The blog post provides a detailed guide on conducting an ISO 27001 audit, which is crucial for ensuring compliance with information security standards. It covers both internal and certification audits, explaining their purposes, the audit process, and steps such as setting the audit criteria, reviewing documentation, conducting a field review, and reporting findings. The article also emphasizes the importance of having an independent auditor and following up on corrective actions to ensure proper risk management.
On the morning of August 4, 2022, Advanced, a supplier for the UK’s National Health Service (NHS), was hit by a major cyberattack. Key services including NHS 111 (the NHS’s 24/7 health helpline) and urgent treatment centers were taken offline, causing widespread disruption. This attack served as a brutal reminder of what can happen without a standardized set of controls in place. To protect themselves, organizations should look to ISO 27001.
ISO 27001 is an internationally recognized Information Security Management System standard. It was first published in 2005 to help businesses implement and maintain a solid information security framework for managing risks such as cyberattacks, data leaks and theft. As of October 25, 2022, it has been updated in several important ways.
The standard is made up of a set of clauses (clauses 4 through 10) that define the management system, and Annex A which defines a set of controls. The clauses include risk management, scope and information security policy, while Annex A’s controls include patch management, antivirus and access control. It’s worth noting that not all of the controls are mandatory; businesses can choose to use those that suit them best.
Why is ISO 27001 being updated?
It’s been nine years since the standard was last updated, and in that time, the technology world has changed in profound ways. New technologies have grown to dominate the industry, and this has certainly left its mark on the cybersecurity landscape.
With these changes in mind, the standard has been reviewed and revised to reflect the state of cyber- and information security today. We have already seen ISO 27002 (the guidance on applying the Annex A controls) updated. The number of controls has been reduced from 114 to 93, a process that combined several previously existing controls and added 11 new ones.
Many of the new controls were geared to bring the standard in line with modern technology. There is now, for example, a new control for cloud technology. When the controls were first created in 2013, cloud was still emerging. Today, cloud technology is a dominant force across the tech sector. The new controls thus help bring the standard up to date.
In October, ISO 27001 was updated and brought in line with the new version of ISO 27002. Businesses can now achieve compliance with the updated 2022 controls, certifying themselves as meeting this new standard, rather than the now-outdated list from 2013.
How can ISO 27001 certification benefit your business?
Implementing ISO 27001 brings a host of information security advantages that benefit companies from the outset.
Companies that have invested time in achieving ISO 27001 certification will be recognized by their customers as organizations that take information security seriously. Companies that are focused on the needs of their customers should want to address the general feeling of insecurity in their users’ minds.
Moreover, as part of the increasingly rigorous due-diligence processes that many companies are now undertaking, ISO 27001 is becoming mandatory. Therefore, organizations will benefit from taking the initiative early to avoid missing out commercially.
In the case of cyber-defense, prevention is always better than cure. Attacks mean disruption, which almost always proves costly for an organization, in regard to both reputation and finances. Therefore, we might view ISO 27001 as a form of cyber-insurance, where the correct steps are taken preemptively to save organizations money in the long term.
There’s also the matter of education. Often, an organization’s weakest point, and thus the point most often targeted, is the user. Compromised user credentials can lead to data breaches and compromised services. If users were more aware of the nature of the threats they face, the likelihood of their credentials being compromised would decrease significantly. ISO 27001 offers clear and cogent steps to educate users on the risks they face.
Ultimately, whatever causes a business to choose implementation of ISO 27001, the key to getting the most out of it is ingraining its processes and procedures in their everyday activity.
Overcoming the challenge of ISO 27001 certification
A lot of companies have already implemented many controls from ISO 27001, including access control, backup procedures and training. It might seem at first glance that, as a result, they’ve already achieved a higher standard of cybersecurity across their organization. However, what they continue to lack is a comprehensive management system to actually manage the organization’s information security, ensuring that it is aligned with business objectives, tied into a continuous improvement cycle, and part of business-as-usual activities.
While the benefits of ISO 27001 may be obvious to many in the tech industry, overcoming obstacles to certification is far from straightforward. Here are some steps to take to tackle two of the biggest issues that drag on organizations seeking ISO 27001 certification:
Resources — time, money, and manpower: Businesses will be asking themselves: How can we find the extra budget and dedicate the finite time of our employees to a project that could last six to nine months? The key here is to place trust in the industry experts within your business. They are the people who will be implementing the standard day-by-day, and they should be placed at the wheel.
