ISO 27001 is a model for information security management systems. It is an information security system registration scheme where a company’s information security procedures and processes are assessed against an information security management standard. This standard has been agreed in this country, in the European Union and internationally.

27001 is the working standard and it contains 7 main sections (clauses 4 to 10), listed here together with the three introductory clauses:

  1. Scope
  2. Normative References
  3. Terms and definitions
  4. Context of the Organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance Evaluation
  10. Improvement

Put very simply, ISO 27001 is a declaration of an organisation’s capability to consistently protect information security and to satisfy its customers’ information security needs.

27002 is the code of practice and it is normal to use this to set up a comprehensive Information Security Management System (ISMS). There are 15 main sections, 4 to 18:

ISO 27002 BY SECTION

Section 0: Introduction

Starting from ‘What is information security?’, the introduction explains what information is and how to make use of the standard.

Section 1: Scope

The Standard gives information on the extent of cover for an ISMS.

Section 2: Normative References

This clause lists the documents that are referenced within 27002 and are indispensable for the operation of the Information Security Management System.

Section 3: Terms and Definitions

This includes ISO 27000, which is a set of terms and definitions.

Section 4: Structure of the Standard

This clause simply explains that the standard contains 14 security control clauses containing a total of 35 main security categories and 113 controls.

Section 5: Information Security Policies

A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.

Management should define a policy to clarify their direction and support for information security, meaning a short, high-level information security policy statement laying down the key information security directives and mandates for the entire organisation.

Normally it will spell out the three main criteria, CIA:

C – Confidentiality
I – Integrity
A – Availability

This is normally supported by a comprehensive set of more detailed corporate information security policies, typically in the form of an information security policy manual. The policy manual in turn is supported by a set of information security procedures and guidelines.

This policy is normally signed by the most senior person and displayed.

Section 6: Organisation of Information Security

A management framework should be designed and implemented to initiate and control the implementation of information security within the organisation. Responsibilities should be allocated for information security risk management and in particular for acceptance of residual risks.

A forum, made up of a cross-section of people in the organisation, should meet regularly.

6.1 Information Security Roles and Responsibilities

The organisation should have a management structure for information security. Senior management should provide direction and commit their support, for example by approving information security policies. Roles and responsibilities should be defined for the information security function. Other relevant functions should cooperate and coordinate their activities.

IT facilities should be authorised before they are brought into use.

Confidentiality agreements should reflect the organisation’s needs. Contacts should be established with relevant authorities (e.g. law enforcement) and special interest groups. Information security should be independently reviewed.

6.2 Mobile Devices and Teleworking

Mobile devices are being used extensively within organisations and it is vital that the security of business information is protected. This is particularly important when working outside the organisation in unprotected environments.

Mobile devices should be protected from theft and where possible should have the ability to be remotely wiped of information when needed.

Section 7: Human Resources Security

The organisation should manage system access rights etc. for ‘new starters, promotion and leavers’, and should undertake suitable security awareness, training and educational activities.

7.1 Prior to Employment

Background verification checks should be carried out in accordance with relevant laws, regulations and ethics and should be proportionate to the business requirements, the classification of the information to be accessed and the perceived risks.

Security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff, through adequate job descriptions and pre-employment screening, and should be included in contracts (e.g. terms and conditions of employment and other signed agreements on security roles and responsibilities).

7.2 During Employment

The organisation should ensure that employees, contractors and third party users are properly briefed about information security threats and concerns and their responsibilities regarding information security should be defined. Employees and (if relevant) third party IT users should be made aware, educated and trained in security procedures. A formal disciplinary process is necessary to handle security breaches.

7.3 Termination and Change of Employment

Security aspects of a person’s exit from the organisation should be managed (e.g. the return of company assets and removal of access rights, change of access codes or passwords). Clearly some of the controls are different if the person has been dismissed and must leave the premises immediately.

Changes in role should be managed as the termination of the current responsibility or employment combined with the start of the new one.

Section 8: Asset Management

Assets associated with information and information processing should be identified and appropriate protection responsibilities defined.

8.1 Responsibility for Assets

The organisation should identify assets relevant in the lifecycle of information and document their importance. The lifecycle information should include creation, processing, storage, transmission, deletion and destruction. Documentation should be maintained in dedicated or existing inventories as appropriate.

The asset inventory should be accurate, up to date, consistent and aligned with other inventories.

Ownership of assets and their classification should be defined.

8.2 Information Classification

Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

It is usual to assess the effect of a compromise on confidentiality, integrity and availability.

Examples can be based on four levels:

  • Disclosure causes no harm – Public domain
  • Disclosure causes minor embarrassment or minor operational inconvenience – Restricted
  • Disclosure has a significant short term impact on operational or tactical objectives – Confidential
  • Disclosure has a serious impact on long term strategic objectives or puts the survival of the organisation at risk – Secret

8.3 Media

To prevent unauthorised disclosure, modification, removal or destruction of information stored on media.

Removable media should be protected and stored in accordance with the organisation’s security classifications.

Media contents no longer required should be made unrecoverable.

If data confidentiality or integrity are important considerations then cryptographic techniques should be considered.

Registration of removable media should be considered to limit the opportunity for data loss.

Removable media drives should only be enabled if there is a business case for doing so.

Media that is no longer required should be disposed of securely. An audit trail of media disposals should be maintained.

Section 9: Access Control

Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorised use.

9.1 Business Requirement for Access Control

The organisation’s requirements to control access to information assets should be clearly documented in an access control policy, including for example job-related access profiles (role based access control). [This is an important obligation for information asset owners.]

9.2 User Access Management

The allocation of access rights to users should be controlled through formal user registration and administration procedures (from initial user registration through to removal of access rights when no longer required), including special restrictions over the allocation of privileges and the management of passwords, and regular access rights reviews.

9.3 User Responsibilities

Users should be made accountable for safeguarding their authentication information, e.g. keeping their secret authentication information confidential and not divulging it to any other party, including those in authority. SSO (Single Sign-On) and other secret authentication information management tools reduce the amount of secret authentication information that users are required to protect, which can increase the effectiveness of this control. However, these tools can also increase the impact of a disclosure of secret authentication information.

9.4 System and Application Access Control

Access to information and application system functions should be restricted in accordance with the access control policy.

The following may be considered:

  • Providing menus to control access to application system functions;
  • Controlling which data can be accessed by a particular user;
  • Controlling read, write, delete and execute functions;
  • Controlling the access rights of other applications;
  • Limiting information contained in outputs;
  • Providing physical or logical access controls for the isolation of sensitive applications, application data or systems.

Password management systems should be employed to ensure that secure log-on procedures are followed, including the use of strong passwords and regular changing of these passwords.

Section 10: Cryptography

A cryptography policy should be developed and implemented. This should include:

  • The level of protection required;
  • The type, strength, and quality of the encryption algorithm to be used;
  • Key management;
  • Integrity/authenticity, using digital signatures or message authentication codes.

Section 11: Physical and Environmental Security

Critical or sensitive information processing facilities should be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc. They should also be sited to prevent unauthorised viewing of confidential matter.

There is a need for concentric layers of physical controls including barriers, walls, card controlled entry gates or manned reception desks (rather like an onion) to protect sensitive IT facilities from unauthorised access.

A secure area may be a lockable office, a computer room or several rooms surrounded by a continuous internal physical security barrier.

Critical IT equipment, cabling and other assets should be protected against physical damage, fire, flood, theft, and interception etc., both on and off-site.

Power supplies and cabling should be secured. IT equipment should be maintained properly and disposed of securely.

Access to and within application systems should be controlled in accordance with a defined access control policy. Particularly sensitive applications may require dedicated (isolated) platforms, and/or additional controls if run on shared platforms.

The application of physical controls should be adapted to the technical and economic circumstances of the organisation.

11.2 Equipment

To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.

This includes the siting of equipment to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access.

Supporting utilities should be inspected regularly to detect damage and malfunction.

Cabling should be protected and checked for unauthorised interception.

Clear desk and clear screen policies should be in use.

Section 12: Operations Security

This is a big clause and it covers all aspects of operations security.

To ensure correct and secure operations of information processing facilities.

Documented operating procedures should be available to all users who need them.

Change control procedures should be used to record and authorise changes to the organisation, business processes, information processing facilities and systems that can affect information security.

Capacity should be monitored and tuned, and projections made of future capacity requirements to ensure the required system performance.

12.2 Protection from malware

To ensure that information and information processing facilities are protected from viruses and other malware.

12.3 Backup

Systems should be backed up to protect against data loss.

12.4 Logging and monitoring

To record events and generate evidence.

12.5 Control of operational software

To ensure the integrity of operational systems.

12.6 Technical vulnerability management

To prevent exploitation of technical vulnerabilities.

12.7 Information systems audit considerations

To minimise the impact of audit activities on operational systems.

Section 13: Communications security

This is a big clause and covers all aspects of communications security.

To ensure the protection of information in networks and its supporting information processing facilities.

Section 14: Information Systems Acquisition, Development and Maintenance

To ensure that information security takes into account the systems development lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems.

14.1 Information Security Requirements Analysis and Specification

Automated and manual security control requirements should be analysed and fully identified during the requirements stage of the systems development or acquisition process, and incorporated into business cases.

Purchased software should be formally tested for security, and any issues risk-assessed.

14.2 Security in development and support processes

To ensure that information security is designed within the development lifecycle of information systems.

14.3 Test data

To ensure the protection of data used for testing.

Section 15: Supplier relationships

This new section deals with the protection provided in supplier agreements.

Section 16: Information Security Incident Management

Information security events, incidents and weaknesses (including near-misses) should be promptly reported and properly managed.

16.1 Reporting Information Security Events and Weaknesses

A formal incident/weakness reporting procedure is required, plus the associated response and escalation procedures. There should be a central point of contact, and all employees, contractors etc. should be informed of their incident reporting responsibilities. Feedback to the person reporting an incident should take place.

16.2 Management of Information Security Incidents and Improvements

Responsibilities and procedures are required to manage incidents and weaknesses effectively, to implement continuous improvement (learning the lessons), and to collect evidence in accordance with legal requirements.

Section 17: Information Security Aspects of Business Continuity Management

This section describes the objective to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. A business continuity management process should be implemented to minimise the impact on the organisation and recover from the loss of information assets.

This section covers the relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans. These controls are designed to minimise the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.

Section 18: Compliance

18.1 Compliance with Legal and Contractual Requirements

The organisation must comply with applicable legislation such as copyright, data protection, protection of financial data and other vital records, cryptography restrictions, rules of evidence etc.

18.2 Information Systems Reviews

System audits should be carefully planned to minimise disruption to operational systems. Powerful audit tools/facilities must also be protected against unauthorised use.

We are sure that you are as fed up as we are with the daily, and sometimes more frequent, telephone calls that are either silent and short-lived or are from someone claiming to be from BT, Virgin, Microsoft etc. offering to help with virus removal or warning that the internet connection is about to be disconnected.

Recently the same Indian-sounding woman called our office claiming to be from BT, then again from Virgin and later the same day from TalkTalk.

When I said I recognised her voice she rang off only to call again later claiming to be from O2. I usually try to be polite but on this occasion I was pretty rude. I know they are only doing their job and for a very low wage but it is very irritating.

The good news is that the Indian Police have raided a number of call centres where these scam calls originate and have arrested people, seized computer equipment and closed down a good number of these call centres.

We think that stopping these scam calls should be treated as a priority as well as outlawing the cloning of UK telephone numbers to make it look as though the call is coming from the UK.

Our ICO (Information Commissioner’s Office) is looking at ways to stop calls originating from within the UK but is powerless to stop calls from the rest of the world.

This unnecessary drain on time and resources that businesses are having to expend is placing a strain on already difficult times.

There is an increasing interest in this standard as cyber crime is on the increase, with unauthorised data access hitting an all-time high.

ISO 27001:2013 is a model for information security management systems. It is an information security system certification scheme where a company’s information security procedures and processes are assessed against an information security management standard. This standard has been agreed in this country, in the European Union and internationally.

ISO 27001 is the working standard and it contains 7 main sections (clauses 4 to 10), listed here together with the three introductory clauses:

  1. Scope
  2. Normative References
  3. Terms and definitions
  4. Context of the Organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance Evaluation
  10. Improvement

ISO 27001 is a declaration of an organisation’s capability to consistently protect information security and to satisfy its customers’ information security needs.

On the surface it looks simple enough but there is a lot going on behind the text.

27002:2013 is the code of practice and it is normal to use this to set up a comprehensive Information Security Management System (ISMS). There are 15 main sections, 4 to 18:

Section 0: Introduction

Starting from ‘What is information security?’, the introduction explains what information is and how to make use of the standard.

Section 4: Structure of the Standard

This clause simply explains that the standard contains 14 security control clauses containing a total of 35 main security categories and 113 controls.

Section 5: Information Security Policies

A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.

Management should define a policy to clarify their direction and support for information security, meaning a short, high-level information security policy statement laying down the key information security directives and mandates for the entire organisation.

Normally it will spell out the three main criteria, CIA:

C – Confidentiality
I – Integrity
A – Availability

This is normally supported by a comprehensive set of more detailed corporate information security policies, typically in the form of an information security policy manual. The policy manual in turn is supported by a set of information security procedures and guidelines.

This policy is normally signed by the most senior person and displayed.

Section 6: Organisation of Information Security

A management framework should be designed and implemented to initiate and control the implementation of information security within the organisation. Responsibilities should be allocated for information security risk management and in particular for acceptance of residual risks.

A forum, made up of a cross-section of people in the organisation, should meet regularly.

6.1 Information Security Roles and Responsibilities

The organisation should have a management structure for information security. Senior management should provide direction and commit their support, for example by approving information security policies. Roles and responsibilities should be defined for the information security function. Other relevant functions should cooperate and coordinate their activities. IT facilities should be authorised before they are brought into use.

Confidentiality agreements should reflect the organisation’s needs. Contacts should be established with relevant authorities (e.g. law enforcement) and special interest groups. Information security should be independently reviewed.

6.2 Mobile Devices and Teleworking

Mobile devices are being used extensively within organisations and it is vital that the security of business information is protected. This is particularly important when working outside the organisation in unprotected environments.

Mobile devices should be protected from theft and where possible should have the ability to be remotely wiped of information when needed.

Section 7: Human Resources Security

The organisation should manage system access rights etc. for ‘new starters, promotion and leavers’, and should undertake suitable security awareness, training and educational activities.

7.1 Prior to Employment

Background verification checks should be carried out in accordance with relevant laws, regulations and ethics and should be proportionate to the business requirements, the classification of the information to be accessed and the perceived risks.

Security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff, through adequate job descriptions and pre-employment screening, and should be included in contracts (e.g. terms and conditions of employment and other signed agreements on security roles and responsibilities).

7.2 During Employment

The organisation should ensure that employees, contractors and third party users are properly briefed about information security threats and concerns and their responsibilities regarding information security should be defined. Employees and (if relevant) third party IT users should be made aware, educated and trained in security procedures. A formal disciplinary process is necessary to handle security breaches.

7.3 Termination and Change of Employment

Security aspects of a person’s exit from the organisation should be managed (e.g. the return of company assets and removal of access rights, change of access codes or passwords). Clearly some of the controls are different if the person has been dismissed and must leave the premises immediately.

Changes in role should be managed as the termination of the current responsibility or employment combined with the start of the new one.

Section 8: Asset Management

Assets associated with information and information processing should be identified and appropriate protection responsibilities defined.

8.1 Responsibility for Assets

The organisation should identify assets relevant in the lifecycle of information and document their importance. The lifecycle information should include creation, processing, storage, transmission, deletion and destruction. Documentation should be maintained in dedicated or existing inventories as appropriate.

The asset inventory should be accurate, up to date, consistent and aligned with other inventories.

Ownership of assets and their classification should be defined.

8.2 Information Classification

Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

It is usual to assess the effect of a compromise on confidentiality, integrity and availability.

Examples can be based on four levels:

  • Disclosure causes no harm – Public domain
  • Disclosure causes minor embarrassment or minor operational inconvenience – Official
  • Disclosure has a significant short term impact on operational or tactical objectives – Official Sensitive
  • Disclosure has a serious impact on long term strategic objectives or puts the survival of the organisation at risk – Secret

8.3 Media

To prevent unauthorised disclosure, modification, removal or destruction of information stored on media.

Removable media should be protected and stored in accordance with the organisation’s security classifications.

Media contents no longer required should be made unrecoverable.

If data confidentiality or integrity are important considerations then cryptographic techniques should be considered.

Registration of removable media should be considered to limit the opportunity for data loss.

Removable media drives should only be enabled if there is a business case for doing so.

Media that is no longer required should be disposed of securely. An audit trail of media disposals should be maintained.

Section 9: Access Control

Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorised use.

9.1 Business Requirement for Access Control

The organisation’s requirements to control access to information assets should be clearly documented in an access control policy, including for example job-related access profiles (role based access control). [This is an important obligation for information asset owners.]

9.2 User Access Management

The allocation of access rights to users should be controlled through formal user registration and administration procedures (from initial user registration through to removal of access rights when no longer required), including special restrictions over the allocation of privileges and the management of passwords, and regular access rights reviews.

9.3 User Responsibilities

Users should be made accountable for safeguarding their authentication information, e.g. keeping their secret authentication information confidential and not divulging it to any other party, including those in authority.

SSO (Single Sign-On) and other secret authentication information management tools reduce the amount of secret authentication information that users are required to protect, which can increase the effectiveness of this control. However, these tools can also increase the impact of a disclosure of secret authentication information.

9.4 System and Application Access Control

Access to information and application system functions should be restricted in accordance with the access control policy.

The following may be considered:

  • Providing menus to control access to application system functions;
  • Controlling which data can be accessed by a particular user;
  • Controlling read, write, delete and execute functions;
  • Controlling the access rights of other applications;
  • Limiting information contained in outputs;
  • Providing physical or logical access controls for the isolation of sensitive applications, application data or systems.

Password management systems should be employed to ensure that secure log-on procedures are followed, including the use of strong passwords and regular changing of these passwords.
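The role-based access control of 9.1 and 9.4 and the registration-to-removal lifecycle with regular access reviews of 9.2 (stated both here and in the earlier copy of these sections above) are easier to reason about when modelled in code. The following is an added Python example, not code from the original page or from the standard: a deny-by-default permission check over constructed role definitions (read, write, delete and execute per resource, as in the 9.4 list), a leaver routine that strips all roles (7.3), and a periodic review that flags rights not reviewed within a configurable window and leavers whose roles were never removed. The role names, resources, users, dates and the 90-day review interval are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed role definitions (an assumption, not from the standard):
# role -> resource -> operations permitted on it (9.4: read, write, delete, execute).
ROLE_PERMISSIONS = {
    "clerk":   {"invoices": {"read", "write"}},
    "auditor": {"invoices": {"read"}, "audit_log": {"read"}},
    "admin":   {"invoices": {"read", "write", "delete"},
                "audit_log": {"read"},
                "batch_jobs": {"execute"}},
}


@dataclass
class UserAccess:
    """One row of the user registration record (9.2)."""
    user: str
    roles: set
    granted_on: date
    last_reviewed: date
    active: bool = True  # False once the person has left (7.3)


def is_permitted(access: UserAccess, resource: str, operation: str) -> bool:
    """Deny by default: allow only if the user is active and at least one of
    their roles grants this operation on this resource."""
    if not access.active:
        return False
    return any(
        operation in ROLE_PERMISSIONS.get(role, {}).get(resource, set())
        for role in access.roles
    )


def access_review(registry, today: date, max_age_days: int = 90):
    """The regular access-rights review of 9.2: report active users whose
    rights were not reviewed within max_age_days, and leavers still holding roles."""
    findings = []
    for acc in registry:
        if acc.active and (today - acc.last_reviewed).days > max_age_days:
            findings.append((acc.user, "review overdue"))
        if not acc.active and acc.roles:
            findings.append((acc.user, "leaver still holds roles"))
    return findings


def offboard(access: UserAccess) -> UserAccess:
    """Leaver processing (7.3 / 9.2): deactivate the record and strip every role."""
    access.active = False
    access.roles = set()
    return access


# Constructed sample registry and reference date (assumptions for the demo).
TODAY = date(2024, 1, 31)
REGISTRY = [
    UserAccess("alice", {"clerk"},   date(2023, 6, 1), date(2024, 1, 15)),
    UserAccess("bob",   {"auditor"}, date(2023, 3, 1), date(2023, 9, 1)),
    UserAccess("carol", {"admin"},   date(2022, 1, 1), date(2024, 1, 10), active=False),
]

if __name__ == "__main__":
    print(is_permitted(REGISTRY[0], "invoices", "write"))   # clerk may write invoices
    print(is_permitted(REGISTRY[0], "invoices", "delete"))  # but may not delete them
    print(access_review(REGISTRY, TODAY))                   # bob overdue, carol not offboarded
    offboard(REGISTRY[2])
    print(access_review(REGISTRY, TODAY))                   # only bob remains
```

The check is deliberately deny-by-default: an inactive record or an unknown role grants nothing, so a missed offboarding step fails closed and is then caught by the review rather than silently leaving access in place.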

Section 10: Cryptography

A cryptography policy should be developed and implemented. This should include:

  • The level of protection required;
  • The type, strength, and quality of the encryption algorithm to be used;
  • Key management;
  • Integrity/authenticity, using digital signatures or message authentication codes.
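The last bullet, integrity/authenticity via a message authentication code, and the key management bullet above it (listed both here and in the earlier copy of Section 10) can be shown concretely. The following is an added Python example, not code from the original page or from the standard: HMAC-SHA256 over a framed message, a key ring indexed by a one-byte key identifier so keys can be rotated and retired without breaking verification under the keys that remain current, and constant-time tag comparison. The frame layout, the key identifiers and the fixed test keys are constructed assumptions; real keys would come from the key-management process the policy defines.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def new_key() -> bytes:
    """Generate a fresh 256-bit key from the OS CSPRNG (the key generation step)."""
    return secrets.token_bytes(32)


def protect(keyring: dict, key_id: int, message: bytes) -> bytes:
    """Frame = key_id (1 byte) || message || HMAC-SHA256(key, key_id || message).
    The key id is covered by the tag so it cannot be swapped undetected."""
    key = keyring[key_id]
    body = bytes([key_id]) + message
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify(keyring: dict, frame: bytes):
    """Return the message if the tag is valid under a key still in the ring,
    otherwise None (tampered, truncated, wrong key, or retired key id)."""
    if len(frame) < 1 + TAG_LEN:
        return None
    key = keyring.get(frame[0])
    if key is None:
        return None  # unknown or retired key: reject rather than guess
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return body[1:]


def rotate(keyring: dict, new_id: int, retire_id=None) -> dict:
    """Key management step: add a new key and optionally retire an old one.
    Returns a new ring; frames protected under a retired key no longer verify."""
    ring = dict(keyring)
    ring[new_id] = new_key()
    if retire_id is not None:
        ring.pop(retire_id, None)
    return ring


# Constructed, fixed test keys (an assumption for a repeatable demo; never use fixed keys in practice).
KEYRING = {1: b"\x01" * 32, 2: b"\x02" * 32}

if __name__ == "__main__":
    frame = protect(KEYRING, 2, b"transfer 100 to account 42")
    print(verify(KEYRING, frame))                          # b'transfer 100 to account 42'
    bad = bytearray(frame)
    bad[10] ^= 0x01
    print(verify(KEYRING, bytes(bad)))                     # None: one flipped bit in the message
    print(verify(rotate(KEYRING, 3, retire_id=2), frame))  # None: key 2 has been retired
```

Note that a MAC gives integrity and origin authentication only to parties who share the key; where non-repudiation towards a third party is needed, the policy would call for a digital signature instead, as the bullet list allows.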

Section 11: Physical and Environmental Security

Critical or sensitive information processing facilities should be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc. They should also be sited to prevent unauthorised viewing of confidential matter.

There is a need for concentric layers of physical controls including barriers, walls, card controlled entry gates or manned reception desks (rather like an onion) to protect sensitive IT facilities from unauthorised access.

A secure area may be a lockable office, a computer room or several rooms surrounded by a continuous internal physical security barrier.

Critical IT equipment, cabling and other assets should be protected against physical damage, fire, flood, theft, and interception etc., both on and off-site.

Power supplies and cabling should be secured. IT equipment should be maintained properly and disposed of securely.

Access to and within application systems should be controlled in accordance with a defined access control policy. Particularly sensitive applications may require dedicated (isolated) platforms, and/or additional controls if run on shared platforms.

The application of physical controls should be adapted to the technical and economic circumstances of the organisation.

11.2 Equipment

To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.

This includes the siting of equipment to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access.

Supporting utilities should be inspected regularly to detect damage and malfunction.

Cabling should be protected and checked for unauthorised interception.

Clear desk and clear screen policies should be in use.

Section 12: Operations Security

This is a big clause and it covers all aspects of operations security.

To ensure correct and secure operations of information processing facilities.

Documented operating procedures should be available to all users who need them.

Change control procedures should be used to record and authorise changes to the organisation, business processes, information processing facilities and systems that can affect information security.

Capacity should be monitored and tuned, and projections made of future capacity requirements to ensure the required system performance.

12.2 Protection from malware

To ensure that information and information processing facilities are protected from viruses and other malware.

12.3 Backup

Systems should be backed up to protect against data loss.

12.4 Logging and monitoring

To record events and generate evidence.

12.5 Control of operational software

To ensure the integrity of operational systems.

12.6 Technical vulnerability management

To prevent exploitation of technical vulnerabilities.

12.7 Information systems audit considerations

To minimise the impact of audit activities on operational systems.

Section 13: Communications security

This is a big clause and covers all aspects of communications security.

To ensure the protection of information in networks and its supporting information processing facilities.

Section 14: Information Systems Acquisition, Development and Maintenance

To ensure that information security takes into account the systems development lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems.

14.1 Information Security Requirements analysis and specifications

Automated and manual security control requirements should be analysed and fully identified during the requirements stage of the systems development or acquisition process, and incorporated into business cases.

Purchased software should be formally tested for security, and any issues risk-assessed.

14.2 Security in development and support processes

To ensure that information security is designed and implemented within the development lifecycle of information systems. This covers a secure development policy, change control procedures, technical review of applications after operating platform changes, restrictions on changes to software packages, secure system engineering principles, a secure development environment, supervision of outsourced development, and security and acceptance testing.

14.3 Test data

To ensure the protection of data used for testing. Test data should be selected carefully, protected and controlled. The use of operational data containing personal or other confidential information for testing should be avoided; if it is used, sensitive details should be removed or modified, the same access controls applied as in production, each copy authorised and logged, and the data erased once testing is complete.

Section 15: Supplier relationships

This section, new in the 2013 edition, covers information security in supplier relationships: a policy for supplier access to the organisation's assets, security requirements written into supplier agreements, and the ICT supply chain (15.1); and the management of supplier service delivery, meaning regular monitoring, review and audit of the services and control of changes to them (15.2).

Section 16: Information Security Incident Management

Information security events, incidents and weaknesses (including near-misses) should be promptly reported and properly managed.

16.1 Reporting Information Security Events and Weaknesses

A formal incident/weakness reporting procedure is required, plus the associated response and escalation procedures. There should be a central point of contact, and all employees, contractors etc. should be informed of their incident reporting responsibilities. Feedback to the person reporting an incident should take place.

16.2 Management of Information Security Incidents and Improvements

Responsibilities and procedures are required to manage incidents and weaknesses effectively, to implement continuous improvement (learning the lessons), and to collect evidence in accordance with legal requirements.

Section 17: Information Security Aspects of Business Continuity Management

This section describes the objective to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. A business continuity management process should be implemented to minimise the impact on the organisation and recover from the loss of information assets.

The controls address the relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans, and (17.2) require information processing facilities to have enough redundancy to meet availability requirements. These controls are designed to minimise the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.

Section 18: Compliance

18.1 Compliance with Legal and Contractual Requirements

The organisation must comply with applicable legislation such as copyright, data protection, protection of financial data and other vital records, cryptography restrictions, rules of evidence etc.

18.2 Information Systems Reviews

System audits should be carefully planned to minimise disruption to operational systems. Powerful audit tools/facilities must also be protected against unauthorised use.

The scammers are getting really creative.

The latest type is again from an Indian-sounding woman saying that she understands that businesses have been getting scam calls about the withdrawal of internet services or the shutting down of computer systems, and that this is an information call to warn users to be aware.

She kindly suggests that she has a system which will block these calls and all that is needed is a credit card number and authorisation code or details to set up a direct debit.

There has been a huge increase in these types of calls and clearly, they must have been successful or it simply wouldn’t pay.

We can’t wait to see what the next iteration will sound like.

If in doubt put the phone down. A genuine caller will call again.

All the new management standards which follow the Annex SL format (ten identically numbered clauses, 1 to 10) require risks and opportunities to be determined.

At first this looks complicated as risk assessment is a vast subject, but in reality, risks and opportunities can be addressed very simply.

The first part is to carry out a SWOT analysis of the organisation:

  • Strengths – what does the organisation do really well, or what makes it stand out amongst its competitors?
  • Weaknesses – what areas does the organisation identify as weak?
  • Opportunities – where can the organisation look for new challenges or new areas of operation or sales?
  • Threats – what does the organisation identify as threats to the business?

Then a PESTLE analysis:

  • Political – what political factors are likely to affect the organisation?
  • Economic – what economic factors will affect the organisation?
  • Sociological – what cultural or social aspects are likely to affect the organisation?
  • Technological – what technological issues or advancements may affect the organisation?
  • Legal – what current and impending legislation or regulation will affect the organisation?
  • Environmental – what environmental issues may affect the organisation?

Once these elements have been identified, a plan can be made to address the negative parts while emphasising the positive parts.

Simple really.

The official blog for independent Management Training
Consultancy, Quality Matters Limited.


There is increasing pressure from customers for any supplier (external provider) to show that a robust information security management system is in place to ensure that data is kept confidential, its integrity is assured and it is available when required. This CIA triad is the cornerstone of the information security management standard ISO 27001.

The standard consists of a number of requirements, structured according to Annex SL:
ISO 27001:2013 – Requirements

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

However, the nuts and bolts of the system are contained in the ISO 27002 code of practice:
ISO 27002:2013 – Code of Practice

  1. Scope
  2. Normative references
  3. Terms and definitions 
  4. Structure of this standard
  5. Information security policies
  6. Organization of information security
  7. Human resource security
  8. Asset management
  9. Access control
  10. Cryptography
  11. Physical and environmental security
  12. Operations security
  13. Communications security
  14. System acquisition, development and maintenance
  15. Supplier relationships
  16. Information security incident management
  17. Information security aspects of business continuity management
  18. Compliance

Once these requirements have been met, an independent and accredited certification body will assess the system and, if it is compliant, issue a certificate.

A certificate issued in the UK by a UKAS-accredited certification body is recognised worldwide and confirms that the holder takes information security seriously and can be trusted to look after data.


It may be that people are more gullible at this time of year but it seems that the number of scams is on the rise.  We have had a number of telephone calls where the caller is trying to encourage us to buy bitcoins, transfer pensions or invest in various schemes. They are wasting their time, when we mention what we do as Management Consultants in security.

However, they are getting far smarter in their approach, masquerading as police, insurance companies, banks and other organisations. Fear of loss is played upon to persuade us to transfer our money or other valuables in one form or another.

We have also received a number of bogus invoices, followed up with chasing emails. The emails contain a link to "query the invoice"; the link tries to download malware which can compromise computer systems.

The GDPR has spawned quite a number of scams in which you are asked for details of customers, suppliers and staff "to validate your compliance with GDPR".

And an old scam has raised its head again: an email, apparently from a senior member of staff who is out of the office and not contactable, directs accounts to remit a payment urgently. The sender's address has been spoofed, or the account itself compromised, and the payment goes to the scammer.

This is the time of year when a good review of computer security should take place as well as:

  • A review of  antivirus systems
  • A review of  anti-malware systems
  • Training in the identification of bogus callers and scams
  • A review of the systems for processing payments of invoices, in particular a rule that any new or changed bank details, or any urgent payment request, is confirmed by calling back on a number already held on file rather than one given in the email
  • Training in GDPR to show what is required and conversely what should not be released.


The ISO 27001:2013 information security management standard calls for controls on removable media to stop unauthorised access to, or transfer of, data.

There have been cases where a disgruntled employee downloads data containing commercial information onto some form of portable memory device just before leaving employment. This can be customer information, product information, designs or drawings.

The compromise of these documents can be very damaging for the employer. It does not matter that the employee has signed a confidentiality agreement because the damage is done. If this data contains personal information, then the company can also be held liable under data protection law (the Data Protection Act and the GDPR).

Most security-minded employers who wish to prevent data downloads can stop any transfer of data to a USB stick or other removable storage device through Group Policy, applied from the domain when the machine starts up. This blocks USB storage devices rather than the ports themselves, so the ports can still be used for a keyboard or mouse. The policy is only as strong as its enforcement: a local administrator can undo it, so administrator rights on workstations should be restricted and the setting checked as part of routine audits.
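As an added example (not code from the original post), the script below applies and audits the registry values that the Removable Storage Access policy writes when it is set through Group Policy. The policy root, the Removable Disks device class GUID and the USBSTOR service key are the ones Windows uses; the function names are my own. Run it in an elevated PowerShell session on a test machine; in a domain the same settings belong in a GPO, which overwrites local values at the next policy refresh.

```powershell
# Added example: enforce and check removable-storage restrictions locally.
# These registry values are what the Group Policy setting
#   Computer Configuration > Administrative Templates > System > Removable Storage Access
# writes; a domain GPO should be the real source of truth.
# Not code from the original post. Requires an elevated session.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID for "Removable Disks" (USB sticks, card readers).
# Phones and media players that enumerate as WPD/MTP devices are a different class.
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskPolicy {
    <# Deny read, write and/or execute on removable disks. Switches that are
       not given are written as 0, so the function is idempotent. #>
    param(
        [switch]$DenyRead,
        [switch]$DenyWrite,
        [switch]$DenyExecute
    )
    $key = Join-Path $PolicyRoot $RemovableDisksClass
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $settings = @{
        Deny_Read    = $DenyRead.IsPresent
        Deny_Write   = $DenyWrite.IsPresent
        Deny_Execute = $DenyExecute.IsPresent
    }
    foreach ($entry in $settings.GetEnumerator()) {
        New-ItemProperty -Path $key -Name $entry.Key -PropertyType DWord `
            -Value ([int]$entry.Value) -Force | Out-Null
    }
}

function Set-AllRemovableStorageDenied {
    <# "All Removable Storage classes: Deny all access" - the blunt option,
       covering every removable class including WPD devices. #>
    param([bool]$Enabled = $true)
    if (-not (Test-Path $PolicyRoot)) { New-Item -Path $PolicyRoot -Force | Out-Null }
    New-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

function Get-RemovableStoragePolicy {
    <# Report the registry state as a single object, for an audit. #>
    $key = Join-Path $PolicyRoot $RemovableDisksClass
    $state = [ordered]@{}
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $state[$name] = ($null -ne $prop -and [int]$prop.$name -eq 1)
    }
    $all = Get-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -ErrorAction SilentlyContinue
    $state['Deny_All'] = ($null -ne $all -and [int]$all.Deny_All -eq 1)
    # The older approach of disabling the USB storage driver outright: Start=4 means disabled.
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name Start -ErrorAction SilentlyContinue
    $state['USBSTOR_driver_disabled'] = ($null -ne $usbstor -and [int]$usbstor.Start -eq 4)
    [pscustomobject]$state
}

# Typical use: staff may still read a vendor's stick but cannot copy data onto one
# or run anything from it.
Set-RemovableDiskPolicy -DenyWrite -DenyExecute
Get-RemovableStoragePolicy | Format-List
```

The setting is evaluated when a device is attached, so devices already plugged in need to be reconnected, or the machine rebooted, before the restriction applies. Deny_Write on the Removable Disks class leaves keyboards and mice untouched because they are not storage devices, but it does not cover phones presenting as WPD devices; use Deny_All, or the WPD entries of the same policy, if those matter. Removable media is only one exit route for data: webmail and personal cloud storage need their own controls.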

I am constantly surprised that companies that are normally careful with computer data have no firm policy on removable or portable memory devices.

A less effective method would be to have a "no USB memory stick" condition in the employee's terms and conditions, but this needs to be policed and relies on the employee complying.

I have spoken here about USB sticks but this applies equally to SD cards, iPods, etc. The relatively large capacity of these devices, often many gigabytes, means that a considerable amount of data can be downloaded.

Security of data must be extended to portable memory devices.


ISO 27001 has been very effective in preventing or mitigating data breaches and the risk of ransomware.

Ransomware is malware that gets onto your server, PC, laptop or tablet, searches for data files such as Word and Excel documents and encrypts them with a key held only by the criminal. The criminal then demands a payment in return for the key, usually in Bitcoin, which is hard to trace. In some cases the key is not handed over even after payment, so you are out of pocket and still locked out of your systems. If you don't have excellent computer backup systems then you are in real trouble, and the backups must be kept where the ransomware cannot reach them, because it will encrypt or delete any backup that is reachable from the infected machine.

The recent attacks paralysed the NHS and other organisations around the world. It was apparent that organisations still using Windows XP, by then unsupported and unpatched, were particularly vulnerable.

The information security standard ISO 27001:2013 looks quite easy to achieve on the face of it, but the code of practice in ISO 27002 tells a different story: it details how each control in the standard can be achieved.

Being certified to ISO 27001 makes compliance with the new GDPR (General Data Protection Regulation) much easier.

The route to ISO 27001 certification is certainly not cheap, but trying to "do it yourself" is fraught with obstacles.

We at Quality Matters have been providing ISO 27001 consultancy for many years and can boast that all of our clients who went forward to certification passed the assessment at the first attempt. We also provide auditing and preparation for the GDPR.

The risks of data loss or compromise can be very expensive indeed, and the cost of putting in a robust system is far outweighed by the cost of non-compliance. Damage to reputation can put an organisation out of business, not to mention GDPR fines of up to twenty million euros or 4% of global annual turnover, whichever is higher.

Please contact us if you need any help with ISO 27001 and/or the GDPR.
