NB and the ISO/IEC 27000 standards

Introduction

“International standard ISO/IEC 27002:2005 - Information technology - Security techniques - Code of practice for information security management”, to give it its full title, is the most influential and widely adopted information security standard in the world. This web page explains how NoticeBored conforms with, and supports the implementation of, ISO/IEC 27002 and related standards.

A brief history of BS 7799, ISO/IEC 17799 and the new ISO/IEC 27000 series information security standards

BS 7799-1 -> ISO/IEC 17799 -> ISO/IEC 27002

The history of ISO/IEC 27002 traces back to a code of practice published by the UK Department of Trade and Industry, itself based heavily on an internal security standard used by an oil company. It was formally released by the British Standards Institution (BSI) as BS 7799 in 1995 and became the ISO/IEC standard ISO/IEC 17799 in 2000. ISO/IEC 17799 was revised and reissued in June 2005 and in April 2007 was renumbered ISO/IEC 27002 to bring it into line with the new family of Information Security Management System standards.

ISO/IEC 27002 is a generic, advisory document, not a formal specification standard. It lays out a well structured and reasonably comprehensive set of controls to address information security risks, covering confidentiality, integrity and availability aspects. Organizations that adopt ISO/IEC 27002 must assess their own information security risks and apply suitable controls, using the standard for guidance. Strictly speaking, none of the controls are mandatory but if an organization chooses not to adopt something as common as, say, antivirus controls, they should be able to demonstrate that this decision was reached through a rational process, not just an oversight.

Like governance, information security is a broad topic with ramifications in all parts of the modern organization. It is relevant to all types of organization including commercial enterprises of all sizes (from one-man-bands up to multinational giants), not-for-profits, charities, universities, government departments and quasi-autonomous bodies - in fact any organization that handles and depends on information. The specific information security requirements may be different in each case but the point of ISO/IEC 27002 is that there is a lot of common ground.

ISO/IEC 27001 (formerly known as BS 7799 Part 2)

BS 7799 spawned a second part during 1999, and that became an ISO/IEC standard ISO/IEC 27001 in 2005. ISO/IEC 27001 is the formal standard against which organizations may seek independent certification. A number of certification bodies are accredited by national standards bodies to review compliance with the standard and issue recognized certificates. Certification is entirely optional but is increasingly being demanded from suppliers and business partners by organizations that are concerned about information security.

Certification against ISO/IEC 27001 brings a number of benefits above and beyond simple compliance, in much the same way that an ISO 9000-series certificate says more than “We are a quality organization”. Independent assessment necessarily brings some rigor and formality to the implementation process (implying improvements to information security and all the benefits that brings through risk reduction), and invariably requires management approval (which is an advantage in security awareness terms, at least!). The certificate has marketing potential and should help assure most business partners of the organization’s status with respect to information security without the necessity of conducting their own security reviews.

BS 7799-3

“BS 7799-3:2006 - Information security management systems - Guidelines for information security risk management” is a recent British Standard. It offers guidance on the risk management aspects of ISO/IEC 27001, namely:

  • Assessing/evaluating risks;
  • Implementing appropriate controls;
  • Monitoring and reviewing risks on an ongoing or periodic basis; and
  • Maintaining and continuously improving the system of controls.

BS 7799-3 seeks to address information security risks within the wider context of business risks. Linking information security with commercial objectives is a good way to counter the traditional, rather negative view of security controls: controls reduce risk and thereby not only reduce potential losses but also give management the confidence to expand in ways that might otherwise be avoided.

Other ISO/IEC 27000 standards

Details are sketchy at present but it looks as if there will be at least a dozen information security management standards in the ISO/IEC 27000-series by 2010 (standards with dates in this list have been issued, the rest are in draft):

  • ISO/IEC 27000 - an overview of the ISO/IEC 27000 series and definitions of the specific technical vocabulary used in these standards;
  • ISO/IEC 27001:2005 - the ISMS (information security management system) certification standard;
  • ISO/IEC 27002:2005 - the ‘code of practice’ giving good practice advice on information security controls;
  • ISO/IEC 27003 - guidance for those implementing the ISO/IEC 27000-series standards;
  • ISO/IEC 27004 - information security management metrics and measurement;
  • ISO/IEC 27005 - an overall approach (if not specific tools or methods) for information security risk management;
  • ISO/IEC 27006:2007 - the accreditation process for organizations that certify others compliant with ISO/IEC 27001;
  • ISO/IEC 27007 - guidance on auditing ISMSs;
  • ISO/IEC 27031 - a business continuity standard;
  • ISO/IEC 27032 - guidelines for cybersecurity;
  • ISO/IEC 27033 - the proposed new name for ISO/IEC 18028 on IT network security;
  • ISO/IEC 27034 - guidelines for application security;
  • ISO/IEC 27799 - health sector-specific implementation guidance for ISO/IEC 27002.

