ISO27k links

Sources of the ISO27k standards themselves

  • Recommended resource ANSI is selling their “INCITS” versions of ISO/IEC 27001 and ISO/IEC 27002 as PDF downloads for just US$30 each. The standards can also be purchased, rather more expensively, from ISO, from the national standards bodies (such as the British Standards Institute) and from commercial organizations such as IHS Technical Indexes and TechStreet. There are several other sources, so shop around for the best deals, for example using this Google search.
  • Several national standards bodies release translated versions of the ISO/IEC standards in their local languages. They all go to great lengths to ensure that the translations remain true to the original, causing some delay while the English language versions are translated, reviewed and released.

Further info on the ISO27k standards & their implementation

  • Recommended resource The State of California State Information Security Office has released a 43-page Information Security Program Guide for State Agencies - in effect a guideline on implementing ISO/IEC 27002 for US government entities. It includes a template ‘acceptable use’ policy. The State also offers a range of risk analysis checklists, tools and advice for small/simple, medium and large/complex entities, and a guide to the role and responsibilities of the information security officer.
  • Recommended resource A comprehensive French language website provides useful information on ISO27k, risk analysis methods such as MEHARI and EBIOS, and general infosec info, e.g. a brief outline of ingénierie sociale (social engineering).
  • Recommended resource The Government Chief Information Office, part of the New South Wales Department of Commerce, published and maintains a useful 111-page manual to guide Australian government agencies implementing ISO27k. The guidelines explain how to structure the ISMS, analyze risks to identify suitable information security controls, and measure and improve the ISMS thereafter. It doesn’t go into detail on implementing specific controls but provides general guidance by reference to the standards.
  • Recommended resource If you are actively implementing the ISO27k standards, you are welcome to join the ISO27k Implementers’ Forum to discuss the practicalities with others doing the same thing. The community of forum members will be pleased to advise you in relation to implementation, giving you the benefit of their collective experience in this field. Your own thoughts and inputs are most welcome, including contentious points for discussion.
  • Recommended resource Visit www.ISO27001certificates.com for details of ISO/IEC 27001 certificates issued.
  • The latest annual AC Nielson survey conducted on behalf of ISO on the ISO management systems standards includes the ISMS standards. It gives a breakdown of ISO/IEC 27001 certificates issued per country as at the end of 2006. [The total number is higher than usually reported so it is possible that they are double-counting organizations with multiple certificates].
  • A handy guide to the process approach is available on ISO’s ISO 9000 website.
  • Ismael Valenzuela in [IN]SECURE eZine explains how information security can and indeed should be integrated with the systems development lifecycle (SDLC), using ISO/IEC 17799 (now ISO/IEC 27002). The piece includes a useful table linking specific clauses in the ISO/IEC standard to SDLC phases starting from the risk assessment stage, prior to drawing up security requirements, and continuing right through development, testing and operations to eventual retirement of the system at the end of its life.
  • British Standards Institute has published a number of useful little ISMS guidance booklets over the years including BSI/DISC PD 005 (?) which contained a very handy overview diagram showing the typical lifecycle of an organization’s ISMS project. It would be good to see the parts of this older material recycled into the new. A security metrics booklet BIP 0074 is available from BSI: Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001. “With increasing International interest in the field of ISMS metrics and measurements, this publication brings together the different methods that are currently in use to measure controls and/or processes. In addition it gives further information and guidance about these various methods to measure the success of security arrangements in place.” Price ~£40 ($75). [Another, cheaper, BSI booklet covers metrics for ISO 20000 (ITIL).]
  • www.ISO27000.es is “el portal de ISO 27000 en Español” - a Spanish language ISO27k site.
  • Comunidade Portuguesa de Segurança da Informação is a Portuguese community for those interested in implementing ISO27k information security management systems (mainly in Portuguese but with some interesting papers in English).
  • Open Directory Project (ODP) maintains a page of ISO27k links.
  • Praxiom sells ‘plain English’ guides and gap analysis/audit tools for ISO/IEC 27001 & ISO/IEC 27002. Their site includes a useful summary of the controls from the standards.

