ISO27001 / ISO27002

ISO27001 / ISO27002: A Pocket Guide

ALAN CALDER
Copyright Date: 2013
Edition: 2
Published by: IT Governance Publishing
Pages: 78
https://www.jstor.org/stable/j.ctt5hh4qg
    Book Description:

    Information is one of your organisation’s most important resources. Keeping it secure is therefore vital to your business. This handy pocket guide is an essential overview of two key information security standards that cover the formal requirements (ISO27001:2013) for creating an Information Security Management System (ISMS), and the best-practice recommendations (ISO27002:2013) for those responsible for initiating, implementing or maintaining it.

    eISBN: 978-1-84928-523-0
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
  2. FOREWORD
    (pp. 5-6)

    ISO/IEC 27001:2013 is the international Standard for Information Security Management Systems (ISMSs). Closely allied to ISO/IEC 27002:2013, this Standard (sometimes called the ISMS Standard) can help organisations meet all their information-related regulatory compliance objectives and can help them prepare and position themselves for new and emerging regulations.

    Information is the lifeblood of today’s organisation and, therefore, ensuring that information is simultaneously protected and available to those who need it is essential to modern business operations. Information systems are not usually designed from the outset to be secure. Technical security measures and checklists are limited in their ability to protect a...

  3. ABOUT THE AUTHOR
    (pp. 7-7)
  4. ACKNOWLEDGEMENTS
    (pp. 8-8)
  5. Table of Contents
    (pp. 9-9)
  6. INTRODUCTION
    (pp. 10-11)

    It is a truism to say that information is the currency of the information age. Information is, in many cases, the most valuable asset possessed by an organisation, even if that information has not been subject to a formal and comprehensive valuation.

    IT governance is the discipline that deals with the structures, standards and processes that boards and management teams apply in order to effectively manage, protect and exploit their organisation’s information assets.

    Information security management is the subset of IT governance that focuses on protecting and securing an organisation’s information assets.

    An asset can be defined as ‘anything that...

  7. CHAPTER 1: THE ISO/IEC 27000 FAMILY OF INFORMATION SECURITY STANDARDS
    (pp. 12-14)

    ISO27001, the international Information Security Management Standard, was published in 2005 and updated in 2013. It is becoming widely known and followed.

    It is now part of a much larger family, of which ISO/IEC 27000 is the root for a whole numbered series of international standards for the management of information security.

    Developed by a subcommittee of a joint technical committee (ISO/IEC JTC SC27) of the International Standards Organisation (ISO) in Geneva and the International Electrotechnical Commission (IEC), these standards now provide a globally recognised framework for best practice information security management.

    The correct designation for most of these standards...

  8. CHAPTER 2: BACKGROUND TO THE STANDARDS
    (pp. 15-18)

    The very first formal information security Standard, BS7799, was originally issued in the UK in April 1999 as a two-part standard. An earlier code of practice had been substantially revised and became Part 1 of the new Standard (BS7799-1:1999) and a new Part 2 (BS7799-2:1999) was drafted and added.

    The link between the two standards was created at this point:

    Part 1 was a code of practice

    Part 2 was a specification for an ISMS that deployed controls selected from the code of practice.

    The original Part 2 specified, in the main body of the Standard, the same set of...

  9. CHAPTER 3: SPECIFICATION VS CODE OF PRACTICE
    (pp. 19-20)

    ISO/IEC 27001:2013 is a specification for an information security management system. It uses words like ‘shall’. It sets out requirements. It is the specification against which first-, second- and third-party audits can be carried out.

    A first-party audit is an audit of an organisation’s own practices that is carried out by that organisation. A second-party audit is carried out by a partner organisation, usually pursuant to a commercial relationship of some description. A third-party audit is one carried out by an independent third party, such as a certification body or external auditor.

    A code of practice or a set of...

  10. CHAPTER 4: CERTIFICATION PROCESS
    (pp. 21-22)

    ISO27001 provides a specification against which an organisation’s ISMS can be independently audited by an accredited certification body. If the ISMS is found to conform to the specification, the organisation can be issued with a formal certificate confirming this.

