
ISMS and 27000 Family of Standards

Dr Angelika Plate www.aexis.de


copyright AEXIS Security Consultants, 2000-2009

ISO/IEC JTC1 SC27: Chair Walter Fumy, Vice Chair Marijke de Soete, Secretary Krystyna Passia (DIN)

- WG1 ISMS Standards: Chair Ted Humphreys, Vice Chair Angelika Plate
- WG2 Security Techniques: Chair Kenji Namura
- WG3 Security Evaluation: Chair Mats Ohlin
- WG4 ISMS Services: Chair Meng-Chow Kang
- WG5 Privacy, ID management and Biometrics: Chair Kai Rannenberg


The ISO/IEC 27000 family of standards (diagram)

- ISMS overview & terminology [27000]
- Information security management system (ISMS) [27001]
- 27001 supporting guidance material:
  - Information security controls (ex 17799) [27002]
  - ISMS implementation guide [27003]
  - Information security management measurements [27004]
  - ISMS risk management [27005]
- Accreditation and certification:
  - Accreditation requirements for ISMS [27006]
  - ISMS audit guidelines [27007]
- Sector-specific developments:
  - ISMS for telecoms [27011]
  - Other sector-specific developments

Standard   Title                                                      Status
27000      Overview and vocabulary                                    FDIS
27001      ISMS requirements                                          Published, now revised
27002      Information security management - Code of Practice         Published, now revised
27003      ISMS Implementation guide                                  FCD
27004      ISM Measurements                                           2nd FCD
27005      ISMS Risk management                                       Published
27006      Accreditation requirements for certification bodies        Published
27007      ISMS Audit guidelines                                      WD
27008      Guidance on auditing ISMS controls                         WD

Standard   Title                                                                                    Status
27010      New NP: Sector to sector interworking and communications for industry and government    WD
27011      Information security management guidelines for telecommunications based on ISO/IEC 27002  On its way to publication
27012      ISMS guidelines for e-government                                                         WD
NP         ISMS for the financial and insurance service sector                                      ----
NP         ISMS for service management                                                              ----
NP         Information security governance framework                                                ----


ISO/IEC 27001 ISMS Requirements

Highlights and features

- Risk management approach: risk assessment, risk treatment, management decision making
- Continuous improvement model
- Measures of effectiveness
- Auditable specification (internal and external ISMS auditing)
- Now under revision

Topics for Revision

- ONLY necessary changes: no changes for the sake of change
- Simple corrections:
  - 4.2.1 b): confusion between ISMS policy and information security policy in 27002
  - 4.2.3 g): update security plans; these security plans are not mentioned anywhere else
- More fundamental issues:
  - What about the Statement of Applicability: shall it stay or shall it go?

ISO/IEC 27002 (prev. ISO/IEC 17799)

- Code of Practice for information security management
- From Spring 2007 ISO/IEC 17799 was renumbered as 27002
- The standard is now under revision

ISO/IEC 27002 Code of practice for information security management

- A catalogue of Best Practice
- Suggesting a holistic set of controls
- Not a certification or auditable standard

Control clauses:
- Security policy
- Organising information security
- Asset management
- Human resources security
- Physical & environmental security
- Communications & operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance

Topics for Revision

- Some people want to change the structure; my view is to only change the structure where new content yields changes, no changes just for the sake of it
  - Example: if controls on application security will be included, a re-structuring of Clause 10 might be useful
- More controls on:
  - Application security
  - Business continuity
  - Awareness
  - ...


Revision of 27001 & 27002

- A design specification for the revision of the two documents is needed
- My view:
  - Necessary changes and useful improvements: YES
  - Changes without good reasons: NO
- Meeting with the 27002 editor to discuss the strategy for Beijing
- Recommendation: comment not only on changes, but also on what you would like to keep

ISO/IEC 27003 - Overview

- Implementation guidance to help organisations implementing the ISMS requirements
- Design agreements:
  - No specification of minimal content or definition of requirements for implementation
  - No particular ways of implementing an ISMS
  - Examples, case studies
  - No overlap with 27004, 27005


Structure of ISO/IEC 27003

Describing the workflow to implement an ISMS:
- Obtaining management approval for the ISMS
- Conducting an analysis of the organization
- Conducting risk assessment & treatment
- Designing the ISMS

Clause Structure

- Activity - Defines what is necessary to satisfy all or part of the objectives
- Input - Describes the starting point, such as the existence of documented decisions or outputs from other ISMS implementation activities
- Guidance - Provides detailed information to enable the objectives to be met
- Output - Describes the result or deliverable upon completion of the activity
- Other information

Diagrams


My View of ISO/IEC 27003

- In principle not a bad document, a lot of useful information
- Development is too rushed, it needs a careful review
- Now already at FCD stage; options:
  - Have an untidy document
  - Have no document at all