General information security management sources

  • Recommended resource The German Government’s IT Baseline Protection Manual (also available as a single 25MB PDF) contains standard security safeguards, implementation advice (e.g. “differential analysis” to identify changes in information security risks), technical security measures for several operating systems and threat catalogues. While not directly aligned, the content is relevant to ISO27k implementations. You'll need some time to read all 2,377 pages though!
  • A French government website dedicated to information systems security, available in English, French, Spanish and German, includes the risk assessment methodology EBIOS and an associated tool for Windows, Linux ...
  • IT security guidance from the Canadian Government has some interesting documents on risk assessment etc.
  • A collection of general information security links is maintained by Gideon Rasmussen at ussecurityawareness.org
  • “Risk” is one of the more confusing terms in this field. I personally favor the definition “risk is the chance that a threat will act on a vulnerability to cause a business impact” but there are other interpretations e.g. some people equate risk with vulnerability, some with probability of an incident. The Wikipedia definitions of risk (“risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood”) and risk management are well worth reading and considering. Bear in mind that risk is about much more than just information security.
  • Russ McRee, author of the Toolsmith column in ISSA Journal, maintains a page of links to infosec standards.
  • The IT Compliance Institute (ITCi) has produced a useful cross-reference matrix showing the points of contact/overlap between a whole bunch of US/international laws, standards and regulations relating to information security (free access requires registration on the ITCi site - there are other useful resources too so it's probably worth doing). Some of the main ones are: ISO/IEC 27001 and ISO/IEC 27002, COBIT, COSO ERM, NIST SP 800-14/26/53, FISMA, Mastercard SDP, HIPAA, various FFIEC, SAS 70, PCAOB and SOX. They are listed along one axis with control objectives on the other axis and the page or section references in the body note the coverage. Here are three ways you might use the matrix:
    • ISMS coverage by control objective: check down the list to confirm that your ISMS covers most of the control objectives, and if there are any you do not recognize or you know are weak, look across the rows to find references from the standards that will explain the requirements;
    • ISMS coverage of applicable laws/standards/regs: highlight the vertical columns for all those laws/stds/regs with which your organization has to comply, then highlight the horizontal rows where there are any entries in a marked column. Rows with multiple entries are common controls, so you probably already have them, but implementation should integrate the multiple requirements. Be careful about the rows with single entries: do you have them all covered in your ISMS? If not, there's a noncompliance risk to consider.
    • Linking standards to laws & regs: management are strangely concerned about compliance with laws and regs, if not standards, presumably because they fear the personal accountability and business impact of non-compliance. The cross-reference matrix can help the information security manager who is promoting best practice ISMS standards by identifying the legal and regulatory requirements that coincide with best practice controls.

    A lot of work must have gone into compiling the matrix. Make the most of it. The ITCi’s Unified Compliance Project is definitely one to look out for if your organization is subject to the usual mesh of overlapping laws, standards and regs.

  • Find out about books on ISO27k and related standards here
  • CCcure.org lists useful books and other resources for the CISSP and related qualifications, all of which are also good reference material for ISO/IEC 27001, ISO/IEC 27002 etc.
  • There are many more information security management-related links in the NoticeBored links collection.

Suppliers of ISO27k-related services and products

  • Veridion offers week-long courses in ISO27k implementation and auditing in places such as Seattle, LA, Prague, Detroit and Washington DC. Linked May 7th
  • Consult2Comply offers consultancy support for governance, risk and compliance, and sells a range of British and international standards. Linked May 7th
  • Warrior Networks specialises in digital information security, offering general ISMS and governance consultancy, ISO/IEC 27001 auditing and implementation support. Linked May 1st
  • Information Standards Limited specialises in ISO27k including healthchecks, risk assessment, ISMS implementation project management and related business consultancy services. They understand the difference between IT and information security.

Miscellany

  • ISACA members can download an article on what to do after BS 7799 [ISO/IEC 27001] certification from the ISACA journal online.
  • The evolution of BS7799 to ISO27001 and ISMS certifications, a paper by Rebecca Herold, describes the business benefits of the information security management standards.
  • SANS commissioned a 47-page checklist (PDF file) to guide a review of information security management controls against ISO/IEC 17799:2000 using BS 7799-2. It’s rather out of date now.
  • ISO is not an acronym but the official name of the Swiss organization responsible for coordinating the world’s national standards bodies. Joint Technical Committee 1 (JTC1) is responsible for all ISO’s IT standards and JTC1 Subcommittee 27 (JTC1/SC27) is specifically responsible for the standards covering “IT security techniques”. JTC1/SC27 is busy, judging by the number of security papers currently under consideration, many of which relate to encryption and privacy.
  • The UK’s BERR (Department for Business, Enterprise and Regulatory Reform), formerly the DTI (Department of Trade and Industry, the originator of BS 7799), offers general information security information and guidelines. The department continues to promote BS 7799-3 and the ISO27k standards. The 2-part information security healthcheck questionnaire is a simple way to determine how far from compliance with ISO/IEC 27001/2 your organization might be - the first part asks 10 overview questions for a quick estimation while the follow-up detailed questionnaire asks more than 100.
  • ISSEA (the International Systems Security Engineering Association) is a non-profit professional organization dedicated to the adoption of systems security engineering as a defined and measurable discipline.
  • IsecT Ltd. owns and manages this website. We have our own corporate website and another promoting NoticeBored, our innovative ISO27k-aligned information security awareness service.

Disclosure of interest:

We own the IsecT and NoticeBored websites, and have at various times contributed materials to some of the other sites and organizations noted above.

Copyright © 2008 IsecT Ltd.