Lack of in-house knowledge: How can businesses that have no prior experience implementing the standard get it right? In this case, we advise bringing in third-party expertise. External specialists have done this all before: They have already made the mistakes and learned from them, meaning they can come into your organization directly focused on implementing what works. In the long run, getting it right from the outset is a more cost-effective strategy because it will achieve certification in a shorter time.
Next steps toward a successful future
While making this all a reality for your business can seem daunting, with the right plan in place, businesses can rapidly benefit from all that ISO 27001 certification has to offer.
It’s also important to recognize that this October was not the cutoff point for businesses to achieve certification for the new version of the standard. Businesses will have a few months before certification bodies will be ready to offer certification, and there will likely then be a two-year transition period after the new standard’s publication before ISO 27001:2013 is fully retired.
Ultimately, it’s vital to remember that while implementation comes with challenges, ISO 27001 compliance is invaluable for businesses that want to build their reputations as trusted and secure partners in today’s hyper-connected world.
ISO 27001 is a widely-known international standard on how to manage information security.
In this Help Net Security video, Nicky Whiting, Director of Consultancy, Defense.com, talks about the challenges of achieving ISO 27001, a widely-known international standard.
ISO 27001 certification is not obligatory. Some organizations choose to implement it in order to benefit from the best practice it contains. Others decide they want to get certified to reassure customers and clients.
However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001.
Although ISO 27001 is the more well-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them.
What is ISO 27001?
ISO 27001 is the central framework of the ISO 27000 series, which is a series of documents relating to various parts of information security management.
The Standard contains the implementation requirements for an ISMS. These are essentially an overview of everything you must do achieve compliance.
This is particularly useful at the start of your project, or if you’re looking for general advice but can’t commit to a full-scale implementation project.
ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement.
These controls are listed in Annex A of ISO 27001, which is what you’ll often see information security experts refer to when discussing information security controls. However, whereas Annex A simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.
This is because the Standard explains how each control works, what its objective is, and how you can implement it.
The differences between ISO 27001 and ISO 27002
There are three main differences between ISO 27001 and ISO 27001:
Detail
If ISO 27001 went into as much detail as ISO 27002, it would be unnecessarily long and complicated.
Instead, it provides an outline of each aspect of an ISMS, with specific advice being found in additional standards. ISO 27002 is only one of these. For example, ISO 27003 covers ISMS implementation guidance and ISO 27004 covers the monitoring, measurement, analysis and evaluation of the ISMS.
Certification
You can certify to ISO 27001 but not to ISO 27002. That’s because ISO 27001 is a management standard that provides a full list of compliance requirements, whereas supplementary standards such as ISO 27002 address one specific aspect of an ISMS.
Applicability
A key thing to consider when implementing an ISMS is that not all information security controls will apply to your organisation.
ISO 27001 makes that clear, specifying that organisations conduct a risk assessment to identify and prioritise information security threats. ISO 27002 doesn’t mention this, so if you were to pick up the Standard by itself, it would be practically impossible to figure out which controls you should adopt.
When you should use each standard
ISO 27001 and ISO 27002 have different objectives and will be helpful in different circumstances.
If you’re starting out with the Standard or are planning your ISMS implementation framework, then ISO 27001 is ideal. You should refer to ISO 27002 once you’ve identified the controls that you’ll be implementing to learn more about how each one works.
This one-day course provides a comprehensive introduction to the key elements required to comply with ISO 27001. You’ll learn from expert information security consultants and have the chance to review case studies and participate in group discussions and practical exercises.
Developed by the team that led the world’s first successful ISO 27001 implementation project, this one-day course provides a comprehensive introduction to Standard.
You’ll learn from expert information security consultants, as they explain:
ISO 27001 management system documentation;.
How to plan, scope and communicate throughout your ISO 27001 project; and
The key steps involved in an ISO 27001 risk assessment.
ISO/IEC 27701 is the international standard that serves as an extension to an ISO 27001/ ISO 27002 #ISMS (information security management system). It provides guidelines for implementing, maintaining, and continually improving a #PIMS (privacy information management system).
