ISO27001 / ISO27002 A Pocket Guide



ISO27001 / ISO27002

A Pocket Guide

ALAN CALDER


Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and the author cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers at the following address:

IT Governance Publishing
IT Governance Limited
Unit 3, Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely
Cambridgeshire
CB7 4EH
United Kingdom

www.itgovernance.co.uk

© Alan Calder 2008

The author has asserted the rights of the author under the Copyright, Designs and Patents Act 1988, to be identified as the author of this work.

First published in the United Kingdom in 2008 by IT Governance Publishing

ISBN 978-1-905356-71-3


FOREWORD

ISO/IEC 27001:2005 is an international standard for information security management systems (ISMSs). Closely allied to ISO/IEC 27002:2005 (which used to be known as ISO17799), this standard (sometimes called the ISMS standard) can help organisations meet all their information-related regulatory compliance objectives and can help them prepare and position themselves for new and emerging regulations.

Information is the lifeblood of today’s organisation and, therefore, ensuring that information is simultaneously protected and available to those who need it is essential to modern business operations. Information systems are not usually designed from the outset to be secure. Technical security measures and checklists are limited in their ability to protect a complete information system. Management systems and procedural controls are essential components of any really secure information system and, to be effective, need careful planning and attention to detail.

ISO/IEC 27001 provides the specification for an information security management system and, in the related Code of Practice, ISO/IEC 27002, it draws on the knowledge of a group of experienced information security practitioners in a wide range of significant organisations across more than 40 countries to set out best practice in information security. An ISO27001-compliant system will provide a systematic approach to ensuring the availability, confidentiality and integrity of corporate information. The controls of ISO27001 are based on identifying and combating the entire range of potential risks to the organisation’s information assets. This helpful, handy ISO27001 / ISO27002 pocket guide gives a useful overview of these two important information security standards.


ABOUT THE AUTHOR

Alan Calder is a leading author on IT governance and information security issues. He is chief executive of IT Governance Limited, the one-stop-shop for books, tools, training and consultancy on governance, risk management and compliance.

Alan is an international authority on information security management and on ISO27001 (formerly BS7799), the international security standard, about which he wrote with colleague Steve Watkins the definitive compliance guide, IT Governance: A Manager’s Guide to Data Security and ISO27001 / ISO27002, the 4th edition of which was published in May 2008. This work is based on his experience of leading the world’s first successful implementation of BS7799 (the forerunner of ISO27001) and is the basis for the UK Open University’s postgraduate course on information security.

Other books written by Alan include The Case for ISO27001 and ISO27001 – Nine Steps to Success, as well as books on corporate governance and IT governance, and several pocket guides in this series.

Alan is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.


ACKNOWLEDGEMENTS

Copyright in these two information security standards, copies of which can – and should – be purchased from national standards bodies or from http://www.itgovernance.co.uk/standards.aspx, is owned by their publishers. This pocket guide is not a substitute for acquiring and reading the standards themselves and every reader of this pocket guide should obtain copies for themselves.

This pocket guide contains many references to, and summaries of, material that is more comprehensively available in the published standards; it is intended to be a handy reference tool that contains in one place some of the key information that those dealing with the standards and related issues might need. It does not contain enough information for anyone to implement, or audit implementation of, a management system based on either of these standards. It is also a pocket guide to, not a comprehensive manual1 on, implementing ISO27001.

1 If you are looking for a comprehensive ISO27001 implementation manual, one is available at www.itgovernance.co.uk/products/4.


CONTENTS

Introduction ... 10
Chapter 1: The ISO/IEC 27000 Family of Information Security Standards ... 12
Chapter 2: Background to the Standards ... 15
Chapter 3: Specification vs Code of Practice ... 19
Chapter 4: Certification Process ... 21
Chapter 5: The ISMS and ISO27001 ... 23
Chapter 6: Overview of ISO/IEC 27001:2005 ... 25
Chapter 7: Overview of ISO/IEC 27002:2005 ... 27
Chapter 8: Documentation and Records ... 30
Chapter 9: Management Responsibility ... 34
Chapter 10: Process Approach and the PDCA Cycle ... 37
Chapter 11: Policy and Scope ... 40
Chapter 12: Risk Assessment ... 43
Chapter 13: The Statement of Applicability (SoA) ... 49
Chapter 14: Implementation ... 53
Chapter 15: Check and Act ... 54
Chapter 16: Management Review ... 58
Chapter 17: ISO27001 Annex A ... 59
ITG Resources ... 73


INTRODUCTION

It is a truism to say that information is the currency of the information age. Information is, in many cases, the most valuable asset possessed by an organisation, even if that information has not been subject to a formal and comprehensive valuation.

IT governance is the discipline that deals with the structures, standards and processes that boards and management teams apply in order to effectively manage, protect and exploit their organisation’s information assets.

Information security management is that subset of IT governance that focuses on protecting and securing an organisation’s information assets.

Risks to information assets

An asset can be defined as ‘anything that has value to an organisation’. Information assets are subject to a wide range of threats, both external and internal, ranging from the random to the highly specific. Risks include acts of nature, fraud and other criminal activity, user error and system failure.

Information Security Management System

An information security management system (ISMS) is defined (in ISO/IEC 27001) as ‘that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. The management system includes organisational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources’.


CHAPTER 1: THE ISO/IEC 27000 FAMILY OF INFORMATION SECURITY STANDARDS

ISO27001, the international Information Security Management Standard, was published in 2005, and is becoming widely known and followed.

It is now part of a much larger family, of which ISO/IEC 27000 is the root for a whole numbered series of international standards for the management of information security.

Developed by a subcommittee of a joint technical committee (ISO/IEC JTC SC27) of the International Standards Organisation (ISO) in Geneva and the International Electrotechnical Commission (IEC), these standards now provide a globally recognised framework for good information security management.

The correct designation for most of these standards includes the ISO/IEC prefix and all of them should include a suffix which is their date of publication. Most of these standards, however, tend to be spoken of in shorthand. ISO/IEC 27001:2005, for instance, is often referred to simply as ISO27001.

The first of the ISO27000 series of information security standards have already been published.


ISO/IEC 27001:2005 (ISO27001)

This is the current version of the international standard specification for an Information Security Management System. It is vendor-neutral and technology-independent. It is ‘intended to be applicable to all organisations, regardless of type, size and nature’2 and in every sector (e.g. ‘commercial enterprises, government agencies, not-for-profit organisations’3), anywhere in the world. It is a management system, not a technology specification, with the formal title ‘Information Technology – Security Techniques – Information Security Management Systems – Requirements’.

ISO/IEC 27002:2005 (ISO27002)

This standard is titled ‘Information Technology – Security Techniques – Code of Practice for information security management’. Published in July 2005, it was initially and originally numbered ISO/IEC 17799.

ISO/IEC 27003

ISO/IEC 27003 has the provisional title ‘ISMS implementation guidance’ and is currently under development.

ISO/IEC 27004

ISO/IEC 27004, with the provisional title ‘Information security metrics and measurement’, is under development. This standard will help organisations more effectively address the requirement, contained in Clauses 7.2 and 7.3 of ISO27001, to measure the effectiveness of controls.

2 ISO/IEC 27001:2005, Application 1.2.
3 ISO/IEC 27001:2005, Scope 1.1.

ISO/IEC 27005:2008

Information security risk management (based on and incorporating ISO/IEC 13335 MICTS Part 2) was published in June 2008.

ISO/IEC 27006:2007

This standard sets out the requirements for bodies providing audit and certification of information security management systems.

Definitions

The definitions used in all these standards are intended to be consistent with one another and also to be consistent with those used in ISO/IEC Guide 73:2002. ISO/IEC 27000 is also under development; it is provisionally titled ‘Overview and vocabulary’.


CHAPTER 2: BACKGROUND TO THE STANDARDS

The very first formal information security standard, BS7799, was originally issued in the UK in April 1999, as a two-part standard. An earlier code of practice had been substantially revised and became Part 1 of the new standard (BS7799-1:1999) and a new Part 2 (BS7799-2:1999) was drafted and added.

The link between the two standards was created atthis point:

· Part 1 was a code of practice
· Part 2 was a specification for an ISMS that deployed controls selected from the code of practice.

The original Part 2 specified, in the main body of the standard, the same set of controls that were described, in far greater detail (particularly with regard to implementation) in Part 1. These controls were later removed from the main body of Part 2 and listed in an annex, Annex A.

This relationship continues today, between the specification for the ISMS that is contained in one standard, and the detailed guidance on the information security controls that should be considered in developing and implementing the ISMS which are contained in the other part of the combined standard.

The International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC)4 then collaborated to adopt and internationalise BS7799-1 as ISO/IEC 17799:2000 in December 2000. ISO17799 was widely used around the world to provide guidance on best-practice information security controls.

ISO 17799 was substantially revised, improved and updated five years later (in 2005) and it was also renumbered into the ISO27000 series.

BS7799-2

BS7799-2:1999 was revised and reissued as BS7799-2:2002. Significant changes occurred at this time, including:

· the alignment of the clause numbering in both parts of the standard

· the addition of the PDCA model (see Chapter 15) to the standard

· the addition of a requirement to continuously improve the ISMS

· the alignment of the standard, and its detailed clauses, with ISO9001:2000 and ISO14001:1996, to facilitate the development of integrated management systems.

4 The IEC is ‘the leading global organisation that prepares and publishes international standards for all electrical, electronic and related technologies’. Its website is at www.iec.ch. The ISO and the IEC work together, within the World Trade Organisation (WTO) framework, to provide technical support for the growth of global markets and to ensure that technical regulations, voluntary standards and conformity assessment procedures do not create unnecessary obstacles to trade. The joint ISO/IEC information centre has a website at www.standardsinfo.net.

ISO27001:2005

Although a number of countries adopted BS7799-2, it was still only a British standard in June 2005, when ISO/IEC 17799:2005 was to be issued. The decision was taken, at that time, to put BS7799-2 on the ‘fast track’ to internationalisation and FDIS (final draft international standard) was issued in June 2005. BS7799-2:2005 (ISO/IEC 27001:2005) was finally published in October 2005.

Correspondence between ISO27001 and ISO27002

Annex A to ISO/IEC 27001:2005 lists the 133 controls that are in ISO/IEC 27002:2005, follows the same numbering system and uses the same words for the controls and control objectives.

The preface to ISO27001 states: ‘The control objectives and controls referred to in this edition are directly derived from and aligned with those listed in ISO/IEC 27002:2005.’ ISO/IEC 27001 requires that ‘control objectives and controls from Annex A shall be selected’ in order to meet the ‘requirements identified by the risk assessment and risk treatment process’.

ISO27002 also provides substantial implementation guidance on how individual controls should be approached. Anyone implementing an ISO27001 ISMS will need to acquire and study copies of both ISO27001 and ISO27002.


While ISO27001 in effect mandates the use of ISO27002 as a source of guidance on controls, control selection and control implementation, it does not limit the organisation’s choice of controls. The preface goes on to state: ‘The list of control objectives and controls in this ISO standard is not exhaustive and an organisation might consider that additional control objectives and controls are necessary.’5

Use of the standards

Both standards recognise that information security cannot be achieved through technological means alone, and should never be implemented in a way that either is out of line with the organisation’s approach to risk or undermines or creates difficulties for its business operations.

Effective information security is defined in both ISO27001 and ISO27002 as the ‘preservation of confidentiality, integrity and availability of information’.

5 ISO/IEC 27001:2005, Preface.


CHAPTER 3: SPECIFICATION VS CODE OF PRACTICE

ISO/IEC 27001:2005 is a specification for an information security management system. It uses words like ‘shall’. It sets out requirements. It is the specification against which first-, second- and third-party audits can be carried out.

A first-party audit is an audit of an organisation’s own practices that is carried out by that organisation. A second-party audit is carried out by a partner organisation, usually pursuant to a commercial relationship of some description. A third-party audit is one carried out by an independent third party, such as a certification body or external auditor.

A code of practice or a set of guidelines uses words like ‘should’ and ‘may’, allowing individual organisations to choose which elements of the standard to implement, and which not. This inbuilt element of choice means that ISO27002 is not capable of providing a firm standard against which an audit can be conducted. ISO27001 does not provide any such latitude.

Any organisation that implements an ISMS which it wishes to have assessed against ISO27001 will have to follow the specification contained in that standard.

As a general rule, organisations implementing an ISMS based on ISO/IEC 27001:2005 will do well to pay close attention to the wording of the standard itself, and to be aware of any revisions to it. Non-compliance with any official revisions, which usually occur on a three-year and a five-year cycle, will jeopardise an existing certification.

An appropriate first step is to obtain and read a copy of ISO/IEC 27001:2005. Copies can be purchased from the ISO website, from national standards bodies and from www.itgovernance.co.uk/standards.aspx. There should be a choice of hard copy and downloadable versions to suit individual needs.


CHAPTER 4: CERTIFICATION PROCESS

ISO27001 provides a specification against which an organisation’s ISMS can be independently audited by an accredited certification body. If the ISMS is found to conform to the specification, the organisation can be issued with a formal certificate confirming this.

Certification bodies

Certification is carried out by independent, accredited certification bodies. These are called different things in different countries, including ‘registration bodies’, ‘assessment and registration bodies’, ‘certification/registration bodies’ and ‘registrars’. Whatever they are called, they all do the same thing and are subject to the same requirements.

An accredited certification body is one that has demonstrated to a national accreditation body (such as, for example, UKAS – the UK Accreditation Service) that it has fully met the international and any national standards set down for the operation of certification bodies. These standards usually restrict the capacity of an accredited certification body to provide consultancy services in relation to a standard for which it also provides certification services.

Organisations that are seeking independent certification of their ISMS should always go to an accredited certification body. Their certificates are usually valid for three years and are subject to periodic maintenance visits by the certification body; they have international credibility and will be issued in line with an approved system for the issue and maintenance of such certificates. An approved version of the scheme’s certification symbol may be used in the organisation’s marketing material.

There is a list of some accredited certification and other bodies in the links pages of www.27001.com.


CHAPTER 5: THE ISMS AND ISO27001

Definition of information security

ISO27001 defines information security (in its definitions section) as the ‘preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved’.

Information risks can affect one or more of the three fundamental attributes of an information asset – its

· availability
· confidentiality
· integrity.

These three attributes are defined in ISO27001 as follows:

· Availability: ‘the property of being accessible and usable upon demand by an authorised entity’, which allows for the possibility that information has to be accessed by software programs as well as human users.

· Confidentiality: ‘the property that information is not made available or disclosed to unauthorised individuals, entities, or processes’.

· Integrity: ‘the property of safeguarding the accuracy and completeness of assets’.


The ISMS

An ISMS – which the standard is clear includes ‘organisational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources,’6 – is a structured, coherent management approach to information security which is designed to ensure the effective interaction of the three key components of implementing an information security policy:

· process (or procedure)
· technology
· user behaviour.

The standard’s requirement is that the design and implementation of an ISMS should be directly influenced by each organisation’s ‘needs and objectives, security requirements, the processes employed and the size and structure of the organisation’.7

ISO27001 is not a one-size-fits-all solution, nor was it ever seen as a static, fixed entity that interferes with the growth and development of a business. The standard explicitly recognises that:

· the ISMS ‘will be scaled in accordance with the needs of the organisation’,

· a ‘simple situation requires a simple ISMS solution’ and

· the ISMS is ‘expected to change over time’.

6 ISO/IEC 27001:2005, Terms and definitions, 3.7, note.
7 ISO/IEC 27001:2005, Introduction General, 0.1.


CHAPTER 6: OVERVIEW OF ISO/IEC 27001:2005

The formal title of this standard is ‘Information Technology – Security Techniques – Information Security Management Systems – Requirements’. From October 2005, it replaced BS7799-2:2002, which was withdrawn. In the United Kingdom it is dual-numbered, as BS7799-2:2005.

Including end pieces, this standard is only 44 pages long. The core of the standard is contained in the nine pages that set out the specifications for the design and implementation of an information security management system, and in the 17 pages of Annex A, which contain the 133 individual controls which must, under the Standard, be considered for applicability.

The ISMS specification is contained in Clauses 4 to 8 of ISO27001.

The standard’s contents (main clauses and annexes) are:

0. Introduction
1. Scope
2. Normative References
3. Terms and Definitions
4. Information Security Management System
5. Management Responsibility
6. Internal ISMS Audits
7. Management Review of the ISMS
8. ISMS Improvement


· Annex A: Control Objectives and Controls
· Annex B: OECD Principles and ISO/IEC 27001
· Annex C: Correspondence between ISO9001:2000, ISO14001:2004 and ISO/IEC 27001
· Bibliography


CHAPTER 7: OVERVIEW OF ISO/IEC 27002:2005

This standard’s title is ‘Information Technology – Security Techniques – Code of Practice for information security management’. Published in July 2005, it replaced ISO/IEC 17799:2000. In the United Kingdom it is dual-numbered BS7799-1:2005.

It is a code of practice, not a specification. It uses words like ‘should’ and ‘may’: It ‘may serve as a practical guideline for developing organisational security standards and effective security management practices and help build confidence in inter-organisational activities’.8

ISO27002 is nearly three times longer than ISO27001, with 126 pages, 11 of which are introductory material. Some 96 pages deal, in detail, with information security controls. This standard has 15 clauses, as shown below:

· Foreword
0. Introduction
1. Scope
2. Terms and Definitions
3. Structure of the Standard
4. Risk Assessment and Treatment
5. Security Policy
6. Organisation of Information Security
7. Asset Management

8 ISO/IEC 27002:2005, 1: Scope; added emphasis.


8. Human Resources Security
9. Physical and Environmental Security
10. Communications and Operations Management
11. Access Control
12. Information Systems Acquisition, Development and Maintenance
13. Information Security Incident Management
14. Business Continuity Management
15. Compliance
· Bibliography
· Index

The eleven clauses numbered from five to fifteen contain the controls that are specified in Annex A of ISO27001. These clauses collectively contain 39 security categories. The numbering of the controls is exactly the same in both standards. There is no significance to the order of the clauses; ‘depending on the circumstances, all clauses could be important’.9

The security categories

Each security category contains:

· a control objective, stating what has to be achieved

· one or more controls that can be deployed to achieve that stated objective.

Each control within each security category is laid out in exactly the same way. There is:

9 ISO/IEC 27002:2005, note to Clause 3.1.


· a control statement, which describes (in the context of the control objective) what the control is for;

· implementation guidance, which is detailed guidance which may (or may not) help individual organisations implement the control;

· other information that needs to be considered, including reference to other standards.


CHAPTER 8: DOCUMENTATION AND RECORDS

One of the key reasons for designing and implementing a management system is to enable the organisation to move beyond what is known, in the terms of the capability maturity model, as an ‘ad hoc’ organisation. An ad hoc organisation is one that has ‘no fixed processes, or procedures, results depend very much on individual performance, and a lot of people’s time is spent on “firefighting”, fixing bugs in software, and resolving incidents’.10

ISO9001:2000 is a well-known and widely implemented quality assurance or business process management system. If the organisation does not already have an existing ISO9001 certified management system and needs guidance on the documentation, document control and records issues covered by Clause 4.3 of ISO27001, then it should obtain and use the guidance in any current manual on the implementation of ISO9001.

Note that the ISO27001 specifications for document control (4.3.2) and record control (4.3.3) mirror those contained in ISO9001:2000, where they are numbered 4.2.3 and 4.2.4 respectively.

Document control requirements

ISO27001 explicitly requires the management system to be documented. Control A.10.1.1 (documented operating procedures) explicitly requires operating procedures to be documented, maintained and made available to all users who need them. Other explicit documentation requirements in Annex A include:

10 IT Service CMM: A Pocket Guide, van Haren, 2004, page 24.

· A.7.1.3: acceptable use of assets;
· A.8.1.1: documented roles and responsibilities for human resources security;
· A.11.1.1: access control policy;
· A.15.1.1: identification of applicable legislation.

Many of the other controls require ‘formal’ procedures or ‘clear’ communication; while these could technically be achieved without being documented, the expectation is that all processes and procedures will be.

Contents of the ISMS documentation

Documentation has to be complete, comprehensive, in line with the requirements of the standard and tailored to suit the needs of individual organisations. The ISMS must be fully documented. ISO27001 describes the minimum documentation that should be included in the ISMS.

Not every organisation has to implement an equally complex documentation structure. The standard notes that ‘the extent of the ISMS documentation can differ from one organisation to another owing to the size of the organisation and the type of its activities and the scope and complexity of the security requirements and the system being managed.’11

Record control

The standard’s requirements around record-keeping and control will be familiar to anyone who already works with ISO9001. Records have to be kept, as required by Clause 4.3.3, to provide evidence that the ISMS conforms to the requirements of the standard. There are other records that the organisation has to keep in the ordinary course of its business and these will be subject to a variety of legislative and regulatory retention periods. Records that provide evidence of the effectiveness of the ISMS are of a different nature from those records that the ISMS exists to protect, but, nevertheless, these records must themselves be controlled and must remain legible, readily identifiable and retrievable. This means that, particularly for electronic records, a means of accessing them must be retained even after hardware and software have been upgraded.

Annex A document controls

There are further document-related controls in Annex A that should be included in the document control aspects of the ISMS. They are all important controls in their own right. These controls are:

· A.7.2.1: classification guidelines, which deal with confidentiality levels
· A.7.2.2: information labelling and handling, which deals with how confidentiality levels are marked on information and information media
· A.15.1.3: protection of organisational records, which deals with document retention
· A.15.1.4: data protection and privacy of personal information.

11 ISO/IEC 27001:2005, 4.3.1, note 2.


CHAPTER 9: MANAGEMENT RESPONSIBILITY

Implementation of an ISMS is something that ISO27001 recognises will affect the whole organisation. The requirements around scoping and the policy statement are explicit that there needs to be a documented justification for any exclusion from the scope, and that the policy should apply across the organisation.

ISO27001 is also clear that the ISMS should be designed to meet the needs of the organisation, and should be implemented and managed in a way that meets – and continues to meet – those needs.

Management direction

ISO27001 contains a requirement that management ‘should communicate to the organisation the importance of meeting information security objectives and conforming to the information security policy’.12 These requirements have grown stronger in successive versions of the ISMS standard as it has become ever clearer that designing and establishing an ISMS is difficult without such management support and direction.

The strategic nature of an ISMS is explicitly recognised in Clause 4.1 of the standard, which states the requirement that the organisation ‘shall establish, implement, operate, monitor, review, maintain, and improve a documented ISMS within the context of the organisation’s overall business activities and the risks they face’.

12 ISO/IEC 27001:2005, 5.1.d.

Management’s responsibility is so important that the whole of Clause 5 is devoted to setting out in detail the requirement that management ‘shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS’.

Management-related controls

There are a number of controls in Annex A that specify management involvement and are linked to Section 5 of ISO27001. These, numbered as they appear in Annex A, are as follows:

· A.5.1.1: information security policy document
· A.6.1.1: management commitment to information security
· A.6.1.4: authorisation process for information processing facilities
· A.10.1.3: segregation of duties
· A.11.2.4: review of user access rights
· A.15.1.2: compliance with security policies and standards.

Requirement for management review

In addition to the control requirements, the standard mandates, at Section 7 (management review of the ISMS), that management, at planned intervals, must ‘review the organisation’s ISMS … to ensure its continuing suitability, adequacy and effectiveness’.13 This section defines clearly the required input to the (at least annual) review process; it includes the output from the organisation’s monitoring and review activity.

The output from the management review should be documented, and should also be implemented; it should lead to steady, ongoing and continuous improvement of the ISMS. An ISO27001-certificated ISMS will be subject to regular surveillance audits by the certification body during the currency of the certificate; these audits will focus on how the organisation and its management have driven the continuous improvement process.

13 ISO/IEC 27001:2005, 7.1.


CHAPTER 10: PROCESS APPROACH AND THE PDCA CYCLE

The PDCA model or cycle is the Plan–Do–Check–Act cycle that was popularised in the 1950s by W. Edwards Deming, building on Walter Shewhart’s earlier work. It states that business processes should be treated as though they are in a continuous feedback loop so that managers can identify and change those parts of the process that need improvement. The process, or an improvement to the process, should first be planned, then implemented and its performance measured, then the measurements should be checked against the planned specification, and any deviations or potential improvements identified and reported to management for a decision about what action to take.

PDCA and ISO27001

ISO27001 identifies this model in Clause 0.2 and describes how to apply it in an information security environment. ISO27001 ‘adopts the PDCA process model, which is applied to structure all ISMS processes’.14

Application of the PDCA cycle to a process approach means that, following the basic principles of process design, there need to be both inputs to and outputs from the process. An ISMS takes as its input ‘the information security requirements and expectations of the interested parties and through the necessary actions and processes produces information security outcomes that meet those requirements and expectations’.15

14 ISO/IEC 27001:2005, 0.2 Process approach.

The PDCA cycle and the clauses of ISO27001

The correspondence between the PDCA cycle and the stages identified in the standard for the development of the ISMS is as set out below.

Plan (establish the ISMS, Clause 4.2.1):

· define the scope of the ISMS
· define the information security policy
· define a systematic approach to risk assessment
· carry out a risk assessment to identify, within the context of the policy and ISMS scope, the important information assets of the organisation and the risks to them
· assess the risks
· identify and evaluate options for the treatment of these risks
· select, for each risk treatment decision, the control objectives and controls to be implemented
· prepare a statement of applicability (SoA).

Do (implement and operate the ISMS, Clause 4.2.2):

· formulate the risk treatment plan and its documentation, including planned processes and detailed procedures

15 Ibid.


· implement the risk treatment plan and planned controls
· provide appropriate training for affected staff, as well as awareness programmes
· manage operations and resources in line with the ISMS
· implement procedures that enable prompt detection of, and response to, security incidents.

Check (monitor and review the ISMS, Clause 4.2.3):

· the ‘check’ stage has, essentially, only one step (or set of steps): monitoring, reviewing, testing and audit
· monitoring, reviewing, testing and audit is an ongoing process that has to cover the whole system.

Act (maintain and improve the ISMS, Clause 4.2.4):

· testing and audit outcomes should be reviewed by management, as should the ISMS in the light of the changing risk environment, technology or other circumstances; improvements to the ISMS should be identified, documented and implemented
· thereafter, it will be subject to ongoing review, further testing and improvement implementation, a process known as ‘continuous improvement’.


CHAPTER 11: POLICY AND SCOPE

The first planning step is the scoping exercise.

The scoping requirement is contained in Clause 4.2.1.a) of ISO27001. The requirement is that the organisation will ‘define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organisation, its location, assets, technology, and including details of and justification for any exclusions from the scope’.

References to ‘business’ anywhere in the standard ‘should be interpreted broadly to mean those activities that are core to the purposes of the organisation’s existence’.

The scoping exercise

A scoping exercise should determine what is within, and what is outside, the ISMS. The ISMS will, in effect, erect a barrier between everything that is inside its perimeter and everything that is outside it. The development of the ISMS will require every point at which there is contact between the outside and the inside to be treated as a potential risk point, requiring specific and appropriate treatment.

Assets, like processes, cannot be half-in and half-out of the ISMS; they are either wholly in or wholly out.


Legal and regulatory framework

The legal and regulatory framework (4.2.1.b.2) also creates a specific perspective on the scoping of the ISMS. Clearly, information and information management processes that are all within the scope of any one single regulation, or other legal requirement, must all be within the scope of the ISMS.

Policy definition

The second planning step required by ISO27001 is policy definition.

Clause 4.2.1.b requires the organisation to define an information security policy. This requirement is also contained in the first control in Annex A, control number A.5.1.1. This is the first of many clauses in ISO27001 that are supported by the guidance and best practice of ISO27002. Clause 5.1.1 of ISO27002 expands on the similarly numbered Annex A requirement and matches the specification contained in Clause 4.2.1.b of ISO27001. The control objective served by the issue of a policy document is that it provides ‘management direction and support for information security in accordance with business requirements and relevant laws and regulations’.16

Policy and business objectives

Clause 5.1.1 goes on to state that the policy document should set a ‘clear policy direction in line with business objectives’. The standard’s perspective is that a successful and useful ISMS will be one that does not undermine or block business activity. The significant risk in implementing systems that block business activity, that are not (in the language of the standard) in line with business objectives, is that people inside the business will ignore or bypass the ISMS controls.

16 ISO/IEC 27002:2005, 5.1.

The information security policy must be signed off by senior management and made available as appropriate to anyone who needs it.


CHAPTER 12: RISK ASSESSMENT

The next planning step is the information security risk assessment. Risk assessment is dealt with in clauses 4.2.1.c to 4.2.1.g of ISO27001, supported by the guidance of ISO27002 Clause 4.

This is the second area in which the two standards are directly complementary. While ISO27001 specifies the risk assessment steps that must be followed, ISO27002 provides further guidance, in its Clause 4, on the risk assessment process, but deliberately does not provide detailed guidance on how the individual assessment itself is to be conducted. This is because every organisation is encouraged to choose the approach which is most applicable to its industry, complexity and risk environment.

Link to ISO/IEC 27005

ISO27005 has been published more recently than ISO27002. It is a guidance standard that provides detailed and extensive guidance on how to carry out the risk assessment that is mandated by ISO27001. While the risk assessment must be carried out in line with the requirements of ISO27001, the guidance of ISO27005 can be drawn on in developing the detailed risk assessment methodology.

Objectives of risk treatment plans

ISO27002 states that risk treatment plans have four linked objectives. These are to

· eliminate risks (terminate them),
· reduce those that cannot be eliminated to ‘acceptable’ levels (treat them),
· tolerate them, exercising carefully the controls that keep them ‘acceptable’, or
· transfer them, by means of contract or insurance, to some other organisation.

ISO27001 requires management (in Clause 5.1.f) to ‘decide the criteria for accepting risks and for acceptable risk levels’. The process adopted by management to make these decisions must fit ‘within the context of the organisation’s overall business activities and the risks they face’.17

A risk treatment plan can only be drawn up once the risks have been identified, analysed and assessed. The risk assessment process should be designed to operate within the organisation’s overall risk treatment framework (if there is one) and should follow the specific requirements of ISO27001.

Risk assessment process

ISO27001 sets out six steps that must be followed in carrying out a risk assessment:

· identify the assets within the scope of the ISMS
· identify threats to the confidentiality, availability and integrity of those assets
· identify the vulnerabilities those threats could exploit
· assess the possible impacts of those threats
· assess the likelihood of those events occurring
· evaluate the risk.

17 ISO/IEC 27001:2005, 4.1: General requirements.

Assets within the scope (4.2.1.d.1)

Identify all the information assets (including information systems) within the scope (4.2.1.a) of the ISMS and, at the same time, document which individual and/or department ‘owns’ the asset. The key components of this exercise are:

· identifying the boundaries (physical and logical) of what is to be protected
· identifying all the systems necessary for the reception, storage, manipulation and transmission of information or data within those boundaries and the information assets within those systems
· identifying the relationships between these systems, the information assets and the organisational objectives and tasks
· identifying the systems and information assets that are critical to the achievement of these organisational objectives and tasks and, if possible, ranking them in order of priority.

Security category A.7.1 (responsibility for assets) is the part of Annex A that deals with the asset inventory. The ISO27002 guidance for it identifies clearly the classes or types of information asset that should be considered, and recommends that the information security classification of the asset be determined at this stage (security category A.7.2 says that information should be appropriately classified).


Asset owners

At the same time as identifying the assets that are within the scope of the ISMS, the ‘owners’ of those assets must (4.2.1.d.1) be identified. ISO27001 defines ‘owner’ as the ‘individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets’.18 Every asset must have an owner (control requirement A.7.1.2 – ownership of assets). The owner of the asset is the person – or part of the business – that is responsible for appropriate classification and protection of the asset.

Threats (4.2.1.d.2)

Threats are things that can go wrong or that can ‘attack’ the identified assets. They can be either external or internal. ISO27001 requires the ISMS to be based on the foundation of a detailed identification and assessment of the threats to each individual information asset that is within the scope.

Vulnerabilities (4.2.1.d.3)

These leave a system open to attack by something that is classified as a threat or allow an attack to have some success or greater impact. A vulnerability can be exploited by a threat. Identify – for every identified asset, and for each of the threats listed alongside each of the assets – the vulnerabilities that each threat could exploit.

18 ISO/IEC 27001:2005, footnote 2.


Impacts (4.2.1.d.4)

The successful exploitation of a vulnerability by a threat will have an impact on the asset’s availability, confidentiality or integrity. These impacts should all be identified and, wherever possible, assigned a value. ISO27001 is clear that these impacts should be assessed under each of these three headings; a single threat, therefore, could exploit more than one vulnerability and each exploitation could have more than one type of impact.

The standard’s requirement is to assess the extent of the possible loss to the business for each potential impact. One object of this exercise is to prioritise treatment (controls) and to do so in the context of the organisation’s acceptable risk threshold; it is acceptable to categorise possible loss rather than attempt to calculate it exactly.

Risk assessment (4.2.1.e)

Risk assessment involves identifying the potential business harm that might result from each of the identified risks.

Likelihood

There must be an assessment of the likelihood or probability of the identified impact actually occurring. Probabilities might range from ‘not very likely’ (e.g. a major earthquake in southern England destroying primary and backup facilities) to ‘almost daily’ (e.g. several thousand automated malware and hack attacks against the network).


Calculate the risk level

Finally, assess the risk level for each impact. Every organisation has to decide for itself what it wants to set as the thresholds for categorising each potential impact.

Risk treatment plan

Clause 4.2.2.a of ISO27001 (supported by Clause 4.2 of ISO27002) requires the organisation to ‘formulate a risk treatment plan that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks’. This also specifically cross-refers to Clause 5, a substantial clause dealing in detail with management responsibility. The risk treatment plan must be documented. It should be set within the context of the organisation’s information security policy and it should clearly identify the organisation’s approach to risk and its criteria for accepting risk. These criteria should, where a risk treatment framework already exists, be consistent with the requirements of ISO27001.
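The six-step assessment and the treatment decisions described in this chapter, carried through end to end as an added worked example in Python. This is illustration added here, not text or code from the pocket guide or from ISO/IEC 27001 itself: the asset register, the threats and vulnerabilities, the 1 to 5 impact and likelihood scales, the acceptance threshold of 6 and the Annex A control attached to each risk are all constructed assumptions. The control numbers are real ISO/IEC 27001:2005 Annex A references, used only to show how a treatment decision points at the control that the statement of applicability will later have to justify.

```python
"""Qualitative risk assessment and risk treatment plan in the ISO27001:2005
4.2.1 d) to g) sequence. Added example; scales, threshold, sample register
and control mapping are assumptions, not the standard's own figures."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed management criterion under Clause 5.1.f: a risk level of 6 or
# below is acceptable. A real organisation sets its own threshold.
ACCEPTABLE_RISK = 6


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str      # 4.2.1.d.1 / A.7.1.2: every asset has a named owner
    impact_c: int   # business impact if confidentiality is lost, 1 (low) .. 5 (severe)
    impact_i: int   # ... if integrity is lost
    impact_a: int   # ... if availability is lost


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str                       # 4.2.1.d.2
    vulnerability: str                # 4.2.1.d.3: what the threat exploits
    affects: Tuple[str, ...]          # which of C, I, A the exploitation damages (4.2.1.d.4)
    likelihood: int                   # 4.2.1.e.2: 1 (rare) .. 5 (almost daily)
    control: Optional[str] = None     # candidate Annex A control (illustrative mapping)
    likelihood_if_controlled: int = 0 # assumed likelihood once that control is operating


def risk_level(asset: Asset, risk: Risk, likelihood: int) -> int:
    """4.2.1.e.3: impact x likelihood per affected dimension; the level
    recorded for the risk is the worst of the affected dimensions."""
    impact = {"C": asset.impact_c, "I": asset.impact_i, "A": asset.impact_a}
    return max(impact[d] * likelihood for d in risk.affects)


def treatment_decision(inherent: int, residual: Optional[int]) -> str:
    """4.2.1.f: tolerate what is already acceptable; treat what a control
    brings within the threshold; refer the rest to management, where the
    choice is terminate, transfer or formal acceptance (4.2.1.h)."""
    if inherent <= ACCEPTABLE_RISK:
        return "tolerate"
    if residual is not None and residual <= ACCEPTABLE_RISK:
        return "treat"
    return "refer"


def risk_treatment_plan(assets: List[Asset], risks: List[Risk]) -> List[dict]:
    """4.2.2.a: one row per asset/threat/vulnerability, ordered with the
    highest inherent risk first so priorities follow the assessment."""
    by_name = {a.name: a for a in assets}
    rows = []
    for r in risks:
        a = by_name[r.asset]
        inherent = risk_level(a, r, r.likelihood)
        residual = risk_level(a, r, r.likelihood_if_controlled) if r.control else None
        rows.append({"asset": a.name, "owner": a.owner, "threat": r.threat,
                     "vulnerability": r.vulnerability, "inherent": inherent,
                     "control": r.control, "residual": residual,
                     "decision": treatment_decision(inherent, residual)})
    rows.sort(key=lambda row: row["inherent"], reverse=True)
    return rows


def unresolved_risks(plan: List[dict]) -> List[dict]:
    """Rows still above the threshold after the proposed control: a control
    alone does not close them, so they need an explicit management decision."""
    return [row for row in plan if row["decision"] == "refer"]


# Constructed sample register for the example (not real data).
SAMPLE_ASSETS = [
    Asset("customer database", "Head of Sales", impact_c=5, impact_i=4, impact_a=3),
    Asset("public website", "Head of Marketing", impact_c=1, impact_i=3, impact_a=4),
    Asset("primary data centre", "IT Operations Manager", impact_c=3, impact_i=3, impact_a=5),
]
SAMPLE_RISKS = [
    Risk("customer database", "access by a former employee", "accounts not removed on leaving",
         ("C",), likelihood=3, control="A.11.2.4 review of user access rights",
         likelihood_if_controlled=1),
    Risk("public website", "automated attacks on the web server", "known flaw left unpatched",
         ("I", "A"), likelihood=5, control="A.12.6.1 control of technical vulnerabilities",
         likelihood_if_controlled=2),
    Risk("customer database", "theft of backup tapes in transit", "tapes not encrypted",
         ("C",), likelihood=2, control="A.10.8.3 physical media in transit",
         likelihood_if_controlled=1),
    Risk("primary data centre", "major earthquake", "single site, no alternate facility",
         ("A",), likelihood=1),
]

if __name__ == "__main__":
    for row in risk_treatment_plan(SAMPLE_ASSETS, SAMPLE_RISKS):
        print(f"{row['inherent']:>2} -> {str(row['residual']):>4}  {row['decision']:<8} "
              f"{row['asset']}: {row['threat']} [{row['control'] or 'no control proposed'}]")
```

Running the file prints the plan in priority order. The threshold is doing the work the chapter describes: the web server risk stays at 8 even with its control, so the code does not quietly mark it treated; it flags it for the management decision that Clause 4.2.1.h requires, which is the point at which terminate or transfer come into play. The earthquake risk is tolerated not because it is harmless but because its likelihood keeps the level within the accepted criteria, which is exactly the judgement management is asked to own.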


CHAPTER 13: THE STATEMENT OF APPLICABILITY (SOA)

While the statement of applicability is central to an ISMS and to accredited certification of the ISMS (it is the document from which an auditor will begin the process of confirming whether or not appropriate controls are in place and operative), it can really only be prepared once the risk assessment has been completed and the risk treatment plan documented.

The statement of applicability is a statement as to which of the controls identified in Annex A to ISO27001 are applicable to the organisation, and which are not. It can also contain additional controls selected from other sources.

SoA and external parties

The SoA must be reviewed on a defined, regular basis. It is the document that is used to demonstrate to third parties the degree of security that has been implemented and is usually referred to, with its issue status, in the certificate of compliance issued by third-party certification bodies.

Controls and Annex A

Clause 4.2.1.g of ISO27001 requires the organisation to select appropriate control objectives and controls from those specified in Annex A and requires the selection (and exclusion) of controls to be justified. However, it states that additional controls may also be selected from other sources.

ISO27002 provides good practice on the purpose and implementation of each of the controls listed in Annex A. There are, however, some areas in which organisations may need to go further than is specified in ISO27002; the extent to which this may be necessary is driven by the degree to which technology and threats have evolved since the finalisation of ISO27002.

Controls (4.2.1.f.1)

Controls are the countermeasures for vulnerabilities. The formal ISO27002 definition of a control is a ‘means of managing risk, including policies, procedures, guidelines, practices or organisational structures, which can be of an administrative, technical, management, or legal nature. Control is also used as a synonym for safeguard or countermeasure’.

Apart from knowingly accepting risks that fall within whatever criteria of acceptability the organisation has adopted in its risk treatment plan, transferring the risk (through contract or insurance), or avoiding the activity that gives rise to it, the organisation can decide to implement a control to reduce the risk.

Residual risks

It is not possible or practical to provide total security against every single risk, but it is possible to provide effective security against most risks by controlling them to a level where the residual risk is acceptable to management. Management must formally accept the residual risk (Clause 4.2.1.h).

Risks can and do change, however, so the process of reviewing and assessing risks and controls is an essential, ongoing one (Clause 4.2.3).

Control objectives

Controls are selected in the light of a control objective. A control objective is a statement of an organisation’s intent to control some part of its processes or assets and what it intends to achieve through application of the control. One control objective may be served by a number of controls.

Annex A of ISO27001 identifies appropriate control objectives, and lists the controls, for each of the control objectives, which at a minimum serve those objectives. The organisation must select its control objectives from Annex A in the light of its risk assessment, and then ensure that the controls it chooses to implement (whether from the annex or from additional sources) will enable it to achieve the identified objective.

Plan for security incidents

It is important that, when considering controls, the likely security incidents that may need to be detected are identified, considered and planned for. Clause 4.2.2.h of the standard requires the implementation of controls that will enable ‘prompt detection of and response to security incidents’.

The process of selecting individual controls from those listed in the standard’s Annex A should include consideration of what evidence will be required, and what measurements of effectiveness (4.2.2.d) will be made to demonstrate:

· that the control has been implemented and is working effectively
· that each risk has, thereby, been reduced to an acceptable level, as required by Clause 4.2.1 of the standard.

Controls must be constructed in such a manner that any error, or failure during execution, is capable of prompt detection and that planned corrective action, whether automated or manual, is effective in reducing to an acceptable level the risk of whatever may happen next.


CHAPTER 14: IMPLEMENTATION

Implementation of the ISMS involves the following five tasks:

· Implement the risk treatment plan and the controls identified in the SoA (4.2.2.b and c).

· Define how to measure and assess the effectiveness of all the controls (4.2.2.d).

· Implement training and awareness programmes (4.2.2.e), which links to Control A.8.2.2 – information security awareness, education and training.

· Manage the ISMS (4.2.2.f and g). All the interlocking controls and processes must be kept working, and new threats identified, evaluated and, if necessary, neutralised. People must be recruited and trained, their performance supervised, and their skills developed in line with the changing needs of the business.

· Implement an incident detection and response procedure (4.2.2.h), which links to Clause 13 of Annex A, information security incident management. This clause contains two control objectives and five controls that differentiate between an event and an incident and define how the response should be managed.


CHAPTER 15: CHECK AND ACT

Clause 4.2.3 of the standard is all about monitoring and review. It contains the requirement for management to be actively involved in the long-term management of the ISMS while recognising the reality that the information security threat environment changes even more quickly than the business environment. This clause deals, broadly, with three types of activity: monitoring, auditing and reviewing.

Monitoring

The purpose of monitoring activity is primarily to detect processing errors and information security events quickly so that immediate corrective action can be taken. Monitoring should be formal, systematic and widespread. Security category A.10.10 (monitoring) contains controls that are specifically related to monitoring IT activity and these are linked to this part of ISO27001. Control area A.13, information security incident management, also recognises that the organisation must monitor for deviations and incidents, respond to them and learn from them.

Auditing

Audits should be planned to ensure that the controls documented in the SoA are effective and are being applied, and to identify non-conformances and opportunities for improvement. Control objective A.15.2 (compliance with security policies and standards, and technical compliance checking) deals specifically with this issue and mandates regular, planned compliance reviews at both the process and the technical levels. Control objective A.15.3 deals with the security requirements for audit tools. The audit requirement is described in more depth in Clause 6 of ISO27001, which lays out two important aspects of the process:

· the audit programme ‘shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits’;19

· ‘the management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected non-conformities and their causes’.20

Management at all levels of the organisation has a role to play in the effective implementation, maintenance and improvement of the ISMS. This must be taken into account in managerial and supervisory job descriptions, employment contracts, induction and other training, and performance reviews.

Reviewing

Reviews of internal and external audit policies, performance reports, exception reports, risk assessment reports and all the associated policies and procedures are undertaken to ensure that the ISMS is continuing to be effective within its changing context.

19 ISO/IEC 27001:2005, Clause 6.
20 Ibid.


The Annex A controls that are directly relevant to this stage of the ISMS PDCA cycle are:

· A.5.1.2: review of the information security policy

· A.6.1.8: independent review of information security

· A.10.2.2: monitoring and review of third-party services

· A.10.10: ‘monitoring’ itself as a single control objective that is related, obviously, to monitoring, and which contains six controls

· A.11.2.4: review of user access rights

· A.12.2: correct processing in applications, a control objective that in effect deals with monitoring application use and data processing

· A.13.2.2: learning from information security incidents

· A.14.1.5: testing, maintaining and reassessing business continuity plans.

All these controls must be addressed in this third phase of the ISMS development and implementation. The findings and outcomes of monitoring and reporting activities must be translated into corrective or improvement action and, for the purposes of the ISMS, the audit trail that demonstrates the decision-making process and the implementation of those decisions should be retained in the ISMS records.

Act – maintain and improve the ISMS

This is a short section, and it reflects the relative brevity of the requirements of section 4.2.4 of ISO27001. This clause sets out the requirement that everything learned through monitoring and reviewing activities should be implemented. It also links to Section 8 of the standard, whose three clauses (8.1, continual improvement; 8.2, corrective action; and 8.3, preventive action) specify the nature and purpose of the activity that must be part and parcel of the daily actions of everyone involved in the day-to-day management of the ISMS.


CHAPTER 16: MANAGEMENT REVIEW

Section 7 of ISO27001 (and Control A.5.1.2), which deals with management review of the ISMS, stresses that the management review should take into account the ‘status of preventive and corrective actions’,21 as well as any changes anywhere or to anything that might affect the ISMS, and recommendations for improvement.

It should be noted that corrective and preventive action should be prioritised on the basis of a risk assessment.22

ISO27001 calls, at Control A.6.1.8, for an ‘independent review of information security’, which should take place at planned intervals (or whenever there have been significant changes), and should be comprehensive (‘control objectives, controls, policies, processes, and procedures’). Third-party certification would meet this control requirement.

Assessing and evaluating risks is a core competence required in any organisation that is serious about achieving and maintaining ISO27001 accredited certification. The final sentence of the standard, which makes the point that the prevention ‘of non-conformities is often more cost-effective than corrective action’, sums up the risk-based, cost-effective, common-sense approach of the standard.

21 ISO/IEC 27001:2005, 7.2.d.
22 ISO/IEC 27001:2005, 8.3.


CHAPTER 17: ISO27001 ANNEX A

ISO/IEC 27001:2005 Annex A has 11 major clauses or control areas numbered from A.5 to A.15, each of which identifies one or more control objectives. Each control objective is served by one or more controls. Every control is sequentially numbered.

There are, in total, 133 controls (subclauses), each of which has an alphanumeric clause number.

Annex A is aligned with ISO27002; this means that precisely the same control objectives, controls, clause numbering and wording are used in both Annex A and in ISO27002. Note the clear statement that ‘the lists in these tables are not exhaustive and an organisation may consider that additional control objectives and controls are necessary’.23 The 11 control clauses of Annex A (it does not have Clauses 1–4) all start with an A and are listed below.

· A5: security policy

· A6: organising information security

· A7: asset management

· A8: human resources security

· A9: physical and environmental security

· A10: communications and operations management

· A11: access control

23 ISO/IEC 27001:2005, Annex A, Introduction.


· A12: information systems acquisition, development and maintenance

· A13: information security incident management

· A14: business continuity management

· A15: compliance.

Annex A control areas and controls

Each of the clauses of Annex A deals with one or more security categories, and each security category has a control objective and one or more controls that will serve to secure that objective. The clauses, security categories, control objectives and control names are set out below; the detailed control requirements are contained in the standard, and this should be acquired and studied.

Clause A5: security policy

5.1 Information security policy: to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations

5.1.1 Information security policy document

5.1.2 Review of the information security policy

Clause A6: information security organisation

6.1 Internal organisation: to manage information security within the organisation


6.1.1 Management commitment to information security

6.1.2 Information security co-ordination

6.1.3 Allocation of information security responsibilities

6.1.4 Authorisation process for information processing facilities

6.1.5 Confidentiality agreements

6.1.6 Contact with authorities

6.1.7 Contact with special interest groups

6.1.8 Independent review of information security

6.2 External parties: to maintain the security of organisational information processing facilities and information assets accessed, processed, communicated to or managed by external parties

6.2.1 Identification of risks related to external parties

6.2.2 Addressing security when dealing with customers

6.2.3 Addressing security in third-party agreements

Clause A7: Asset management

7.1 Responsibility for assets: to achieve and maintain appropriate protection of organisational assets


7.1.1 Inventory of assets

7.1.2 Ownership of assets

7.1.3 Acceptable use of assets

7.2 Information classification: to ensure that information assets receive an appropriate level of protection

7.2.1 Classification guidelines

7.2.2 Information labelling and handling

Clause A8: Human resources security

8.1 Before employment: to ensure that all employees, contractors and third-party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities

8.1.1 Roles and responsibilities

8.1.2 Screening

8.1.3 Terms and conditions of employment

8.2 During employment: to ensure that all employees, contractors and third-party users are aware of information security threats and concerns, and of their responsibilities and liabilities, and are equipped to support organisational security policy in the course of their normal work, and to reduce the risk of human error

8.2.1 Management responsibilities


8.2.2 Information security awareness, education and training

8.2.3 Disciplinary process

8.3 Termination or change of employment: to ensure that employees, contractors and third-party users exit an organisation or change employment in an orderly manner

8.3.1 Termination responsibilities

8.3.2 Return of assets

8.3.3 Removal of access rights

Clause A9: Physical and environmental security

9.1 Secure areas: to prevent unauthorised physical access, damage and interference to the organisation’s premises and information

9.1.1 Physical security perimeter

9.1.2 Physical entry controls

9.1.3 Securing offices, rooms and facilities

9.1.4 Protecting against external and environmental threats

9.1.5 Working in secure areas

9.1.6 Public access, delivery and loading areas

9.2 Equipment security: to prevent loss, damage, theft or compromise of assets and interruption to the organisation’s activities


9.2.1 Equipment siting and protection

9.2.2 Supporting utilities

9.2.3 Cabling security

9.2.4 Equipment maintenance

9.2.5 Security of equipment off-premises

9.2.6 Secure disposal or reuse of equipment

9.2.7 Removal of property

Clause A10: Communications and operations management

10.1 Operational procedures and responsibilities: to ensure the correct and secure operation of information processing facilities

10.1.1 Documented operating procedures

10.1.2 Change management

10.1.3 Segregation of duties

10.1.4 Separation of development, test and operational facilities

10.2 Third-party service delivery management: to implement and maintain the appropriate level of information security and service delivery in line with third-party service delivery agreements

10.2.1 Service delivery

10.2.2 Monitoring and review of third-party services


10.2.3 Managing changes to third-party services

10.3 System planning and acceptance: to minimise the risks of systems failures

10.3.1 Capacity planning

10.3.2 System acceptance

10.4 Protection against malicious and mobile code: to protect the integrity of software and information

10.4.1 Controls against malicious code

10.4.2 Controls against mobile code

10.5 Back-up: to maintain the integrity and availability of information and information processing facilities

10.5.1 Information back-up

10.6 Network security management: to ensure the safeguarding of information in networks and the protection of the supporting infrastructure

10.6.1 Network controls

10.6.2 Security of network services

10.7 Media handling: to prevent the unauthorised disclosure, modification, removal or destruction of assets and interruption to business activities

10.7.1 Management of removable computer media

10.7.2 Disposal of media


10.7.3 Information handling procedures

10.7.4 Security of system documentation

10.8 Exchanges of information: to maintain the security of information exchanged within an organisation and with any external entity

10.8.1 Information exchange policies and procedures

10.8.2 Exchange agreements

10.8.3 Physical media in transit

10.8.4 Electronic messaging

10.8.5 Business information systems

10.9 Electronic commerce services: to ensure the security of electronic commerce services, and their secure use

10.9.1 Electronic commerce

10.9.2 Online transactions

10.9.3 Publicly available systems

10.10 Monitoring: to detect unauthorised activities

10.10.1 Audit logging

10.10.2 Monitoring system use

10.10.3 Protection of log information

10.10.4 Administrator and operator logs

10.10.5 Fault logging

10.10.6 Clock synchronisation


Clause A11: Access control

11.1 Business requirement for access control: to control access to information

11.1.1 Access control policy

11.2 User access management: to ensure authorised users’ access and to prevent unauthorised access to information systems

11.2.1 User registration

11.2.2 Privilege management

11.2.3 User password management

11.2.4 Review of user access rights

11.3 User responsibilities: to prevent unauthorised user access and compromise or theft of information and information processing facilities

11.3.1 Password use

11.3.2 Unattended user equipment

11.3.3 Clear-desk and clear-screen policy

11.4 Network access control: to protect networked services from unauthorised access

11.4.1 Policy on use of network services

11.4.2 User authentication for external connections

11.4.3 Equipment identification in the network


11.4.4 Remote diagnostic and configuration port protection

11.4.5 Segregation in networks

11.4.6 Network connection control

11.4.7 Network routing control

11.5 Operating system access control: to prevent unauthorised access to information systems

11.5.1 Secure logon procedures

11.5.2 User identification and authentication

11.5.3 Password management system

11.5.4 Use of system utilities

11.5.5 Session timeout

11.5.6 Limitation of connection time

11.6 Application and information access control: to prevent unauthorised access to information held in information systems

11.6.1 Information access restriction

11.6.2 Sensitive system isolation

11.7 Mobile computing and teleworking: to ensure information security when using mobile computing and teleworking facilities

11.7.1 Mobile computing and communications

11.7.2 Teleworking


Clause A12: Information systems acquisition, development and maintenance

12.1 Security requirements of information systems: to ensure that security is an integral part of information systems

12.1.1 Security requirements analysis and specification

12.2 Correct processing in applications: to prevent errors, loss, unauthorised modification or misuse of information in applications

12.2.1 Input data validation

12.2.2 Control of internal processing

12.2.3 Message integrity

12.2.4 Output data validation

12.3 Cryptographic controls: to protect the confidentiality, authenticity or integrity of information by cryptographic means

12.3.1 Policy on the use of cryptographic controls

12.3.2 Key management

12.4 Security of system files: to ensure the security of system files

12.4.1 Control of operational software

12.4.2 Protection of system test data

12.4.3 Access control to program source code


12.5 Security in development and support processes: to maintain the security of application system software and information

12.5.1 Change control procedures

12.5.2 Technical review of applications after operating system changes

12.5.3 Restrictions on changes to software packages

12.5.4 Information leakage

12.5.5 Outsourced software development

12.6 Technical vulnerability management: to prevent damage resulting from exploitation of published vulnerabilities

12.6.1 Control of technical vulnerabilities

Clause A13: Information security incident management

13.1 Reporting information security events and weaknesses: to ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken

13.1.1 Reporting information security events

13.1.2 Reporting security weaknesses

13.2 Management of information security incidents and improvements: to ensure a consistent and effective approach is applied to the management of information security incidents

13.2.1 Responsibilities and procedures

13.2.2 Learning from information security incidents

13.2.3 Collection of evidence

Clause A14: Business continuity management

14.1 Information security aspects of business continuity management: to counteract interruptions to business activities, to protect critical business processes from the effects of major failures or disasters and to ensure their timely resumption

14.1.1 Including information security in the business continuity management process

14.1.2 Business continuity and risk assessment

14.1.3 Developing and implementing continuity plans including information security

14.1.4 Business continuity planning framework

14.1.5 Testing, maintaining and reassessing business continuity plans

Clause A15: Compliance

15.1 Compliance with legal requirements: to avoid breaches of any legal, statutory, regulatory or contractual obligations, and of any security requirements


15.1.1 Identification of applicable legislation

15.1.2 Intellectual property rights (IPR)

15.1.3 Protection of organisational records

15.1.4 Data protection and privacy of personal information

15.1.5 Prevention of misuse of information processing facilities

15.1.6 Regulation of cryptographic controls

15.2 Compliance with security policies and standards and technical compliance: to ensure compliance of systems with organisational security policies and standards

15.2.1 Compliance with security policy and standards

15.2.2 Technical compliance checking

15.3 Information systems audit considerations: to maximise the effectiveness of, and minimise interference with or from, the information systems audit process

15.3.1 Information systems audit controls

15.3.2 Protection of information systems audit tools


ITG RESOURCES

IT Governance Ltd source, create and deliver products and services to meet the real-world, evolving IT governance needs of today’s organisations, directors, managers and practitioners. The ITG website (www.itgovernance.co.uk) is the international one-stop-shop for corporate and IT governance information, advice, guidance, books, tools, training and consultancy.

Copies of all the standards described in this pocket guide can and should be purchased from www.itgovernance.co.uk/standards.aspx.

www.27001.com is the IT Governance Ltd website that deals specifically with information security issues and these information security standards. While it has a specific US orientation, it supports ISO27001 activity around the world. It also has a links page that lists accredited certification bodies and international ISMS user groups.

Pocket Guides

For full details of the entire range of pocket guides, simply follow the links at www.itgovernance.co.uk/publishing.aspx.

Toolkits

ITG’s unique range of toolkits includes the ISO27001 ISMS Toolkit, which contains all the tools and guidance that you will need in order to develop and implement an appropriate ISO27001 ISMS for your organisation. Full details and a free trial can be found at http://www.27001.com/ISMSFreeDemo.aspx.


For a free paper on how to implement ISO27001 in your organisation, there is a free download available on the home page of www.27001.com.

Best Practice Reports

ITG’s new range of Best Practice Reports is now at www.itgovernance.co.uk/best-practice-reports.aspx. These offer you essential, pertinent, expertly researched information on an increasing number of key issues.

Training and Consultancy

IT Governance also offers training and consultancy services across the entire spectrum of disciplines in the information governance arena. Details of training courses can be accessed at www.itgovernance.co.uk/training.aspx and descriptions of our consultancy services can be found at http://www.itgovernance.co.uk/consulting.aspx.

Why not contact us to see how we could help you and your organisation?

Newsletter

IT governance is one of the hottest topics in business today, not least because it is also the fastest moving, so what better way to keep up than by subscribing to ITG’s free monthly newsletter Sentinel? It provides monthly updates and resources across the whole spectrum of IT governance subject matter, including risk management, information security, ITIL and IT service management, project governance, compliance and so much more. Subscribe for your free copy at: www.itgovernance.co.uk/newsletter.aspx.