ISO 27002
The Information Security Standard ISO/IEC 27002 is divided into eleven main
sections. Section 2 is Organising Information Security.
At the top of the structure should be the Board (or equivalent), which has overall
responsibility for the organisation. Those responsible for following the policies
and procedures should be arranged in a hierarchy below this level.
Organisational security must include temporary staff, contractors and third
parties with access to sites, equipment, people or information.
The Information Security Standard ISO/IEC 27002 is divided into eleven main
sections. Section 3 is Asset Management.
Asset Management
Organisations are used to completing inventories of physical assets - for
example, computers, printers, machinery, vehicles etc. But information is also
recognised as a vital asset for every organisation. The value of specific
information will depend on factors such as:
Databases
Personnel records
Scale models
Prototypes
Test samples
Contracts
Software licences
Publicity material
The value of each asset can then be determined to ensure appropriate security
is in place.
The Information Security Standard ISO/IEC 27002 is divided into eleven main
sections. Section 4 is Human Resources.
Human Resources
This covers aspects of job definitions and resourcing, to reduce the risk of
human error and ensure that staff understand what their rights and
responsibilities are concerning information security.
Most organisations require staff to keep client information confidential. They
also ask staff to report security incidents and perceived weaknesses.
Appropriate personnel security ensures:
That employment contracts and staff handbooks have agreed, clear wording
That ancillary workers, temporary staff, contractors and third parties are covered
That anyone else with legitimate access to business information or systems is covered
The Information Security Standard ISO/IEC 27002 is divided into eleven main
sections. Section 5 is Physical and Environmental Security.
Physical and Environmental Security
This section details any physical aspects of access control to information and
information systems. Ensuring that there is a proper environment for systems,
records and staff is essential for maintaining confidentiality, integrity and
availability of information.
The following aspects should be considered:
Protection
o of information and information systems from the elements is as important as protecting them from unauthorised people
o of physical access, which should be restricted to authorised personnel. IT equipment is tempting to thieves, and can be damaged by accidents or sabotage
Maintenance
o of the physical operating environment in a computer server room is as important as ensuring that paper records are not subject to damage by mould, fire or fading
o of supporting equipment such as air conditioning plant or mains services
Networks
Handling computer media
Electronic commerce
E-mail
Publicly available systems (such as websites)
The Information Security Standard ISO/IEC 27002 is divided into eleven main
sections. Section 7 is Access Control.
Access Control
Access control is about managing direct access to:
Information
Computer applications
Operating system facilities
Effective control ensures that staff have appropriate access to information and
applications, and do not abuse it.
Management issues, such as periodic reviews of user accounts, can apply as
much to IT systems as to physical access control systems. Confidentiality of
information is best achieved by ensuring that people only have access to the
information they actually need.
If access rules are too detailed, managing them will be very difficult. If they are
too general, people will have access to information or applications that they will
never need. A balance must be struck depending on:
The Information Security Standard ISO/IEC 27002 is divided into eleven main
sections. Section 8 is Information Systems Acquisition, Development and
Maintenance.
Information Systems Acquisition, Development and Maintenance
Designing a new system with security in mind is more likely to result in effective
and workable security features than attempting to impose security on an
existing (but insecure) system.
This area includes:
If you develop your own systems, or have them developed for you, good
practice in this area is essential to ensure that they work and information
remains secure.
The Information Security Standard ISO/IEC 27002 is divided into eleven main
sections. Section 9 is Information Security Incident Management.
Information Security Incident Management
This section deals with putting procedures in place to ensure information
security events and weaknesses are reported through appropriate channels in
order to allow corrective action to be taken.
All employees, contractors and third party users need to be aware of their
responsibility to report any information security incident as quickly as
possible, as well as of what procedures to follow.
It is also important to have mechanisms in place to quantify and monitor
incidents, and to collect evidence as required.
To read more about this subject, go to Incident Management, which includes
sections on reporting as well as forensics.
The Information Security Standard ISO/IEC 27002 is divided into eleven main
sections. Section 10 is Business Continuity Management.
Business Continuity Management
Each organisation's business relies on its own staff, systems and, to some
extent, other organisations.
Anything from a burst water main to a terrorist attack on a foreign country can
have a major effect on an organisation.
As such, there must be a process for:
These are used to identify and respond to a service disruption, to ensure the
safety of all affected staff members and visitors and to determine whether to
implement the business recovery process.
Level 2
This should include key support functions, for example:
Level 3
Each critical business area is responsible for developing a plan that names the
individuals in its recovery teams and sets out a detailed task list for the recovery process.
The owners of each plan must ensure that they have identified and agreed the
support and services required from other parties.
There are many options for developing plans including traditional word
processing documents, database packages or specialist planning and plan
development tools. Plans must be easily accessible and distributed to all
personnel who have a part to play in a recovery.
A useful tip is to create single crib sheets for each team. These might include:
The IT recovery plan must contain all information needed to recover the
computer systems, network and telecommunications in a disaster situation.
It must also contain details of how lost data can be recovered and reconciled
and how systems can be realigned.
The plan should include:
Impact Analysis
How much does your organisation stand to lose in the event of a disaster or
other disruption?
The purpose of a Business Impact Analysis (Stage 2 of the business continuity
management process) is to assess the risk by identifying:
This analysis determines what recovery facilities are provided and ensures that
the organisation can allocate business continuity management resources in the
most appropriate way.
If a Business Impact Analysis is not undertaken, or is not done correctly,
resources may be wasted on unnecessary services that do not fully support a
recovery.
What should be included?
Specifically, the Business Impact Analysis will identify the impacts resulting from an
inability to undertake normal business processes. Impacts are measured
against particular scenarios - for example, the inability to provide call centre
services for a period of time.
The impact analysis should concentrate on those scenarios where the impact
on critical business processes is likely to be greatest. It will include:
Consideration will also be given to how the degree of damage or loss is likely to
escalate after a service disruption. This will enable identification of the minimum
critical requirements for the continued operation of the business process, and
the timescale within which such requirements should be provided. These
requirements include:
The staffing, skills, facilities and services (including the IT applications and data recovery requirements) necessary to enable critical and essential business processes to continue operating at a minimum acceptable level
The time within which minimum levels of staffing, facilities and services should be recovered
The time within which all required business processes and supporting staff, facilities and services should be fully recovered
Testing
The purpose of testing (Stage 3 of the business continuity management
process) is to:
Raise the level of confidence in the ability to recover from a systems failure
Raise awareness and implement training processes within the organisation as early as possible
An initial technical test can usually be completed without the need to involve the
business.
However, for subsequent tests it is prudent to involve the business as a whole.
This will help to improve capability, and aid mutual understanding of the
activities and resources needed to achieve the common goal of business
recovery.
A full technical test will replicate as far as possible the stand-by arrangements,
including the recovery of business processes and the involvement of external
parties. This should test completeness of the plans and confirm:
Time objectives. For example, the time taken to recover key server applications
Staff preparation and awareness
Staff duplication and potential over-commitment of key resources. For example, a systems administrator being required to support a number of modular plans (help desk, operations, networks and communications)
Responsiveness, effectiveness and awareness of third parties and service providers
It is also necessary to ensure that the business recovery teams are tested. This
can include familiarisation with the recovery site, and the provision of examples
that will test the team response to a relevant scenario.
All tests, whether technical or non-technical, must have clearly defined
objectives and critical success factors, which will be used to determine the
success or otherwise of each exercise.