ISO27001 and 27002

1
ISO27001 and 27002

• Removing the Smoke Mirrors
• Ken Anderson

2
AGENDA

• History of ISO and Timeline
• Overview of ISO 27000
• Threats and Impacts ISO addresses
• Objectives and benefits for measuring security
• Best Practices

3
History of ISO - Timeline

• 1992The Department of Trade and Industry (DTI),
  which is part of the UK Government, publish a
  'Code of Practice for Information Security
  Management'.
• 1995This document is amended and re-published by
  the British Standards Institute (BSI) in 1995 as
  BS7799.
• 1996Support and compliance tools begin to
  emerge, such as COBRA. David Lilburn Watson
  becomes the first qualified certified BS7799
  ccure Auditor
• 1999The first major revision of BS7799 was
  published. This included many major
  enhancements.Accreditation and certification
  schemes are launched. LRQA and BSI are the first
  certification bodies.

4
History of ISO The Timeline

• 2000In December, BS7799 is again re-published,
  this time as a fast tracked ISO standard. It
  becomes ISO 17799 (or more formally, ISO/IEC
  17799).
• 2001The 'ISO 17799 Toolkit' is launched.
• 2002A second part to the standard is published
  BS7799-2. This is an Information Security
  Management Specification, rather than a code of
  practice. It begins the process of alignment with
  other management standards such as ISO 9000.
• 2005A new version of ISO 17799 is published.
  This includes two new sections, and closer
  alignment with BS7799-2 processes..
• 2005ISO 27001 is published, replacing BS7799-2,
  which is withdrawn. This is a specification for
  an ISMS (information security management system),
  which aligns with ISO 17799 and is compatible
  with ISO 9001 and ISO 14001

5
Where did 17799 come from?

• BS7799 was conceived, as a technology-neutral,
  vendor-neutral management system that, properly
  implemented, would enable an organization's
  management to assure itself that its information
  security measures and arrangements were
  effective.
• From the outset, BS7799 focused on protecting the
  availability, confidentiality and integrity of
  organizational information and these remain,
  today, the driving objectives of the standard.
• BS7799 was originally just a single standard, and
  had the status of a Code of Practice. In other
  words, it provided guidance for organizations,
  but hadn't been written as a specification that
  could form the basis of an external third party
  verification and certification scheme.

6
Overview ISO 27000 (base standard)

• Published standards
• ISO/IEC 27001 - the certification standard
  against which organizations' ISMS may be
  certified (published in 2005)
• ISO/IEC 27002 - the re-naming of existing
  standard ISO 17799 (last revised in 2005, and
  renumbered ISO/IEC 270022005 in July 2007)
• ISO/IEC 27006 - a guide to the certification/regis
  tration process (published in 2007)
• In preparation
• ISO/IEC 27000 - a standard vocabulary for the
  ISMS standards
• ISO/IEC 27003 - a new ISMS implementation guide
• ISO/IEC 27004 - a new standard for information
  security management measurements
• ISO/IEC 27005 - a proposed standard for risk
  management
• ISO/IEC 27007 - a guideline for auditing
  information security management systems
• ISO/IEC 27011 - a guideline for
  telecommunications in information security
  management system
• ISO/IEC 27799 - guidance on implementing ISO/IEC
  27002 in the healthcare industry

7
ISO/IEC 27001

• ISO/IEC 27001 certification usually involves a
  three-stage audit process
• Stage 1 is a "table top" review of the existence
  and completeness of key documentation such as the
  organization's security policy, Statement of
  Applicability (SoA) and Risk Treatment Plan
  (RTP).
• Stage 2 is a detailed, in-depth audit involving
  testing the existence and effectiveness of the
  information security controls stated in the SoA
  and RTP, as well as their supporting
  documentation.
• Stage 3 is a follow-up reassessment audit to
  confirm that a previously-certified organization
  remains in compliance with the standard.
  Certification maintenance involves periodic
  reviews and re-assessments to confirm that the
  ISMS continues to operate as specified and
  intended.

