
Inspiring Business Confidence.

ISO 27001 Whitepaper, January 2015

enquiries@parkersolutionsgroup.co.uk
www.parkersolutionsgroup.co.uk
Author: Graeme Parker

Out with the Old, in with the New...

This whitepaper provides an overview of the new version of the ISO 27001 standard and what impact the changes may have on an organisation, whether that organisation is certified or not.

Abstract

The last version of the ISO 27001 standard dates from 2005. In terms of technology and security, this is a long time ago, and things have changed dramatically in the last 8 years. The explosion of the Internet, both for personal and business purposes, the emergence of cloud based services, the increased use of mobile devices, growing trends of outsourcing and changes in work habits have all shown that the 2005 standard is a reliable but ageing pillar of Information Security. Therefore, the ISO committee decided to revamp the 27001 standard and bring it into the present in order to be more aligned to today's technologies and practices.

In this whitepaper we will provide you with an overview of the new standard and how it differs from the 2005 version. This paper touches on the main issues, but cannot address all details and subtleties. If you require a more in-depth impact analysis for your organisation, please do not hesitate to contact us.


Context

The ISO 27001 standard is well known and considered a gold standard in Information Security Management. It is the basis for independent certification and is often adopted as the foundation for industry and national standards. It is worth noting that most people consider the set of 133 controls of Annex A to be 'the standard' and use it as a checklist for their organisation, whereas an actual effective implementation is conducted based on chapters 4 to 8, which define the ISMS (Information Security Management System). Annex A is simply a list of controls that can be chosen to address specific Information Security risks. The processes in chapters 4 to 8 are the critical ones, as they focus on governance and risk management.

How can an organisation select controls if it is not familiar with its risks? In theory, the ISO certification and treatment of risks could be completed using another set of controls, like PCI-DSS™ or CoBIT™, by replacing Annex A with another control set. The steps for implementing an effective risk based and certifiable ISMS will however still be the same.

The 2005 version of the standard was written in the context of an organisation that used centralised facilities with connections to the outside world (i.e. an organisation sitting behind its firewall). The external environment in which the organisation operated and the associated supply chains were not taken into consideration, and risks to the organisation were considered to be rather static.

In the past 8 years a lot has changed. Organisations do not operate as an island anymore, but are connected to many other organisations and people. The dependencies on external actors have strongly increased, and the model of centralised facilities cannot be maintained with the large push toward mobile and cloud computing. The threat landscape has shifted as well: from hacktivism and nuisance attacks to organised crime, the threats to the assets of an organisation have both diversified and intensified, and predictions are that this will continue to be the case in the years ahead.

The impact of an incident has also changed. Due to the increased dependency on IT facilities and the interconnection to external parties, a security breach can cause serious damage to an organisation and its reputation. In some cases it can even mean the end of an organisation. A real-world example of this is Diginotar, the Dutch Certificate Authority that was subject to a hacking attack. See this article by John Leyden.

These dynamics have been addressed in the new standard by rewriting and redefining the mandatory controls for the ISMS.

Management Systems

To address the ever evolving threats and risks, an organisation needs to understand and stay in control of its risks. This is central to maintaining an effective, proportionate and efficient security posture in any organisation. The risk based approach prevents both overspending and misspending of valuable resources.

Using a risk based approach, an organisation is able to direct its resources towards mitigating risks that are real (for that organisation in its context), and to mitigate these risks to a level that is acceptable to the organisation. It also enables an organisation to choose the proper controls that have the most effect at the lowest cost. In addition, appropriate risk management can identify opportunities, and the management system can allow organisations to seize opportunities in a secure manner. Consider the positive and negative issues of using social media: is it a risk or an opportunity? Section 6.1 of the standard references opportunities.

To remain in control of its information security, an organisation needs a management system. This management system is a combination of people, processes and technology that is focussed on maintaining and improving its security position based on risk. In the past, information security was considered mainly a technology problem that could be solved by deploying more technology. Technology is, however, only a small part of the problem (and therefore of the solution). Maintaining and improving your Information Security posture is an on-going effort and needs the right people doing the right things, in the right way, supported by the right technology.

The new standard addresses and embraces this risk based approach. This is reflected in the restructuring and rewriting of the mandatory chapters that define the ISMS. The first chapter addresses the context of the organisation. In the next ISMS chapters the issues of leadership, risk assessment, operation, planning and improvement are addressed. These new chapters show that operation and direction of the ISMS are the key, and that these are driven by the context of and risks to the organisation and the external circumstances influencing the organisation.


Alignment and Integration

When studying the new version of the standard, it is obvious that the external context of the ISMS has become the main driver. ISO now acknowledges the external context of the organisation as an important driver for threats and risks. Using a risk based approach to this external context enables the new version of the standard to align better with the principles of general risk assessment standards like ISO 31000 and ISO 27005.

By using these assessment standards, Information Security has become a business issue, and no longer just an IT issue. By placing Information Security at the business level, proper decisions can be taken based on what is good for the business as a whole, instead of from an IT point of view, which often suffers from a technology driven tunnel vision.