Develop a privacy information management system as an extension to your ISO 27001-conformant ISMS with ISO/IEC 27701. Supports GDPR compliance.
SECURITY TECHNIQUES — EXTENSION TO ISO/IEC 27001 AND ISO/IEC 27002 FOR PRIVACY INFORMATION MANAGEMENT SYSTEM #PIMS
Key features:
* The Standard includes mapping to the GDPR, ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151
* Integrates with other management system standards, including the information security standard, ISO/IEC 27001
* Provides PIMS-specific guidance for ISO/IEC 27002
* Specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a PIMS
* Supports compliance with the GDPR and DPA 2018
* Provides guidance for data controllers and processors responsible for processing personal data
ISO 27701 Gap Analysis Tool
Achieve full compliance with ISO 27701:2019
The ISO 27701 Gap Analysis Tool has been created to help organizations identify whether they are meeting the requirements of the Standard and where they are falling short. Note that this tool assumes that you have a complete and functioning ISO 27001:2013 ISMS (information security management system).
It helps organizations prioritise work areas in order to expand an existing ISMS to take account of privacy. It also gives organizations direction, helping project managers identify where to start.
What does the tool do?
Contains a set of sample audit questions
Lists all ISO 27701:2019 requirements, identifying where documentation is mandatory for compliance
Provides a clear, colour-coded report on the state of compliance
The executive summary displays the results of compliance in a clear table so that you can report on your results and measure the closure of gaps.
The tool is designed to work in any Microsoft environment. It does not need to be installed like software, and it does not depend on complex databases; it relies on human involvement.
ISO 27701 The New Privacy Extension for ISO 27001
httpv://www.youtube.com/watch?v=-NUfTDXlv30
Quick Guide to ISO/IEC 27701 – The Newest Privacy Information Standard
httpv://www.youtube.com/watch?v=ilw4UmMSlU4
With the number of ISO 27001 certifications rising fast in the US, organizations will be looking to implement an ISO 27001-compliant information security management system (ISMS) quickly, before any of their competitors.
However, the hardest part of achieving ISO 27001 certification is providing the documentation for the ISMS. Often – particularly in more complex and larger businesses – the documentation can be up to a thousand pages. Needless to say, this task can be lengthy, stressful and complicated.
IT Governance Publishing’s (ITGP) ISO 27001 toolkits offer this documentation in pre-written templates, along with a selection of other tools to:
Help save you months of work as all the toolkits contain pre-written templates created by industry experts that meet ISO 27001:2013 compliance requirements.
Reduce costs and expenses as you tackle the project alone.
Save the hassle of creating and maintaining the documents yourself.
Accelerate your management system implementation by having all of the tools and resources you need at your disposal.
Ensure nothing is left out of your ISMS documentation.
When an organization’s need help with their ISMS projects, they’re normally at a loss.
The two major challenges they face are creating supporting documentation and performing a risk assessment.
With wide range of fixed-price toolkits, these toolkits can provide you with the official ISO 27000 standards, implementation guidance, documentation templates, and risk assessment software to aid your project.
It’s no longer sufficient to suppose that you can defend against any potential attack; you must accept that an attack will inevitably succeed. An organisation’s resilience in identifying and responding to security breaches will become a critical survival trait in the future. The Cyber Resilience Implementation Suite has been designed to help organisations create an integrated management system that will help defend against cyber threats and minimise the damage of any successful attack. This suite of products will help you to deploy the cyber security Standard ISO27001 and the business continuity Standard ISO22301 to create an integrated cyber resilience management system. The books in this suite will provide you with the knowledge to plan and start your project, identify your organisation’s own requirements and apply these international standards. Management systems can require hundreds of documents and policies. Created by experienced cyber security and business continuity professionals, the toolkits in the Cyber Resilience Implementation Suite provide documentation templates to save you weeks of researching and writing and the supporting guidance to ensure you’re applying the necessary polices for your business. Administration and updating of the documentation is made easy with the toolkits’ integrated dashboard, easy customization of templates and one-click formatting.
AXELOS’s new guide RESILIA™ Cyber Resilience Best Practices provides a methodology for detecting and recovering from cyber security incidents using the ITIL lifecycle
Best guide on Cyber Resilience on the web – Cyber Resilience Best Practices
is part of the AXELOS RESILIA™ portfolio.
