![]()
CHAPTER 1: INTRODUCTION TO THE INTERNATIONAL INFORMATION SECURITY STANDARDS ISO27001 AND ISO27002
What is information security?
It is a truism to say that information is the currency of the information age. Information is, in many cases, the most valuable asset possessed by an organisation, even if that information has not been subject to a formal and comprehensive valuation.
IT governance is the discipline that deals with the structures, standards and processes that boards and management teams apply to effectively manage, protect and exploit their organisationsâ information assets.
Information security management is the subset of IT governance that focuses on protecting and securing an organisationâs information assets. The international standard ISO27000 defines information security as the âpreservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involvedâ.
Reasons to implement an information security management system (ISMS)
There are, broadly, four reasons for an organisation to implement an ISMS:
- Strategic: a government or parent company requirement, or a strategic board decision, to better manage its information security within the context of its overall business risks.
- Customer confidence: the need to demonstrate to one or more customers that the organisation complies with information security management best practice, or the opportunity to gain a competitive edge over its competitors, in both customer and supplier relationships.
- Regulatory: the desire to meet various statutory and regulatory requirements, particularly around computer misuse, data protection and personal privacy.
- Internal effectiveness: the desire to manage information more effectively within the organisation.
Although not explicitly stated in ISO27001, it should be remembered that while all four of these reasons for adopting an ISMS are good, having an ISO27001-compliant ISMS will not automatically confer immunity from legal obligations. The organisation will have to ensure that it understands the range of legislation and regulation with which it must comply, ensure that these requirements are reflected in the ISMS as it is developed and implemented, and then ensure that the ISMS works as designed.
The ISMS and regulation
Regulations and the law in each of the areas mentioned above are still evolving; they are sometimes poorly drafted, often contradictory (particularly between jurisdictions) and have little or no case law to provide guidance for organisations in planning their compliance efforts. It can be difficult for organisations to identify specific methods for complying with individual laws. In these circumstances, implementation of a best practice ISMS may support a defence in court that the management did everything that was reasonably practicable for it to do in meeting its legal and regulatory requirements. Of course, every organisation would have to take its own legal advice on issues such as this, and neither this book nor these authors provide guidance of any sort on this issue.
ISO/IEC 27001:2013 (âISO27001â or âthe Standardâ)
Published by the International Organization for Standardization (ISO), this is the most recent, most up-to-date, international version of a standard specification for an information security management system. It is vendor-neutral and technology-independent. It is designed for use in organisations of all sizes (âintended to be applicable to all organisations, regardless of type, size and natureâ1) and in every sector (e.g. commercial enterprises, government agencies, not-for-profit organisations), anywhere in the world. It is a management system, not a technology specification and this is reflected in its formal title, which is Information technology â Security techniques â Information security management systems â Requirements. ISO27001 is also the first of a series of international information security standards, all of which have ISO2700X numbers.
ISO/IEC 27001:2013 is a specification for an ISMS. It sets out requirements and uses words like âmustâ and âshallâ. One mandatory requirement is that controls determined during the information security risk treatment should be compared âwith those in Annex A [to] verify that no necessary controls have been omittedâ.2 Annex A to ISO/IEC 27001:2013 lists the 114 controls that are in ISO/IEC 27002:2013, follows the same numbering system as that standard and uses the same words and definitions.
As Annex A of ISO27001 states, âThe control objectives and controls listed [below] are directly derived from and aligned with those listed in ISO/IEC 27002:20013â.3 ISO27002 provides substantial implementation guidance on how individual controls should be approached. Anyone implementing an ISO27001 ISMS will need to study both ISO27001 and ISO27002.
While ISO27001 mandates the use of ISO27002 as a source of guidance on controls, control selection and control implementation, it does not limit the organisationâs choice of controls to those in ISO27002. Clause 6.1.3 c) of ISO27001states:
The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.
ISO/IEC 27002:2013 (âISO27002â)
This standard is titled Information technology â Security techniques â Code of practice for information security controls. Published in September 2013, it replaced ISO/IEC 27002:2005, which has now been withdrawn. Prior to this, until August 2007, it was designated ISO17799.
ISO/IEC 27002:2013 is a code of practice. It provides guidance and uses words like âmayâ and âshouldâ. It provides an internationally accepted framework for best practice in information security management and systems interoperability. It also provides guidance on how to implement an ISMS capable of certification, to which an external auditor could refer. It does not provide the basis for an international certification scheme.
Definitions
The definitions used in both standards are standardised within ISO/IEC 27000. This ensures that consistent definitions are available for all ISO2700X standards.
Risks to information assets
An asset is defined in ISO27000 as âanything that has value to the organisationâ. Information assets are subject to a wide range of threats, both external and internal, ranging from the random to the highly specific. Risks include acts of nature, fraud and other criminal activity, user error and system failure. Information risks can affect one or more of the three fundamental attributes of an information asset, its:
- availability
- confidentiality
- integrity.
These three attributes, commonly known as the âsecurity triadâ, are defined in ISO27000 as follows:
- availability: the âproperty of being accessible and usable upon demand by an authorised entityâ, which allows for the possibility that information has to be accessed by software programs as well as human users;
- confidentiality: the âproperty that information is not made available or disclosed to unauthorised individuals, entities, or processesâ;
- integrity: the âproperty of protecting the accuracy and completeness of assetsâ (i.e. preventing unauthorised changes, whether malicious or accidental).
Information Security Management System
ISO27000 defines an ISMS as:
Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. The management system includes organisational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
An ISMS exists to preserve confidentiality, integrity and availability. It secures the confidentiality, availability and integrity of the organisationâs information and information assets, and its most critical information assets are those for which all three attributes are important.
Relationship between the standards
The working relationship between ISO27001 and ISO27002 needs to be very clear, as ISO27001 relies to such a substantial extent on ISO27002 that it mandates its use.
The link between the two standards was created in 1999, when BS7799 was first published as a two-part standard:
- Part 1 was a code of practice.
- Part 2 was a specification for an ISMS that deployed controls selected from the code of practice.
The original Part 2 specified, in the main body of the Standard, the same set of controls that were described, in far greater detail (particularly with regard to implementation) in Part 1. These controls were later removed from the main body of Part 2 and listed in an annex, Annex A.
This relationship continues today, between the specification for the ISMS that is contained in one part of the combined standard, and the detailed guidance on the information security controls that should be considered in developing and implementing the ISMS and which are contained in the other part of the combined standard. The addition of further standards in the ISO2700x series has not changed this fundamental relationship between ISO27001 and ISO27002; rather, it has expanded the range of guidance in ISO27002 to refer to those other standards where relevant.
Specification compared to a code of practice
ISO/IEC 27001:2013 is a specification for an ISMS. It uses words like âshallâ. It sets out requirements.
A code of practice or a set of guidelines uses words like âshouldâ and âmayâ, allowing individual organisations to choose which elements of the standard to implement, and which not. A specification does not provide any such latitude.
Any organisation that implements an ISMS that it wishes to have assessed against ISO/IEC 27001 will have to follow the specification contained in the Standard.
As a general rule, organisa...