This approach also enables the new version of the ISO 27001 standard to be combined more easily with the management systems of other ISO standards like ISO 22301 (Business Continuity) and ISO 20000 (Service Management). This integration can reduce cost even further, as a number of services in a management system are generic (e.g. document management, internal audit, management review and records management) and thus can be shared. This integration also enables an organisation to assess risks in a holistic manner, looking at the big picture and what is best for the business, instead of assessing risk from a limited scope like Information Security alone.

Main Differences and Their Implications

Mandatory controls

As mentioned earlier, an ISO 27001 ISMS and its associated certification is always assessed against the mandatory controls that define the ISMS. In the 2005 version of the standard, these mandatory controls are incorporated in chapters 4 to 8. The 2013 version of the standard has expanded on these mandatory controls, and they are now integrated in chapters 4 to 10.

The differences between the 2005 and 2013 versions are not black and white, and mapping the 2005 mandatory requirements to the 2013 requirements is not always evident. The table below shows a mapping based on the high level domains and their sub domains.

2005                                        | 2013
--------------------------------------------+-------------------------------------------------------------------------
                                            | 4 Context of the organisation
                                            | 4.1 Understanding the organisation and its context
                                            | 4.2 Understanding the needs and expectations of interested parties
                                            | 4.3 Determining the scope of the information security management system
4 Information Security Management System    | 4.4 Information security management system
4.1 General requirements                    |
4.2 Establishing and managing the ISMS      |
4.3 Documentation requirements              |
5 Management responsibility                 | 5 Leadership
5.1 Management commitment                   | 5.1 Leadership and commitment
                                            | 5.2 Policy
5.2 Resource management                     | 5.3 Organisational roles, responsibilities and authorities
                                            | 6 Planning
                                            | 6.1 Actions to address risks and opportunities
                                            | 6.2 Information security objectives and plans to achieve them
                                            | 7 Support
                                            | 7.1 Resources
                                            | 7.2 Competence
                                            | 7.3 Awareness
                                            | 7.4 Communication
                                            | 7.5 Documented information
                                            | 8 Operation
                                            | 8.1 Operational planning and control
                                            | 8.2 Information security risk assessment
                                            | 8.3 Information security risk treatment
                                            | 9 Performance evaluation
                                            | 9.1 Monitoring, measurement, analysis and evaluation
6 Internal ISMS audit                       | 9.2 Internal audit
7 Management review of the ISMS             | 9.3 Management review
7.1 General                                 |
7.2 Review input                            |
7.3 Review output                           |
8 ISMS improvement                          | 10 Improvement
8.1 Preventive action                       | 10.1 Nonconformity and corrective action
8.3 Continual improvement                   | 10.2 Continual improvement

The differences are obvious when looking at this mapping. The context of the organisation is evidently an important part of the approach, as is the overall strategic direction. The main link to the 2005 version is the actual set of requirements for the ISMS. These requirements now focus more on the external context of the organisation, in contrast to the internal focus of the 2005 standard.

It has also become evident that the management of an organisation needs to take the lead in Information Security, both by setting an example and by making business driven decisions. The role of management in the 2005 version is focussed on facilitating the implementation and operation of an ISMS, and not necessarily on direct risk based alignment with organisational strategy.

The next domains (planning, support, operation, performance evaluation and improvement) are more clearly aligned to the Plan-Do-Check-Act (PDCA) cycle that is at the core of each management system. This PDCA cycle applies both to Information Security and to the ISMS itself. By clearly defining these steps, the processes for maintaining and improving the ISMS have become clear.

Optional control library (Annex A)

The differences between the optional control sets from Annex A are fewer than for the mandatory controls. The table below lists the mapping between the 2013 and 2005 versions.