RESILIA™ Cyber Resilience Best Practices is aimed at anyone that is responsible for staff or processes that contribute to the cyber resilience of the organization.
The methodology outlined in this manual has been designed to complement existing policies and frameworks, helping create a benchmark for cyber resilience knowledge and skills.
Designed to help organizations better prepare themselves to deal with the increasing range and complexity of cyber threats.
Provides a management approach to assist organizations with their compliance needs, complementing new and existing policies and frameworks.
Developed by experts in hands-on cyber resilience and systems management, working closely with subject and technology experts in cyber security assessment.
Supports the best-practice training and certification that is available to help organizations educate their staff by providing a defined benchmark for cyber resilience knowledge and skills.
Aligned with ITIL®, which is the most widely accepted service management framework. The best practice is equally suitable for organizations to adopt within other systems, such as COBIT® and organization-specific frameworks.
Target market
Managers who are responsible for staff and processes where cyber resilience practices are required – for example those processing payment card information, sensitive commercial data or customer communications.
IT service management teams, IT development and security teams, cyber teams and relevant team leaders that operate the information systems that the organization relies on.
IT designers and architects, those responsible for the design of the information systems and the controls that provide resilience.
The chief information security officer (CISO), the chief security officer (CSO), IT director, head of IT and IT managers.
Buy this guide and gain practical guidance on assessing, deploying and managing cyber resilience within business operations.
ISO 27001 As A Business Tool
More than ever, information security is a key part of a business’ overall plan and objective set. ISO 27001 can help businesses bring their information security practices together and develop a strategy to raise awareness and vigilance throughout the business.
With ISO 27001, all of a business’ information security is brought together, meaning there is a far greater level of accountability across all levels of the organisation.
ISO 27001 is a highly worthwhile tool, a world leading information security management system which integrates compliance into an organisation’s everyday tasks.
Who Is Accountable For ISO 27001?
The short answer is everybody, however there is more to it than that. ISO 27001 stands alone as an information security standard as it places the sole accountability on the business managers. That is, ultimately the buck stops with them, however it is up to them to spread responsibility and delegate as they see fit.
It is down to the business leaders to clearly identify which information security risks apply to their particular business and then take the necessary action to remove the risk entirely, or reduce it to a workable, acceptable level. It is the full responsibility of the managers to check and maintain that ISO 27001 standards are being met across the business.
One aspect which makes ISO 27001 a highly worthwhile tool is that there is room for each business to implement the standard in a way that best suits them. This is far removed from previous standards which have been “blankets”, leading to businesses at times putting things in place when in reality that scenario will never apply to them.
ISO 27001 is only really worthwhile if a business and its leaders gives the necessary level of time and dedication to achieving its aims. The certificate of ISO 27001 is an acknowledgement that an information security management system exists, continuous work must be done to ensure that compliance standards are continually met and the business remains fully protected.
Strong Reputation
A business with an ISO 27001 certification will be highly reputable so long as the standards required are strongly upheld. A dedication to the protection of information, whether it be internal finances or customer details, is highly regarded throughout the world in an age where privacy is highly valued but not often respected.
ISO 27001 raises awareness throughout the business of information security risks, involves all employees throughout a company and therefore delivers a significantly lower level of overall risk.
IT Governance Ltd, the global provider of cyber security management solutions, has announced a value-add offer in March. Organisations that buy the No3 ISO27001 Comprehensive Toolkit before the end of March will receive the Cybersecurity Self Assessment Tool free, making double savings on resource and time.
The No3 ISO27001 Comprehensive Toolkit contains highly practical books, document templates and risk assessment tool, also providing a 100% return on investment. It helps organisations tackle cybersecurity issues quickly and efficiently, whilst considerably improving their cybersecurity defences.
The recent Symantec Threat Awareness Survey uncovered that over 50% of the 1,900 SME’s interviewed, thought that they were immune to cybercrime because they were too small.
However, Symantec’s report found that since 2010 40% of all attacks were on SME’s. Ross Walker, Symantec director of small business for Symantec UK, commented “hackers are going after ‘low hanging fruits’ these are the companies who are less security aware and do not have the proper defences in place”.
