ISO/IEC Standards

The International Organization for Standardization (ISO) is a nongovernment group that brings both the private and public sectors together and creates solutions for business and society. New standards are created by industries or the ISO itself. When a particular industry identifies a specific need, it informs a technical committee within the ISO to get standards developed. If a committee does not exist, a new one may be set up. To be accepted, though, the members of the ISO technical committee must establish majority support and a global relevance must be set. The technical committees within ISO are composed of experts from specific industries such as technology and business. Additionally, other entities such as laboratories, government agencies, consumer organizations, and academia may join the committee experts.

ISO/IEC 27000 is a series of standards and related terms that guide on matters of information security. This includes implementing, designing, and auditing an information security management system (ISMS). An ISMS describes the policies, standards, and programs related to information security. These standards were established by the ISO and International Electrotechnical Commission (IEC). Other popular series include ISO 9000 and ISO 14000, which deal with quality management and environmental management, respectively. The technical committee directly responsible for the ISO 27000 series is ISO/IEC JTC1 (Joint Technical Committee 1) SC 27 (Subcommittee 27). This nomenclature is especially useful when browsing the standards catalog at the ISO website. The ISO/IEC JTC1 is the joint committee responsible for IT. Within these are several subcommittees. Subcommittee 27 defines IT security techniques. Other subcommittees include SC 37 for biometrics and SC 35 for user interfaces. Within just ISO/IEC JTC 1/SC 27 there are well over 100 published standards. The focus here is on the ISO 27000 series and specifically the first three standards.

Table 4-3 lists the published ISO/IEC standards in the ISMS family of standards. The next two sections provide details on ISO/IEC 27001 and 27002. Both of these standards focus on information security systems and processes and are complementary to each other.

TABLE 4-3 ISO/IEC 27000 ISMS family of standards.

Type of standard            Standard   Description
Vocabulary                  27000      Information security management systems—overview and vocabulary
Requirement                 27001      Information security management systems—requirements
Requirement                 27006      Requirements for bodies providing audit and certification of information security management systems
Guideline                   27002      Code of practice for information security controls
Guideline                   27003      Information security management system implementation guidance
Guideline                   27004      Information security management—measurement
Guideline                   27005      Information security risk management
Guideline                   27007      Guidelines for information security management systems auditing
Guideline                   27008      Guidelines for auditors on information security controls
Guideline                   27013      Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
Guideline                   27014      Governance of information security
Guideline                   27016      Information security management—organizational economics
Sector-specific guideline   27010      Information security management for inter-sector and inter-organizational communications
Sector-specific guideline   27011      Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
Sector-specific guideline   27015      Information security management guidelines for financial services
Sector-specific guideline   27018      Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Sector-specific guideline   27019      Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
Sector-specific guideline   27779      Information security management in health using ISO/IEC 27002
Control-specific guideline  27031      Guidelines for information and communication technology readiness for business continuity
Control-specific guideline  27032      Guidelines for cybersecurity
Control-specific guideline  27033      Network security—multipart
Control-specific guideline  27034      Application security—multipart
Control-specific guideline  27035      Information security incident management
Control-specific guideline  27036      Information security for supplier relationships—multipart
Control-specific guideline  27037      Guidelines for identification, collection, acquisition, and preservation of digital evidence
Control-specific guideline  27038      Specification for digital redaction
Control-specific guideline  27039      Selection, deployment, and operations of intrusion detection systems (IDSes)
Control-specific guideline  27040      Storage security

ISO/IEC 27001 Standard

ISO/IEC 27001 is a worldwide standard formally known as “ISO/IEC 27001:2013—Information Technology—Security Techniques—Information Security Management Systems—Requirements.” It was originally established in October 2005 as ISO/IEC 27001:2005 and replaced British Standards Institute Security Management Standard BS7799-2.

ISO/IEC 27001 is the best-known specification in the ISMS family of standards. It contains accepted good practices and provides an accepted baseline against which IT auditors can audit. It specifies the auditable requirements for establishing, applying, operating, maintaining, reviewing, monitoring, and improving a control framework based on an organization’s information security risk. Such risk applies to the information structure within the organization. This includes, for example, management responsibility and documentation. It also applies across all departments, such as human resources, facilities, and operations. It looks at the entire organization and its information assets and walks through a process to determine the associated risks. The process calculates the risk and impact to the organization. Then, it considers the steps needed to remove, reduce, or accept the risk.

