ISO/IEC TR 27008

ISO/IEC TR 27008 Information technology -- Security techniques -- Guidance for auditors on ISMS controls (draft - title uncertain)

At its April 2008 meeting in Kyoto, ISO/IEC JTC1/SC27 approved a new project in Working Group 1 to produce a second guideline on ISMS auditing to complement ISO/IEC 27007:

Scope

This Technical Report will provide guidance for all auditors regarding ISMS controls selected through a risk-based approach (e.g. as presented in a statement of applicability) for information security management. It will support the information security risk management process and internal, external and third-party audits of an ISMS by explaining the relationship between the ISMS and its supporting controls. It will provide guidance on how to verify the extent to which required ISMS controls are implemented. Furthermore, it will support any organization using ISO/IEC 27001 and ISO/IEC 27002 to satisfy assurance requirements, and as a strategic platform for Information Security Governance.

This Technical Report will be applicable to all organizations, including public and private companies, government entities and not-for-profit organizations, and to organizations of all sizes regardless of the extent of their reliance on information.

Publication is anticipated for November 2011.

Purpose and justification

The Technical Report will:

  • Support planning and execution of ISMS audits and the information security risk management process;
  • Further add value and enhance the quality and benefit of the ISO/IEC 27000 family of standards to the end-user by closing the gap between reviewing the ISMS in theory and, when needed, verifying evidence of implemented ISMS controls (e.g. in the end-user's organization, business processes and system environment);
  • Provide guidance for auditing controls based on the guidance provided by ISO/IEC 27002;
  • Improve ISMS audits by optimizing the relationships between the ISMS processes and the required controls (e.g. mechanisms to limit the harm caused by failures in the protection of information, such as erroneous financial statements, incorrect documents issued by the organization, and intangibles such as the organization's reputation and image, privacy, and the skills and experience of its people);
  • Support an ISMS based assurance and Information Security Governance approach and audit thereof;
  • Ensure effective and efficient use of audit resources.

Discussion at Kyoto

Whereas ISO/IEC 27007 focuses on auditing the management system elements of an ISMS as described in ISO/IEC 27001, it appears that ISO/IEC TR 27008 will focus on the information security controls themselves as described in ISO/IEC 27002 and outlined in Annex A of ISO/IEC 27001.

There was intense discussion at the SC27 meeting regarding the need for guidance on ‘technical audit’. The term ‘technical’ caused much confusion: would this mean just auditing the technical information security controls from ISO/IEC 27002 (such as antivirus software), or would it also include the non-technical controls from ISO/IEC 27002 (such as antivirus policies, management reviews etc.)? For some, ‘technical auditing’ means the use of technical audit tools such as Computer Aided Audit Techniques (CAATs) and vulnerability assessment software. Any use of the term “technical” in the Technical Report is likely to be closely scrutinized.

While the intended audience for this Technical Report is not purely limited to accredited certification bodies, the potential impact on ISO/IEC 27001 certification audits was also a bone of contention. At present, certification against ISO/IEC 27001 requires certification auditors to assess the organization’s ISMS as a whole but not necessarily to delve into the information security controls themselves. They typically review the management system in much the same way that ISO 9000 auditors review an organization’s management system for quality assurance. Some feel that this leaves an assurance gap: it is conceivable for an organization to implement an ISMS ‘on paper’ but to ignore significant elements of its policies, standards, procedures and guidelines in practice. While the ISMS compliance activities should address this, competently auditing the information security controls would provide greater confidence that theory matches reality, and would lend more credibility to the ISO/IEC 27001 certificates. Unfortunately, such an approach would also cause problems for any certification bodies with a shortage of competent IT auditors. At present, there is no intent to change the certification audits.

27008 seems likely to become a “Type 2” Technical Report rather than an International Standard since some feel this field of practice is still evolving. Wait and see.

Copyright © 2008 IsecT Ltd.