Alan Calder, CEO of IT Governance, says “The best way to build robust and effective cyber defences is by implementing ISO27001, the world’s cybersecurity standard. An ISO27001-compliant Information Security Management System (ISMS) promotes customer confidence, helps vendors win new business and improves organisational efficiency”.
The easiest way to implement an ISO27001-compliant ISMS, especially for SMEs, is with the No 3 Comprehensive ISMS ISO27001 Toolkit. It provides organisations with all the tools they will need for the implementation of an information security management system (ISMS).
The No 3 Comprehensive ISMS ISO27001 Toolkit includes copies of the three key standards (ISO27001, ISO27002 and ISO27005), the Risk Assessment Tool (vsRisk™), the Documentation Template Toolkit and manuals that describe in practical detail how each aspect of the ISMS should be tackled.
One user of the Toolkit said: “Using the templates was the only way that we could deliver a first edition ISMS in under six months. Our deliverable was a work in progress, but miles ahead of where they would have been without the templates”.
Organisations that buy the No 3 Comprehensive ISMS ISO27001 Toolkit before the end of March will receive the Cybersecurity Self Assessment Tool free. It enables any organisation to quickly assess and demonstrate which areas of the organisation are up to scratch and where more attention is required.
BSI and Rotterdam school of management, Erasmus university conducted a research study about ISO/IEC 27001 Information technology. Security techniques. BSI interviewed Henk de Vries who is one of the experts behind the study.
ISO27001 (ISO 27001) ISMS Requirements (Download now)
ISO27002 (ISO 27002) Code of Practice for ISM (Download now)
It is one of an important decision for your organization when you have to decide between ISO 27001 certification and ISO 27002 compliance. When continuous compliance with the standards may save you money in short run but ISO 27001(ISMS) certification outweighs benefits in long run. ISO compliance is a commitment for an organization when it has to be audited (internal) on regular basis to show to your vendors and partners. At the same time ISO certification has to be audited by independent external auditors.
Things that may affect your decision:
a) What will be the cost of achieving ISO compliance? Pick a scope and perform a gap analysis based on ISO 27002 to see where the gaps are. Find out the cost of treating the gaps for your organization including the cost of consultant, cost of tool, and cost of project management. These processes may vary from organization to organization.
b) Does ISO certification will benefit the organization because its competitors already have done it? (How much business an organization may lose or perhaps prospective new customers.)
c) Achieving certification may save money, time and efforts in long run by aiding your organization in compliance effort (PCI, HIPAA, SOX, NIST, GLBA). (Hey auditor we are already certified in specific controls, How much of the spending can be safe on other audits.)
d) Do enough customers will demand/require the certification in order to do business with them? Not having ISO certification may be a business disabler and organization may lose important customers which will affect company’s bottom line.
Risks of being non-compliant:
• No assurance to customers regarding InfoSec controls
• May lose customers in the long run
• May affect future business
Benefits of certification:
• Business enabler
• Align with the business goals
• Everyone is responsible for InfoSec
• De-facto InfoSec standards
• ISO 9000, ISO 14000, ISO 20000 compatible
• Commonly accepted best practice
• Capable of external certification
Three years ago, California state IT council adopted the information security program guide which help organizations to comply with SB 1386. The council advised the use of information security standard ISO 27002 framework to comply and meet the needs of SB 1386.
This legislation deals with the security of personal information and is applicable to all organisations (state and government agencies, non-profit, companies of all sizes, regardless of geographic location) holding personal data on any person living in California. SB-1386 requires such information holders to disclose any unauthorised access of computerised data files containing personal information.
In response, IT Governance’s comprehensive ‘SB-1386 & ISO27002 Implementation Toolkit’ is specifically designed by experts in data compliance legislation to guide organisations on how to conform to SB-1386. The toolkit conforms to ISO27002 and, if desired, also helps organisations prepare for any external certification process (ISO 27001) that would demonstrate conformance with such a standard. The State of California has itself formally adopted ISO/IEC 27002 as its standard for information security and recommended that organisations use this standard as guidance in their efforts to comply with California law.
