20th January 2020
ISO 27001 is a model for information security management systems. It is an information security certification (registration) scheme in which a company's information security procedures and processes are assessed against an information security management standard. This standard has been agreed in this country, in the European Union and internationally.
ISO 27001 is the certifiable (working) standard, and its management-system requirements are set out in 7 main sections, clauses 4 to 10:
Put very simply, ISO 27001 certification is a demonstration of an organisation's ability to consistently protect information and to satisfy its customers' information security needs.
ISO 27002 is the code of practice, and it is normal to use it to set up a comprehensive Information Security Management System (ISMS). It has 15 main sections, 4.0 to 18.0:
The introduction, starting from 'What is information security?', explains what information security is and how to make use of the standard.
The scope clause describes the extent of cover the standard provides for an ISMS.
The normative references clause lists the documents referred to within 27002 that are indispensable for operation of the Information Security Management System, including ISO 27000, which provides the terms and definitions.
The structure clause simply explains that the standard contains 14 security control clauses with a total of 35 main security categories and 114 controls.
A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.
Management should define a policy that clarifies its direction and support for information security: a short, high-level information security policy statement laying down the key information security directives and mandates for the entire organisation.
Normally it will spell out the three main criteria:
C – Confidentiality
I – Integrity
A – Availability
This is normally supported by a comprehensive set of more detailed corporate information security policies, typically in the form of an information security policy manual. The policy manual in turn is supported by a set of information security procedures and guidelines.
This policy is normally signed by the most senior person and displayed.
A management framework should be designed and implemented to initiate and control the implementation of information security within the organisation. The framework should assign responsibilities for information security risk management and in particular for acceptance of residual risks.
A forum, made up of a cross-section of people from the organisation, should meet regularly.
The organisation should have a management structure for information security. Senior management should provide direction and commit their support, for example by approving information security policies. Roles and responsibilities should be defined for the information security function. Other relevant functions should cooperate and coordinate their activities.
New information processing facilities should be authorised before they are brought into use.
Confidentiality agreements should reflect the organisation’s needs. Contacts should be established with relevant authorities (e.g. law enforcement) and special interest groups. Information security should be independently reviewed.
Mobile devices are being used extensively within organisations and it is vital that the security of business information is protected. This is particularly important when working outside the organisation in unprotected environments.
Mobile devices should be protected from theft and, where possible, should be capable of being remotely wiped when needed.
The organisation should manage system access rights etc. for new starters, movers (promotions and changes of role) and leavers, and should undertake suitable security awareness, training and educational activities.
Background verification checks should be carried out in accordance with relevant laws, regulations and ethics and should be proportionate to the business requirements, the classification of the information to be accessed and the perceived risks.
Security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff through adequate job descriptions, pre-employment screening and included in contracts (e.g. terms and conditions of employment and other signed agreements on security roles and responsibilities).
The organisation should ensure that employees, contractors and third party users are properly briefed about information security threats and concerns and their responsibilities regarding information security should be defined. Employees and (if relevant) third party IT users should be made aware, educated and trained in security procedures. A formal disciplinary process is necessary to handle security breaches.
Security aspects of a person's exit from the organisation should be managed (e.g. the return of company assets and removal of access rights, change of access codes or passwords). Clearly some of the controls are different if the person has been dismissed and must leave the premises immediately.
Changes in role should be managed as the termination of the current responsibility or employment combined with the start of the new one, so that access no longer needed is removed rather than accumulated.
Assets associated with information and information processing should be identified and appropriate protection responsibilities defined.
The organisation should identify the assets relevant to the lifecycle of information and document their importance. The lifecycle of information includes creation, processing, storage, transmission, deletion and destruction. Documentation should be maintained in dedicated or existing inventories as appropriate.
The asset inventory should be accurate, up to date, consistent and aligned with other inventories.
Ownership of assets and their classification should be defined.
Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
It is usual to classify by analysing the effect of a compromise on confidentiality, integrity and availability.
Examples can be based on four levels:
To prevent unauthorised disclosure, modification, removal or destruction of information stored on media.
Removable media should be protected and stored in accordance with the organisation’s security classifications.
Media contents no longer required should be made unrecoverable.
If the confidentiality or integrity of the data is an important consideration, cryptographic techniques (such as encryption of the media) should be considered.
Registration of removable media should be considered to limit the opportunity for data loss.
Removable media drives should only be enabled if there is a business case for doing so.
Media that is no longer required should be disposed of securely. Audit trails of media disposal should be maintained.
Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorised use.
The organisation's requirements for controlling access to information assets should be clearly documented in an access control policy, including for example job-related access profiles (role-based access control). [This is an important obligation for information asset owners.]
Formal procedures for the allocation of access rights to users should be controlled through user registration and administration procedures (from initial user registration through to removal of access rights when no longer required), including special restrictions over the allocation of privileges and management of passwords, and regular access rights reviews.
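As an added example (not code from the page or from Quality Matters Ltd), the regular access rights review described above, together with the starters/movers/leavers handling from the human resources section, can be partly automated by reconciling an account export against the HR roster and the role-based access profiles from the access control policy. All data, user ids, role names and entitlement names below are constructed and hypothetical:

```python
# Added example: automated access-rights review reconciling an account export
# against the HR roster and role-based access profiles. All data below is
# constructed for illustration; user ids, roles and entitlements are hypothetical.
from datetime import date

# Constructed HR roster: user id -> (role, leaving date or None if still employed)
HR_ROSTER = {
    "alice": ("finance", None),
    "bob": ("developer", None),
    "carol": ("developer", date(2019, 12, 31)),  # leaver: should have no access left
    "dave": ("finance", date(2020, 3, 31)),       # future leaver: still entitled today
}

# Constructed role-based access profiles: role -> entitlements approved for that role
ROLE_PROFILES = {
    "finance": {"erp-read", "erp-post"},
    "developer": {"git", "ci"},
}

# Entitlements treated as privileged, so an unapproved grant is escalated, not just listed
PRIVILEGED = {"domain-admin", "erp-post"}

# Constructed account export from the systems under review, one row per grant
ACCOUNTS = [
    {"user": "alice", "entitlement": "erp-read"},
    {"user": "alice", "entitlement": "erp-post"},
    {"user": "bob", "entitlement": "git"},
    {"user": "bob", "entitlement": "erp-post"},       # outside the developer profile
    {"user": "bob", "entitlement": "domain-admin"},   # privileged, no role grants it
    {"user": "carol", "entitlement": "git"},          # leaver whose access was never removed
    {"user": "dave", "entitlement": "erp-read"},      # acceptable until the leaving date
    {"user": "svc-backup", "entitlement": "ci"},      # account with no HR record at all
]

# Review dates used by the stand-alone run (constructed)
REVIEW_DATE = date(2020, 1, 20)
LATER_DATE = date(2020, 4, 1)


def review_access(accounts, roster, profiles, today):
    """Return (user, entitlement, finding) triples for every grant that the
    access control policy does not justify on the given date. Grants that match
    the user's role profile, for people still employed, produce no finding."""
    findings = []
    for grant in accounts:
        user, ent = grant["user"], grant["entitlement"]
        if user not in roster:
            findings.append((user, ent, "no-hr-record"))
            continue
        role, leaving = roster[user]
        if leaving is not None and leaving <= today:
            findings.append((user, ent, "leaver-not-removed"))
            continue
        if ent not in profiles.get(role, set()):
            kind = "privileged-outside-profile" if ent in PRIVILEGED else "outside-profile"
            findings.append((user, ent, kind))
    return findings


def summarise(findings):
    """Count findings by type for the review report."""
    counts = {}
    for _, _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    findings = review_access(ACCOUNTS, HR_ROSTER, ROLE_PROFILES, REVIEW_DATE)
    for user, ent, kind in findings:
        print(f"{kind:28} {user:12} {ent}")
    print(summarise(findings))
```

Each finding maps to an action the control expects: a leaver's residual access is removed, an account with no HR record is either documented as a service account with a named owner or disabled, and a grant outside the role profile is either approved as an exception by the asset owner or revoked. Running the same review with a later date shows why the leaving date, not just the current role, must be part of the check: dave's grant is correct today and becomes a finding the day after he leaves.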
Users should be made accountable for safeguarding their authentication information, e.g. keeping secret authentication information confidential and not divulging it to any other party, including those in authority. SSO (single sign-on) and other secret authentication information management tools reduce the amount of secret authentication information that users are required to protect, and this can increase the effectiveness of this control. However, these tools also increase the impact of disclosure of that secret authentication information, since one credential then unlocks many systems.
Access to information and application system functions should be restricted in accordance with the access control policy.
The following may be considered:
Password management systems should be employed to ensure that secure log-on procedures are followed, including the use of strong passwords. The 2013 edition of the standard also calls for regular password changes; note that current guidance from NIST (SP 800-63B) and the UK NCSC is to require a change only when compromise is suspected, because forced periodic expiry pushes users towards predictable variations of the same password.
A cryptography policy should be developed and implemented. This should include:
Critical or sensitive information processing facilities should be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc. It should also be sited to prevent unauthorised viewing of confidential matter.
There is a need for concentric layers of physical controls including barriers, walls, card controlled entry gates or manned reception desks (rather like an onion) to protect sensitive IT facilities from unauthorised access.
A secure area may be a lockable office, a computer room or several rooms surrounded by a continuous internal physical security barrier.
Critical IT equipment, cabling and other assets should be protected against physical damage, fire, flood, theft, and interception etc., both on and off-site.
Power supplies and cabling should be secured. IT equipment should be maintained properly and disposed of securely.
Access to and within application systems should be controlled in accordance with a defined access control policy. Particularly sensitive applications may require dedicated (isolated) platforms, and/or additional controls if run on shared platforms.
The application of physical controls should be adapted to the technical and economic circumstances of the organisation.
To prevent loss, damage, theft or compromise of assets and interruption to the organisation's operations.
This includes the siting of equipment to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access.
Supporting utilities should be inspected regularly to detect damage and malfunction.
Cabling should be protected and checked for unauthorised interception.
Clear desk and clear screen policies should be in use.
This is a big clause and it covers all aspects of operations security.
To ensure correct and secure operations of information processing facilities.
Documented operating procedures should be available to all users who need them.
Change control procedures should be used to record and authorise changes to the organisation, business processes, information processing facilities and systems that can affect information security.
Capacity should be monitored and tuned, and projections made of future capacity requirements, to ensure the required system performance.
To ensure that information and information processing facilities are protected from viruses and other malware.
Systems should be backed up to protect against data loss.
To record events and generate evidence.
To ensure the integrity of operational systems.
To prevent exploitation of technical vulnerabilities.
To minimise the impact of audit activities on operational systems.
This is a big clause and covers all aspects of communications security.
To ensure the protection of information in networks and its supporting information processing facilities.
Information security must take into account the systems development lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems.
Automated and manual security control requirements should be analysed and fully identified during the requirements stage of the systems development or acquisition process, and incorporated into business cases.
Purchased software should be formally tested for security, and any issues risk-assessed.
To ensure that information security is designed within the development lifecycle of information systems.
To ensure the protection of data used for testing.
This section, new as a separate clause in the 2013 edition, deals with the protection of information that suppliers can access and the security requirements to be included in supplier agreements.
Information security events, incidents and weaknesses (including near-misses) should be promptly reported and properly managed.
A formal incident/weakness reporting procedure is required, plus the associated response and escalation procedures. There should be a central point of contact, and all employees, contractors etc. should be informed of their incident reporting responsibilities. Feedback to the person reporting an incident should take place.
Responsibilities and procedures are required to manage incidents and weaknesses effectively, to implement continuous improvement (learning the lessons), and to collect evidence in accordance with legal requirements.
This section describes the objective to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. A business continuity management process should be implemented to minimise the impact on the organisation and recover from the loss of information assets.
The section covers the relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans. These controls are designed to minimise the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.
The organisation must comply with applicable legislation such as copyright, data protection, protection of financial data and other vital records, cryptography restrictions, rules of evidence etc.
System audits should be carefully planned to minimise disruption to operational systems. Powerful audit tools/facilities must also be protected against unauthorised use.
Heybridge Business Centre
110 The Causeway, Heybridge
Essex CM9 4ND
T: 01621 857841
M: 07702 193788
© 2020 Quality Matters Ltd. All rights reserved.