ISO 27002:2005

Information is an asset that needs to be suitably protected. Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions.

An organization needs to establish an ISMS in order to be able to mange the various aspects of information security. Part of that is the identification of security requirements – these are mainly derived from:

• Assessing risks to the organization
• Legal, statutory, regulatory, and contractual requirements
• The set of principles, objectives and business requirements for information processing that an organization has developed to support its operations

Based on the identified security requirements, an organization then selects the security controls to achieve the desired risk level. What’s left is the residual risk, which is the amount of jeopardy an organization is willing to take (risk appetite).

This is where the ISO 27002 comes into play. It contains 11 security control clauses collectively containing a total of 39 main security categories with a bunch of objectives, controls and executive actions introducing risk assessment and treatment.

Controls considered being essential to an organization from a legislative point of view, due to the fact that most organization must comply with a couple of laws/regulations:

• data protection and privacy
• protection of organizational records
• intellectual property rights

The eleven clauses (accompanied with the number of main security categories included within each clause) are:

a) Security Policy (1)
b) Organizing Information Security (2)
c) Asset Management (2)
d) Human Resources Security (3)
e) Physical and Environmental Security (2)
f) Communications and Operations Management (10)
g) Access Control (7)
h) Information Systems Acquisition, Development and Maintenance (6)
i) Information Security Incident Management (2)
j) Business Continuity Management (1)
k) Compliance (3)

Each main security category consists of:

• a control objective stating what is to be achieved; and
• one or more controls that can be applied to achieve the control objective

Control descriptions are structured as follows:

• Control - the specific control statement to satisfy the control objective
• Implementation guidance - detailed information to support the implementation of the control and meeting the control objective
• Other information - provides further information that may need to be considered

Basic risk management

Risk assessments should identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. Risk assessments should also be performed periodically to address changes in the security requirements and in the risk situation. The scope of a risk assessment can be either the whole organization, parts of the organization, an individual information system, specific system components, or services.

Treating security risks

Before considering the treatment of a risk, the organization should decide criteria for determining
whether or not risks can be accepted. For each of the risks identified following the risk assessment a risk treatment decision needs to be made. Possible options for risk treatment include:

• Applying appropriate controls to reduce the risks
• Avoiding risks by not allowing actions that would cause the risks to occur
• Transferring the associated risks to other parties, e.g. insurers or suppliers
• Knowingly and objectively accepting risks

Where it has been decided to implement appropriate controls to reduce risks, controls
should be selected and implemented to meet the requirements identified by a risk assessment. Controls should ensure that risks are reduced to an acceptable level taking into account requirements of local and/or international laws and regulations, organizational objectives, requirements and constraints, and of course costs of controls.

Controls can be selected from this standard ISO 27002 or from any other control set, or new controls can be designed to meet the specific needs of the organization. The “Grundschutz” approach from the Bundesamt für Sicherheit in der Informationstechnik (BSI) is generally considered being effective and efficiency. By applying a standard set of controls a general level of information security can be achieved. Special controls are applied to protection objects with elevated security requirements only, as a result of a extended security analysis.

It should be kept in mind that no set of controls can achieve complete security, and that additional management action should be implemented to monitor, evaluate, and improve the efficiency and effectiveness of security controls to support the organization’s aims.

Clauses and security categories

In the following the 11 clauses and 39 main security categories from the ISO 27002 standard. Keep in mind, these are not the controls, it would be beyond the scope of this article to name them all – please refer to the standard for an overview.

Security policy

Information security policy

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

Organization of information security

Internal organization

Objective: To manage information security within the organization.

External parties

Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

Asset management

Responsibility for assets

Objective: To achieve and maintain appropriate protection of organizational assets.

Information classification

Objective: To ensure that information receives an appropriate level of protection.

Human resources security

Prior to employment

Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

During employment

Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

Termination or change of employment

Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

Physical and environmental security

Secure areas

Objective: To prevent unauthorized physical access, damage, and interference to the organization’s premises and information.

Equipment security

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities.

Communications and operations management

Operational procedures and responsibilities

Objective: To ensure the correct and secure operation of information processing facilities.

Third party service delivery management

Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

System planning and acceptance

Objective: To minimize the risk of systems failures.

Protection against malicious and mobile code

Objective: To protect the integrity of software and information.

Back-up

Objective: To maintain the integrity and availability of information and information processing facilities.

Network security management

Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.

Media handling

Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.

Exchange of information

Objective: To maintain the security of information and software exchanged within an organization and with any external entity.

Electronic commerce services

Objective: To ensure the security of electronic commerce services, and their secure use.

Monitoring

Objective: To detect unauthorized information processing activities.

Access control

Business requirement for access control

Objective: To control access to information.

User access management

Objective: To ensure authorized user access and to prevent unauthorized access to information systems.

User responsibilities

Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.

Network access control

Objective: To prevent unauthorized access to networked services.

Operating system access control

Objective: To prevent unauthorized access to operating systems.

Application and information access control

Objective: To prevent unauthorized access to information held in application systems.

Mobile computing and teleworking

Objective: To ensure information security when using mobile computing and teleworking facilities.

Information systems acquisition, development and maintenance

Security requirements of information systems

Objective: To ensure that security is an integral part of information systems.

Correct processing in applications

Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.

Cryptographic controls

Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.

Security of system files

Objective: To ensure the security of system files.

Security in development and support processes

Objective: To maintain the security of application system software and information.

Technical Vulnerability Management

Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

Information security incident management

Reporting information security events and weaknesses.

Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.

Business continuity management

Information security aspects of business continuity management

Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

Compliance

Compliance with legal requirements

Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.

Compliance with security policies and standards, and technical compliance

Objective: To ensure compliance of systems with organizational security policies and standards.

Information systems audit considerations

Objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.