Which businesses are affected by SB 1386 law?
o If you have a business in California
o Outsourcing company who does business with a company in California or have customers in California
o Data centers outside of California which store information of California residents
Toolkits are designed to help organizations who need to comply with a law like SB 1386. SB 1386 and ISO 27002 implementation toolkit assist ISO 27002 compliance. Also help organizations who are interested in certification to lay in the ground work for (ISO 27001) certification that would demonstrate the conformance with world class information security management systems.
The Comprehensive SB1386 Implementation toolkit comprises of:
1. The SB 1386 Documentation Toolkit: a download with nearly 400 of densely packed pages of fit-for-purpose policies and procedures ensuring full compliance with SB 1386.
2. International IT Governance: An Executive Guide to ISO 17799/ISO 27001 (Soft Cover) This is the US version of the long established world leading manual on designing and implementing an Information Security Management System (ISMS) in line with the best practice guidance of ISO27001/ISO17799.
3. vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool which in summary:
o automates and delivers an ISO/IEC 27001-compliant risk assessment
o Uniquely, can assess confidentiality, integrity & availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001
o Comprehensive best-practice alignment
o Supports ISO 27001
o Supports ISO 27002 (ISO/IEC 17799)
o Conforms to ISO/IEC 27005
o Conforms to NIST SP 800-30
o The wizard-based approach simplifies and accelerates the risk assessment process;
o Integrated, regularly updated, BS7799-3 compliant threat and vulnerability databases.
4. Plus an electronic copy of the Information Security Standard ISO/IEC 27002: (formerly ISO 17799).
Definition – A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.
A good RAF organizes and presents information in a way that both technical and non-technical personnel can understand. It has three important components: a shared vocabulary, consistent assessment methods and a reporting system.
The common view an RAF provides helps an organization see which of its systems are at low risk for abuse or attack and which are at high risk. The data an RAF provides is useful for addressing potential threats pro-actively, planning budgets and creating a culture in which the value of data is understood and appreciated.
There are several risk assessment frameworks that are accepted as industry standards including:
Risk Management Guide for Information Technology Systems (NIST guide) from the National Institute of Standards.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from the Computer Emergency Readiness Team.
Control Objectives for Information and related Technology (COBIT) from the Information Systems Audit and Control Association.
To create a risk management framework, an organization can use or modify the NIST guide, OCTAVE or COBIT or create a framework inhouse that fits the organization’s business requirements. However the framework is built, it should:
1. Inventory and categorize all IT assets.
Assets include hardware, software, data, processes and interfaces to external systems.
2. Identify threats.
Natural disasters or power outages should be considered in addition to threats such as malicious access to systems or malware attacks.
3. Identify corresponding vulnerabilities.
Data about vulnerabilities can be obtained from security testing and system scans. Anecdotal information about known software and/or vendor issues should also be considered.
4. Prioritize potential risks.
Prioritization has three sub-phases: evaluating existing security controls, determining the likelihood and impact of a breach based on those controls, and assigning risk levels.
5. Document risks and determine action.
This is an on-going process, with a pre-determined schedule for issuing reports. The report should document the risk level for all IT assests, define what level of risk an organization is willing to tolerate and accept and identify procedures at each risk level for implementing and maintaining security controls.
The audit is utilized as a tool to check compliance control based on standards such as ISO 27002 or NIST 800-53 etc. Some other terms which are not sometime rigorous audit have been used to asses controls are gap analysis, benchmarking and control review.
Scoping sets the boundaries of the audit, where dependencies are marked and exclusions are sorted out.
The consultant/team lead that has a thorough understanding of security risk management ought to carry out these reviews. The quality of the work depends on correct scoping, fieldwork assignment, and appropriately reporting the findings to management.
Team lead should have a clear understanding of audit scope before the initial briefing to client. Basically what exactly the client wants and who are the target audiences in the final report and presentation. Clear understanding of the scope includes making sure that the whole organization is included in the audit or just part of it. Before starting an audit, the auditor should have a complete list of assets included in the scope. Sort the assets list into different group of infrastructure which could be handed over to technical consultant for validation of the controls. At this point team lead should point out to technical consultant, the minimum number of assets which are required to be validated to satisfy sampling requirement.
Scope of final report/presentation should be clear regarding the list of non-compliance, prioritized recommendation or action plans which needs to be included in the report. During presentation of the findings, and to keep C level folks interested in the presentation, presenter needs to relate the findings to business risk and avoid using security acronym.