    Certification is carried out by independent, accredited certification bodies. These are called different things in different countries, including ‘registration bodies’, ‘assessment and registration bodies’, ‘certification/registration bodies’ and ‘registrars’. Whatever they are called, they all do the same thing and are subject to the same requirements.

    An accredited certification body is one that has demonstrated to a national accreditation body (such as,...

  11. CHAPTER 5: THE ISMS AND ISO27001
    (pp. 23-24)

    ISO27000 defines information security (in its definitions section) as the ‘preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved’.

    Information risks can affect one or more of the three fundamental attributes of an information asset – its

    availability

    confidentiality

    integrity.

    These three attributes are defined in ISO27000 as follows:

    Availability: ‘the property of being accessible and usable upon demand by an authorised entity’, which allows for the possibility that information has to be accessed by software programs as well as human users.

    Confidentiality: ‘the property that information...

  12. CHAPTER 6: OVERVIEW OF ISO/IEC 27001:2013
    (pp. 25-26)

    The formal title of this Standard is ‘Information technology – Security techniques – Information security management systems – Requirements’. From October 2013, it replaced the previous edition, ISO/IEC 27001:2005.

    Including end pieces, this Standard is only 30 pages long. The core of the Standard is contained in the nine pages that set out the specifications for the design and implementation of an information security management system, and in the 13 pages of Annex A, which contain the 114 individual controls which must, under the Standard, be considered for applicability.

    The ISMS specification is contained in Clauses 4 to 10 of ISO27001.

    The Standard’s...

  13. CHAPTER 7: OVERVIEW OF ISO/IEC 27002:2013
    (pp. 27-29)

    This Standard’s title is ‘Information technology – Security techniques – Code of practice for information security management’. Published in October 2013, it replaced the previous edition, ISO/IEC 27002:2005.

    It is a code of practice, not a specification. It uses words like ‘should’ and ‘may’: it ‘may be regarded as a starting point for developing organisation-specific guidelines’.¹

    ISO27002 is more than twice as long as ISO27001, with 90 pages, 8 of which are introductory material. Some 78 pages deal, in detail, with information security controls. This standard has 18 clauses, as shown below:

    Foreword

    0. Introduction

    1. Scope

    2. Normative references

    3. Terms...

  14. CHAPTER 8: DOCUMENTATION AND RECORDS
    (pp. 30-33)

    One of the key reasons for designing and implementing a management system is to enable the organisation to move beyond what is known, in the terms of the capability maturity model, as an ‘ad hoc’ organisation. An ad hoc organisation is one that has ‘no fixed processes, or procedures, results depend very much on individual performance, and a lot of people’s time is spent on “fire fighting”, fixing bugs in software, and resolving incidents’.¹

    ISO9001:2008 is a well-known and widely implemented quality assurance or business process management system. If the organisation does not already have an existing ISO9001 certified management...

  15. CHAPTER 9: MANAGEMENT RESPONSIBILITY
    (pp. 34-36)

    Implementation of an ISMS is something that ISO27001 recognises will affect the whole organisation. The requirements around scoping and the information security policy are explicit that there needs to be a documented justification for any exclusion from the scope, and that the policy should apply across the organisation.

    ISO27001 is also clear that the ISMS should be designed to meet the needs of the organisation, and should be implemented and managed in a way that meets – and continues to meet – those needs.

    ISO27001 contains a requirement that management should ‘[communicate] the importance of effective information security management and of conforming...

  16. CHAPTER 10: PROCESS APPROACH AND THE PDCA CYCLE
    (pp. 37-40)

    The PDCA model or cycle is the Plan–Do–Check–Act cycle that was originated in the 1950s by W. Edwards Deming. It states that business processes should be treated as though they are in a continuous feedback loop so that managers can identify and change those parts of the process that need improvement. The process, or an improvement to the process, should first be planned, then implemented and its performance measured, then the measurements should be checked against the planned specification, and any deviations or potential improvements identified and reported to management for a decision about what action...

  17. CHAPTER 11: CONTEXT, POLICY AND SCOPE
    (pp. 41-43)

    The first planning step is the scoping exercise.

