ISO/IEC TR 27008:2011

ISO/IEC TR 27008:2011 Information technology — Security techniques — Guidelines for auditors on information security management systems controls

This standard on ISMS “technical auditing” complements ISO/IEC 27007.  It concentrates on auditing the information security controls, whereas ’27007 concentrates on auditing the management system.

Scope

This standard provides guidance for all auditors regarding “information security management systems controls” [sic] selected through a risk-based approach (e.g. as presented in a statement of applicability) for information security management.  It supports the information security risk management process and internal, external and third-party audits of an ISMS by explaining the relationship between the ISMS and its supporting controls.  It provides guidance on how to verify the extent to which required “ISMS controls” are implemented.  Furthermore, it supports any organization using ISO/IEC 27001 and ISO/IEC 27002 to satisfy assurance requirements, and as a strategic platform for Information Security Governance.

Purpose and justification

The standard:

  • Is applicable to all organizations, including public and private companies, government entities and not-for-profit organizations and organizations of all sizes regardless of the extent of their reliance on information;
  • Supports planning and execution of ISMS audits and the information security risk management process;
  • Further adds value and enhances the quality and benefit of the ISO27k standards by closing the gap between reviewing the ISMS in theory and, when needed, verifying evidence of implemented ISMS controls (e.g. in the ISO27k user organizations, assessing security elements of business processes, IT systems and IT operating environments);
  • Provides guidance for auditing information security controls based on the controls guidance in ISO/IEC 27002;
  • Improves ISMS audits by optimizing the relationships between the ISMS processes and required controls (e.g. mechanisms to limit the harm caused by failures in the protection of information - erroneous financial statements, incorrect documents issued by an organization and intangibles such as reputation and image of the organization and privacy, skills and experience of people);
  • Supports an ISMS-based assurance and information security governance approach and audit thereof [??  This appears to stray into the area of management systems auditing rather than information security auditing];
  • Ensures effective and efficient use of audit resources.

Scope

Whereas ISO/IEC 27007 focuses on auditing the management system elements of an ISMS as described in ISO/IEC 27001, ISO/IEC TR 27008 focuses on checking some of the information security controls themselves, such as those described in ISO/IEC 27002 and outlined in Annex A of ISO/IEC 27001.

’27008 “focuses on reviews of information security controls, including checking of technical compliance, against an information security implementation standard, which is established by the organization.  It does not intend to provide any specific guidance on compliance checking regarding measurement, risk assessment or audit of an ISMS as specified in ISO/IEC 27004, 27005 or 27007 respectively.”

Technical compliance checking/auditing is explained as a process of examining “technical” security controls, interviewing those associated with the controls (managers, technicians, users etc.), and testing the controls.  The methods should be familiar to experienced IT auditors.

“Technical controls”, while not explicitly defined in the standard, appear to be what are commonly known as IT security controls, in other words a subset of the information security controls described in ISO/IEC 27001 and especially 27002.

Discussion

While this standard is not intended to be used by accredited ISMS certification bodies, there has been some concern about its potential impact on ISO/IEC 27001 certification audits.  Certification against ISO/IEC 27001 requires certification auditors to assess the organization’s ISMS as a whole for compliance with the standard, but not necessarily to delve into the information security controls themselves.  They review the management system in much the same way that ISO 9000 auditors review an organization’s management system for quality assurance.  Some of us feel that this leaves an assurance gap: it is conceivable for an organization to implement an ISMS ‘on paper’ but to ignore significant elements of its security policies, standards, procedures and guidelines in practice.  Others insist that certification auditors do normally substantiate the existence of information security controls as well as the management system controls, at least to some extent (how much being a moot point).  While compliance activities operating within a certified ISMS should address this, competently auditing the information security controls can provide greater confidence that theory matches reality, and might boost the credibility of ISO/IEC 27001 certificates.  Unfortunately, such an approach would cause problems for any certification bodies with a shortage of competent IT auditors.

Minor but numerous grammatical and technical errors in the standard, as well as its limited scope, do not bode well for its widespread adoption.  Frankly, there are much better guides to IT auditing than ISO/IEC TR 27008.  [OK, given that I wrote an IT audit FAQ, perhaps I’m a little biased!  ISACA’s COBIT and other materials are also good, whereas ‘27008 is distinctly underwhelming.]

Latest available status info

The standard was published in November 2011 as ISO/IEC TR 27008:2011, a “Type 2” Technical Report, rather than a full International Standard.

Copyright © 2012 IsecT Ltd.