Scoping will take into account the length of the time available for field work, analysis, reporting and size and competence of the team to perform a successful audit. Especially if limited time is available for field work, the competence of the team matter to cover various infrastructure, to validate and document the controls effectively.
In risk management, risk treatment process begins after completion of a comprehensive risk assessment.
Once risks have been assessed, risk manager utilize the following techniques to manage the risks
• Avoidance (eliminate)
• Reduction (mitigate)
• Transfer (outsource or insure)
• Retention (accept and budget)
Now the question is how to select an appropriate control to avoid or reduce risk. While selecting appropriate control to mitigate and avoid risk we need to consider compensating control to cut cost and supplemental control to increase protection for sensitive or classified assets.
Compensating control is a safeguard or countermeasure is employed by an organization in lieu of recommended security control from standards such as ISO 27002 or NIST 800-53. Compensating control provides an equivalent or comparable protection for information system to the original control requirement form standard. For example, even though most standards recommend separation of duties, but for a small operation it might be an unacceptable cost to separate the duties of system administration and system auditing. In that case system owner can utilize compensating control such as strengthening the audit and personnel security.
On the other hand with supplemental control, the system owner may decide to supplement the control to achieve more protection for sensitive and classified assets. If there is high likelihood or magnitude of impact is high should a threat exploit a given vulnerability you might want to consider a supplemental control because overall risk is high. For example you might want to utilize defense in depth method to safeguard your crown jewel.
Implementing and monitoring security control can be expensive, system owner are pressured by management to look for cost savings without any reduction in the security posture of an organization. The system owner can either inherit the common controls or segment the system exposure to reduce cost and risks.
Common controls are the security controls which have been implemented by another information system that your system can utilize. Basically working with another system owner who has utilized some of the security controls need to be implemented in your system. For example utilize the corporate office base line hardening configuration for Windows and Unix system instead of developing your own. This will significantly reduce the cost of developing, testing and maintaining a secure baseline configuration.
Best and cheapest method of cost reduction is to segment the information system into multiple systems which will add different layers and levels of security into each system. Basically you put your crown jewel in multiple layers of security if one control breaks there is another control in place to monitor and protect your assets. This will allow the system owner to focus implementing higher security controls to the segment with most sensitive or classified information instead of entire system
The organizations need to establish security program to manage their day to day risks. Before selecting the controls from standards such as (NIST 800-53 or ISO 27002), organizations need to have complete inventory of the assets involved in the scope. Assets involved in the scope would require a comprehensive risk assessment to determine the sensitivity/criticality of these assets. Depending on the categorization of these assets will determine an appropriate control from standard to mitigate relevant risk. In some cases supplemental controls may be required.
Management of risks involves the risks to the organization with the operation of an information system or information security management system. Risk management is an effective frame work for selecting appropriate security controls for an information system and assist in selecting of appropriate security controls to protect assets.
Both ISO and NIST standards follow the similar path in control selections. NIST 800-53 has 163 high level controls and 154 medium level controls which have around 95% mapping with ISO 27002 which has 133 controls. While NIST SP 800-53 is required for federal (unclassified) information system, NIST encourages its use in commercial space. Commercial organizations can utilize the NIST standard to create their security program, which will provide a road map to their security strategy and assist in making informed decisions for securing their information assets.
The management of day to day risks is a key element in an organization’s information security program and both NIST and ISO provide an effective framework for selecting and managing the appropriate security controls for information system. ISO utilize PDCA (Plan, Do Check, and Act) Deming model for selecting the appropriate security controls and managing its information security management system. NIST on the other hand utilize the similar framework for selecting and managing appropriate controls for information system and is called risk management framework security life cycle. Copy of the NIST risk management framework security life cycle is available to see an eerie resemblance with PDCA model.
Around 80% of critical infrastructure resides in private sectors which required to be protected by various regulations. Both NIST and ISO can be utilized to protect assets, however in some cases one standard might fit better in your environment then the other or perhaps you are able to manage one standard better then the other. Both standards required their information system to be audited or reviewed by authorized organizations to achieve apporpriate certifications.
