
Information security management system



What is ISO 27001?


ISO/IEC 27001 is an internationally recognized standard that describes best practice for an information security management system (ISMS).

  
How does ISO 27001 work?
The focus of ISO 27001 is to protect the confidentiality, integrity and availability of the information in a company. This is done by finding out what potential problems could happen to the information (i.e., risk assessment), and then defining what needs to be done to prevent such problems from happening (i.e., risk mitigation or risk treatment). Therefore, the main philosophy of ISO 27001 is based on managing risks: find out where the risks are, and then systematically treat them.
The safeguards (or controls) that are to be implemented are usually in the form of policies, procedures and technical implementation (e.g., software and equipment). However, in most cases companies already have all the hardware and software in place, but they are using them in an insecure way – therefore, the majority of the ISO 27001 implementation will be about setting the organizational rules (i.e., writing documents) that are needed in order to prevent security breaches. Since such an implementation will require multiple policies, procedures, people, assets, etc. to be managed, ISO 27001 describes how to fit all these elements together in the information security management system (ISMS).
So, managing information security is not only about IT security (i.e., firewalls, anti-virus, etc.) – it is also about managing processes, legal protection, managing human resources, physical protection, etc.
Benefits of ISO 27001

Why is ISO 27001 good for your company?

There are 4 essential business benefits that a company can achieve with the implementation of this information security standard:
Comply with legal requirements – there are more and more laws, regulations and contractual requirements related to information security, and the good news is that most of them can be addressed by implementing ISO 27001 – this standard gives you a methodology for complying with them in a structured way.
Achieve marketing advantage – if your company gets certified and your competitors do not, you may have an advantage over them in the eyes of the customers who are sensitive about keeping their information safe.
Lower costs – the main philosophy of ISO 27001 is to prevent security incidents from happening – and every incident, large or small, costs money. Therefore, by preventing them, your company can save a considerable amount of money, and in most cases the investment in ISO 27001 is smaller than the cost of the incidents it prevents.

Better organization – typically, fast-growing companies don’t have the time to stop and define their processes and procedures – as a consequence, very often the employees do not know what needs to be done, when, and by whom. Implementation of ISO 27001 helps resolve such situations, because it encourages companies to write down their main processes (even those that are not security-related), enabling them to reduce the lost time of their employees.

What does ISO 27001 actually look like?
ISO/IEC 27001 is split into 11 sections, plus Annex A. Sections 0 to 3 are introductory (and are not mandatory for implementation), while sections 4 to 10 are mandatory – meaning that all their requirements must be implemented in an organization if it wants to be compliant with the standard. Controls from Annex A must be implemented only if declared as applicable in the Statement of Applicability.
Because ISO 27001 follows Annex SL of the ISO/IEC Directives (the common high-level structure for management system standards), its section titles are the same as in ISO 22301:2012, in the new ISO 9001:2015, and in other management standards, enabling easier integration of these standards.
Section 0: Introduction – explains the purpose of ISO 27001 and its compatibility with other management standards.
Section 1: Scope – explains that this standard is applicable to any type of organization.
Section 2: Normative references – refers to ISO/IEC 27000 as a standard where terms and definitions are given.
Section 3: Terms and definitions – again, refers to ISO/IEC 27000.
Section 4: Context of the organization – this section is part of the Plan phase in the PDCA cycle and defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.
Section 5: Leadership – this section is part of the Plan phase in the PDCA cycle and defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information security policy.
Section 6: Planning – this section is part of the Plan phase in the PDCA cycle and defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.
Section 7: Support – this section is part of the Plan phase in the PDCA cycle and defines requirements for availability of resources, competences, awareness, communication, and control of documents and records.
Section 8: Operation – this section is part of the Do phase in the PDCA cycle and defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve information security objectives.
Section 9: Performance evaluation – this section is part of the Check phase in the PDCA cycle and defines requirements for monitoring, measurement, analysis, evaluation, internal audit and management review.
Section 10: Improvement – this section is part of the Act phase in the PDCA cycle and defines requirements for non-conformities, corrections, corrective actions and continual improvement.
Annex A – this annex provides a catalogue of controls (safeguards); in the 2013 edition of the standard, which this page describes, there are 114 controls placed in 14 sections (sections A.5 to A.18).


How to implement ISO 27001
To implement ISO 27001 in your company, you have to follow these 16 steps:
1) Get top management support
2) Use project management methodology
3) Define the ISMS scope
4) Write the top-level Information security policy
5) Define the Risk assessment methodology
6) Perform the risk assessment and risk treatment
7) Write the Statement of Applicability
8) Write the Risk treatment plan
9) Define how to measure the effectiveness of your controls and of your ISMS
10) Implement all applicable controls and procedures
11) Implement training and awareness programs
12) Perform all the daily operations prescribed by your ISMS documentation
13) Monitor and measure your ISMS
14) Perform internal audit
15) Perform management review
16) Implement corrective actions
For a more detailed explanation of these steps, see ISO 27001 implementation checklist.

 


Mandatory documentation
ISO 27001 requires the following documentation to be written:
·         Scope of the ISMS (clause 4.3)
·         Information security policy and objectives (clauses 5.2 and 6.2)
·         Risk assessment and risk treatment methodology (clause 6.1.2)
·         Statement of Applicability (clause 6.1.3 d)
·         Risk treatment plan (clauses 6.1.3 e and 6.2)
·         Risk assessment report (clause 8.2)
·         Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
·         Inventory of assets (clause A.8.1.1)
·         Acceptable use of assets (clause A.8.1.3)
·         Access control policy (clause A.9.1.1)
·         Operating procedures for IT management (clause A.12.1.1)
·         Secure system engineering principles (clause A.14.2.5)
·         Supplier security policy (clause A.15.1.1)
·         Incident management procedure (clause A.16.1.5)
·         Business continuity procedures (clause A.17.1.2)
·         Statutory, regulatory, and contractual requirements (clause A.18.1.1)
And these are the mandatory records:
·         Records of training, skills, experience and qualifications (clause 7.2)
·         Monitoring and measurement results (clause 9.1)
·         Internal audit program (clause 9.2)
·         Results of internal audits (clause 9.2)
·         Results of the management review (clause 9.3)
·         Results of corrective actions (clause 10.1)
·         Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Of course, a company may decide to write additional security documents if it finds it necessary.
To see more detailed explanation of each of these documents, download the free white paper Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision).

How many controls are there in ISO 27001?

There are 114 controls listed in Annex A of ISO 27001:2013 – it would be a violation of intellectual property rights if I listed all the controls here, but let me just explain how the controls are structured, and the purpose of each of the 14 sections from Annex A:
A.5 Information security policies – controls on how the policies are written and reviewed

A.6 Organization of information security – controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking

A.7 Human resources security – controls prior to employment, during, and after the employment

A.8 Asset management – controls related to inventory of assets and acceptable use, also for information classification and media handling

A.9 Access control – controls for Access control policy, user access management, system and application access control, and user responsibilities

A.10 Cryptography – controls related to encryption and key management

A.11 Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.

A.12 Operational security – lots of controls related to management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.

A.13 Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.

A.14 System acquisition, development and maintenance – controls defining security requirements and security in development and support processes

A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers

A.16 Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence

A.17 Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy

A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security

Catalogue of threats & vulnerabilities  

This list of threats and vulnerabilities can serve as a help for implementing risk assessment within the framework of ISO 27001 or ISO 22301. This list is not final – each organization must add their own specific threats and vulnerabilities that endanger the confidentiality, integrity and availability of their assets.

Threats

Below is a list of threats – this is not a definitive list, it must be adapted to the individual organization:
·         Access to the network by unauthorized persons
·         Bomb attack
·         Bomb threat
·         Breach of contractual relations
·         Breach of legislation
·         Compromising confidential information
·         Concealing user identity
·         Damage caused by a third party
·         Damages resulting from penetration testing
·         Destruction of records
·         Disaster (human caused)
·         Disaster (natural)
·         Disclosure of information
·         Disclosure of passwords
·         Eavesdropping
·         Embezzlement
·         Errors in maintenance
·         Failure of communication links
·         Falsification of records
·         Fire
·         Flood
·         Fraud
·         Industrial espionage
·         Information leakage
·         Interruption of business processes
·         Loss of electricity
·         Loss of support services
·         Malfunction of equipment
·         Malicious code
·         Misuse of information systems
·         Misuse of audit tools
·         Pollution
·         Social engineering
·         Software errors
·         Strike
·         Terrorist attacks
·         Theft
·         Thunderstroke
·         Unintentional change of data in an information system
·         Unauthorized access to the information system
·         Unauthorized changes of records
·         Unauthorized installation of software
·         Unauthorized physical access
·         Unauthorized use of copyright material
·         Unauthorized use of software
·         User error
·         Vandalism

Vulnerabilities

Below is a list of vulnerabilities – this is not a definitive list, it must be adapted to the individual organization:
·         Complicated user interface
·         Default passwords not changed
·         Disposal of storage media without deleting data
·         Equipment sensitivity to changes in voltage
·         Equipment sensitivity to moisture and contaminants
·         Equipment sensitivity to temperature
·         Inadequate cabling security
·         Inadequate capacity management
·         Inadequate change management
·         Inadequate classification of information
·         Inadequate control of physical access
·         Inadequate maintenance
·         Inadequate network management
·         Inadequate or irregular backup
·         Inadequate password management
·         Inadequate physical protection
·         Inadequate protection of cryptographic keys
·         Inadequate replacement of older equipment
·         Inadequate security awareness
·         Inadequate segregation of duties
·         Inadequate segregation of operational and testing facilities
·         Inadequate supervision of employees
·         Inadequate supervision of vendors
·         Inadequate training of employees
·         Incomplete specification for software development
·         Insufficient software testing
·         Lack of access control policy
·         Lack of clean desk and clear screen policy
·         Lack of control over the input and output data
·         Lack of internal documentation
·         Lack of or poor implementation of internal audit
·         Lack of policy for the use of cryptography
·         Lack of procedure for removing access rights upon termination of employment
·         Lack of protection for mobile equipment
·         Lack of redundancy
·         Lack of systems for identification and authentication
·         Lack of validation of the processed data
·         Location vulnerable to flooding
·         Poor selection of test data
·         Single copy
·         Too much power in one person
·         Uncontrolled copying of data
·         Uncontrolled download from the Internet
·         Uncontrolled use of information systems
·         Undocumented software
·         Unmotivated employees
·         Unprotected public network connections
·         User rights are not reviewed regularly

ISO 27001 risk assessment & treatment – 6 basic steps

Risk assessment (often called risk analysis) is probably the most complex part of ISO 27001 implementation; but at the same time risk assessment (and treatment) is the most important step at the beginning of your information security project – it sets the foundations for information security in your company.
The question is – why is it so important? The answer is quite simple although not understood by many people: the main philosophy of ISO 27001 is to find out which incidents could occur (i.e. assess the risks) and then find the most appropriate ways to avoid such incidents (i.e. treat the risks). Not only this, you also have to assess the importance of each risk so that you can focus on the most important ones.
Although risk assessment and treatment (together: risk management) is a complex job, it is very often unnecessarily mystified. These 6 basic steps will shed light on what you have to do:

1. ISO 27001 risk assessment methodology

This is the first step on your voyage through risk management. You need to define rules on how you are going to perform the risk management because you want your whole organization to do it the same way – the biggest problem with risk assessment happens if different parts of the organization perform it in a different way. Therefore, you need to define whether you want qualitative or quantitative risk assessment, which scales you will use for qualitative assessment, what will be the acceptable level of risk, etc.

2. Risk assessment implementation

Once you know the rules, you can start finding out which potential problems could happen to you – you need to list all your assets, then threats and vulnerabilities related to those assets, assess the impact and likelihood for each combination of assets/threats/vulnerabilities and finally calculate the level of risk.
In my experience, companies are usually aware of only 30% of their risks. Therefore, you’ll probably find this kind of exercise quite revealing – when you are finished you’ll start to appreciate the effort you’ve made.
3. Risk treatment implementation
Of course, not all risks are created equal – you have to focus on the most important ones, so-called ‘unacceptable risks’.
There are four options you can choose from to mitigate each unacceptable risk:
1.    Apply security controls from Annex A to decrease the risks – see this article ISO 27001 Annex A controls.
2.    Transfer the risk to another party – e.g. to an insurance company by buying an insurance policy.
3.    Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different fashion.
4.    Accept the risk – if, for instance, the cost of mitigating that risk would be higher than the damage itself.
This is where you need to get creative – how to decrease the risks with minimum investment. It would be the easiest if your budget was unlimited, but that is never going to happen. And I must tell you that unfortunately your management is right – it is possible to achieve the same result with less money – you only need to figure out how.

4. ISMS Risk Assessment Report

Unlike the previous steps, this one is quite boring – you need to document everything you’ve done so far. Not only for the auditors, but because you may want to check these results yourself in a year or two.

5. Statement of Applicability

This document actually shows the security profile of your company – based on the results of the risk treatment you need to list all the controls you have implemented, why you have implemented them and how. This document is also very important because the certification auditor will use it as the main guideline for the audit.
For details about this document, see article The importance of Statement of Applicability for ISO 27001.

6. Risk Treatment Plan

This is the step where you have to move from theory to practice. Let’s be frank – all up to now this whole risk management job was purely theoretical, but now it’s time to show some concrete results.
This is the purpose of Risk Treatment Plan – to define exactly who is going to implement each control, in which time frame, with which budget, etc. I would prefer to call this document ‘Implementation Plan’ or ‘Action Plan’, but let’s stick to the terminology used in ISO 27001.
Once you’ve written this document, it is crucial to get your management approval because it will take considerable time and effort (and money) to implement all the controls that you have planned here. And without their commitment you won’t get any of these.
And this is it – you’ve started your journey from not knowing how to set up your information security all the way to having a very clear picture of what you need to implement. The point is – ISO 27001 forces you to make this journey in a systematic way.
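To make the six steps above concrete, here is a small risk register written for this page as an added example; it is not code from the original post or from any ISO 27001 tool. It covers steps 1 to 3 (methodology, assessment, treatment) and produces the data that steps 4 to 6 document. Everything specific in it is an assumption for illustration: the 1 to 5 qualitative scales, the "likelihood times impact" formula, the acceptable-risk threshold of 6, the sample assets, and the mapping of each mitigation to an Annex A (2013) control id. The threats and vulnerabilities, however, are taken from the catalogue earlier on this page.

```python
"""Added example: minimal ISO 27001 risk register for steps 1-3 of the process above.
All scales, thresholds, assets and control mappings are illustrative assumptions."""
from dataclasses import dataclass
from typing import Optional

# Step 1 (methodology): assumed 1-5 qualitative scales and acceptable-risk threshold.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
ACCEPTABLE_RISK = 6          # risk level = likelihood x impact; anything above 6 must be treated
TREATMENTS = ("mitigate", "transfer", "avoid", "accept")   # the four options from step 3


@dataclass
class Risk:
    asset: str
    threat: str               # taken from the threat catalogue on this page
    vulnerability: str        # taken from the vulnerability catalogue on this page
    likelihood: int
    impact: int
    treatment: Optional[str] = None
    control: Optional[str] = None     # Annex A control id when treatment is "mitigate"
    residual: Optional[tuple] = None  # (likelihood, impact) estimated after treatment
    justification: str = ""

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.asset}: likelihood and impact must be on the 1-5 scale")

    @property
    def level(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_level(self) -> int:
        return self.level if self.residual is None else self.residual[0] * self.residual[1]

    @property
    def closed(self) -> bool:
        """Within the acceptable level after treatment, or formally accepted by the risk owner."""
        return self.treatment == "accept" or self.residual_level <= ACCEPTABLE_RISK


def unacceptable_risks(register):
    """Step 2: risks above the acceptable level, highest first, so treatment starts with them."""
    return sorted((r for r in register if r.level > ACCEPTABLE_RISK),
                  key=lambda r: r.level, reverse=True)


def treat(risk, option, control=None, residual=None, justification=""):
    """Step 3: record one treatment option and return whether the risk is now closed."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment {option!r}")
    if option == "mitigate" and not control:
        raise ValueError("mitigation must name the Annex A control being applied")
    if option == "accept" and not justification:
        raise ValueError("accepting a risk above the threshold needs a written justification")
    if option == "avoid":
        residual = (1, 1)                              # activity stopped: nothing left to occur
    elif option == "accept":
        residual = (risk.likelihood, risk.impact)      # accepted unchanged
    elif residual is None:
        raise ValueError("mitigate/transfer must estimate residual likelihood and impact")
    risk.treatment, risk.control = option, control
    risk.justification, risk.residual = justification, residual
    return risk.closed


def statement_of_applicability(register):
    """Step 5: controls declared applicable, each with the risks that justify it."""
    soa = {}
    for r in register:
        if r.treatment == "mitigate":
            soa.setdefault(r.control, []).append(f"{r.asset}: {r.threat}")
    return soa


def open_items(register):
    """Input for the risk treatment plan (step 6): risks still lacking an effective treatment."""
    return [r for r in register if r.level > ACCEPTABLE_RISK and not r.closed]


def build_register():
    """Constructed sample data (assets and ratings are invented for the example)."""
    return [
        Risk("customer database", "Unauthorized access to the information system",
             "Default passwords not changed", likelihood=4, impact=5),
        Risk("file server", "Malicious code", "Inadequate or irregular backup", 3, 4),
        Risk("server room", "Flood", "Location vulnerable to flooding", 2, 5),
        Risk("legacy billing app", "Software errors", "Undocumented software", 3, 3),
        Risk("staff laptops", "Theft", "Lack of protection for mobile equipment", 3, 2),
    ]


def run_example():
    """Assess, then treat each unacceptable risk with one of the four options."""
    register = build_register()
    by_asset = {r.asset: r for r in register}
    # Control ids below are assumed mappings to ISO 27001:2013 Annex A (A.9.4.3 password
    # management system, A.12.3.1 information backup); pick your own from your SoA.
    treat(by_asset["customer database"], "mitigate", control="A.9.4.3", residual=(1, 5))
    treat(by_asset["file server"], "mitigate", control="A.12.3.1", residual=(3, 2))
    treat(by_asset["server room"], "transfer", residual=(2, 3))   # e.g. flood insurance
    treat(by_asset["legacy billing app"], "avoid")                # decommission the app
    return register


if __name__ == "__main__":
    reg = run_example()
    for r in reg:
        print(f"{r.asset:20} level={r.level:2} treatment={r.treatment} "
              f"residual={r.residual_level:2} closed={r.closed}")
    print("SoA:", statement_of_applicability(reg))
    print("Open items for the treatment plan:", [r.asset for r in open_items(reg)])
```

Two design points are worth noting. First, `treat()` refuses to record an "accept" decision without a written justification and refuses a "mitigate" decision that does not name the control, because those are exactly the two things an auditor will ask for when reading the risk assessment report and the Statement of Applicability. Second, the residual risk is re-estimated after treatment and compared with the same threshold, so a control that looks good on paper but leaves the risk above the acceptable level still shows up in `open_items()` and therefore in the risk treatment plan.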





      THANK YOU

13 comments:

  1. My cousin recommended this blog and she was totally right keep up the fantastic work!

    iso 22301 online training

  2. Is this a paid style or did you modify it yourself? Either way keep up the pleasant quality writing, it is rare to see a great site such as this one these days.
    Visitor Management System
    Visitor Management System Dubai
    Visitor Management Software Dubai
    Visitor Management System UAE
    Visitor Management Software
    Visitor Management App

  3. This is really an awesome article. Thank you for sharing this.It is worth reading for everyone.
    Information Security Management

  4. Excellent read, positive site, where did you come up with the information on this posting? I have read a few of the articles on your website now, and I really like your style. Thanks a million and please keep up the effective work.

    ISO 27001 Lead Auditor Course

  5. This post will be very useful to us....i like your blog and helpful to me....nice thoughts for your great work....

    iso 22301 lead auditor certification

  6. Thanks for sharing this great content. It is really informative and useful., You can also check this Similar site ISO 22301 Internal Auditor Training

  7. Very Nice Post. I am very happy to see this post. Such a wonderful information to share with us. I would like to share with my friends. For more information visit here Microsoft 365 Certified: Fundamentals

  8. The information on this blog is very useful and very interesting. Thank You. ISO 45001 Consultant in Oman

  9. Awesome! Amazing list of blog thanks you so much for sharing this awesome piece I always love to read. this is really helpful to us
    ISO 27001

  10. Very good article with very useful information. Visit our website for AS 9100 morocco