Please visit www.ISO27001security.com for further details on the ISO/IEC 27000-series information security standards.

Using ISO/IEC 27002 as a policy framework

The information security policy set

Does your organization have a comprehensive set of information security policies, standards, guidelines and procedures? Is the manual well-written, interesting and engaging, widely understood and proactively supported by managers and staff? Is it up-to-date, covering issues such as phishing, for example? If so, congratulations to you: you have shown an outstanding commitment to information security. Your organization can safely do business that many others would find far too risky. If not, you are missing an opportunity - specifically, you are well advised to build an information security management system and policy manual around ISO/IEC 27002, and supplement it with technical standards, procedures and guidelines.

ISO/IEC 27002 provides a well-engineered structure for information security management. The structure makes sense and is reasonably comprehensive in coverage. Even so, ISO/IEC 27002 contains numerous internal cross-references, reflecting the fact that certain issues span more than one section of the standard. Take IT change control for example: ISO/IEC 27002 section 12.5.1 (“Change control procedures”) is the main focal point for this topic. 12.5.1 explicitly refers to sections 10.1.1 (“Documented operating procedures”), 10.1.2 (“Change management”) and 10.1.4 (“Separation of development, test, and operational facilities”) within section 10 (“Communications and operations management”). It also references section 12.6 (“Technical vulnerability management”) within section 12 (“Information systems acquisition, development and maintenance”). Our policy manual therefore incorporates hyperlinks to make navigation easy.

ISO/IEC 27002 coverage of technical and procedural controls

Information security is not achievable purely by implementing technical security controls. Virus infections, for instance, are still a significant risk even for organizations that have antivirus software in place. Keeping the software up-to-date, configuring the software correctly, and dealing with infections that the software identifies are procedural aspects involving people. Furthermore, antivirus software is not a total solution to the virus risk - additional controls such as backups and contingency plans are generally necessary to reduce the residual risks to an acceptable minimum. ISO/IEC 27002 consistently advises the implementation of appropriate policies and procedures in addition to technical security measures.

ISO/IEC 27002 coverage of information security awareness

Security awareness is very much an integral part of an ISO/IEC 27001-certified information security management system. A recurring theme throughout the standards is that people in an organization must be made aware of the security policies, procedures and control requirements that they are expected to uphold.

ISO/IEC 27002 section 8.2.2 (Information security awareness, education and training) is the most directly relevant section, recommending that “All employees of the organization and, where relevant, contractors and third parties should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function”. It goes on to recommend “a formal induction process” and “ongoing training”. It suggests the need to educate employees on known threats and who to contact in the event of a security incident.

As with many other important topics, ISO/IEC 27002’s coverage of security awareness is not limited to this one section but is distributed throughout the text:

  • Information security awareness, training and education is one of seven common practice controls listed in section 0.6 (Information security starting point);
  • In section 0.7 (Critical success factors), “Effective marketing of information security to all managers, employees, and other parties to achieve awareness” and “providing appropriate awareness, training, and education” are two of the ten critical success factors;
  • Section 5.1.1 (Information security policy document) acknowledges that raising security awareness and informing employees about management requirements is an important function of policies;
  • Section 6.1.1 (Management commitment to information security) tells management to “initiate plans and programs to maintain information security awareness”;
  • Section 6.1.2 (Information security co-ordination) says one of the duties of the information security management/co-ordination function is to “effectively promote information security education, training and awareness throughout the organization”;
  • Section 6.2.1 (Identification of risks related to external parties) notes “It should be ensured that the external party is aware of their obligations, and accepts the responsibilities and liabilities involved in accessing, processing, communicating, or managing the organization’s information and information processing facilities”;
  • Section 6.2.3 (Addressing security in third party agreements) recommends “ensuring user awareness for information security responsibilities and issues”. It further recommends “user and administrator training in methods, procedures, and security”;
  • The control objective stated in section 8.2 ([Human resources security] during employment) is “To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error”. It continues “An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks.”
  • Section 8.2.1 (Management responsibilities) advises management to ensure that employees, contractors and third party users “achieve a level of awareness on security relevant to their roles and responsibilities within the organization” [because] “If employees, contractors and third party users are not made aware of their security responsibilities, they can cause considerable damage to an organization. Motivated personnel are likely to be more reliable and cause less information security incidents”;
  • Section 9.2.7 (Removal of property) says “Individuals should be made aware if spot checks are carried out”;
  • Section 10.4 (Protection against malicious and mobile code) says very directly that “Users should be made aware of the dangers of malicious code. Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented”;
  • Section 10.8.1 (Information exchange policies and procedures) warns “Information could be compromised due to lack of awareness, policy or procedures on the use of information exchange facilities”;
  • Section 11.3 (User responsibilities) states that “The co-operation of authorized users is essential for effective security. Users should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment”;
  • Section 11.3.2 (Unattended user equipment) recommends “All users should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection”;
  • Section 11.7.1 (Mobile computing and communications) says “Training should be arranged for personnel using mobile computing to raise their awareness on the additional risks resulting from this way of working and the controls that should be implemented”;
  • Section 12.6.1 (Control of technical vulnerabilities) states “if no patch is available, other controls should be considered, such as ... raising awareness of the vulnerability”;
  • The control objective in section 13.1 (Reporting information security events and weaknesses) mentions that “All employees, contractors and third party users should be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of organizational assets”;
  • Section 13.1.1 (Reporting information security events) continues “All employees, contractors and third party users should be made aware of their responsibility to report any information security events as quickly as possible. They should also be aware of the procedure for reporting information security events and the point of contact”. It also notes that “information security incidents can be used in user awareness training”;
  • “Appropriate education of staff in the agreed procedures and processes, including crisis management” is one of the purposes of continuity plans listed in section 14.1.3 (Developing and implementing continuity plans including information security);
  • Section 14.1.4 (Business continuity planning framework) advises that a BCP framework should include, amongst other things, “awareness, education, and training activities which are designed to create understanding of the business continuity processes and ensure that the processes continue to be effective”;
  • Section 15.1.2 (Intellectual property rights) includes the guideline “maintaining awareness of policies to protect intellectual property rights”;
  • Section 15.1.4 (Data protection and privacy of personal information) notes “Responsibility for handling personal information and ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulations”;
  • Section 15.1.5 (Prevention of misuse of information processing facilities) advises that “All users should be aware of the precise scope of their permitted access and of the monitoring in place to detect unauthorized use”.

However you look at it, information security awareness is an essential component of an ISO/IEC 27002-compliant and ISO/IEC 27001-certified information security management system.

ISO/IEC 27001/2 and NoticeBored

Both NoticeBored Plus and NoticeBored Classic reflect ISO/IEC 27001 and 27002 and support implementation of the standards.

NoticeBored Plus for ISO/IEC 27002 policy management

NoticeBored Plus incorporates a complete set of best-practice template information security policies and standards based directly on ISO/IEC 27002. This therefore provides an efficient way of implementing the ISO/IEC standard, much quicker than writing your own materials from scratch. You can select and customize the generic policies at any time to suit your own specific requirements and publish them on your intranet. Because of the tightly integrated policy management system, the associated standards, training modules, awareness tests etc. are automatically updated as you update the policy rules.

The software partner that supplies the intranet system for NoticeBored Plus is itself ISO/IEC 27001 certified.

NoticeBored Classic for awareness of information security risks and controls

NoticeBored Classic awareness materials reflect ISO/IEC 27002 in general and, where applicable, specifically reference the standard.

NoticeBored Classic is slightly broader in scope than ISO/IEC 27002 in some areas (such as IT governance and change management) but centers on exactly the same core issues of risks and controls relating to confidentiality, integrity and availability.

We have been firm supporters of the standard for more than a decade, have contributed to the development of the standard, and have helped numerous clients implement it. We have also used other standards (such as the Information Security Forum’s Standard of Good Practice) and guidelines over the years and bring a broad experience of information security to the task of writing awareness materials that are topical, practical and relevant.

Some NoticeBored Classic modules directly correspond to sections of ISO/IEC 27002 whereas others pick up on several different sections in the interest of pragmatism and usefulness. The Classic module on user authentication and access control, for example, relates most obviously to ISO/IEC 27002 section 11 “Access control” but also mentions controls from section 9 “Physical and environmental security” and section 10 “Communications and operations management”.

The relationship between NoticeBored Classic awareness modules and sections of ISO/IEC 27002 is explained further in our cross-reference paper (the paper refers to an older version of the standard that was current when it was written, but NoticeBored materials have referenced the latest version ever since it was released - another advantage of our monthly delivery schedule).

Copyright © 2008 IsecT Ltd. and licensors