According to SF Chronicle article by Deborah Gage (May 8, 2009, c2) consumer reports magazine’s annual “State of the Net” survey finds that cybercrimes has held steady since 2004, with one out of five consumers becoming victims in last two years at a cost to economy of $8 billion. Consumer report can be found on at www.consumerreports.org
Uncertain economic time brings new threats and scams and most of the security experts agree that there’s a possibility of increase in cybercrime for this year. Survey also found that around 1.7 million people were victims of identity theft and 1.2 million had replaced their computers because of infected software.
First why all the signs are showing uptick in cybercrimes and second what are we going to do about it.
Management should start considering security as total cost of ownership instead of wasting time on what is ROI of information security. If there is a security breach, somebody in the management should be held accountable not an IT or security personnel. Management will keep demonstrating lax attitude toward data protection and security in general unless there are serious consequences like spending time in jail for lack of security controls (basic due diligence) and not taking appropriate actions for the risks that posed a significant threat to the organization.
PCI, HIPAA and SOX compliance are a good start in a right direction for management to take information security into consideration, but these compliance initiatives don’t address the security of a whole organization. They address security risks of a business unit in an organization. If management is really serious about security then ISO 27002 code of practice is one of the option which should be considered to address the security of the whole organization and ultimately organization should achieve ISO 27001 certification which will build a comprehensive information security management system to manage ongoing risks.
Web 2.0 is major force and has numerous business benefits but it is posing companies to potential new risks.
Social networking sites, such as Facebook, LinkedIn and Twitter, have become the preferred method of communication for a whole generation of people and the ability to post “Status Updates” is fast becoming the new Email. Linkedin is adding one user per second and Facebook has reached 150 million users in just five years.
Some of the associated risks which organizations face as a result relate to phishing, harvesting of email addresses and of course the dangers of (relatively) simple social networking, not only to hack the employee’s present organization, say, but to the organization of losing an employee and all their leads because clients follow ‘their man/woman’ to their new job by tracing where they are at through sites such as LinkedIn. Hackers can follow the conversation on social media to identify the user problem or pain point and pretend to offer a solution which happen to be a malware to steal private and confidential data.
And then of course there is the downside of staff using bandwidth and their work time for purposes other than for which they are employed, and possibly preventing others (due to bandwidth/processing restrictions) from doing what they should. Many of these sites openly encourage people to download video clips.
The solution?
Usually the controls in ISO 27002 code of practice can be selected and applied in a manner to address the associated risks through a combination of management and technical policies, but of course this should be as the result of a risk assessment and should balance the three attributes of C, I and A.
This 112-page best practice report from IT Governance separates the hype from the tangible reality and provides:
1. A workable description of what ‘Web 2.0’ is and what it means, within the business environment, complete with a glossary of Web 2.0 terms.
2. A description of the business benefits to be derived from Web 2.0 technologies, with examples taken from real-life case studies.
3. An identification and discussion of ‘Threat 2.0’ – the information security risks inherent in Web 2.0 technologies, together with latest best-practice recommendations for mitigation.
During financial crisis when companies are cutting budgets. It is imperative that information security will have some budget cut but any drastic budget cut might not be wise. A major security breach might put the organization in irrecoverable situation. In this tough economy security professionals have to do an extraordinary job to sell the security to management and show them how security due diligence can make business safe, successful and compliant.
Do you think the advantages of social media outweigh the potential risks?
“By slipping a simple, three-sentence provision into the gargantuan spending bill passed by the House of Representatives last week, a congressman from Silicon Valley is trying to nudge Congress into the 21st Century. Rep. Mike Honda (D-Calif.) placed a measure in the bill directing Congress and its affiliated organs — including the Library of Congress and the Government Printing Office — to make its data available to the public in raw form. This will enable members of the public and watchdog groups to craft websites and databases showcasing government data that are more user-friendly than the government’s own.”
Would be great if this passes BUT, Government would have to have security provisions so hackers could not manipulate databases in this case raw data. Without proper controls, databases can be easily modified and stolen, so before making the raw data available to public, Congress might need a comprehensive legislation to protect the confidentiality, integrity and availability of the data.
Security principles and controls which should be considered in database legislation?
• Principles of least privilege
• Separation of duties
• Defense in depth at every level
• Strong auditing and monitoring controls
• Security risk assessment to assess risks based on ISO 27002 and NIST 800-53
• Comprehensive risk management program to manage risks