ISO/IEC 27001:2005 – An Introduction

Rupam Bhattacharya

Upload: nu-the-open-security-community

Post on 24-Jun-2015


DESCRIPTION

null Bangalore December 2013 Meet

TRANSCRIPT

Page 1: ISO/IEC 27001:2005 – An Introduction

ISO/IEC 27001:2005 – An Introduction

Rupam Bhattacharya

Page 2

What is Information?

• Current Business Plans

• Future Plans

• Intellectual Property (Patents, etc)

• Employee Records

• Customer Details

• Business Partners Records

• Financial Records

Page 3

Enterprise/Corporate IT Hardware Resources

Page 4

Software & Network Risks

Page 5

Structure of the 27000 series

• 27000 – Fundamentals & Vocabulary

• 27001 – ISMS

• 27002 – Code of Practice for ISM

• 27003 – Implementation Guidance

• 27004 – Metrics & Measurement

• 27005 – Risk Management

• 27006 – Guidelines on ISMS accreditation

Page 6

ISO 27001:2005

• ISO/IEC 27001:2005 formally specifies a management system that is intended to bring information security under explicit management control.

• Annex (Control Objectives and Controls)

  • 11 Security Domains (A.5 to A.15) – the layers of security

  • 39 Control Objectives – statements of desired results or purpose

  • 133 Controls – policies, procedures, practices, software controls and organizational structure

• To provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected

• Exclusion of some controls is possible, if it can be justified?

Page 7

Contents

The standard contains 11 domains (apart from the introductory sections):

• Security policy – management direction

• Organization of information security – governance of information security

• Asset management – inventory and classification of information assets

• Human resources security – security aspects for employees joining, moving within and leaving an organization

• Physical and environmental security – protection of the computer facilities

• Communications and operations management – management of technical security controls in systems and networks

• Access control – restriction of access rights to networks, systems, applications, functions and data

• Information systems acquisition, development and maintenance – building security into applications

• Information security incident management – anticipating and responding appropriately to information security breaches

• Business continuity management – protecting, maintaining and recovering business-critical processes and systems

• Compliance – ensuring conformance with information security policies, standards, laws and regulations

Page 8

The PDCA Cycle

• Plan (establishing the ISMS)

  • Establish the policy, the ISMS objectives, processes and procedures related to risk management and the improvement of information security, to provide results in line with the global policies and objectives of the organization.

• Do (implementing and operating the ISMS)

  • Implement and operate the ISMS policy, controls, processes and procedures.

• Check (monitoring and reviewing the ISMS)

  • Assess and, where applicable, measure the performance of the processes against the policy, objectives and practical experience, and report the results to management for review.

• Act (updating and improving the ISMS)

  • Undertake corrective and preventive actions, on the basis of the results of the ISMS internal audit and management review or other relevant information, to continually improve the ISMS.

Page 9

A.5 Security Policy

To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

• Approved by Management

• Communicated to Employees and relevant external parties

• Reviewed at planned intervals

• Ensure its continuing suitability, adequacy, and effectiveness.

Page 10

A.6 Organization of Information Security

To manage information security within the organization.

• Management shall actively support security within the organization.

• Co-ordinated by representatives from different parts of the organization.

• Confidentiality and non-disclosure agreements.

• Appropriate contacts with relevant authorities, security forums and professional associations shall be maintained.

• Independent reviews should be conducted at planned intervals or when significant changes to the security implementation occur.

Page 11

A.7 Asset Management

Typical policy statements for Asset Management include:

• All assets shall be clearly identified, documented and regularly updated in an asset register

• All assets shall have designated owners and custodians listed in the asset register

• All assets will have the respective CIA (Confidentiality, Integrity and Availability) rating established in the asset register

• All employees shall use company assets according to the acceptable use of assets procedures

• All assets shall be classified according to the asset classification guideline of the company

Page 12

A.8 Human Resource Security

Prior to Employment:

• Define roles and responsibilities.

• Background verification

• Terms and Conditions of employment

During Employment

• Application of security according to roles and responsibilities.

• InfoSec awareness, education and training.

• Disciplinary process for employees who have committed a security breach.

Post Termination or Change

• Termination responsibilities

• Return of Assets

• Removal of access rights.

Page 13

A.9 Physical and Environmental Security

Secure Areas

• Physical security perimeter

• Physical entry controls

• Securing offices, rooms and facilities

• Protecting against external and environmental threats

• Guidelines for working in secure areas

• Public access, delivery and loading areas

Equipment Security

• Equipment siting, support utilities and cabling security

• Maintenance, secure disposal/re-use and removal.

Page 14

A.10 Communications and Operations Management

Operational procedures and responsibilities

• Documented operating procedures

• Change management

• Segregation of duties

• Separation of development, test and operational facilities

Third Party Service Delivery Management

• Implement the security controls, service definitions and delivery levels stated in the agreement.

• Monitoring and review of third party services

• Managing changes to third party services

Page 15

Company

A company may want to adopt ISO 27001 for the following reasons:

• It is suitable for protecting critical and sensitive information

• It provides a holistic, risk-based approach to secure information and compliance

• Demonstrates credibility, trust, satisfaction and confidence with stakeholders, partners, citizens and customers

• Demonstrates security status according to internationally accepted criteria

• Creates a market differentiation due to prestige, image and external goodwill

• If a company is certified once, it is accepted globally.

Page 16

Asset Classification

• CONFIDENTIAL: This category refers to asset information that relates to individuals or is otherwise restricted only to authorized users, and if disclosed outside the company would harm the organization, its customers, or its partners.

• RESTRICTED: This level pertains to highly sensitive company information which, if disclosed, would cause substantial damage to the reputation and competitive position of the company in the market.

• INTERNAL: This classification refers to asset information that is potentially available to all personnel within the company, but is not public.

• PUBLIC: This classification refers to asset information that has been published or obtainable from a published source, e.g. the Internet.

Page 17

User Registration

Typical policy statements can include:

• All users shall have a unique user ID based on a standard naming convention

• A formal authorization process shall be defined and followed for provisioning of user IDs.

• An audit trail shall be kept of all requests to add, modify or delete user accounts/IDs

• User accounts shall be reviewed at regular intervals

• Employees shall sign a privilege form acknowledging their access rights

• Access rights shall be revoked when employees change roles or leave the company

• Privileges shall be allocated to individuals on a ‘need-to-have’ basis.

• A record of all privileged accounts shall be maintained and updated on a regular basis

Page 18

Password Management

Typical organizational password management policies include:

• Users shall be forced to change their passwords at the time of first use

• Passwords shall have a minimum length of eight characters

• Passwords for all users shall expire in 30/60 days

• A record of the five previous passwords shall be maintained to prevent their re-use

• A maximum of three successive login failures shall result in the user’s account being locked out

• Passwords shall not be displayed in clear text while they are being keyed in

• Passwords must include at least one lower-case character (a-z), one upper-case character (A-Z) and one numeric character (0-9) / one special character (@ # $ & / +)

• All password entry attempts shall be logged along with date, time, IP address, machine name, application and user ID, for both successful and unsuccessful login attempts

Page 19

Clear Work Environment

Example of clear work environment policies include:

• Critical information shall be protected when not required for use

• Only authorized users shall use the photocopier machines

• All loose documents from employee’s desks shall be confiscated at the end of business day

• A user’s desktop shall not contain references to any document, directly or indirectly

Page 20

Operating System and Application Controls

Sample operating system and application control policies include:

• All users in the organization shall have a unique ID

• No systems or application details shall be displayed before log-in

• In the condition of log-in failure, the error message shall not indicate which part of the credential is incorrect

• The number of unsuccessful log-in attempts shall be limited to 3/5/6 attempts

• During log-in process, all password entries shall be hidden by a symbol

• The use of system utility programs shall be restricted, e.g. password utilities

• All operating systems and applications shall time out after 5/10/15/30 minutes of inactivity

• All applications shall have dedicated administrative menus to control access rights of users
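As an added example (not from the deck), the page-18 password rules and the page-20 login controls expressed in Python: complexity and five-password history checks, a three-failure lockout, a generic error message that does not say which part of the credential is wrong, and an audit record carrying the fields the slide lists. All class and function names are my own, PBKDF2 is a placeholder for whatever password hash an organization mandates, and the first-use change and 30/60-day expiry are left out.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

MIN_LENGTH, HISTORY_SIZE, MAX_FAILURES = 8, 5, 3   # values from the page-18 policy
SPECIALS = "@#$&/+"                                # special characters the slide lists
GENERIC_ERROR = "Invalid user ID or password"      # never says which part failed (page 20)
# Assumption: the slide's "numeric / special character" wording means either kind is enough.
RULES = {
    "length": lambda p: len(p) >= MIN_LENGTH,
    "lowercase": lambda p: any(c.islower() for c in p),
    "uppercase": lambda p: any(c.isupper() for c in p),
    "digit-or-special": lambda p: any(c.isdigit() or c in SPECIALS for c in p),
}

def policy_violations(password):
    return [name for name, ok in RULES.items() if not ok(password)]  # [] means compliant

def _salted(password, salt=None):
    """Return (salt, PBKDF2 digest); a fresh salt is drawn when none is given (placeholder hash)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, user_id, initial_password):
        self.user_id, self.failures, self.locked = user_id, 0, False
        self.previous = []                       # up to HISTORY_SIZE old (salt, hash) pairs
        self.current = _salted(initial_password)
        self.audit = []                          # one record per login attempt (page 18, last bullet)

    def change_password(self, new_password):
        # Reject non-compliant passwords and re-use of the current or HISTORY_SIZE previous ones.
        reused = any(hmac.compare_digest(_salted(new_password, s)[1], h)
                     for s, h in self.previous + [self.current])
        if policy_violations(new_password) or reused:
            return False
        self.previous = (self.previous + [self.current])[-HISTORY_SIZE:]
        self.current = _salted(new_password)
        return True

    def login(self, password, ip, machine, application):
        salt, digest = self.current
        ok = not self.locked and hmac.compare_digest(_salted(password, salt)[1], digest)
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(), "user_id": self.user_id,
                           "ip": ip, "machine": machine, "application": application, "success": ok})
        self.failures = 0 if ok else self.failures + 1
        self.locked = self.locked or self.failures >= MAX_FAILURES   # lock after 3 successive failures
        return (True, "ok") if ok else (False, GENERIC_ERROR)
```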

Page 21

Network Security

Typical policy statements for Network Security include:

• Appropriate authentication mechanisms shall be used to control the access by remote users.

• Allocation of network access rights shall be provided as per the business and security requirements

• Two-factor authentication shall be used for authenticating users using mobile/remote systems

Page 22

Benefits

The key benefits of 27001 are:

• It can act as the extension of the current quality system to include security

• It provides an opportunity to identify and manage risks to key information and systems assets

• Provides confidence and assurance to trading partners and clients; acts as a marketing tool

• Allows an independent review and assurance to you on information security practices

Page 23

Drawbacks

• It has some things that don’t make sense.

• Some controls cover almost the same issue, causing confusion, e.g. A.9.2.6 (Secure disposal or re-use of equipment) and A.10.7.2 (Disposal of media)

• Some issues, like relationships with third parties, are scattered around various clauses of Annex A – you can find them in clause A.6.2 (External parties), A.8 (Human resources security) and A.10.2 (Third party service delivery management), and control A.12.5.5 (Outsourced software development)

• Only 6 controls have the word ‘documented’ in them. Does that mean we can implement all the others without documentation?

Page 24

Changes made in ISO 27001:2013

• The number of sections has increased from 11 to 14.

• Management and leadership are redefined as two separate requirements.

• Section 6: Planning and its evaluation

• New chapter added on Performance evaluation

Page 25

New Controls

• A.6.1.5 Information security in project management

• A.12.6.2 Restrictions on software installation

• A.14.2.1 Secure development policy

• A.14.2.5 Secure system engineering principles

• A.14.2.6 Secure development environment

• A.14.2.8 System security testing

• A.15.1.1 Information security policy for supplier relationships

• A.15.1.3 Information and communication technology supply chain

• A.16.1.4 Assessment of and decision on information security events

• A.16.1.5 Response to information security incidents

• A.17.2.1 Availability of information processing facilities

Page 26

Summary of sections