A new series of blog posts is going to be released in the coming weeks on ISO 27001:2013. The purpose of these posts is not to provide a “how-to guide” to getting compliant. The purpose is to discuss each of the 114 controls to help you decide how they best fit your organization.
What is it?
ISO 27001:2013 is a management standard that details how to set up an Information Security Management System (ISMS) for an organization. In practice, this means establishing a blueprint of policies, standards, baselines and procedures for information governance, risk, and compliance. It lists controls that we must follow as requirements for establishing, implementing, operating, monitoring, reviewing, managing, and continually improving the ISMS. These controls, listed in the annex of the 27001:2013 standard and discussed in greater detail in ISO 27002, are tailored to your organization, and some may be removed if not relevant. For example, if your organization does not develop software, you can remove the controls related to software development. This allows the 27001 standard to be a good fit for any organization looking to improve its security.
Before we begin we must understand some things. Firstly, there is a lot of overlap between the ISO 27001 and ISO 27002 standards. ISO 27001 tells us what we need to do to gain certification. ISO 27002 explains exactly how to implement the ISO 27002 controls. ISO 27001 can be split into two parts. The first part is the initial 10 clauses outlining the standard, which are:
- Scope of the standard
- How the document is referenced
- Reuse of the terms and definitions in ISO/IEC 27000
- Organizational context and stakeholders
- Information security leadership and high-level support for policy
- Planning an information security management system; risk assessment; risk treatment
- Supporting an information security management system
- Making an information security management system operational
- Reviewing the system’s performance
- Corrective action
The second portion is the Annex, which contains the list of controls required. It is these controls that this blog series will discuss.
The way this document came into existence should also be considered when deciding if it will be of use to you. I recently passed my CISSP exam and decided to study the individual frameworks covered by the CISSP in depth to improve my own understanding. The first framework I wished to tackle was ISO 27001, as it is one of the best and had been referenced in my CISSP studies several times. I wanted to write about what I was learning to assist my own understanding, and to act as something I could read over in the future. When I was reading through the framework I found the first 10 clauses to be very much a repeat of what I covered in the CISSP and didn’t feel a need to write about them, but the controls contained in the Annex captured my imagination.
This blog series is to act as a bridge between ISO 27001 and ISO 27002. It explains what each of the controls specified in the Annex is for, and the security concepts underpinning them. It does not go into sufficient detail to allow an organization to become certified, but it can help with understanding the requirements before taking on such an undertaking.
At the very least I hope this helps InfoSec students start understanding what the standard entails, before moving on to more formal sources.
The format of the blog posts
The blog posts will be based on the security categories of the controls:
- Information security policies
  - Management direction for information security
- Organization of information security
  - Internal organization
  - Mobile devices and teleworking
- Human resource security
  - Prior to employment
  - During employment
  - Termination and change of employment
- Asset management
  - Responsibility for assets
  - Information classification
  - Media handling
- Access control
  - Business requirements for access control
  - User access management
  - User responsibilities
  - System and application access control
- Cryptography
  - Cryptographic controls
- Physical and environmental security
  - Secure areas
- Operations security
  - Operational procedures and responsibilities
  - Protection from malware
  - Logging and monitoring
  - Control of operational software
  - Technical vulnerability management
  - Information systems audit considerations
- Communications security
  - Network security management
  - Information transfer
- System acquisition, development and maintenance
  - Security requirements of information systems
  - Security in development and support processes
  - Test data
- Supplier relationships
  - Information security in supplier relationships
  - Supplier service delivery management
- Information security incident management
  - Management of information security incidents and improvements
- Information security aspects of business continuity management
  - Information security continuity
- Compliance
  - Compliance with legal and contractual requirements
  - Information security reviews
I will add hyperlinks to the above as the posts become available.