2005                                                                              | 2013
----------------------------------------------------------------------------------+-------------------------------------------------------------------
A.5 Security Policy                                                               | A.5 Security policies
A.5.1 Information security policy                                                 | A.5.1 Management direction for information security
A.6 Organisation of information security                                          | A.6 Organisation of information security
A.6.1 Internal Organisation                                                       | A.6.1 Internal organisation
A.11.7 Mobile computing and Teleworking                                           | A.6.2 Mobile devices and teleworking
A.8 Human resources security                                                      | A.7 Human resource security
A.8.1 Prior to employment                                                         | A.7.1 Prior to employment
A.8.2 During employment                                                           | A.7.2 During employment
A.8.3 Termination or change of employment                                         | A.7.3 Termination and change of employment
A.7 Asset Management                                                              | A.8 Asset management
A.7.1 Responsibility for assets                                                   | A.8.1 Responsibility for assets
A.7.2 Information classification                                                  | A.8.2 Information classification
A.10.7 Media handling                                                             | A.8.3 Media handling
A.11 Access Control                                                               | A.9 Access control
A.11.1 Business requirement for access control                                    | A.9.1 Business requirements of access control
A.11.2 User access management                                                     | A.9.1 User responsibilities
A.11.3 User responsibilities                                                      |
                                                                                  | A.10 Cryptography
A.12.3 Cryptographic controls                                                     | A.10.1 Cryptographic controls
A.9 Physical and environmental security                                           | A.11 Physical and environmental security
A.9.1 Secure areas                                                                | A.11.1 Secure areas
A.9.2 Equipment security                                                          | A.11.2 Equipment
                                                                                  | A.12 Operations security
A.10.1 Operational procedures and responsibilities                                | A.12.1 Operational procedures and responsibilities
A.10.4 Protection against malicious and mobile code                               | A.12.2 Protection from malware
A.10.5 Back-up                                                                    | A.12.3 Backup
A.10.10 Monitoring                                                                | A.12.4 Logging and monitoring
A.11.5 Operating system access control                                            | A.12.5 Control of operational software
A.11.6 Application and information access control                                 |
A.12.1 Correct processing in applications                                         |
A.12.4 Security of system files                                                   |
A.12.6 Technical Vulnerability Management                                         | A.12.6 Technical vulnerability management
A.11.4 Network access control                                                     |
A.15.3 Information system audit considerations                                    | A.12.7 Information systems audit considerations
                                                                                  | A.13 Communications security
A.10.6 Network security management                                                | A.13.1 Network security management
A.10.8 Exchange of information                                                    | A.13.2 Information transfer
A.10.9 Electronic commerce services                                               |
A.12 Information systems acquisition, development and maintenance                 | A.14 System acquisition, development and maintenance
A.12.1 Security requirements of information systems                               | A.14.1 Security requirements of information systems
A.12.5 Security in development and support processes                              | A.14.2 Security in development and support processes
A.10.3 System planning and acceptance                                             |
                                                                                  | A.14.3 Test data
                                                                                  | A.15 Supplier relationships
A.6.2 External parties                                                            | A.15.1 Security in supplier relationships
A.10.2 Third party service delivery management                                    |
A.13 Information security incident management                                     | A.16 Information security incident management
A.13.1 Reporting information security events and weaknesses                       | A.16.1 Management of information security incidents and improvements
A.13.2 Management of information security incidents and improvements              |
A.14 Business continuity management                                               | A.17 Information security aspects of business continuity management
A.14.1 Information security aspects of business continuity management             | A.17.1 Information security continuity
                                                                                  | A.17.2 Redundancies
A.15 Compliance                                                                   | A.18 Compliance
A.15.2 Compliance with security policies and standards, and technical compliance  | A.18.1 Information security reviews
A.15.1 Compliance with legal requirements                                         | A.18.2 Compliance with legal and contractual requirements

Most of the domains and subdomains from 2005 can be mapped one-to-one or as a combination to the 2013 domains and subdomains.


Roadmap for Migrating to the New Version of the Standard

Since the ISMS is the only mandatory part of the standard, and thus the subject of certification, the migration needs to focus on the ISMS. In most cases the management involvement needs to be made more explicit, with roles and responsibilities allocated throughout the organisation. In addition to this, the risk management and Plan-Do-Check-Act steps need to be made clear. Parker Solutions Group can help you draw up a roadmap for your migration, so please contact us if you need more information or assistance.

About Parker Solutions

Parker Solutions Group was established by Managing Director Graeme Parker in response to the increasing risks and challenges that organisations across the globe are facing.

We are providers of professional training, services and coaching across multiple risk disciplines. Our aim is to enable your organisation to become resilient to threats, to increase your ability to seize opportunities and to ease the effort of meeting compliance requirements.

Our international multi-disciplinary team of professionals is on hand to provide solutions across key risk areas including Cyber Security, Business Continuity, IT and Technology Risk, Energy, Safety, Sustainability and Environmental risk. With our strong knowledge and experience of standards in these areas along with our innovative and proportionate approach we are ready to enable your organisation.

Our mission is to ensure that Governance and Risk Management efforts are implemented as efficiently as possible and become a business enabler. We firmly believe that addressing risk should not be a cost or a necessary evil, but should be a benefit to your organisation.

With a strong team of professionals, Parker Solutions Group helps organisations make Risk Management a business enabler by increasing efficiency and reducing unnecessary cost.

All our solutions are linked to the key objectives of your organisation. We are more than just a consultancy: we can make recommendations, and we also have the ability to go that one step further and actually implement working solutions covering people, processes and technologies. Our professional coaching and training services are also designed to enable your organisation to become self-sufficient, reducing the reliance on external consultants.

Whether your organisation is a small business, a large multinational or a public sector organisation, you can be assured that providing a highly professional and excellent service is the core principle of Parker Solutions Group. We have professionally certified and dedicated people with proven skills in the services we offer. Our people have experience working with and assisting a wide variety of organisations around the globe.

We would like to thank PECB for generously providing the graphics for this whitepaper.

For further information and a free, no-obligation discussion, please contact us at:

6 George Street, Driffield, York, YO25 6RA UK

+44 (0) 1377 288 570

enquiries@parkersolutionsgroup.co.uk

www.parkersolutionsgroup.co.uk
