ISO/IEC TS 27008:2019 — Information technology — Security techniques — Guidelines for the assessment of information security controls (second edition)
“This document provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organisation's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organisation. This document offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001. It is applicable to all types and sizes of organisations, including public and private companies, government entities, and not-for-profit organisations conducting information security reviews and technical compliance checks.”
[Source: ISO/IEC TS 27008:2019]
This standard (strictly speaking a Technical Specification) on “technical auditing” complements ISO/IEC 27007. It concentrates on auditing the information security controls - or rather the “technical controls” (as in IT security or cybersecurity controls), whereas ’27007 concentrates on auditing the management system elements of the ISMS.
This standard provides guidance for all auditors regarding “information security management systems controls” [sic] selected through a risk-based approach (e.g. as presented in a Statement of Applicability) for information security management. It supports the information risk management process and internal, external and third-party audits of an ISMS by explaining the relationship between the ISMS and its supporting controls. It provides guidance on how to verify the extent to which the organisation’s required “ISMS controls” are implemented. Furthermore, it supports any organisation using ISO/IEC 27001 and ISO/IEC 27002 to satisfy assurance requirements, and as a strategic platform for information security governance.
Purpose and justification
The intended purpose of this standard is apparently to give auditors background knowledge on the information security controls that organisations may be managing through their Information Security Management Systems. It is NOT a mandatory part of ISO/IEC 27001 conformity assessments (certification).
The standard:
- Is applicable to organisations of all types and sizes;
- Supports planning and execution of ISMS audits and the information risk management process;
- Further adds value and enhances the quality and benefit of the ISO27k standards by closing the gap between reviewing the ISMS in theory and, when needed, verifying evidence of implemented ISMS controls (e.g. in the ISO27k user organisations, assessing security elements of business processes, IT systems and IT operating environments);
- Provides guidance for auditing information security controls based on the controls guidance in ISO/IEC 27002:2013;
- Improves ISMS audits by optimising the relationships between the ISMS processes and required controls (e.g. mechanisms to limit the harm caused by failures in the protection of information, such as erroneous financial statements, incorrect documents issued by an organisation, and damage to intangibles such as the organisation’s reputation and image, privacy, and the skills and experience of people);
- Supports an ISMS-based assurance and information security governance approach and audit thereof [?? That would appear to stray into the area of management systems auditing rather than information security controls or technical auditing];
- Supports effective and efficient use of audit resources.
Whereas ISO/IEC 27007 focuses on auditing the management system elements of an ISMS as described in ISO/IEC 27001, ISO/IEC TR 27008 focuses on checking some of the information security controls themselves, such as those described in ISO/IEC 27002:2013 and outlined in Annex A of ISO/IEC 27001:2013.
’27008 “focuses on reviews of information security controls, including checking of technical compliance, against an information security implementation standard, which is established by the organisation. It does not intend to provide any specific guidance on compliance checking regarding measurement, risk assessment or audit of an ISMS as specified in ISO/IEC 27004, 27005 or 27007 respectively.”
Technical compliance checking/auditing is explained as a process of examining ‘technical’ security controls, interviewing those associated with the controls (managers, technicians, users etc.), and testing the controls. The methods should be familiar to experienced IT auditors.
‘Technical’ controls, while not explicitly defined in the standard, appear to be what are commonly known as IT security or cybersecurity controls, in other words a subset of the information security controls described in ISO/IEC 27001 and especially 27002.
Furthermore, the correct term here is conformity, not compliance, since adopting the standard is discretionary rather than a legal or regulatory obligation.
Status of the standard
The first edition was published in 2011 as ISO/IEC TR 27008:2011, a ‘Type 2 Technical Report’.
The second edition was published in 2019 as ISO/IEC TS 27008:2019, a ‘Technical Specification’ reflecting the 2013 versions of ISO/IEC 27001 and 27002.
The third edition is currently in preparation, to reflect ISO/IEC 27002:2022. It may revert to a TR with a revised title “Information security, cybersecurity and privacy protection - Guidelines for the assessment of information security controls” and a new abstract:
“This Technical Report provides guidance for assessing the implementation of ISMS controls determined through a risk-based approach for information security management. It supports the information security risk management process and assessment of ISMS controls by explaining the relationship between the ISMS and its supporting controls.”
[Source: SC 27 Standing Document 11 (July 2022)]
The third edition is at 1st Working Draft stage and is expected to be published in 2024.
The standard uses the phrase “technical compliance checking of information system controls” without explaining what that means: the standard appears to be myopically focused on ‘technical controls’. Unless the organisation understands and accepts the need to protect its valuable information in all forms against the huge variety of information risks, for business reasons, the ISMS and hence the specific technical (technological or technology-based?) information security controls will remain largely irrelevant, and yet the standard does not address broader issues of that nature.
While this standard is not intended to be used by accredited ISMS certification bodies, concern has been expressed about its potential impact on ISO/IEC 27001 certification audits. Certification against ISO/IEC 27001 requires certification auditors to assess the organisation’s ISMS as a whole for conformity with the standard, but not necessarily to delve into the information security controls themselves. They review the management system for conformity in much the same way that ISO 9000 auditors review an organisation’s management system for conformity.
An organisation may conceivably implement an ISMS ‘on paper’ but ignore significant elements of its security policies, standards, procedures and guidelines in practice, perhaps arbitrarily declaring a narrow ISMS scope and a minimalist Statement of Applicability, and declaring an unreasonably high risk tolerance simply to avoid making changes that any sane person would think appropriate. Certification auditors generally do substantiate the existence of information security controls as well as the management system controls, at least to some extent (how much being a moot point - the auditors determine which controls to sample and audit). They do so primarily in accordance with ISO/IEC 27001 clause 4.4, which formally requires the ISMS to be ‘established, implemented, maintained and continually improved’.