Following my previous post on what security threats are, let us now take a look at how ISO 27001, the Information Security Management System standard, can help an organization secure and protect its vital information.
What exactly is Information Security Management System?
ISO/IEC 27001 is the international standard that specifies an Information Security Management System (ISMS). The standard:
addresses a suite of activities concerning the management of information risks (called ‘information security risks’ in the standard);
provides an overarching framework through which the organization identifies, analyzes and addresses its information risks;
ensures that the security arrangements are implemented, maintained and continually improved;
is suitable for all industries and all types of organizations;
does not formally mandate or impose specific information security controls, since the controls required vary markedly across the wide range of organizations.
Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information risks.
Furthermore, management may elect to avoid, share or accept information risks rather than mitigate them through controls - a risk treatment decision within the risk management process.
Structure of the Standard
0. Introduction
The standard describes a process for systematically managing information risks.
1. Scope
It specifies generic ISMS requirements suitable for organizations of any type, size or nature.
2. Normative references
Only ISO/IEC 27000 is considered absolutely essential to users of ’27001; the remaining ISO27k standards are optional.
3. Terms and definitions
Terms and definitions used in the standard (see ISO/IEC 27000 for more details).
4. Context of the organization
Understanding the organizational context, the needs and expectations of ‘interested parties’ and defining the scope of the ISMS. Section 4.4 states very plainly that “The organization shall establish, implement, maintain and continually improve” the ISMS.
5. Leadership
Top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
6. Planning
Outlines the process to identify, analyze and plan to treat information risks, and to clarify the objectives of information security.
7. Support
Adequate, competent resources must be assigned, awareness raised, and documentation prepared and controlled.
8. Operation
A bit more detail about assessing and treating information risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
9. Performance evaluation
Monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system, systematically improving things where necessary.
10. Improvement
Address the findings of audits and reviews (e.g. non-conformities and corrective actions) and make continual refinements to the ISMS.
Annex A: Reference control objectives and controls
The annex is ‘normative’, implying that certified organizations are expected to use it as far as the organization's practices and constraints allow, while remaining free to deviate from it or supplement it in order to address their particular information risks.
Annex A alone is hard to interpret, so referring to ISO/IEC 27002 for more useful detail on the implementation of the controls and related guidance is recommended.
Mandatory requirements for certification
ISO/IEC 27001 is a formalized specification for an ISMS with two distinct purposes:
It lays out the design for an ISMS, describing the important parts at a fairly high level;
It can (optionally) be used as the basis for formal compliance assessment by accredited certification auditors in order to certify an organization as compliant.
The following mandatory documentation is explicitly required for certification:
ISMS scope (as per clause 4.3)
Information security policy (clause 5.2)
Information risk assessment process (clause 6.1.2)
Information risk treatment process (clause 6.1.3)
Information security objectives (clause 6.2)
Evidence of the competence of the people working in information security (clause 7.2)
Other ISMS-related documents deemed necessary by the organization (clause 7.5.1b)
Operational planning and control documents (clause 8.1)
The results of the [information] risk assessments (clause 8.2)
The decisions regarding information risk treatment (clause 8.3)
Evidence of the monitoring and measurement of information security (clause 9.1)
The ISMS internal audit program and the results of audits conducted (clause 9.2)
Evidence of top management reviews of the ISMS (clause 9.3)
Evidence of non-conformities identified and corrective actions arising (clause 10.1)
Various others: Annex A mentions but does not fully specify further documentation including the rules for acceptable use of assets, access control policy, operating procedures, confidentiality or non-disclosure agreements, secure system engineering principles, information security policy for supplier relationships, information security incident response procedures, relevant laws, regulations and contractual obligations plus the associated compliance procedures and information security continuity procedures.
However, despite Annex A being normative, organizations are not formally required to adopt and comply with Annex A: they can use other structures and approaches to treat their information risks.
Certification auditors will almost certainly check these fifteen (15) types of documentation to ensure they are present and fit for their intended purpose.
ISMS scope, and Statement of Applicability (SoA)
The purpose of this standard is to drive a company-wide management system, at every level, that deals with information risks in an appropriate and systematic manner; it is the organization's decision to scope the ISMS according to its needs, products, processes and activities.
A documented ISMS scope is one of the mandatory requirements for certification.
Although the “Statement of Applicability” (SoA) is not explicitly defined, it is a mandatory requirement of section 6.1.3.
The SoA refers to the output from the information risk assessments and the resulting decisions, i.e. the controls selected to treat those risks. The SoA may, for instance, take the form of a matrix identifying the various types of information risks on one axis and the risk treatment options on the other, showing in the body how each risk is to be treated, and perhaps who is accountable for it.
The information security control objectives and controls from ISO/IEC 27002 are provided as a checklist at Annex A in order to avoid ‘overlooking necessary controls’: they are not required.
For example, if the management of an organization decides to accept malware risks without implementing conventional antivirus controls, the certification auditors will certainly challenge such a bold assertion; but provided the associated analyses and decisions were sound and justified, the auditor has no good reason to refuse to certify the organization, since antivirus controls are not in fact mandatory.
Metrics
In effect (without actually using the term “metrics”), the 2013 edition of the standard requires the use of metrics on the performance and effectiveness of the organization’s ISMS and information security controls.
Section 9, “Performance evaluation”, requires the organization to determine and implement suitable security metrics but gives only high-level requirements.
ISO/IEC 27004 offers advice on what and how to measure in order to satisfy the requirement.
If you have any queries regarding ISO 27001:2013, please feel free to contact me at
engsoon@gensmgt.com.