The requirements established in ISO/IEC 27001 cover all types of organizations, from large enterprises to small and medium-sized businesses. This also includes federal agencies and not-for-profit organizations. Although ISO itself does not perform certifications, it is common for organizations to assert that a product or system is certified to an ISO standard; such certification is issued by an accredited certification body. Many organizations choose not to become certified, yet still implement the standard. Becoming certified often lends credibility, but it is certainly not required, and organizations benefit from the good practices either way. Further, certification makes it clear that the organization has done the following:

  • Performed due diligence

  • Ensured that information controls meet the organization’s needs on an ongoing basis

  • Considered risks associated with the organization

According to the ISO organization, ISO/IEC 27001:

…specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size, or nature.

In other words, ISO/IEC 27001 provides the high-level framework upon which an organization can implement an ISMS. Optionally, the specification serves as the framework by which accredited auditing organizations may conduct a formal assessment for the purpose of certification.

ISO/IEC 27001 is made up of the following sections and annex:

  • Introduction—This section briefly summarizes the intent of the standard, which is to establish a continuous process for an ISMS.

  • Scope—This section specifies that the ISMS requirements apply to all organizations.

  • Normative references—This section provides references to other documentation that plays a major role in implementing the standard.

  • Terms and definitions—This section simply references ISO/IEC 27000, which defines the vocabulary.

  • Context of the organization—This section lists the internal and external factors that influence the goals of the ISMS.

  • Leadership—This section emphasizes the need to establish and communicate management responsibility.

  • Planning—This section explains the need to establish information security objectives, along with how those objectives will be achieved.

  • Support—This section outlines the required support and documentation needed.

  • Operation—This section details the requirements for assessing the efficiency and effectiveness of the ISMS.

  • Performance evaluation—This section discusses the opportunity to make improvements through monitoring and measuring controls, processes, and management.

  • Improvement—This section addresses the need for issues to be identified and quantified so corrective action can be applied.

  • Annex A—This provides a listing of controls and control objectives, which are related to those found in ISO/IEC 27002.

ISO/IEC 27002 Standard

ISO/IEC 27002 is formally known as “ISO/IEC 27002:2013 Information Technology—Security Techniques—Code of Practice for Information Security Management.” Whereas ISO/IEC 27001 formally defines the mandatory requirements for an ISMS, ISO/IEC 27002 provides suitable information security controls for use within the ISMS. ISO/IEC 27002 is merely a code of practice or guideline rather than a certification standard; thus, organizations are free to select and put in place other controls as they see fit. Although at its core ISO/IEC 27002 provides controls for use within an ISMS, it is often used outside the context of a formal ISMS and serves a couple of other purposes. For example, organizations use ISO/IEC 27002 as a generic framework of commonly accepted controls or as a baseline for developing their own controls.

Eighteen sections make up ISO/IEC 27002. The introduction and the first four sections provide introductory material, whereas the remaining sections provide the core recommendations and controls. Sections 5 through 18 each follow the same framework:

  • Overview of organizational goals being addressed

  • List of practical controls

  • Guidance for how to put each of the controls in place

  • Additional information, including cross-references within the standards and other standards

The preceding framework applies to each of the key sections of the standard, which are summarized in the following list:

  • Information Security Policies—Covers management guidance and the need to have a documented information security policy and review process

  • Organization of Information Security—Covers the organization of information security as related to the internal organization parties and mobile devices and teleworking

  • Human Resource Security—Covers employment of employees and those associated with an organization regarding pre-employment checks, dismissal, and change of employment

  • Asset Management—Covers the discovery and classification of assets and information, including how to handle media

  • Access Control—Covers business requirements, user controls, and responsibilities, application-level controls, and access controls for networks and operating systems

  • Cryptography—Covers cryptographic controls, including both the policy on the use of cryptography and key management

  • Physical and Environmental Security—Covers secure facilities and equipment security

  • Operations Security—Covers the largest range of areas, including operational procedures such as change and capacity management; malware, backup, operational software controls, and vulnerability management; and audit, logging, and monitoring

  • Communications Security—Covers network security management and information transfer

  • Systems Acquisition, Development, and Maintenance—Covers systems development and acquisition, including security requirements of systems, correct processing applications, and test data

  • Supplier Relationships—Covers information security and managing aspects related to third parties or suppliers

  • Information Security Incident Management—Covers information security incident management, including reporting of events and security weaknesses and improvements

  • Information Security Aspects of Business Continuity Management—Covers protecting critical processes from disruption

  • Compliance—Covers complying with legal requirements, security policies, standards, and technical compliance, and considerations for information systems audits or reviews

Each of the preceding key topics in ISO/IEC 27002 comprises many individual controls detailed in the standard. The standard provides wide coverage across the information security domain and is quite specific in its prescription of controls. As a result, the security community has embraced it widely.