    The scoping requirement is contained in Clause 4.3 of ISO27001. The requirement is that the organisation will ‘determine the boundaries and applicability of the information security management system to establish its scope [taking into consideration] external and internal issues, the requirements [of interested parties, and] interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations’.

    This is built upon the understanding of the organisation and its context, as well as the expectations of interested parties. Clause 4.1 states that the organisation ‘shall determine external and...

  18. CHAPTER 12: RISK ASSESSMENT
    (pp. 44-49)

    The next planning step is the information security risk assessment. Risk assessment is dealt with in clauses 6.1.2 and 8.2 of ISO27001, supported by the guidance of ISO27002 Clause 0.2.

    Rather than being immediately complementary, ISO27002 recognises the value of additional control and management frameworks. The risk assessment guidance offered in ISO27002, therefore, is necessarily brief as it encourages the organisation to choose the approach which is most applicable to its industry, complexity and risk environment.

    ISO27005 is a code of practice and provides detailed and extensive guidance on how to implement the requirements mandated by ISO27001. While the risk...

  19. CHAPTER 13: THE STATEMENT OF APPLICABILITY (SOA)
    (pp. 50-53)

    While the statement of applicability is central to an ISMS and to accredited certification of the ISMS (it is the document from which an auditor will begin the process of confirming whether or not appropriate controls are in place and operative), it can really only be prepared once the risk assessment has been completed and the risk treatment plan documented.

    The statement of applicability is a statement as to which of the controls identified in Annex A to ISO27001 are applicable to the organisation, and which are not. It can also contain additional controls selected from other sources.

    The SoA...

  20. CHAPTER 14: IMPLEMENTATION
    (pp. 54-54)

    Implementation of the ISMS involves the following five tasks:

    Implement the risk treatment plan and the controls identified in the SoA (8.3).

    Define how to measure and assess the effectiveness of all the controls (9.1.b).

    Implement training and awareness programmes (7.2 and 7.3), which links to Control A.7.2.2 – information security awareness, education and training.

    Manage the ISMS (8.1). All the interlocking controls and processes must be kept working, and new threats identified, evaluated and, if necessary, neutralised. People must be recruited and trained, their performance supervised, and their skills developed in line with the changing needs of the business....

  21. CHAPTER 15: CHECK AND ACT
    (pp. 55-58)

    Clause 9 of the Standard is all about monitoring and review. It contains the requirement for management to be actively involved in the long-term management of the ISMS while recognising the reality that the information security threat environment changes even more quickly than the business environment. This clause deals, broadly, with three types of activity: monitoring, auditing and reviewing.

    The purpose of monitoring activity is primarily to detect processing errors and information security events quickly so that immediate corrective action can be taken. Monitoring should be formal, systematic and widespread. Security category A.12.4 (logging and monitoring) contains controls that are...

  22. CHAPTER 16: MANAGEMENT REVIEW
    (pp. 59-60)

    Clause 9.3 of ISO27001 (and Control objective A.18.2), which deals with management review of the ISMS, stresses that the management review should take into account ‘feedback on the information security performance, including trends in […] nonconformities and corrective actions’,¹ as well as any changes anywhere or to anything that might affect the ISMS, and recommendations for improvement.

    It should be noted that corrective and preventative action should be prioritised on the basis of a risk assessment.²

    ISO27001 calls, at Control A.18.2.1, for an ‘independent review of information security’, which should take place at planned intervals (or whenever there have been...

  23. CHAPTER 17: ISO27001 ANNEX A
    (pp. 61-74)

    ISO/IEC 27001:2013 Annex A has 14 major clauses or control areas numbered from A.5 to A.18, each of which identifies one or more control objectives. Each control objective is served by one or more controls. Every control is sequentially numbered.

    There are, in total, 114 subclauses, each of which has an alphanumeric clause number.

    Annex A is aligned with ISO27002; this means that precisely the same control objectives, controls, clause numbering and wording are used in both Annex A and in ISO27002. Note the clear statement that ‘the control objectives and controls listed in Annex A are not exhaustive and...

  24. ITG RESOURCES
    (pp. 75-78)