8
ISO/IEC 27002

• ISO/IEC 27002 provides best practice
  recommendations on IS security management systems
  (ISMS).
• The standard contains the following twelve main
  sections
• Risk Assessment determining asset vulnerability
• Security Policy - management direction
• Organization of Information Security - governance
  of information security
• Asset Management - inventory and classification
  of information assets
• Human Resources Security - security aspects for
  employees joining, moving and leaving an
  organization
• Physical and Environmental Security - protection
  of the computer facilities

9
ISO/IEC 27002

• 7. Communications and Operations Management -
  management of technical security controls
• 8. Access Control - restriction of access rights
  to networks, systems, applications, functions and
  data
• 9. Information Systems Acquisition, development
  and maintenance - building security into
  applications
• 10. Information Security Incident Management -
  anticipating and responding appropriately to
  security breaches
• 11. Business Continuity Management - protecting,
  maintaining and recovering business-critical
  processes and systems
• 12. Compliance - ensuring conformance with
  information security policies, standards, laws
  and regulations

10
ISO/IEC 27002

• Within each section, information security
  controls and their objectives are specified and
  outlined.
• Specific controls are not mandated since
• Each organization is expected to undertake a
  structured information security risk assessment
  process to determine its specific requirements
  before selecting controls that are appropriate to
  its particular circumstances.
• It is practically impossible to list all
  conceivable controls in a general purpose
  standard. Industry-specific implementation
  guidance for ISO/IEC 27001 and 27002 are
  anticipated to give advice tailored to
  organizations in the telecomms, financial
  services, healthcare, lotteries and other
  industries.

11

• ISO 27002 Summary
• (Eye Test)

12
(No Transcript)
13
Information security threats of 2008

• CISSP / ISO27k implementers forum identifies the
  following threats
• Imposition of legal and regulatory obligations.
  
• Cyber-criminals
• Malware, Trojans
• Phishers
• Spammers
• Negligent staff
• Storms, tornados, floods - Acts of God
• Hackers
• Unethical Employees who misuse/misconfigure
  system security functions
• Unauthorized access, modification, disclosure of,
  information assets
• Nations attacking critical information
  infrastructures to cause disruption.
• Technical advances that can render encryption
  algorithms obsolete

14
Information security impacts

• Resulting information security incidents can
  cause
• Disruption to organizational routines and
  processes
• Direct financial losses through information theft
  and fraud
• Decrease in shareholder value
• Loss of privacy
• Reputational damage causing brand devaluation
• Loss of confidence in IT
• Expenditure on information security assest and
  data damaged, stolen, corrupted or lost in
  incidents
• Loss of competitive advantage
• Reduced profitability
• Impaired growth due to inflexible
  infrastructure/system/application environments
• Injury or loss of life if safety-critical systems
  fail

15
Objectives of measuring security

• So what are the objectives of measuring security?
  
• To show ongoing improvement
• To show compliance (with Standards, contracts,
  SLAs, OLAs, etc)
• To justify any future expenditure (new security
  software, training, people, etc)
• ISO 27001 certification requires it. Other
  Management Systems also require it ISO 9001,
  ISO 20000
• To identify where implemented controls are not
  effective in meeting their objectives
• To provide confidence to senior management and
  stakeholders that implemented controls are
  effective.

16
Benefits of measuring security

• So what are the benefits of measuring security?
• Actually eases process of monitoring the
  effectiveness of the ISMS (e.g. less labor
  intensive, for example, if using tools, and
  provides a means of self checking)
• Proactive tools to measure / prevent problems
  arising at a later date (e.g. network
  bottlenecks, disk clutter, development of poor
  human practices)
• Reduction of incidents, etc
• Motivates staff when senior management set
  targets
• Tangible evidence to auditors, and assurance to
  senior management that you are in control i.e.
  Corporate Information Assurance (Corporate
  Governance), and top down approach to Information
  Assurance.

17
What should be measured

• They have been broken down into the following
  categories
• Management Controls Security Policy, IT
  Policies, Security Procedures, Business
  Continuity Plans, Security Improvement Plans,
  Business Objectives, Management Reviews
• Business Processes Risk Assessment Risk
  Treatment Management Process, Human Resource
  Process, SOA selection process, Media Handling
  Process
• Operational Controls Operational Procedures,
  Change Control, Problem Management, Capacity
  Management, Release Management, Back up, Secure
  Disposal, Equipment off site
• Technical Controls Patch Management, Anti-Virus
  Controls, IDS, Firewall, Content Filtering

18
What needs to be measured?

• Measurement can be achieved against
• A particular security control or objective
• A group of controls
• Against main controls within a Standard
• Specific controls within an IT component.

