for the management of information security. Developed by a joint committee of the International Organization for Standardization (ISO) in Geneva and the International Electrotechnical Commission, these standards now provide a globally recognized framework for good information security management. The correct designations for most of these standards include the ISO/IEC prefix, and all of them should include a suffix, which is their date of publication. Most of these standards, however, tend to be spoken of in shorthand. ISO/IEC 27001:2013, for instance, is often referred to simply as ISO27001. Many of the standards have been previously published and are undergoing periodic revision; others are still under development. This book deals specifically with ISO27001 and ISO27002, but it will refer, where appropriate, to guidance contained in the supporting standards listed here.

Organizations interested in using or applying these standards should acquire copies, which are available through www.itgovernance.co.uk/standards (archived at https://perma.cc/LHC2-ZRBS) in both hard copy and downloadable formats:

• ISO/IEC 27000 – ISMS Overview and Vocabulary;
• ISO/IEC 27001 – ISMS Requirements;
• ISO/IEC 27002 – Code of Practice for Information Security Controls;
• ISO/IEC 27003 – ISMS Guidance;
• ISO/IEC 27004 – Information Security Management – Monitoring, Measurement, Analysis and Evaluation;
• ISO/IEC 27005 – Information Security Risk Management;
• ISO/IEC 27007 – Information Security Management System Auditing;
• ISO/IEC TR 27008 – Guidelines for Auditors on Information Security Controls.

There are then standards that provide guidance on specific topics such as the integrated implementation of ISO 27001 and ISO 20000-1 (the service management system standard), information security governance (ISO 27014) and organizational economics (ISO TR 27016).

The following are standards detailing requirements for certification bodies seeking accreditation for their ISMS certification scheme:

• ISO/IEC 17021-1 – Conformity Assessment: Requirements for bodies providing audit and certification of management systems – Part 1: Requirements;
• ISO/IEC 27006 – Requirements for bodies providing audit and certification of Information Security Management Systems.

Finally there are standards that provide sector-specific guidelines on the implementation of an ISMS. They include: inter-sector and inter-organizational communications (ISO 27010); telecommunications (ISO 27011); cloud services (ISO 27017); processors of personally identifiable information in public clouds (ISO 27018); energy utility (ISO 27019); and the health sector (ISO 27799).

A full list of current and emerging ISO27000 standards is maintained at www.itgovernance.co.uk/iso27000-family (archived at https://perma.cc/X9EL-UMEX) and you should ensure that the version you are using has been updated to reflect the 2013 standard.

Use of the standard

As a general rule, organizations implementing ISO27001 will do well to pay close attention to the wording of that specific standard itself, and to be aware of any revisions to it. Nonconformity with revisions or corrigenda will jeopardize an existing certification. ISO/IEC 27001 itself is what any ISMS will be assessed against; where there is any conflict between advice provided in this book, in a supporting standard or in any other guide to implementation of ISO27001 and ISO27001 itself, it is the wording in ISO27001 that should be heeded. An external auditor will be assessing the ISMS against the published standard, not against the advice provided by this book or any third party. It is critical, therefore, that those responsible for the ISMS should be able to refer explicitly to the clauses and intent of ISO27001 and should on that basis be able to defend any implementation steps they have taken.

An appropriate first step is therefore to obtain and read ISO/IEC 27001 itself. Note that ISO27001 uses the word ‘shall’ to indicate a requirement, whereas the other standards in the family use ‘should’ to indicate good practice which is not a requirement. The UK Accredited Certification Scheme was launched in April 1998, and there is an ISMS users’ group that enables users to exchange information on best practice and enables members to provide feedback on a regular basis to national standards bodies, and through them to the International Organization for Standardization.

ISO/IEC 27002

In 1998, when the original BS7799 was revised for the first time, prior to becoming BS7799 Part 1, references to UK legislation were removed and the text was made more general. It was also made consistent with OECD guidelines on privacy, information security and cryptography. Its best-practice controls were made capable of implementation in a variety of legal and cultural environments. In other words, the ISO/IEC 27002 Code of Practice is intended to provide a framework for international best practice in information security controls and systems interoperability. It also provides guidance, to which an external auditor will look, on how to implement controls within a certifiable ISMS. It does not, as the standard is currently written, provide the basis for an international certification scheme. The guidance that this book provides in implementing an ISMS will therefore start with the requirements of ISO27001, will then look to ISO27002 for guidance as to the range of actions that could be considered in implementing selected controls, and will look to other best practice sources for more detailed input where relevant.

It is particularly important to note that, while ISO27002 provides international best practice in information security controls, it is not necessarily up to date for more recent changes in the information security environment. It has been written, and rewritten, over a number of years. The speed with which information technology has evolved, and goes on evolving, already means that some of the specific guidance in ISO27002 may be inadequate to deal with newly identified threats and vulnerabilities and the most current responses to them. That does not invalidate ISO27002; it simply creates an opportunity for the practitioner to go beyond ISO27002 when necessary.

This book has a bias towards implementing an ISMS within the United Kingdom, as this is where the authors’ direct experience was gained. It does also draw on our combined experience, over a number of years, working with organizations around the world on their information security management strategies. Its lessons are directly applicable for all ISMSs that are to be certified by an accredited certification body anywhere in the world.

This book sets out how to implement an ISMS that is capable of certification to ISO/IEC 27001:2013. It will do so broadly within the context of the Microsoft suite of products, as these are the products most widely used in those parts of the world likely to be interested in certification. The implementation steps set out in this book, however, apply in all software and hardware environments. The standard itself was specifically written to be technology independent. This book will refer very explicitly to ISO27001 and to ISO27002 in order to comment on the implementation steps necessary to reflect the recommendations of ISO27002 and to comply with the standard. However, the reader must obtain current copies of both documents (as well as any others that may appear to be necessary) and use them alongside this book in order to optimize an information security project and gain the full value of this book.

Continual improvement, Plan-Do-Check-Act, and process approach

The 2002 version of the standard for the first time promoted the adoption of a ‘process approach’ for the design and deployment of an ISMS. This approach, widely known as the ‘Plan-Do-Check-Act’ (PDCA) model, is familiar to quality and business managers everywhere. While ISO27001:2005 mandated the adoption of PDCA, it is no longer specifically required; what is a specific requirement is the adoption of a suitable and appropriate continual improvement process. For many organizations, this will continue to be the PDCA model, but the way is open for organizations that, for instance, already use ITIL or COBIT to adopt instead the continual improvement models from those frameworks. The vast majority of organizations are likely to adopt PDCA, not least because it is an easily understood model which also lends itself to application in integrated management systems which cover (for example) quality, environment, IT service management and