ISO/IEC 27004 - Overview

- Scope: providing guidance on the development and use of measures in order to assess the effectiveness of ISMS processes, control objectives and controls as specified in ISO/IEC 27001
- Introduction explaining the main parts of the measurement programme
- Management overview to ease the understanding, especially for SMEs


Relationship with the ISMS


Information security measurement model


Clause Structure

- Information security measurement overview
- Management responsibilities
- Measures and measurement development
- Measurement operation
- Reporting of measurement results
- Evaluation and improvements of measurements

Annex B Measurement Examples

- ISMS overall effectiveness
- ISMS Training
- ISMS-trained personnel
- Information Security Training
- Information Security Awareness Compliance
- Password Policies
- Password Quality - manual
- Password Quality - automated
- ISMS Review Process
- ISMS Continual Improvement
- ISMS Incidents and effectiveness
- Corrective Action Implementation
- Management Commitment
- Protection Against Malicious Code
- Physical Entry Controls
- Log Files Review
- Manage Periodic Maintenance
- Security in Third Party Agreements

My View of ISO/IEC 27004

- Very detailed consideration of measurements
- Feedback:
  - Large organisations: we use base and derived measures, but not necessarily in such a complex manner
  - Small organisations: far too complex for us
- Annexes give useful examples
- Downsizing is often necessary
- More information needed on:
  - How to select good measures
  - How to condense results of measurements

ISO/IEC 27005

ISO/IEC 27005 Information security risk management
- Provides guidance for information security risk management as laid out in ISO/IEC 27001
- Is applicable for all organizations (size, type of business, etc.) that need to manage information security risks
- Published: Summer 2008


ISO/IEC 27006

ISO/IEC 27006 is the Requirements for the accreditation of bodies providing certification of ISMSs
- Joint initiative from ISO, IAF and CASCO
- Based on:
  - ISO/IEC 17021
  - ISO/IEC 27001
- Published since February 2006
- Your view about audit time, etc.?


ISO/IEC 27007

ISMS Auditor Guidelines
- Specific ISMS guidance to complement ISO 19011
- Following the revision of ISO 19011
- Dealing with guidance for auditors on subjects such as:
  - ISMS Scopes
  - Risk assessment reports
  - Measurements

ISO/IEC 27008

New WD on auditing ISMS controls
- Issues with that scope:
  - If this became part of ISMS certification audits, there is inconsistency with other MS audits
  - The ISMS should give information about the well-functioning of controls
- One way out: focusing on internal ISMS audits



ISO/IEC 27010

New WD on sector to sector interworking and communications for industry and government
- Result of a Study Period on Critical Infrastructures
- Confusion at the last meeting: no new draft available, only a Disposition of Comments
- Scope: This International Standard provides guidance for information security interworking and communications between industries in the same sectors, in different industry sectors and with governments, either in times of crisis and to protect critical infrastructure or for mutual recognition under normal business circumstances to meet legal, regulatory and contractual obligations.


ISO/IEC 27011

- The ITU-T standards group Question 7/17 developed the standard X.1051 Information security management guidelines for telecommunications based on ISO/IEC 27002
- The aim is to support the implementation of ISO/IEC 27002 in the telecommunications sector

ISO/IEC 27011

The standard contains:
- An overview giving the framework in which it operates
- Extended versions of the controls from ISO/IEC 27002 to address telecoms

This standard has been adopted by SC 27 as ISO/IEC 27011 (on its way to publication)

ISO/IEC 27012

A new standard containing ISMS guidelines for e-government (1st WD)
- The scope of this Standard is to define guidelines supporting the implementation of Information Security Management (ISM) in e-government services
- To provide guidance to the Public Administration on how to adapt 27002 controls and processes to specific e-government services and legally binding procedures


NP Financial services

A NWIP for financial and insurance services
- Scope: This international standard provides guidance for supporting the implementation of information security management in financial and insurance services sectors
- This standard is intended to provide guidance on how to adapt the 2700x ISMS Framework. It aims to support in fulfilling sector specific information security related legal and regulatory requirements through an internationally agreed and well-accepted framework

NP Integrated 20000 and 27001

A NWIP for the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
- Scope: To provide guidance on implementing an integrated information security and IT service management system
- This includes implementation advice on adopting an integrated management system, i.e. to:
  - Implement ISO/IEC 27001 when ISO/IEC 20000-1 is already adopted, or vice versa;
  - Implement both ISO/IEC 27001 and ISO/IEC 20000-1 together;
  - Align already existing ISO/IEC 27001 and ISO/IEC 20000-1 management system implementations.

NP Information security governance framework

A NWIP for IS governance
- Scope:
  - Help meet corporate governance requirements related to information security
  - Align information security objectives with business objectives
  - Ensure a risk-based approach is adopted for information security management
  - Implement effective management controls for information security management
  - Evaluate, direct, and monitor an information security management system
  - Safeguard information of all types, including electronic, paper, and spoken
  - Ensure good conduct of people when using information

Thank you for listening

Q&A