19
Process for deciding which controls should be
used.

• First, you need to
• Confirm relevance of controls through risk
  assessment
• Define objectives, ensuring they map back to the
  business
• Use existing Indicators wherever possible, e.g.
  in ITIL terms, KPIs
• A KPI helps a business define progress towards a
  particular goal
• KPIs are measurements critical to the success of
  the business.
• Within the ISMS audit framework, identify
  controls which can be continuously monitored,
  using chosen technique
• Before using any tools, confirm the objectives
  with senior managers as well as staff.
  Corroborate with third parties, or through
  SLAs/OLAs where internal third parties are
  concerned e.g. ISO15000 (ITIL)

20
Process for deciding which controls should be
used.

• Establish a baseline, against which all future
  measurements can be contrasted/compared
• Provide periodic reports to appropriate
  management forum/ISMS owners (show graphs,
  pictures paint a thousand words)
• Identify Review Input agreed recommendations,
  corrective actions, etc
• Implement improvements within your Integrated
  Management Systems (IMS) e.g. merged ISOs 9001,
  14000, 27001, 20000
• Establish/agree new baseline, review the output,
  apply the PDCA approach (Plan Do Check
  Act).

21
Measuring the effectiveness of Security
Apply the vulnerability management lifecycle...

• Prioritize based on vulnerability data, threat
  data, and asset classification plan

• Inventory assets
• Identify vulnerabilities
• Develop baseline

• Monitor known vulnerabilities
• Watch unpatched systems
• Alert other suspicious activity

• Eliminate high-priority vulnerabilities
• Establish controls
• Demonstrate progress

22
Regulatory Concerns why look at ISO

• A lot to worry about
• FOIP
• PIPEDA
• Government concerns (e.g. Systrust, GCCR)
• Payment Card Industry (PCI)
• CSOX (Bill 198)
• NERC (Electric Regulatory)
• Cross border regulations (HIPPA, GLBA)
• ISA SP 99 (Future Industrial Standard?)
• There will be more to follow ..

23
Why Best Practices are Important!

• Today, the effective use of best practices can
  help avoid re-inventing wheels, optimize the use
  of scarce IT resources and reduce the occurrence
  of major IT risks, such as
• Project failures
• Wasted investments
• Security breaches
• System crashes
• Failures by service providers to understand and
  meet customer requirements

24
Why Best Practices are Important!

• COBIT, ITIL and ISO 17799 are valuable to the
  ongoing growth and success of an organization
  because
• Companies are demanding better returns from IT
  investments
• Best practices help meet regulatory requirements
  for IT controls
• Organizations face increasingly complex
  IT-related risks
• Organizations can optimize costs by standardizing
  controls
• Best practices help organizations assess how IT
  is performing
• Management of IT is critical to the success of
  enterprise strategy
• They help enable effective governance of IT
  activities
• A management framework helps staff understand
  what to do (policy, internal controls and defined
  practices)
• They can provide efficiency gains, less reliance
  on experts, fewer errors, increased trust from
  business partners and respect from regulators

25
SUMMARY

• ISO started as a management system
• ISO 17799 (BS7799) has become a defacto IT
  standard
• ISO 27000 takes standards to a new level
• Most organizations are using or looking at the
  standard for help
• Many more uses down the road

26
ISO 27000 Reference Links

• http//www.iso.org/iso/home.htm
• http//standards.iso.org/ittf/PubliclyAvailableSta
  ndards/index.html
• http//www.standardsglossary.com/
• http//isotc.iso.org/livelink/livelink/fetch/2000/
  2122/327993/customview.html?funcllobjId327993
• http//en.wikipedia.org/wiki/ISO_27000
• http//www.27000-toolkit.com/
• http//www.iso27001security.com/
• http//www.praxiom.com/27001.htm
• http//www.information-security-policies-and
  standards.com/standard/index.htm
• http//www.informationshield.com/iso17799.html

27

• QUESTIONS ?