ISO/IEC 27000 series
The ISO and International Electrotechnical Commission (IEC) jointly publish a set of standards describing organizational ISMS and the security controls such systems contain. In the ISMS context, the word system denotes a set of explicit, standard, repeatable processes and activities for security management, not a type of technology solution. Originally created in 1995 as British Standard 17799, this framework was revised in 1998 and adopted by the International Standards Organization in 1999 as ISO 17799. After being significantly revised again in 2005, the 17799 standard was formally converted to two related ISO/IEC standards, 27001 and 27002, and became the cornerstone of a broader set of information security management standards collectively known as the 27000 series. ISO/IEC 27001 specifies requirements for an information security management system, while ISO/IEC 27002 provides the security control framework. ISO/IEC 27001 incorporates the PDCA process flow introduced in Chapter 2, adapted to become an ISMS life cycle [25]:
● Plan → Establish the ISMS
● Do → Implement and operate the ISMS
● Check → Monitor and review the ISMS
● Act → Maintain and improve the ISMS
ISO/IEC 27002 specifies a security control hierarchy comprising 11 main security “clauses,” 39 security categories, and 133 distinct security controls. Table 9.10 lists the security categories in the framework, grouped by clause.
From an auditing perspective, the ISO/IEC security management standards have a role in both internal and external audits. In internal audits, organizations that implement ISMS conforming to the ISO/IEC standards can use the standards as a baseline for evaluating security controls as implemented in the organization. Some organizations choose to seek ISO/IEC 27001 certification of their ISMS—essentially an objective determination that their ISMS satisfies the requirements in ISO/IEC 27001. To achieve such certification, an organization needs to have its ISMS evaluated (i.e., audited for compliance) by an external organization with the authority to award certification. These certifying bodies must be accredited by ISO, a prerequisite that invokes compliance with other standards, including ISO/IEC 27006 and ISO/IEC 17021, both of which specify requirements for organizational entities performing audit and certification of management systems [27,28]. ISO/IEC 17021 is more general, covering all types of management systems (quality, environmental, etc.), while ISO/IEC 27006 explicitly covers ISMS.
190 CHAPTER 9 Methodologies and Frameworks
Table 9.10 ISO/IEC 27002 Security Clauses and Categories [26]

| Security Clause | Security Categories |
|---|---|
| Security Policy | Management Direction |
| Organizing Information Security | Internal Organization; External Parties |
| Asset Management | Responsibility for Assets; Information Classification |
| Human Resources Security | Prior to Employment; During Employment; Termination of Employment |
| Physical and Environmental Security | Secure Areas; Equipment Security |
| Communications and Operations Management | Operational Procedures and Responsibilities; Third Party Service Delivery Management; System Planning and Acceptance; Protection Against Malicious and Mobile Code; Back-up; Network Security Management; Media Handling; Exchange of Information; Electronic Commerce Services; Monitoring |
| Access Control | Business Requirement for Access Control; User Access Management; User Responsibilities; Network Access Control; Operating System Access Control; Application and Information Access Control; Mobile Computing and Teleworking |
| Information Systems Acquisition, Development and Maintenance | Security Requirements of Information Systems; Correct Processing in Applications; Cryptographic Controls; Security of System Files; Security in Development and Support Processes; Technical Vulnerability Management |
| Information Security Incident Management | Reporting Information Security Events and Weaknesses; Management of Information Security Events and Improvements |
| Business Continuity Management | Information Security Aspects of Business Continuity Management |
| Compliance | Compliance with Legal Requirements; Compliance with Security Policies and Standards, and Technical Compliance; Information Systems Audit Considerations |
Security Control Assessment Frameworks 191
When discussing ISO/IEC 27001 certification, it is important to distinguish the subject of the certification to avoid potential confusion. Organizations can seek ISO/IEC 27001 certification for their ISMS through an evaluation process conducted by a certifying body accredited by ISO. Separate from any organizational designation, individuals can obtain professional certifications related to the standard, such as ISO/IEC 27001 Lead Auditor or ISO/IEC 27001 Lead Implementer, which attest, respectively, to knowledge and qualifications related to auditing organizations for compliance against the standard or implementing ISMS in conformance with the standard.