IT SAFETY AND FRAUD PREVENTION
Information Security Management System
Course: IT SAFETY AND FRAUD PREVENTION
Notes No.: 06
By: Ronald Pong
Class Code: CD 85-315-13-01 (81)
Date: June 2009
International Organization for Standardization (ISO)
Established in 1947
Published over 16,077 international standards
ISO meetings attract some 30,000 experts a year
Federation comprised of 156 national standards bodies
National member bodies manage development work
ISO standards are consensus based
• Management systems are just that—systems to manage a particular area or areas within an organization
• For instance, companies often have several management systems (e.g. quality, health & safety, environment, finance and,
most recently, security of their information systems)
• In 1987, ISO 9001, a quality management system (QMS), was first published to provide a standard for managing the
quality of an organization’s product (based on manufacturing, initially, with service being factored into the revisions
issued in 1994 and then again in 2000)
• In 1996, ISO 14001, an environmental management system (EMS) was born, with a revision in 2004
• There are over 10,000 standards, but the best-known ones are the management system standards, of which ISO 27001 is
one
Introduction to ISO 27000 & ISMS
Information Security Management System (ISMS)
• Information Security Management System: that part of the overall management system, based on a business risk approach,
to establish, implement, operate, monitor, review, maintain and improve information security
• It is a management process, not a technological process
• A strategic decision of an organization
• Design and implementation are driven by:
– Needs and objectives
– Security requirements
– Processes employed
– Size and structure of the organization
• Scaled with ‘needs’ – a simple situation requires a simple ISMS solution
• The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for short) comprises information
security standards published jointly by the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC).
• The series provides best practice recommendations on information security management, risks and controls within the
context of an overall Information Security Management System (ISMS), similar in design to management systems for
quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).
• The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security
issues. It is applicable to organizations of all shapes and sizes. All organizations are encouraged to assess their
information security risks, then implement appropriate information security controls according to their needs, using the
guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept
incorporates continuous feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach,
that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.
• The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27 (Sub Committee 27), an
international body that meets in person twice a year.
• Published standards
• ISO/IEC 27000 - introduction to the family of standards plus a glossary of common terms
• ISO/IEC 27001 - standard for the establishment, implementation, control and improvement of the Information Security
Management System (based on British Standard BS 7799 Part 2, first published by ISO/IEC in 2005)
• ISO/IEC 27002 - code of practice providing good practice advice on ISMS (previously known as ISO 17799 itself based on
British Standard BS 7799 Part 1, last revised in 2005 and renumbered ISO/IEC 27002:2005 in July 2007).
• ISO/IEC 27005 - designed to assist the satisfactory implementation of information security based on a risk management
approach (published in 2008).
• ISO/IEC 27006 - a guide to the certification/registration process (published in 2007).
• ISO/IEC 27011 - information security management guidelines for the telecommunications industry (published by ISO/IEC in
2008 and also published by the ITU as X.1051).
• In preparation
• ISO/IEC 27003 - an ISMS implementation guide
• ISO/IEC 27004 - a standard for information security management measurements
• ISO/IEC 27007 - a guideline for ISMS auditing (focusing on the management system)
• ISO/IEC 27008 - a guideline for Information Security Management auditing (focusing on the security controls)
• ISO/IEC 27013 - a guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
• ISO/IEC 27014 - an information security governance framework
• ISO/IEC 27015 - information security management guidelines for the finance and insurance sectors
• ISO/IEC 27031 - a specification for ICT readiness for business continuity
• ISO/IEC 27032 - a guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)
• ISO/IEC 27033 - IT network security, a multi-part standard based on ISO/IEC 18028:2006
• ISO/IEC 27034 - a guideline for application security
ISO/IEC 27001, part of the growing ISO/IEC 27000 series of standards, is an information security management system (ISMS)
standard published in October 2005 by the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 - Information technology—Security techniques—
Information security management systems—Requirements, but it is commonly known as "ISO 27001".
It is intended to be used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management, which
lists security control objectives and recommends a range of specific security controls. Organizations that implement an ISMS in
accordance with the best practice advice in ISO/IEC 27002 are likely to simultaneously meet the requirements of ISO/IEC
27001 but certification is entirely optional (unless mandated by the organization's stakeholders).
Organizations may be certified as compliant with ISO/IEC 27001 by a number of Accredited Registrars worldwide. Certification
against any of the recognized national variants of ISO/IEC 27001 (e.g. JIS Q 27001, the Japanese version) by an accredited
certification body is functionally equivalent to certification against ISO/IEC 27001 itself. Certification audits are usually
conducted by ISO/IEC 27001 Lead Auditors.
In some countries, the bodies which verify conformity of management systems to specified standards are called "certification
bodies", in others they are known as "registration bodies", "assessment and registration bodies", "certification/ registration
bodies", and sometimes "registrars".
The ISO/IEC 27001 certification, like other ISO management system certifications, usually involves a three-stage audit
•Stage 1 is a "table top" review of the existence and completeness of key documentation such as the organization's security
policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP).
•Stage 2 is a detailed, in-depth audit involving testing the existence and effectiveness of the information security controls
stated in the SoA and RTP, as well as their supporting documentation.
•Stage 3 is a follow-up reassessment audit to confirm that a previously-certified organization remains in compliance with the
standard. Certification maintenance involves periodic reviews and re-assessments to confirm that the ISMS continues to
operate as specified and intended.
ISO/IEC 27002, part of a growing family of ISO/IEC ISMS standards (the 'ISO/IEC 27000 series'), is an information security
standard published by the International Organization for Standardization (ISO) and the International Electrotechnical
Commission (IEC) as ISO/IEC 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it
into line with the other ISO/IEC 27000-series standards. It is entitled Information technology - Security techniques - Code of
practice for information security management. The current standard is a revision of the version first published by ISO/IEC in
2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.
ISO/IEC 27002 provides best practice recommendations on information security management for use by those who
are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information
security is defined within the standard in the context of the C-I-A triad:
the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access),
integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring
that authorized users have access to information and associated assets when required).
After the introductory sections, the standard contains the following twelve main sections:
•Security policy - management direction
•Organization of information security - governance of information security
•Asset management - inventory and classification of information assets
•Human resources security - security aspects for employees joining, moving and leaving an organization
•Physical and environmental security - protection of the computer facilities
•Communications and operations management - management of technical security controls in systems and networks
•Access control - restriction of access rights to networks, systems, applications, functions and data
•Information systems acquisition, development and maintenance - building security into applications
•Information security incident management - anticipating and responding appropriately to information security breaches
•Business continuity management - protecting, maintaining and recovering business-critical processes and systems
•Compliance - ensuring conformance with information security policies, standards, laws and regulations
ISO/IEC 27004, part of a growing family of ISO/IEC ISMS standards (the 'ISO/IEC 27000 series'), is an information security
standard being currently developed by the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC). Its current title is Information technology -- Security techniques -- Information security
The purpose of ISO/IEC 27004 is to help organizations measure and report the effectiveness of their information security
management systems, covering both the security management processes and the controls.
ISO/IEC 27005, part of a growing family of ISO/IEC ISMS standards (the 'ISO/IEC 27000 series'), is an information security
standard being currently developed by the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC). Its full title is ISO/IEC 27005:2008 Information technology -- Security techniques --
Information security risk management.
The purpose of ISO/IEC 27005 is to provide guidelines for information security risk management. It supports the general
concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based
on a risk management approach. It does not specify, recommend or even name any specific risk analysis method, although it
does specify a structured, systematic and rigorous process from analyzing risks through to creating the risk treatment plan.
ISO/IEC 27006, part of a growing family of ISO/IEC Information Security Management System (ISMS) standards, the
'ISO/IEC 27000 series', is an information security standard published by the International Organization for Standardization
(ISO) and the International Electrotechnical Commission (IEC). It is entitled Information technology - Security techniques -
Requirements for bodies providing audit and certification of information security management systems.
ISO/IEC 27006 lays out formal requirements for accredited organizations which certify other organizations compliant with
It effectively replaces EA 7/03 (Guidelines for the Accreditation of bodies operating certification/registration of Information
Security Management Systems).
The standard helps ensure that ISO/IEC 27001 certificates issued by accredited organizations are meaningful and
trustworthy, in other words it is a matter of assurance.
ISO/IEC 27007, part of a growing family of ISO/IEC Information Security Management System (ISMS) standards (the 'ISO/IEC
27000 series'), is an information security standard being currently developed by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC). Its current title is Information technology --
Security techniques -- Guidelines for Information security management systems auditing.
ISO/IEC 27007 will provide guidance for those auditing ISMSs for various purposes other than certified compliance with
ISO/IEC 27001 (which is covered by ISO/IEC 27006), purposes such as:
•Internal auditing, for example for IT auditors to confirm that an organization's information security controls adequately
mitigate its information security risks;
•External auditing, including IT audits conducted as part of financial audits (e.g. confirming that the information security
controls relating to the general ledger or procurement systems and processes are adequate for the auditors to place reliance
on the associated data/information) and audits of the third party ISMSs (such as those operated by IT service suppliers
whether to check their adequacy per se or to confirm that contractual obligations on them in relation to information security
•Management reviews, including those conducted routinely as part of an operating ISMS to check that everything is in order,
and ad hoc audits following information security incidents, as part of the root cause analysis to generate corrective actions.
ISO 27001:2005 Structure
•Terms & definitions
•Clauses 4 to 8
•Control Objectives & Controls
•Annex B OECD principles
•Annex C Correspondence between Standards
OECD: Organization for Economic Co-operation and Development
•Excluding any of the requirements specified in Clauses 4, 5, 6, 7 and 8 is not
•Reference ISO 27001:2005 (Clause 1.2 Application)
•Information Security Management System
Establish the ISMS
The organization shall do the following.
a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location,
assets, technology, and including details of and justification for any exclusions from the scope.
b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology
that:
1) includes a framework for setting objectives and establishes an overall sense of direction and principles for action
with regard to information security;
2) takes into account business and legal or regulatory requirements, and contractual security obligations;
3) aligns with the organization's strategic risk management context in which the establishment and maintenance of the
ISMS will take place;
4) establishes criteria against which risk will be evaluated; and
5) has been approved by management.
c) Define the risk assessment approach of the organization.
1) Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security,
legal and regulatory requirements.
2) Develop criteria for accepting risks and identify the acceptable levels of risk.
The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results.
d) Identify the risks.
1) Identify the assets within the scope of the ISMS, and the owners of these assets.
2) Identify the threats to those assets.
3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
e) Analyze and evaluate the risks.
1) Assess the business impact upon the organization that might result from a security failure, taking into account the
consequences of a loss of confidentiality, integrity or availability of the assets.
2) Assess the realistic likelihood of such a security failure occurring in the light of prevailing threats and vulnerabilities, and
impacts associated with these assets, and the controls currently implemented.
3) Estimate the levels of risks.
4) Determine whether the risk is acceptable or requires treatment using the risk acceptance criteria
g) Select control objectives and controls for the treatment of risks.
h) Obtain management approval of the proposed residual risks.
i) Obtain management authorization to implement and operate the ISMS.
j) Prepare a Statement of Applicability. A Statement of Applicability shall be prepared that includes the following: 1) the
control objectives and controls selected, and the reasons for their selection; 2) the control objectives and controls currently
implemented; and 3) the exclusion of any control objectives and controls in Annex A and the justification for their exclusion.
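The risk steps c) to j) above, worked through as a small deterministic risk register. This is an added example written for these notes, not text or code from ISO/IEC 27001 or from the course; the 1-5 scales, the impact x likelihood formula, the acceptance threshold, and every asset, threat, control name and score are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Fixed ordinal scales. Using the same scales for every assessment is what
# makes results comparable and reproducible, as the notes require.
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}


@dataclass(frozen=True)
class Risk:
    """One row of the risk register (steps d and e of 'Establish the ISMS')."""
    asset: str
    owner: str
    threat: str
    vulnerability: str
    cia: str                      # which of C, I, A the loss would affect
    impact: int                   # 1..5 on IMPACT_SCALE
    likelihood: int               # 1..5 on LIKELIHOOD_SCALE
    control: str = ""             # selected control (step g), "" if none
    residual_impact: Optional[int] = None       # after the control, if changed
    residual_likelihood: Optional[int] = None   # after the control, if changed


@dataclass(frozen=True)
class AcceptanceCriteria:
    """Management-approved criteria (step c.2): levels above threshold need treatment."""
    threshold: int
    approved_by: str


def validate_scores(impact: int, likelihood: int) -> bool:
    """True only if both scores sit on the fixed scales (no ad hoc values)."""
    return impact in IMPACT_SCALE and likelihood in LIKELIHOOD_SCALE


def risk_level(impact: int, likelihood: int) -> int:
    """Step e.3: estimate the risk level as impact x likelihood (constructed formula)."""
    if not validate_scores(impact, likelihood):
        raise ValueError(f"scores must be 1..5, got impact={impact} likelihood={likelihood}")
    return impact * likelihood


def needs_treatment(level: int, criteria: AcceptanceCriteria) -> bool:
    """Step e.4: a level above the approved threshold is not acceptable as-is."""
    return level > criteria.threshold


def assess(risks, criteria):
    """Steps e to h: inherent level, treatment decision, residual level, and whether
    the residual risk is within the criteria or still needs explicit management approval."""
    rows = []
    for r in risks:
        inherent = risk_level(r.impact, r.likelihood)
        if r.control:
            residual = risk_level(
                r.impact if r.residual_impact is None else r.residual_impact,
                r.likelihood if r.residual_likelihood is None else r.residual_likelihood,
            )
        else:
            residual = inherent  # no control selected: residual equals inherent
        rows.append({
            "asset": r.asset, "owner": r.owner, "threat": r.threat, "cia": r.cia,
            "inherent": inherent, "treat": needs_treatment(inherent, criteria),
            "control": r.control, "residual": residual,
            "residual_needs_approval": needs_treatment(residual, criteria),
        })
    return rows


def statement_of_applicability(risks, catalogue):
    """Step j: for each control in the catalogue, record whether it was selected and
    either the risks that justify it or the justification for excluding it."""
    soa = {}
    for control in catalogue:
        reasons = sorted(f"{r.threat} on {r.asset}" for r in risks if r.control == control)
        soa[control] = (("selected", "; ".join(reasons)) if reasons
                        else ("excluded", "no in-scope risk requires this control"))
    return soa


# Constructed sample data: a small in-scope asset list with owners and a control catalogue.
CRITERIA = AcceptanceCriteria(threshold=6, approved_by="Managing Director (constructed)")
CONTROL_CATALOGUE = [
    "technical vulnerability and patch management",
    "information backup with restore testing",
    "malware protection on mail gateway",
    "clear desk and clear screen",
]
SAMPLE_RISKS = [
    Risk("customer database", "Head of Sales", "disclosure by external attacker",
         "unpatched database server", "C", 5, 3,
         "technical vulnerability and patch management", residual_likelihood=1),
    Risk("payroll file server", "HR Manager", "ransomware encrypts files",
         "no tested backups", "A", 4, 3,
         "information backup with restore testing", residual_impact=2),
    Risk("staff mailboxes", "IT Manager", "malware delivered by e-mail",
         "no attachment filtering", "I", 3, 5,
         "malware protection on mail gateway", residual_likelihood=3),
    Risk("visitor Wi-Fi", "Facilities", "guest bandwidth exhaustion",
         "no rate limiting", "A", 1, 4),
]


def run_sample():
    return assess(SAMPLE_RISKS, CRITERIA), statement_of_applicability(SAMPLE_RISKS, CONTROL_CATALOGUE)


if __name__ == "__main__":
    rows, soa = run_sample()
    for row in rows:
        print(f"{row['asset']:<22} inherent={row['inherent']:>2} treat={row['treat']!s:<5} "
              f"residual={row['residual']:>2} needs_approval={row['residual_needs_approval']}")
    for control, (status, why) in soa.items():
        print(f"{status:<8} {control}: {why}")
```

The mailbox row shows the case step h) exists for: the selected control lowers the risk but not below the threshold, so the residual risk has to be explicitly approved rather than silently accepted.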
Implement and operate the ISMS
The organization shall do the following.
a) Formulate a risk treatment plan that identifies the appropriate management action, resources, responsibilities and
priorities for managing information security risks
b) Implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration
of funding and allocation of roles and responsibilities.
c) Implement controls selected to meet the control objectives.
d) Define how to measure the effectiveness of the selected controls or groups of controls and specify how these
measurements are to be used to assess control effectiveness to produce comparable and reproducible results
e) Implement training and awareness programs
f) Manage operations of the ISMS.
g) Manage resources for the ISMS
h) Implement procedures and other controls capable of enabling prompt detection of and response to security incidents
Monitor and review the ISMS
The organization shall do the following.
a) Execute monitoring and review procedures and other controls to:
1) promptly detect errors in the results of processing;
2) promptly identify attempted and successful security breaches and incidents;
3) enable management to determine whether the security activities delegated to people or implemented
by information technology are performing as expected;
4) help detect security events and thereby prevent security incidents by the use of indicators; and
5) determine whether the actions taken to resolve a breach of security were effective.
b) Undertake regular reviews of the effectiveness of the ISMS (including meeting ISMS policy and objectives, and review
of security controls) taking into account results of security audits, incidents, effectiveness measurements, suggestions and
feedback from all interested parties.
c) Measure the effectiveness of controls to verify that security requirements have been met.
d) Review risk assessments at planned intervals and review the level of residual risk and identified acceptable risk, taking
into account changes to:
1) the organization;
3) business objectives and processes;
4) identified threats;
5) effectiveness of the implemented controls; and
6) external events, such as changes to the legal or regulatory environment, changed contractual obligations, and changes
in social climate.
e) Conduct internal ISMS audits at planned intervals.
f) Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and
improvements in the ISMS process are identified.
g) Update security plans to take into account the findings of monitoring and reviewing activities.
h) Record actions and events that could have an impact on the effectiveness or performance of the ISMS.
Maintain and improve the ISMS
The organization shall regularly do the following.
a) Implement the identified improvements in the ISMS.
b) Take appropriate corrective and preventive actions. Apply the lessons learnt from the security experiences of other
organizations and those of the organization itself.
c) Communicate the actions and improvements to all interested parties with a level of detail appropriate to
the circumstances and, as relevant, agree on how to proceed.
d) Ensure that the improvements achieve their intended objectives.
Documentation shall include records of management decisions, ensure that actions are traceable to management decisions
and policies, and the recorded results are reproducible. It is important to be able to demonstrate the relationship from the
selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS
policy and objectives.
The ISMS documentation shall include:
a) documented statements of the ISMS policy and objectives;
b) the scope of the ISMS;
c) procedures and controls in support of the ISMS;
d) a description of the risk assessment methodology;
e) the risk assessment report;
g) documented procedures needed by the organization to ensure the effective planning, operation and control of its
information security processes and describe how to measure the effectiveness of controls;
h) records required by this International Standard; and
i) the Statement of Applicability.
Control of documents
Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define
the management actions needed to:
a) approve documents for adequacy prior to issue;
b) review and update documents as necessary and re-approve documents;
c) ensure that changes and the current revision status of documents are identified;
d) ensure that relevant versions of applicable documents are available at points of use;
e) ensure that documents remain legible and readily identifiable;
f) ensure that documents are available to those who need them, and are transferred, stored and ultimately
disposed of in accordance with the procedures applicable to their classification;
g) ensure that documents of external origin are identified;
h) ensure that the distribution of documents is controlled;
i) prevent the unintended use of obsolete documents; and
j) apply suitable identification to them if they are retained for any purpose.
Control of records
Records shall be established and maintained to provide evidence of conformity to requirements and the effective
operation of the ISMS. They shall be protected and controlled. The ISMS shall take account of any relevant legal or
regulatory requirements and contractual obligations. Records shall remain legible, readily identifiable and retrievable. The
controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be
documented and implemented.
Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review,
maintenance and improvement of the ISMS by:
a) establishing an ISMS policy;
b) ensuring that ISMS objectives and plans are established;
c) establishing roles and responsibilities for information security;
d) communicating to the organization the importance of meeting information security objectives and conforming to
the information security policy, its responsibilities under the law and the need for continual improvement;
e) providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS
f) deciding the criteria for accepting risks and for acceptable risk levels;
g) ensuring that internal ISMS audits are conducted and
h) conducting management reviews of the ISMS
Provision of resources
The organization shall determine and provide the resources needed to:
a) establish, implement, operate, monitor, review, maintain and improve an ISMS;
b) ensure that information security procedures support the business requirements;
c) identify and address legal and regulatory requirements and contractual security obligations;
d) maintain adequate security by correct application of all implemented controls;
e) carry out reviews when necessary, and to react appropriately to the results of these reviews; and
f) where required, improve the effectiveness of the ISMS.
Training, awareness and competence
The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to
perform the required tasks by:
a) determining the necessary competencies for personnel performing work affecting the ISMS;
b) providing training or taking other actions (e.g. employing competent personnel) to satisfy these needs;
c) evaluating the effectiveness of the actions taken; and
d) maintaining records of education, training, skills, experience and qualifications
The organization shall also ensure that all relevant personnel are aware of the relevance and importance of
their information security activities and how they contribute to the achievement of the ISMS objectives.
•Internal ISMS Audits
Internal ISMS audits
The organization shall conduct internal ISMS audits at planned intervals to determine whether the control
objectives, controls, processes and procedures of its ISMS:
a) conform to the requirements of this International Standard and relevant legislation or regulations;
b) conform to the identified information security requirements;
c) are effectively implemented and maintained; and
d) perform as expected.
•Management Review of the ISMS
Management shall review the organization's ISMS at planned intervals (at least once a year) to ensure its continuing
suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for
changes to the ISMS, including the information security policy and information security objectives. The results of the reviews
shall be clearly documented and records shall be maintained.
Review input
The input to a management review shall include:
a) results of ISMS audits and reviews;
b) feedback from interested parties;
c) techniques, products or procedures, which could be used in the organization to improve the ISMS performance and
effectiveness;
d) status of preventive and corrective actions;
e) vulnerabilities or threats not adequately addressed in the previous risk assessment;
f) results from effectiveness measurements;
g) follow-up actions from previous management reviews;
h) any changes that could affect the ISMS; and
i) recommendations for improvement.
Review output
The output from the management review shall include any decisions and actions related to the following.
a) Improvement of the effectiveness of the ISMS.
b) Update of the risk assessment and risk treatment plan.
c) Modification of procedures and controls that affect information security, as necessary, to respond to internal or
external events that may impact on the ISMS, including changes to:
1) business requirements;
2) security requirements;
3) business processes affecting the existing business requirements;
4) regulatory or legal requirements;
5) contractual obligations; and
6) levels of risk and/or risk acceptance criteria.
d) Resource needs.
e) Improvement to how the effectiveness of controls is being
The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy,
information security objectives, audit results, analysis of monitored events, corrective and preventive actions and
Corrective action
a) identifying non-conformities;
b) determining the causes of non-conformities;
c) evaluating the need for actions to ensure that non-conformities do not recur;
d) determining and implementing the corrective action needed;
e) recording results of action taken and
f) reviewing of corrective action taken.
Preventive action
a) identifying potential non-conformities and their causes;
b) evaluating the need for action to prevent occurrence of non-conformities;
c) determining and implementing preventive action needed;
d) recording results of action taken and
e) reviewing of preventive action taken.
Document CheckList of ISO 27001
ISMS Implementation project documents
• ISMS Scope Definition
• ISO/IEC 27002 Questionnaire/Gap Analysis Report
• ISMS Implementation Proposal/Business Case
• ISMS Implementation Plan
• Risk Treatment Plan
• Statement of Applicability
• Information Security Forum approvals/minutes/initiatives
• Risk Assessment Methodology/Approach/Risk Management Strategy
• ISMS Organization (structure chart showing key responsibilities, reporting lines etc.)
Baseline technical security standards for …
• Application and other servers
• Databases (e.g. Oracle, DB2, Sybase, Access ...)
• Desktops, laptops, PDAs
• Development systems
• DMZ (devices installed in the De-Militarized Zone) including Web servers, email servers and other Internet-
• Operating systems (e.g. Windows XP, Windows 2003, Windows CE, various UNIX, MVS etc.)
• Routers and switches
• Test systems
• Third party systems used or installed on-site/on the LAN
• Wired and wireless networks (LAN and WAN, WiFi etc.)
ISMS Information Security Policies
• Access Control Policy
• Clear Desk and Clear Screen Policy
• Data Archive And Retention Policy
• Data Classification and Control Policy
• Disposal of Information/Media/Equipment Policy
• e-Commerce Security Policy
• Email Security/Acceptable Use Policy
• Information Security Risk Assessment Policy
• IT Outsourcing Security Policy
• Laptop Security Policy
• Mobile Computing and Teleworking Policy
• Overarching ISMS Policy (suggest 1-4 sides maximum i.e. a high level management overview
and endorsement of the ISMS, a ‘superset’ of the information security policies)
• Password Policy
• Penetration Testing Policy
• Personnel Security Policy
• Physical Security Policy
• Software Copyright Policy
• Spam Policy
• System/data Backup and Recovery Policy
• System Usage Monitoring Policy
• Third Party Access Policy
• Virus/malware Policy
Information security-related procedures (process guides)
• Backup Procedure
• Compliance Assessment and Audit Procedures e.g. Cisco router security audit procedure
• Incident Reporting Procedure
• Logical Access Review Procedure
• Patch Management Procedure
• Security Admin Procedures (adding user IDs, changing access rights, changing passwords etc.)
• System Hardening Procedure
• System Security Testing Procedure
• User Maintenance Procedure
Management system procedures
• Corrective/Preventive Action Procedure
• Document and Record Control Procedure (doc reviews, ownership, management authorization, change controls,
• Internal ISMS Audit Procedure
• Information Security Awareness Materials (posters, briefings, presentations etc. aimed at identified audience groups and
Information security-related job descriptions/rôles and responsibilities
• Information Asset Owner
• Information Security Analyst
• Information Security Architect
• Information Security Manager
• Information Security Officer
• Information Security Tester
• IT Auditor
• Security Administrator
ISMS operational artifacts/records
• Business Continuity Plans (business continuity focused) and Test/Exercise Reports
• Business Impact Assessment Checklist and Reports
• IT Disaster Recovery Plans (IT service restoration focused) and Test/Exercise Reports
• Information Asset Inventory/Database
• Information Security Incident Report Forms and Reports on Significant Incidents
• Review of Solution Design and Architecture Checklist (for software development)
• Threat and Vulnerability Checklists/Questionnaires and Reports
• Backup and Archive Register (details of tapes/disks, dates, types of backup, scope of backup - possibly automated)
• Business Continuity Plan Register (details of all BCPs showing status, ownership, scope, when last tested etc.)
• Standard Desktop Software List (catalog of approved desktop software)
• Information Security Incident Register (may be derived from the IT Help/Service Desk call logging system)
• Privilege/Administrator Access and Authorization List
• Risk Register (risk title, risk owner, nature of risk, management decisions re reduce/transfer/avoid etc.)
• Software License Register (supplier, type of license, license conditions/restrictions, owner/manager of vendor relationship)
• System Patch and Antivirus Status Register (likely to be largely automated)
• Third Party Access and Connection Register (showing security information about the links, 3rd parties, contractual
information security terms etc.)
How to Measure the Effectiveness of Security in ISO 27001
Objective of Measurement
• To show ongoing improvement;
• To show compliance (with Standards, contracts, SLAs, OLAs, etc);
• To justify any future expenditure (new security software, training, people, etc);
• ISO 27001 requires it. Other Management Systems also require it – ISO 9001, ISO 20000;
• To identify where implemented controls are not effective in meeting their objectives;
• To provide confidence to senior management and stakeholders that implemented controls are effective.
So, which of the 133 potentially applicable controls (within ISO 27001) can be used to measure security?
Well, arguably, all of them. In practice, though, this would invariably be too onerous a task and would cause an already
overworked IT Department to crumble under the weight of bureaucracy.
Before we attempt to answer this question, then, we should always understand the requirement for such clarity. Why are
you being asked to provide such information? What is the driver? Where does the requirement come from?
Other drivers may exist, too. It could be that the company has just realized that you can get more from ISO 27001, or
perhaps it’s operational risk management such as BASEL II, SOX, Turnbull (UK Corporate Governance) or simply regulatory
requirements and legislation that’s driving your business.
Either way, you’re not alone. Many organizations (but not all) misunderstand the fundamental concepts behind BS 7799 and
ISO 27001 and have treated it as a marketing exercise, as opposed to trying to achieve real business benefit and ROI.
ISO 27001 provides much more clarity and goes further into what should be measured for its effectiveness. As such, the
much anticipated ISO 27004 (guidelines on how to measure effectiveness) in 2007 should finally put an end to this ‘grey’
area and will hopefully shed much needed light onto the types of controls to be measured and what results we should
expect (e.g. Industry Baseline).
Benefits of measuring security?
• Eases the process of monitoring the effectiveness of the ISMS (e.g. less labour intensive if tools are used, and provides
a means of self-checking);
• Proactive measurement tools can prevent problems arising at a later date (e.g. network bottlenecks, disk clutter,
development of poor human practices);
• Reduction of incidents, etc;
• Motivates staff when senior management set targets;
• Tangible evidence to auditors, and assurance to senior management that you are in control – i.e. Corporate Information
Assurance (Corporate Governance), and a top-down approach to Information Assurance.
What should be measured?
For ease of explanation, the measurements have been broken down into the following categories:
1. Management Controls:
Security Policy, IT Policies, Security Procedures,
Business Continuity Plans, Security Improvement Plans,
Business Objectives, Management Reviews
2. Business Processes:
Risk Assessment & Risk Treatment Management
Process, Human Resource Process, SOA selection
process, Media Handling Process
3. Operational Controls:
Operational Procedures, Change Control, Problem
Management, Capacity Management, Release Management, Back up, Secure Disposal, Equipment off
Well, again arguably the whole ISMS (Clauses 4 – 8) section, or group of controls as suggested earlier. Ultimately the risk
assessment will confirm the relevance of the most applicable controls that should be measured.
Therefore measurement can be achieved against:
• A particular security control or objective;
• A group of controls;
• The main controls within a Standard;
• Or the examples given below.
These have been mapped to their nearest ISO 27001 control reference or group of controls (but bear in mind that not all of
the controls map easily).
So what is the process for deciding which of these controls (or groups of controls) should be used?
First, you need to:
• Confirm relevance of controls through risk assessment;
• Define objectives, ensuring they map back to the business;
• Use existing Indicators wherever possible, e.g. in ITIL terms, KPIs:
• A KPI helps a business define and measure progress towards a particular goal;
• KPIs are quantifiable measurements of the improvement in performing the activity that is critical to the success of the
• Within the ISMS audit framework, identify controls which can be continuously monitored, using chosen technique;
• Before using any tools, agree the objectives with senior managers as well as staff. Agree this contractually where
external third parties are concerned, or through SLAs/OLAs where internal third parties are concerned e.g. ISO15000
• Establish a baseline, against which all future measurements can be contrasted/compared;
• Provide periodic reports to the appropriate management forum/ISMS owners (show graphs; a picture paints a thousand words);
• Identify Review Input – agreed recommendations, corrective actions, etc;
• Implement improvements within your Integrated Management Systems (IMS) e.g. merged ISO’s 9001, 14000, 27001,
• Establish/agree new baseline, review the output, apply the PDCA approach (Plan – Do – Check – Act).
Measurement for the operation must:
• Reflect your business goals;
• Be critical to the success of the operation;
• Be measurable, reproducible and contrastable;
• Facilitate corrective action.
Each measurement requires a definition, so ensure the following list is used for each definition:
• Scope of the metric;
• Purpose and objectives;
• Measurement method;
• Measurement frequency;
• Data source and data collection procedures;
• Chosen Indicators;
• Date of measurement and person responsible;
• Level of effectiveness achieved (or level of maturity, in case of a maturity metric for controls);
• Causes for non-achievement.
As each business will probably have its own measurements already in place (e.g. KPIs), the challenge is to set a
‘measurement’ which is measurable and contrastable for all respondents.
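As an added illustration (not part of the course notes), the following Python turns the definition list above into a worked measurement: a metric for a 30-day patch SLA, mapped to Annex A control A.12.6.1 and fed from a constructed System Patch and Antivirus Status Register, is recorded against an agreed baseline and target, with the causes for non-achievement captured for the management review. The hosts, percentages and SLA window are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date
# Constructed sample register rows (hypothetical hosts):
# (host, critical patch applied?, days since the patch was released)
PATCH_REGISTER = [
    ("srv-db-01", True, 10),
    ("srv-web-01", False, 20),   # unpatched but still inside the SLA window
    ("srv-app-02", True, 5),
    ("wks-fin-07", False, 45),   # SLA breached
    ("wks-hr-03", False, 60),    # SLA breached
]
@dataclass
class MetricDefinition:          # one attribute per definition field in the notes
    scope: str
    purpose: str
    control_ref: str             # nearest ISO 27001 Annex A control
    method: str
    frequency: str
    data_source: str
    indicator: str
    responsible: str
    target_pct: float            # objective agreed with senior management

@dataclass
class MeasurementRecord:         # one dated measurement against the agreed baseline
    definition: MetricDefinition
    measured_on: date
    achieved_pct: float
    baseline_pct: float
    causes: list = field(default_factory=list)   # causes for non-achievement

    @property
    def meets_target(self) -> bool:
        return self.achieved_pct >= self.definition.target_pct

PATCH_SLA = MetricDefinition(
    scope="All servers and workstations in the information asset inventory",
    purpose="Show critical patches are applied within the agreed 30-day SLA",
    control_ref="A.12.6.1",
    method="Hosts patched, or still inside the SLA window, divided by all hosts",
    frequency="Monthly",
    data_source="System Patch and Antivirus Status Register (automated export)",
    indicator="Percentage of hosts compliant with the 30-day patch SLA",
    responsible="Security Administrator",
    target_pct=90.0,
)
def measure_patch_sla(register, sla_days=30):
    """Return (compliance %, causes for non-achievement) for one measurement."""
    compliant, causes = 0, []
    for host, patched, age in register:
        if patched or age <= sla_days:
            compliant += 1
        else:
            causes.append(f"{host}: patch outstanding {age} days (SLA {sla_days})")
    return round(100.0 * compliant / len(register), 1), causes

def record_measurement(definition, register, baseline_pct, measured_on=None):
    """Produce the dated record reported to the ISMS management review forum."""
    pct, causes = measure_patch_sla(register)
    return MeasurementRecord(definition, measured_on or date.today(), pct, baseline_pct, causes)
```

Each monthly record keeps the same definition, so successive `achieved_pct` values can be contrasted with `baseline_pct` to show the ongoing improvement the notes ask for.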
A.5 Security policy
A.5.1 Information security policy
Objective: To provide management direction and support for information security in accordance with business requirements
and relevant laws and regulations.
A.5.1.1 Information security policy document
A.5.1.2 Review of the information security policy
A.6 Organization of information security
A.6.1 Internal organization
Objective: To manage information security within the organization.
A.6.1.1 Management commitment to information security
A.6.1.2 Information security coordination
A.6.1.3 Allocation of information security responsibilities
A.6.1.4 Authorization process for information processing facilities
A.6.1.5 Confidentiality agreements
A.6.1.6 Contact with authorities
A.6.1.7 Contact with special interest groups
A.6.1.8 Independent review of information security
A.6.2 External parties
Objective: To maintain the security of the organization's information and information processing facilities that are accessed,
processed, communicated to, or managed by external parties.
A.6.2.1 Identification of risks related to external parties
A.6.2.2 Addressing security when dealing with customers
A.6.2.3 Addressing security in third party agreements
A.7 Asset management
A.7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.
A.7.1.1 Inventory of assets
A.7.1.2 Ownership of assets
A.7.1.3 Acceptable use of assets
A.7.2 Information classification
Objective: To ensure that information receives an appropriate level of protection.
A.7.2.1 Classification guidelines
A.7.2.2 Information labeling and handling
A.8 Human resources security
A.8.1 Prior to employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are
suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
A.8.1.1 Roles and responsibilities
A.8.1.3 Terms and conditions of employment
A.8.2 During employment
Objective: To ensure that all employees, contractors and third party users are aware of information security threats and
concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of
their normal work, and to reduce the risk of human error.
A.8.2.1
A.8.2.2 Information security awareness, education and training
A.8.2.3 Disciplinary process
A.8.3 Termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an
orderly manner.
A.8.3.1 Termination responsibilities
A.8.3.2 Return of assets
A.8.3.3 Removal of access rights
A.9 Physical and environmental security
A.9.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's premises and
A.9.1.1 Physical security perimeter
A.9.1.2 Physical entry controls
A.9.1.3 Securing offices, rooms and facilities
A.9.1.4 Protecting against external and environmental threats
A.9.1.5 Working in secure areas
A.9.1.6 Public access, delivery and loading areas
A.9.2 Equipment security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities.
A.9.2.1 Equipment siting and protection
A.9.2.2 Supporting utilities
A.9.2.3 Cabling security
A.9.2.4 Equipment maintenance
A.9.2.5 Security of equipment off-premises
A.9.2.6 Secure disposal or re-use of equipment
A.9.2.7 Removal of property
A.10 Communications and operations management
A.10.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.
A.10.1.1 Documented operating procedures
A.10.1.2 Change management
A.10.1.3 Segregation of duties
A.10.1.4 Separation of development, test and operational facilities
A.10.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and service delivery in line with third
party service delivery agreements.
A.10.2.1 Service delivery
A.10.2.2 Monitoring and review of third party services
A.10.2.3 Managing changes to third party services
A.10.3 System planning and acceptance
Objective: To minimize the risk of systems failures.
A.10.3.1 Capacity management
A.10.3.2 System acceptance
A.10.4 Protection against malicious and mobile code
Objective: To protect the integrity of software and information.
A.10.4.1 Controls against malicious code
A.10.4.2 Controls against mobile code
Objective: To maintain the integrity and availability of information and information processing facilities.
A.10.5.1 Information back-up
A.10.6 Network security management
Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
A.10.6.1 Network controls
A.10.6.2 Security of network services
A.10.7 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business
A.10.7.1 Management of removable media
A.10.7.2 Disposal of media
A.10.7.3 Information handling procedures
A.10.7.4 Security of system documentation
A.10.8 Exchange of information
Objective: To maintain the security of information and software exchanged within an organization and with any
A.10.8.1 Information exchange policies and procedures
A.10.8.2 Exchange agreements
A.10.8.3 Physical media in transit
A.10.8.4 Electronic messaging
A.10.8.5 Business information systems
A.10.9 Electronic commerce services
Objective: To ensure the security of electronic commerce services, and their secure use.
A.10.9.1 Electronic commerce
A.10.9.2 On-line transactions
A.10.9.3 Publicly available information
A.10.10 Monitoring
Objective: To detect unauthorized information processing activities.
A.10.10.1 Audit logging
A.10.10.2 Monitoring system use
A.10.10.3 Protection of log information
A.10.10.4 Administrator and operator logs
A.10.10.6 Clock synchronization
A.11 Access control
A.11.1 Business requirement for access control
Objective: To control access to information.
A.11.1.1 Access control policy
A.11.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to information systems.
A.11.2.1 User registration
A.11.2.2 Privilege management
A.11.2.3 User password management
A.11.2.4 Review of user access rights
A.11.3 User responsibilities
Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
A.11.3.1 Password use
A.11.3.2 Unattended user equipment
A.11.3.3 Clear desk and clear screen policy
A.11.4 Network access control
Objective: To prevent unauthorized access to networked services.
A.11.4.1 Policy on use of network services
A.11.4.2 User authentication for external connections
A.11.4.3 Equipment identification in networks
A.11.4.4 Remote diagnostic and configuration port protection
A.11.4.5 Segregation in networks
A.11.4.6 Network connection control
A.11.4.7 Network routing control
A.11.5 Operating system access control
Objective: To prevent unauthorized access to operating systems.
A.11.5.1 Secure log-on procedures
A.11.5.2 User identification and authentication
A.11.5.3 Password
A.11.5.4 Use of system utilities
A.11.5.5 Session time-out
A.11.5.6 Limitation of connection time
A.11.6 Application and information access control
Objective: To prevent unauthorized access to information held in application systems.
A.11.6.1 Information access restriction
A.11.6.2 Sensitive system isolation
A.11.7 Mobile computing and teleworking
Objective: To ensure information security when using mobile computing and teleworking facilities.
A.11.7.1 Mobile computing and communications
A.12 Information systems acquisition, development and maintenance
A.12.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems.
A.12.1.1 Security requirements analysis and specification
A.12.2 Correct processing in applications
Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.
A.12.2.1 Input
A.12.2.2 Control of internal processing
A.12.2.3 Message integrity
A.12.2.4 Output data validation
A.12.3 Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
A.12.3.1 Policy on the use of cryptographic controls
A.12.3.2 Key management
A.12.4 Security of system files
Objective: To ensure the security of system files.
A.12.4.1 Control of operational software
A.12.4.2 Protection of system test data
A.12.4.3 Access control to program source code
A.12.5 Security in development and support processes
Objective: To maintain the security of application system software and information.
A.12.5.1 Change control procedures
A.12.5.2 Technical review of applications after operating system changes
A.12.5.3 Restrictions on changes to software packages
A.12.5.4 Information leakage
A.12.5.5 Outsourced software development
A.12.6 Technical Vulnerability Management
Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.
A.12.6.1 Control of technical
A.13 Information security incident management
A.13.1 Reporting information security events and weaknesses
Objective: To ensure information security events and weaknesses associated with information systems are communicated in
a manner allowing timely corrective action to be taken.
A.13.1.1 Reporting information security events
A.13.1.2 Reporting security weaknesses
A.13.2 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.
A.13.2.1 Responsibilities and procedures
A.13.2.2 Learning from information security incidents
A.13.2.3 Collection of evidence
A.14 Business continuity management
A.14.1 Information security aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of
major failures of information systems or disasters and to ensure their timely resumption.
A.14.1.1 Including information security in the business continuity management process
A.14.1.2 Business continuity and risk assessment
A.14.1.3 Developing and implementing continuity plans including information security
A.14.1.4 Business continuity planning framework
A.14.1.5 Testing, maintaining and re-assessing business continuity plans
A.15.1 Compliance with legal requirements
Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security
A.15.1.1 Identification of applicable legislation
A.15.1.2 Intellectual property rights (IPR)
A.15.1.3 Protection of organizational records
A.15.1.4 Data protection and privacy of personal information
A.15.1.5 Prevention of misuse of information processing facilities
A.15.1.6 Regulation of cryptographic controls
A.15.2 Compliance with security policies and standards, and technical compliance
Objective: To ensure compliance of systems with organizational security policies and standards.
A.15.2.1 Compliance with security policies and standards
A.15.2.2 Technical compliance checking
A.15.3 Information systems audit considerations
Objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.
A.15.3.1 Information systems audit controls
A.15.3.2 Protection of information systems audit tools