ISO/IEC 27008 Information technology -- Security techniques -- Guidance for auditors on ISMS controls (draft)
ISO/IEC JTC1/SC27 is producing a second guideline on ISMS auditing to complement ISO/IEC 27007.
Scope
This standard will provide guidance for all auditors regarding “ISMS controls” selected through a risk-based approach (e.g. as presented in a statement of applicability) for information security management. It will support the information security risk management process and internal, external and third-party audits of an ISMS by explaining the relationship between the ISMS and its supporting controls. It will provide guidance on how to verify the extent to which required “ISMS controls” are implemented. Furthermore, it will support any organization using ISO/IEC 27001 and ISO/IEC 27002 to satisfy assurance requirements, and as a strategic platform for Information Security Governance.
Note: the term “ISMS controls” is confusing.
This standard will be applicable to all organizations, including public and private companies, government entities and not-for-profit organizations, and organizations of all sizes regardless of the extent of their reliance on information.
Publication is anticipated around November 2011.
The scope may yet be revised to clarify the distinction from both ’27007 and ’27006.
Purpose and justification
The standard will:
- Support planning and execution of ISMS audits and the information security risk management process;
- Further add value and enhance the quality and benefit of the ISO27k standards to the end-user by closing the gap between reviewing the ISMS in theory and, when needed, verifying evidence of implemented ISMS controls (e.g. in the end-user's organization, business processes and system environment);
- Provide guidance for auditing controls based on the guidance provided by ISO/IEC 27002;
- Improve ISMS audits by optimizing the relationships between the ISMS processes and required controls (e.g. mechanisms to limit harm caused by failures in the protection of information: erroneous financial statements, incorrect documents issued by an organization, and intangibles such as the reputation and image of the organization, privacy, and the skills and experience of people);
- Support an ISMS-based assurance and information security governance approach and the audit thereof;
- Ensure effective and efficient use of audit resources.
Discussion on ‘27008 at ISO/IEC JTC1/SC27 meetings
Whereas ISO/IEC 27007 focuses on auditing the management system elements of an ISMS as described in ISO/IEC 27001, ISO/IEC 27008 seems to focus on the information security controls themselves, such as those described in ISO/IEC 27002 and outlined in Annex A of ISO/IEC 27001.
There has been intense discussion within SC27 regarding the need for guidance on ‘technical audit’. The term ‘technical’ caused much confusion: would this mean just auditing the technical information security controls from ISO/IEC 27002 (such as antivirus software), or would it also include the non-technical controls from ISO/IEC 27002 (such as antivirus policies, management reviews etc.) or something else? For some, the term ‘technical auditing’ means the use of technical audit tools such as Computer Aided Audit Techniques (CAATs) and vulnerability assessment software. Any use of the term “technical” in the standard is likely to be closely scrutinized.
While the intended audience for this standard is not purely limited to accredited certification bodies, the potential impact on ISO/IEC 27001 certification audits is also of concern. At present, certification against ISO/IEC 27001 requires certification auditors to assess the organization’s ISMS as a whole but not necessarily to delve into the information security controls themselves. They typically review the management system in much the same way that ISO 9000 auditors review an organization’s management system for quality assurance. Some feel that this leaves an assurance gap: it is conceivable for an organization to implement an ISMS ‘on paper’ but to ignore significant elements of its policies, standards, procedures and guidelines in practice. Others insist that certification auditors do normally substantiate the existence of information security controls as well as the management system controls, at least to some extent (... just how much is the key issue!). While the ISMS compliance activities should address this, competently auditing the information security controls would provide greater confidence that theory matches reality, and would lend more credibility to the ISO/IEC 27001 certificates. Unfortunately, such an approach would also cause problems for any certification bodies with a shortage of competent IT auditors. At present, there is no intent to change the certification audits, and ISO/IEC 27008 is explicitly not intended to cover certification audits.
ISO/IEC 27008 may perhaps be published as a “Type 2” Technical Report ISO/IEC TR 27008 rather than an International Standard since some feel this field of practice is still evolving, but SC27 has not decided yet. There are strong arguments to make it an International Standard like all the rest of ISO27k.
While SC27 continues to shy away from developing too explicit and narrow a guide to information security auditing, it has gratefully accepted a detailed contribution from Italy based on an Italian standard.