ISO/IEC is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical. I talked, earlier this week, about the evident gap between the concern expressed (in the ISBS survey) by the majority of managers about.
|Published (Last):||10 April 2014|
Like governance and risk management, information security management is a broad topic with ramifications throughout all organizations. The specific information risk and control requirements may differ in detail but there is a lot of common ground, for instance most organizations need to address the information risks relating to their employees plus contractors, consultants and the external suppliers of information services.
The standard is explicitly concerned with information security, meaning the security of all forms of information e. It recommends information security controls addressing information security control objectives arising from risks to the confidentiality, integrity and availability of information. The standard is structured logically around groups of related security controls. Many controls could have been put in several sections but, to avoid duplication and conflict, they were arbitrarily assigned to one and, in some cases, cross-referenced from elsewhere.
This has resulted in a few oddities such as section 6. It may not be perfect but it is good enough on the whole.
The areas of the blocks roughly reflect the sizes of the sections. The standard gives recommendations for those who are responsible for selecting, implementing and managing information security.
However, various other standards are mentioned in the standard, and there is a bibliography. Of the 21 sections or chapters of the standard, 14 specify control objectives and controls. There is a standard structure within each control clause. The amount of detail is responsible for the standard being nearly 90 A4 pages in length. Few professionals would seriously dispute the validity of the control objectives, or, to put that another way, it would be difficult to argue that an organization need not satisfy the stated control objectives in general.
However, some control objectives are not applicable in every case and their generic wording is unlikely to reflect the precise requirements of every organization, especially given the very wide range of organizations and industries to which the standard applies. Each of the control objectives is supported by at least one control, giving a total of However, the headline figure is somewhat misleading since the implementation guidance recommends numerous actual controls in the details.
The control objective relating to the relatively simple sub-subsection 9. Whether you consider that to be one or several controls is up to you. Furthermore, the wording throughout the standard clearly states or implies that this is not a totally comprehensive set. Management should define a set of policies to clarify their direction of, and support for, information security.
The organization should lay out the roles and responsibilities for information security, and allocate them to individuals.
Where relevant, duties should be segregated across roles and individuals to avoid conflicts of interest and prevent inappropriate activities. There should be contacts with relevant external authorities such as CERTs and special interest groups on information security matters.
Information security should be an integral part of the management of all types of project. Information security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff e. Managers should ensure that employees and contractors are made aware of and motivated to comply with their information security obligations.
A formal disciplinary process is necessary to handle information security incidents allegedly caused by workers. All information assets should be inventoried and owners should be identified to be held accountable for their security.
Information should be classified and labelled by its owners according to the security protection needed, and handled appropriately. Information storage media should be managed, controlled, moved and disposed of in such a way that the information content is not compromised. Network access and connections should be restricted. Users should be made aware of their responsibilities towards maintaining effective access controls e.
Information access should be restricted in accordance with the access control policy e. There should be a policy on the use of encryption, plus cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and cryptographic key management.
Specialist advice should be sought regarding protection against fires, floods, earthquakes, bombs etc. Equipment and information should not be taken off-site unless authorized, and must be adequately protected both on and off-site. Information must be destroyed prior to storage media being disposed of or re-used. Unattended equipment must be secured and there should be a clear desk and clear screen policy.
IT operating responsibilities and procedures should be documented. Changes to IT facilities and systems should be controlled. Capacity and performance should be managed.
Development, test and operational systems should be separated. Appropriate backups should be taken and retained in accordance with a backup policy. Clocks should be synchronized. Technical vulnerabilities should be patched, and there should be rules in place governing software installation by users. IT audits should be planned and controlled to minimize adverse effects on production systems, or inappropriate data access.
Networks and network services should be secured, for example by segregation. There should be policies, procedures and agreements e. Security control requirements should be analyzed and specified, including web applications and transactions. Changes to systems (both applications and operating systems) should be controlled. Software packages should ideally not be modified, and secure system engineering principles should be followed.
The development environment should be secured, and outsourced development should be controlled. System security should be tested and acceptance criteria defined to include security aspects. See the status update below, or technical corrigendum 2 for the official correction.
There should be policies, procedures, awareness etc. Service changes should be controlled. There should be responsibilities and procedures to manage (report, assess, respond to and learn from) information security events, incidents and weaknesses consistently and effectively, and to collect forensic evidence.
IT facilities should have sufficient redundancy to satisfy availability requirements. The standard concludes with a reading list of 27! A simple monodigit typo resulting in a reference from section Esteemed representatives of a number of national standards bodies met in person to discuss and consider this dreadful situation at some length and some cost to their respective taxpayers.
What on Earth could be done about it? Unanimous agreement on a simple fix! The standard is currently being revised to reflect changes in information security since the current edition was drafted – things such as BYOD, cloud computing, virtualization, crypto-ransomware, social networking, pocket ICT and IoT, for instance. Rather than leaping straight in to the updates, SC 27 is reconsidering the entire structure of the standard this time around.
Two approaches are currently being considered in parallel. The existing controls are being reviewed and maybe rewritten given the different contexts.
Such an approach could potentially reduce the number of controls by about half. There is so much content, in fact, and so many changes due to the ongoing evolution of information security, that I feel it has outstripped the capabilities of SC In my considered opinion based on the horrendous problems that dogged the to revision, it is no longer maintainable, hence it is no longer viable in its current form.
I argued that information security and business continuity are so tightly intertwined that this section should be rewritten from scratch to emphasize three distinct but complementary aspects resilience, recovery and contingency.
Indeed I provided a completely re-written section to the committee but, for various unsatisfactory reasons, we have ended up with a compromise that makes a mockery of the entire subject. Take for example the fact that revising the standard has consumed thousands of man-hours of work and created enormous grief for all concerned, over several years, during which time the world around us has moved on.
In the release, there is a complete lack of reference to BYOD and cloud computing – two very topical and pressing information security issues where the standard could have given practical guidance. It bears more than a passing resemblance to a racing horse designed by a committee i. This implies the need for a set of SC 27 projects and editors to work on the separate parts, plus an overall coordination team responsible for ensuring continuity and consistency across them all.
Converting into a multi-partite standard would have several advantages. However, coordination across several semi-independent project teams would be an onerous task, implying a concerted effort up-front to clearly and explicitly define the ground rules, scopes and objectives of the subsidiary parts, and ongoing proactive involvement of a management team with its fingers on the pulse of all the subsidiary project teams. Option 6 below is a possible solution. It would be small enough to be feasible for the current ways of working within SC SC 27 could adopt collaborative working practices, jointly developing a revised version of through real-time collaborative development and editing of a shared document, at least as far as the Committee Drafts when the approach might revert to the existing formalized methods to complete the process and issue a revised standard.
This is the 21st Century, friends!
Cover all the aspects of information security that need to be covered through other ISO27k standards, or indeed other standards outside the remit of SC Give up on Abandon it as a lost cause. This is the straw man as far as I am concerned: There appears to be a desire to use the libraries to drive and structure further ISO27k standards development, but the proposal is unclear at least to me at this point.
Aside from the not insignificant matter of the extraordinarily slow pace of SC 27, and the constraints of ISO policies, this has the potential to cause utter chaos and confusion, and expense. This has the potential to make the standard, and the project, even more complicated than it already is.
On the other hand, it reflects these complexities: At the end of the day, security controls will inevitably be allocated to themes and tagged arbitrarily in places: