
Information Security Standards:

ISO standards

Mari Seeba
ISO.org standards:

• ISO 31000:2018 Risk Management Guidelines
• ISO/IEC 27000:2013 ISMS Overview and vocabulary
• ISO/IEC 27001:2013 ISMS Requirements
• ISO/IEC 27005:2018 Information Security Risk Management
ISO Management Systems
Framework of ISO Annex SL

• Policies
• Processes
• To ensure that the tasks required to achieve its goals are fulfilled

• ISO Annex SL – the format on which the ISO management standards (ISO9001, ISO14001, ISO27001, ISO45001) are built

• ISO31000 is not in the Annex SL format
ISO Management System Approaches

Control and develop components of the management system (ISO27001):
• Plan – Management system objectives and planning to achieve them
• Do – Operational planning, implementation and control
• Check – Monitoring, analysis, evaluation, audit and review
• Act – Non-conformity, corrective actions and continual improvement

Scope and design components of the management system (ISO31000):
• Context – Organization, stakeholders, expectations and scope of the management system
• Support – Resources, competence, awareness, communication and documentation
• Leadership – Commitment, policy and organizational roles and responsibilities
ISO 31000:2018
Risk management – Guidelines

• Scope:
– guidelines on managing risk faced by organizations
– common approach to managing any type of risk
– is not industry or sector specific
– usable throughout the life of the organization
– can be applied to any activity, including decision-making at all levels

• Overall purpose: integrating the management of risk into a strategic and operational management system
• Key terms:
– risk, risk management, stakeholder, risk source, event, consequences, likelihood, control
• Principles, framework and process
ISO 31000: Principles (figure; source: ISO31000:2018(en))

ISO 31000: Framework (figure; source: ISO31000:2018(en))

ISO 31000: Process (figure; source: ISO31000:2018(en))

ISO 31000: Principles, framework and process (figure; source: ISO31000:2018(en))
ISO/IEC 27000:2018 (en) Information technology — Security techniques — Information security management systems — Overview and vocabulary

• Scope:
– terms and definitions commonly used in the ISMS family of standards (89)
– overview of information security management systems (ISMS)
– is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations)

• Content:
1 Scope
2 Normative references
3 Terms and definitions
4 Information security management systems
   1. General
   2. What is an ISMS?
   3. Process approach
   4. Why an ISMS is important
   5. Establishing, monitoring, maintaining and improving an ISMS
   6. ISMS critical success factors
   7. Benefits of the ISMS family of standards
5 ISMS family of standards
   8. General information
   9. Standard describing an overview and terminology: ISO/IEC 27000
   10. Standards specifying requirements
   11. Standards describing general guidelines
   12. Standards describing sector-specific guidelines

ISO27000 – ISMS family of standards relationships (figure; source: ISO/IEC 27000:2018(E))
ISO 27001:2013 Information technology — Security techniques — Information security management systems — Requirements

• Scope:
– requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving formalized information security management systems (ISMS) within the context of the organization’s overall business risks
– specifies requirements for the implementation of information security controls customized to the needs of individual organizations or parts thereof
– for all organizations, regardless of type, size and nature

• Purpose:
– The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.
– Base standard for certification

• Format:
– ISO Annex SL
ISO27001 Content (figure: Plan – Do – Check – Act cycle)

ISO27001: Annex A (figure)
ISO 27001

• To be fully compliant you need to implement:
– all requirements from Clauses 4–10
– based on Annex A, check your security controls and keep the Statement of Applicability updated
– be ready to prove the documented journey from business objective – risk – asset – control – measurement – improvement

• ISO 27001 is a high-level, general framework

• Several other security standards and frameworks confirm their compliance with ISO27001 and provide mapping tables
– NIST CSF, CIS, national standards (several EU member states)
ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management

• Scope:
– provides guidelines for information security risk management
– supports the general concepts specified in ISO/IEC 27001
– designed to assist the satisfactory implementation of information security based on a risk management approach
– risk management process as defined in ISO31000

ISO27005 information security risk management process (figure; the risk management process as defined in ISO31000; source: ISO/IEC 27005:2018)
ISO 27005: Risk Treatment activity (figure): Risk assessment results → RISK TREATMENT → Risk Treatment Options (Risk Modification, Risk Retention, Risk Avoidance, Risk Sharing) → Residual Risk. Risk decision point 1: Sati…; Risk decision point 2: Satisfactory Treatment.
ISO 27005

• The standard does not provide a risk management method
– each organization should define its own risk management method

• Annexes contain additional information, primarily examples of approaches

• Usage of the standard is optional in the context of ISO27001 certification
How do these ISO standards interact?

Estonian approach – Why do we not use ISO27001?
Estonian approach

• Granularity

• Full risk management vs baseline security

• Estonian X-tee distributed data exchange platform – expectations of data exchange partners

• Requirements and measures, as well as risk appetite, that all parties understand in the same way

• Possibility to influence the content of the standard and the lifecycle of the standard
Why did we keep compliance with ISO27001?

• Possibility to get an internationally recognized certificate

• International communication

• Relations with private sector organizations

• Alternative solution to E-ITS

• Long-term perspective
Steps of Estonian ISMS

Baseline security main steps:

• Specification of the scope and protection requirements:
– organization and business processes
– infrastructure
– IT systems
– applications
– employees
• Selection and prioritization of relevant modules
• Conduct risk analysis if needed (high security needs, no relevant module, etc.)
• Implement security measures from the modules
• Monitor and improve your security management

https://eits.ria.ee
www.cyber4dev.eu
