1 INTRODUCTION
Why are these security controls important, and why are they listed in Annex A of ISO 27001? How are they related to risk assessment?
And, is this book the right choice for you?
1.1 Who should read this book?
This book is written primarily for beginners in ISO 27001 and for people with moderate knowledge about security controls (i.e., safeguards). I structured this book so that someone with no prior experience or knowledge about information security can quickly understand what the controls are all about; however, if you do have experience with ISO 27001 but feel that you still have gaps in your knowledge, you'll also find this book very helpful.
This book provides an overview of the structure of ISO 27001 Annex A, of the 114 controls found in this Annex, and of what they mean for small and medium-sized organizations (i.e., companies with up to 500 employees). All the principles described here are also applicable to larger organizations, so if you work for a larger company you might find this book useful; however, please be aware that you will have to use a more complex methodology. For example, for backups, both the rules and the technology will be more complex in a larger company than in a smaller one.
So, if you are an IT administrator, an information security professional, the head of an IT department, or a project manager tasked with implementing security controls in a small or mid-sized company, this book is a good place to start understanding this subject.
To conclude, this book gives a systematic picture of what ISO 27001 Annex A is all about, and gives an overview of all the controls that are included in Annex A. It is true that this book doesn't go into the details of each and every control, but for that purpose you'll find many links in this book to articles that explain the details you're interested in.
1.2 What this book is not
This book focuses on the purpose of individual controls and how to manage them; it does not focus on which technology you should use for a particular control. For example, this book will outline which principles are important for backups, but it doesn't provide guidelines on which technology you should purchase.
This book won't give you finished templates for all your policies, procedures, and plans; however, it will explain how to structure the documents, which options you have for writing such documents, and who should be involved in writing and decision making related to each document.
This book is not a copy of the ISO 27001 and ISO 27002 standards; you cannot replace reading these standards by reading this book. This book is intended to explain how to interpret the standards (since the standards are written in a rather unfriendly way), but it is not a replacement for ISO 27001 or ISO 27002. Indeed, for detailed guidelines on each and every control from ISO 27001 Annex A you should read the ISO 27002 standard.
So, please don't make the mistake of starting an implementation without actually reading ISO 27001 and, ideally, ISO 27002. I think you'll find ISO 27001 and ISO 27002 together with this book to be the perfect combination for your future work.
1.3 ISO 27001 vs. ISO 27002
If you have had the chance to read both the ISO 27001 and ISO 27002 standards, you probably noticed that ISO 27002 is much more detailed and much more precise. So, what's the purpose of ISO 27001 then?
First of all, a company cannot get certified against ISO 27002, because it is not a management standard. In other words, ISO 27002 focuses only on security controls; it doesn't explain how to build an Information Security Management System, which would include roles and responsibilities, setting the objectives, risk management, internal audits, etc. Only ISO 27001 defines those management requirements, which is why certification is done against ISO 27001.
The controls in ISO 27002 have the same names as in Annex A of ISO 27001. For instance, in ISO 27002 control 6.1.3 is named Contact with authorities, while in ISO 27001 it is A.6.1.3 Contact with authorities. The difference is in the level of detail: on average, ISO 27002 explains one control on one whole page, while ISO 27001 dedicates only one sentence to each control.
Finally, ISO 27002 does not distinguish between controls that are applicable to a particular company and those that are not. ISO 27001, on the other hand, requires a risk assessment to be performed in order to identify, for each control, whether it is needed to decrease the risks and, if it is, to what extent it should be applied.
Now, the question arises: why are these two standards published separately? Why haven't they been merged, bringing together the positive sides of both? The answer is usability: a single standard would be too complex and too large for practical use.
To conclude, ISO 27002 is a very good additional standard from which you can learn how to implement individual controls from ISO 27001; however, ISO 27002 should not be used without ISO 27001, because this would lead to an isolated effort by a few information security enthusiasts, with no acceptance from top management and, therefore, no real impact on the organization.
1.4 The crucial link between risk management and security controls
When speaking with someone new to ISO 27001, I very often encounter the same problem: this person thinks the standard will describe in detail everything they need to do. For example, how often they will need to perform backups, how distant their disaster recovery site should be, or, even worse, which kind of technology they must use for network protection or how they have to configure the router.
But the fact is that ISO 27001 does not prescribe these things; it works in a completely different way.
Why is ISO 27001 not prescriptive? Let's imagine that the standard prescribed that you need to perform a backup every 24 hours. Is this the right measure for you? It might be, but believe me, many companies nowadays will find this insufficient: the rate of change of their data is so high that they need to back up if not in real time, then at least every hour. On the other hand, there are still some companies that would find a once-a-day backup too frequent; their rate of change is still very slow, so backing up so often would be overkill.
The point is that if this standard is to fit any type of company, a prescriptive approach is not possible. So it is simply impossible for the standard to define not only the backup frequency, but also which technology to use, how to configure each device, etc.
By the way, this perception that ISO 27001 will prescribe everything is the biggest generator of myths about ISO 27001.
So, you might wonder, "Why would I need a standard that doesn't tell me anything concrete?" Because ISO 27001 gives you a framework for deciding on appropriate protection yourself. Just as you cannot copy another company's marketing campaign and expect it to work for you, the same principle holds for information security: you need to tailor it to your specific needs.
Risk management is the central idea of ISO 27001. And, the way ISO 27001 tells you to achieve this tailor-made suit is to perform risk assessment and risk treatment. This is nothing but a systematic overview of the bad things that can happen to you (assessing the risks), and then deciding which safeguards to implement to prevent those bad things from happening (treating the risks).
Requirements of interested parties. These requirements are the second crucial input when selecting the safeguards. Interested parties could be government agencies, your clients, partners, etc. All of them probably expect you to protect their information, and this is reflected in the laws and in the contracts you have with them. Therefore, your safeguards have to comply with all these requirements as well.
The whole idea here is that you should implement only those safeguards (controls) that are required because of the risks and the requirements of interested parties, not those that someone thinks are fancy. But this logic cuts both ways: you must implement all the controls that are required because of the risks or because of these requirements, and you cannot exclude some simply because you don't like them.
IT alone is not enough to protect the information. If you work in the IT department, you are probably aware that most of the incidents are happening not because the computers broke down, but because the users from the business side of the organization are using the information systems in the wrong way.
And such mistakes cannot be prevented with technical safeguards only; what is also needed are clear policies and procedures, training and awareness, legal protection, disciplinary measures, etc. Real-life experience has shown that the more diverse the safeguards applied, the higher the level of security achieved.
And when you take into account that not all sensitive information is in digital form (you probably still have papers with confidential information on them), the conclusion is that IT safeguards are not enough, and that the IT department, although very important in an information security project, cannot run this kind of project alone.
ISO 27001 recognizes this fact that IT security is not enough for implementing information security: the standard tells you how to run the information security implementation as a company-wide project in which not only IT, but also the business side of the organization, must take part.
1.5 Information security vs. IT security
One would think that IT security and information security are synonyms. After all, isn't information security all about computers?
Not really. The basic point is this: you might have perfect IT security safeguards, but a single malicious act by, for instance, an administrator can bring the whole IT system down. This risk has nothing to do with computers; it has to do with people, processes, supervision, etc.
Further, important information might not even be in digital form; it can also be on paper. For instance, an important contract signed with your largest client, personal notes made on a paper notepad by the CEO, or printed administrator passwords stored in a safe.
Therefore, I always like to tell my clients that IT security is only half of information security, because information security also includes physical security, human resources management, legal protection, organization, processes, etc. The purpose of information security is to build a system that takes into account all po...