
ISO/IEC 27000 Series

Information Security Management


The BS 7799
• British Standard 7799 developed in 1995 (first CobiT released in 1996).
• The standard outlines how an Information Security Management
System (ISMS), also known as a security program, should be built and maintained.
Goal:
• To provide guidance to organizations on how to design, implement,
and maintain policies, processes, and technologies to manage risks to
their sensitive information assets.
Aim:
• To centrally manage the various security controls deployed
throughout an organization, and thus reduce ad hoc security efforts.
• BS7799 is composed of two parts:

BS7799 Part 1
• Outlined control objectives and a range of controls that can be used to
meet those objectives.

BS7799 Part 2
• Outlined how a security program can be set up and maintained. Also
served as a baseline that organizations could be certified against.

“The British seem to know what they are doing. Let’s follow them.”
Hence BS7799 became the de facto model to follow
Coverage areas
• Information security policy for the organization – mapping of business
objectives to security, responsibilities, etc.
• Creation of information security infrastructure
• Asset classification and control
• Personnel security – screening procedures, training, roles, etc.
• Physical and environmental security – implement access control,
security perimeter
• Communications and operations management – Change control,
incident handling, network management
• Access control – Authentication, user management, monitoring
• System development and maintenance - Implement security in all
phases of a system’s lifetime
• Business continuity management – Ensuring continuity of business
processes
• Compliance – industry regulations and standards
Expanding the BS7799
• Other confusing titles began to appear, e.g. BS7799, BS7799v1, BS7799
v2, ISO 17799, BS7799-3:2005, etc.

• The industry has moved from the more ambiguous BS7799 standard to
a whole list of ISO/IEC standards that attempt to compartmentalize and
modularize the necessary components

• Led to the creation of the ISO/IEC 27000 Series


ISO 27000 Series
• Brings the modularized approach to the basic BS7799
• Provides best practices for management of security controls

• Originally followed the PDCA (Plan – Do – Check – Act) cycle


• Plan - establishing objectives and making plans
• Do - deals with the implementation of the plans
• Check - measuring results to understand if objectives are met
• Act - provides direction on how to correct and improve plans to better
achieve success.
Getting Accredited
• It is common for organizations to seek an ISO certification by an
accredited third party.
• The third party assesses the organization against the ISMS requirements
laid out in the ISO standard and attests to the organization’s compliance level.
• The certificate is issued for 3 years; after 3 years, recertification is
required.
• Once certified, regular surveillance audits follow (every 6–9 months)
ISO 27001
• ISO 27001 is a management system and not a set of technical controls
that need to be put into place.
• Informally seen as
▫ Defining the challenge
▫ Governance
▫ Continuous Improvement
• 27001 checklist.pdf
▫ Provides a very limited view of whether you can be certified under 27001.
ISO 27001 Costs
• Precertification Phase I: $20,000 (e.g., Scope Definition, Risk
Assessment, Risk Treatment Plan, Gap Assessment, Phase II
Remediation Plan)
• Precertification Phase II: $18,000 (e.g., Gap closure (collaboratively),
registrar selection, ISMS Artifact development, Risk Management
Committee, Incident Response, Internal ISMS Audit, On-site
Certification Audit Support)
• Certification Audit: $10,000
Surveillance Audit
• Typically happens in years 2 and 3
▫ Surveillance Audit: $7,500
• Internal ISMS Audit: $7,000 (Done yearly via 3rd party)

• An ISO 27001 consultant can charge upwards of $1,500 per man-day.
Comparing CobiT and ISO 27000
• None of these frameworks are in competition with each other; in fact, it
is best if they are used together.
• The ISO 27000 series outlines security controls, but does not focus on how
to integrate them into business processes.
• COBIT focuses on controls and metrics, not as much on security.
Further Reading
http://www.iso27001security.com/html/27002.html