ISO/IEC 27001 & 27002 implementation guidance and metrics

Prepared by the international community of ISO27k implementers at ISO27001security.com
Version 1.1, 19th November 2007

Introduction

This is a collaborative document created by ISO/IEC 27001 and 27002 implementers belonging to the ISO27k implementers' forum. We wanted to document and share some pragmatic tips for implementing the information security management standards, plus potential metrics for measuring and reporting the status of information security, both referenced against the ISO/IEC standards.

Scope

This guidance covers all 39 control objectives listed in sections 5 through 15 of ISO/IEC 27002 plus, for completeness, the preceding section 4 on risk assessment and treatment.

Purpose

This document is meant to help others who are implementing or planning to implement the ISO/IEC information security management standards. Like the ISO/IEC standards, it is generic and needs to be tailored to your specific requirements.

Copyright

This work is copyright © 2007, ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum (www.ISO27001security.com), and (c) derivative works are shared under the same terms as this.

Adapted for verinice 2010-02-22 by Alexander Koderman CISA, BSI (Germany) Licensed Auditor, ISO 27001 Lead Auditor

Original author: Dr. Gary Hinson MBA CISSP CISA CISM

4. Risk assessment and treatment

4.1 Assessing security risks

Implementation tips: Use any information security risk management method, with a preference for documented, structured and generally accepted methods such as OCTAVE, MEHARI, ISO/IEC TR 13335 or BS 7799 Part 3 (and, in due course, ISO/IEC 27005).

Potential metrics: Percentage of identified risks assessed as high, medium or low significance, plus the percentage still unassessed.

4.2 Treating security risks

Management (specifically, the information asset owners) need to assess risks and decide what (if anything) to do about them. Such decisions must be documented in a Risk Treatment Plan (RTP). It is acceptable for management to decide explicitly to do nothing about certain information security risks deemed to be within the organization's "risk appetite", but this must not be the default approach!

5. Security policy

5.1 Information security policy

Think in terms of an information security policy manual or wiki containing a coherent and internally consistent suite of policies, standards, procedures and guidelines. Define the review frequency of the information security policy and the methods used to disseminate it organization-wide. Review of the suitability and adequacy of the information security policy may be included in management reviews.

6. Organizing information security

6.1 Internal organization

Mirror the structure and size of other specialist corporate functions such as Legal, Risk and Compliance.

6.2 External parties

Inventory network connections and significant information flows to third parties, then risk-assess them and review the information security controls in place against the requirements. This is bound to be scary, but it is 100% necessary! Consider requiring ISO/IEC 27001 certificates from critical business partners such as IT outsourcers, providers of security-related IT services etc.
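The 4.1 and 4.2 advice above, turned into a small risk register as an added example (this code is not part of the ISO27k forum's document or of verinice): a 3x3 likelihood x impact matrix grades each risk, the 4.1 metric is computed from the grades, and every assessed risk is required to carry an explicit Risk Treatment Plan decision, with "accept" only valid alongside a written rationale, so doing nothing can never be the silent default. The matrix thresholds, the risk entries and their owners are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

LEVELS = ("high", "medium", "low")
TREATMENTS = ("mitigate", "transfer", "avoid", "accept")


@dataclass
class Risk:
    name: str
    owner: str                        # information asset owner accountable for the risk
    likelihood: Optional[int] = None  # 1 (rare) .. 3 (likely); None = not yet assessed
    impact: Optional[int] = None      # 1 (minor) .. 3 (severe)
    treatment: Optional[str] = None   # one of TREATMENTS once management has decided
    rationale: str = ""               # required when treatment == "accept"

    def level(self) -> str:
        """Grade the risk from likelihood x impact. The thresholds
        (>= 6 high, >= 3 medium, else low) are an assumption for this example."""
        if self.likelihood is None or self.impact is None:
            return "unassessed"
        score = self.likelihood * self.impact
        if score >= 6:
            return "high"
        if score >= 3:
            return "medium"
        return "low"


def rtp_problems(register: List[Risk]) -> List[str]:
    """One message per risk whose Risk Treatment Plan entry is not acceptable:
    assessed but undecided (the silent default 4.2 warns against), decided
    before assessment, an unknown treatment, or 'accept' without a rationale."""
    problems = []
    for r in register:
        lvl = r.level()
        if lvl == "unassessed":
            if r.treatment is not None:
                problems.append(f"{r.name}: treatment decided before the risk was assessed")
            continue
        if r.treatment is None:
            problems.append(f"{r.name}: {lvl} risk has no documented treatment decision")
        elif r.treatment not in TREATMENTS:
            problems.append(f"{r.name}: unknown treatment '{r.treatment}'")
        elif r.treatment == "accept" and not r.rationale.strip():
            problems.append(f"{r.name}: accepted without a documented rationale")
    return problems


def level_metric(register: List[Risk]) -> Dict[str, float]:
    """The 4.1 metric: percentage of identified risks graded high, medium and
    low, plus the percentage still unassessed (rounded to one decimal)."""
    counts = {k: 0 for k in LEVELS + ("unassessed",)}
    for r in register:
        counts[r.level()] += 1
    n = len(register)
    return {k: round(100.0 * v / n, 1) if n else 0.0 for k, v in counts.items()}


# Constructed sample register (names, owners and scores are illustrative).
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing web server", "Web operations manager", 3, 3, "mitigate"),
    Risk("Laptop theft with unencrypted data", "HR director", 2, 3, "mitigate"),
    Risk("Single SAN controller failure", "IT director", 1, 3, "transfer",
         "vendor 4h replacement SLA"),
    Risk("Printer firmware out of date", "Facilities manager", 1, 1, "accept",
         "within appetite: isolated VLAN, no sensitive data"),
    Risk("Shadow IT file sharing", "Marketing manager", 2, 2),                 # no decision yet
    Risk("Legacy ERP on unsupported OS", "Finance director", 3, 2, "accept"),  # no rationale
    Risk("Third-party payroll connection", "HR director"),                     # not yet assessed
]

if __name__ == "__main__":
    for problem in rtp_problems(SAMPLE_REGISTER):
        print("RTP problem:", problem)
    print("Risk level metric (%):", level_metric(SAMPLE_REGISTER))
```

Run as a script it lists the two RTP gaps in the sample (an undecided medium risk and an acceptance with no rationale) and prints the percentage breakdown. The point of `rtp_problems` is that "no decision" is reported as a finding in its own right, which is exactly what turns 4.2's "not the default approach" into something an internal audit can check.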
7. Asset management

7.1 Responsibility for assets

Build and maintain an information asset register (similar in nature to that prepared for Y2k), showing information asset owners (managers who are accountable for protecting their assets) and relevant asset details (e.g. locations, serial numbers, version numbers, dev/test/production status etc.). Use bar-codes to facilitate easy stock-takes/inventory checks and to associate IT equipment moving off- and on-site with employees.

7.2 Information classification

Keep it simple! Aim to distinguish baseline (across-the-board) from enhanced security requirements according to risk. Start with confidentiality, perhaps, but don't neglect integrity and availability requirements.

8. Human resources security

8.1 Prior to employment

In conjunction with HR, ensure a screening process is in place that is commensurate with the security classification of the information to be accessed by the incoming employee. Simply put, the hiring process for an IT system administrator should look quite different from that for a clerk. Look into background checks, verification of claimed educational attainment and skill sets etc.

8.2 During employment

Responsibility for protecting information does not end when an employee leaves for home or leaves the organization. Ensure that this is clearly documented in awareness materials, employment contracts etc. Consider an annual employment contract review by the HR department with employees to refresh the expectations stated in the terms and conditions of employment, including their commitment to information security.

8.3 Termination or change of employment

Refer to section 7.1: return of the organization's assets when an employee leaves is much easier to verify if your asset inventory is regularly updated and verified. Decide which accesses you need to revoke first when an employee hands in his/her resignation letter: which are the most critical or vulnerable systems? Track use of email by resignees prior to leaving in case they start sending confidential information out (subject to applicable policies and, perhaps, legal obligations regarding privacy).

9. Physical and environmental security

9.1 Secure areas

The standard seems to focus on the computer suite but there are many other vulnerable areas to consider, e.g. wiring closets, "departmental servers", and filing cabinets everywhere (remember: the standards are about securing information, not just IT). Look into the ingress and egress of people into and from your organization. How far could the pizza or FedEx delivery person go without being challenged, authenticated and accompanied? What could they see, pick up or hear while they are inside? Some organizations use color-coded identification tags to signify the areas visitors may access (e.g. blue for the 1st floor, green for the 3rd floor etc.); anyone wearing a green tag on the 4th floor is then immediately recognisable and should be challenged. Be sure to retrieve staff and visitor passes when they leave. Have card-access systems deny, and alarm on, attempted access with passes that are no longer valid. Have visitor passes turn opaque or otherwise appear invalid a set number of hours after issue.

9.2 Equipment security

Have site security stop anyone (employees, visitors, IT support people, couriers, office removals people etc.) from removing IT equipment from the site without written authority. Make this a visible deterrent with random stop-checks (if not airport-style metal detectors!). Be especially vigilant at back doors, loading ramps, smoking exits etc. Consider bar-coding equipment to make stop-checks and stock-checks more efficient.

10. Communications and operations management

10.1 Operational procedures and responsibilities

Document the information security procedures, standards and guidelines, plus the roles and responsibilities, identified in the organization's information security policy manual.

10.2 Third party service delivery management

Are you getting your money's worth? Answer this question, and support it with facts, by establishing a monitoring system for third-party service providers and their respective service deliveries. Review service-level agreements (SLAs) periodically and compare them with the monitoring records. A reward and penalty system may work in some cases. Watch out for changes that impact security.

10.3 System planning and acceptance

Adopt structured processes for IT capacity planning, secure development, security testing etc., using accepted standards such as ISO/IEC 20000 (the ITIL-aligned service management standard) wherever possible. Define and mandate baseline (minimum acceptable) security standards for all operating system platforms, using security advice from CIS, NIST, NSA and operating system vendors and, of course, your own information security policies.

10.4 Protection against malicious and mobile code

Combine technological controls (e.g. anti-virus software) with non-technical measures (education, awareness and training). It is not much help having top-of-the-line anti-virus software if employees keep on opening emails from unknown senders or downloading files from untrusted sites!

10.5 Back-up

Implement back-up and restore procedures that satisfy not only contractual requirements but also the "internal" business requirements of the organization. Take inputs from the risk assessment exercise on which information assets are most significant and use this information in creating your back-up and restore strategy. Choice of storage, media to be used, back-up appliance, frequency of back-up and testing of back-up media need to be decided upon and established. Encrypt backups and archives containing sensitive or valuable data (in practice, that's virtually all of them, otherwise why take backups?).

10.6 Network security management

Prepare and implement technical security standards, guidelines and procedures for network platforms and network security tools such as IDS/IPS, vulnerability management etc.

10.7 Media handling

Secure media and information in transit not only physically but also electronically (via the networks). Encrypt all sensitive/valuable data before it is moved.

10.8 Exchange of information

Look into alternative, pre-approved communications channels, particularly secondary email addresses should the primary email address or mail server fail, and offline communications in case the networks are down. Verifying alternative comms channels in advance reduces stress in an actual incident.

10.9 Electronic commerce services

Work closely with the business functions to develop secure eBusiness by incorporating information security requirements into the projects, and hence the eCommerce systems, from the outset (and into any changes/upgrades thereafter). Emphasize the added value of security in reducing the commercial, legal and operational risks involved in entering into online business. Work on all three core aspects of security, i.e. confidentiality, integrity and availability.

10.10 Monitoring

The old quality assurance axiom "you can't control what you can't measure or monitor" holds true for information security. The necessity of implementing monitoring processes is now more evident as measurement of the effectiveness of controls is made an explicit requirement. Consider the criticality and significance of the data you are going to monitor and how this relates to the organization's overall business objectives for information security.

11. Access control

11.1 Business requirement for access control

Information asset owners who are held accountable by management for protecting their assets should have the ability to define and/or approve the access control rules and other information security controls. Make sure they are held to account for breaches, non-compliances and other incidents.

11.2 User access management

Set up a discrete "security admin" function with operational responsibility for applying the access control rules defined by application owners and Information Security Management. Invest in providing security admin with the tools to do their job as efficiently as possible.

11.3 User responsibilities

Ensure security responsibilities are established and understood by the incumbent personnel. A good strategy is to clearly define and document responsibilities for information security in job descriptions or job profiles. Periodic review is a must to keep track of changes. Disseminate job profiles periodically to employees (e.g. at annual performance appraisal time) to remind them of their responsibilities and gather any updates.

11.4 Network access control

Balance network perimeter (LAN/WAN) and internal (LAN/LAN) security controls against application security controls (defense in depth).

11.5 Operating system access control

Implement baseline security standards for all the main computing and telecoms platforms, reflecting best practice advice from CIS, NIST, system vendors etc.
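One way to make the "baseline security standard" of 10.3 and 11.5 checkable rather than a document on a shelf, as an added example that is not part of the ISO27k forum's document: a Python script that parses the global section of an OpenSSH sshd_config and reports every directive whose effective value departs from a written baseline. The six baseline settings and their required values are an assumed subset of the kind of hardening advice CIS and vendors publish, not a quotation from any benchmark; the fallback defaults are as documented in sshd_config(5) for recent OpenSSH releases and should be confirmed for the version you run; both configuration files are constructed.

```python
import re
from typing import Dict, List, Tuple

# Baseline: directive (lower-cased) -> (required value, why). An assumed
# subset of commonly published OpenSSH hardening advice, for illustration.
BASELINE = {
    "permitrootlogin":        ("no",      "log in as a named user and escalate, for accountability"),
    "passwordauthentication": ("no",      "key-based logins only; defeats online password guessing"),
    "permitemptypasswords":   ("no",      "never accept an empty password"),
    "x11forwarding":          ("no",      "reduce attack surface"),
    "maxauthtries":           ("4",       "cap guesses per connection"),
    "loglevel":               ("VERBOSE", "records key fingerprints, useful in forensics"),
}

# Value OpenSSH uses when the directive is absent (per sshd_config(5) for
# recent releases; an assumption to confirm for the version you run).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "INFO",
}

_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def parse_global_section(text: str) -> Dict[str, str]:
    """Effective directives from the global part of an sshd_config.

    Two sshd_config(5) rules matter for a checker and are easy to get wrong:
    - for each keyword the FIRST value obtained wins, so a later, stricter
      line does not override an earlier weak one;
    - everything after the first 'Match' line is conditional and must not be
      counted as the global setting.
    Comment lines and blank lines are skipped; 'Key value' and 'Key=value'
    are both accepted; keyword comparison is case-insensitive.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def check_baseline(text: str) -> List[Tuple[str, str, str, str]]:
    """(directive, effective value, required value, reason) for each baseline
    directive the configuration fails; an empty list means compliant."""
    effective = parse_global_section(text)
    findings = []
    for key, (required, reason) in BASELINE.items():
        value = effective.get(key, DEFAULTS[key])
        if value.lower() != required.lower():
            findings.append((key, value, required, reason))
    return findings


# Constructed sample: looks hardened at a glance but is not.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
X11Forwarding no
MaxAuthTries 4
# the line below has no effect: the first PermitRootLogin value wins
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = check_baseline(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, value, required, reason in findings:
            print(f"  {key}: effective '{value}', baseline '{required}' ({reason})")
```

The weak file produces three findings: root login is allowed because the first `PermitRootLogin` line wins, password authentication is still on because the only `PasswordAuthentication no` sits inside a `Match` block, and logging is at the default level. A checker that simply grepped for the "good" lines would have passed it, which is why the parser models OpenSSH's precedence rules rather than the text.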
11.6 Application and information access control

Implement baseline security standards for all the main application systems and middleware, reflecting best practice advice and checklists from CIS, NIST, software vendors etc.

11.7 Mobile computing and teleworking

Have clearly defined policies for the protection not only of mobile computing facilities themselves (laptops, PDAs etc.) but, more importantly, of the information stored on them. As a rule, the value of the information far exceeds that of the hardware. Ensure the level of protection of your mobile computing facilities (anti-virus software, patches, fixes, firewall software etc.) matches the level of protection of information processing facilities used inside the organization's premises.

12. Information systems acquisition, development and maintenance

12.1 Security requirements of information systems

Get "information asset owners" involved in high-level risk assessments and get their sign-off on the security requirements arising. If they are truly accountable for protecting their assets, it is in their interest to get it right! Keep track of news on common or current vulnerabilities in applications and identify and implement appropriate protective or defensive measures. Implementation guidance can be obtained from several references, for example OWASP.

12.2 Correct processing in applications

Use standard libraries and functions wherever possible for common requirements such as data entry validation, range and type constraints, referential integrity etc. Build and incorporate additional validation and cross-checking functions for greater confidence with vital data (e.g. control totals). Build and use automated and manual testing facilities and competencies to check for common issues such as buffer overflows, SQL injection etc.
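One of the "common issues" named in 12.2, SQL injection, shown as an added example (not code from the ISO27k forum's document): the string-built login query beside its parameterized replacement, run against an in-memory SQLite database so the difference is visible without any server. The table, the two users, the placeholder password hashes and the injection payload are constructed; the validation function at the end is the complementary 12.2 measure of constraining the input's type and range before a query is ever built.

```python
import re
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and rows; password hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "h1", "admin"), ("bob", "h2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> List[Tuple[str, str]]:
    """VULNERABLE: the caller's input is spliced into the SQL text, so quotes
    and keywords in it become part of the statement's grammar."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password_hash = '%s'" % (username, password_hash))
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> List[Tuple[str, str]]:
    """Parameterized: the statement is compiled with placeholders and the
    values travel separately, so the input can only ever be compared as data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchall()


# Classic tautology payload: closes the quoted string, adds an always-true
# clause, then '--' comments out the rest of the line (the password check).
INJECTION = "alice' OR '1'='1' -- "

# 12.2's other advice, type/range constraints on entry: a username is only
# ever lower-case letters, digits or underscore, 1..32 characters (assumed
# policy). This rejects the payload before any query is built.
_USERNAME = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username: str) -> bool:
    return _USERNAME.fullmatch(username) is not None


def demo():
    conn = make_db()
    vuln = login_vulnerable(conn, INJECTION, "wrong-hash")   # returns every user
    safe = login_safe(conn, INJECTION, "wrong-hash")         # returns nothing
    legit = login_safe(conn, "bob", "h2")                    # normal login still works
    return vuln, safe, legit


if __name__ == "__main__":
    vuln, safe, legit = demo()
    print("vulnerable query with payload:", vuln)
    print("parameterized query with payload:", safe)
    print("parameterized query, real credentials:", legit)
    print("payload passes input validation?", validate_username(INJECTION))
```

With the payload, the vulnerable function's statement becomes `... WHERE username = 'alice' OR '1'='1' -- ' AND password_hash = 'wrong-hash'`, the password clause is commented away, and every row comes back; the parameterized version compares the whole payload as a literal username and finds nothing. Input validation and parameterization are both worth having: the former narrows what reaches the database, the latter guarantees the database never parses user data as SQL.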
12.3 Cryptographic controls

Use current formal standards such as AES rather than home-grown algorithms. Implementation is crucial!

12.4 Security of system files

Apply baseline security standards consistently, ensuring that best practice advice from CIS, NIST, system vendors etc. is followed.

12.5 Security in development and support processes

Embed information security into the system development lifecycle at all stages, from conception to retirement of a system, by including security "hooks" in development and operations/change management procedures and methods. Treat software development and implementation as a change process. Integrate security improvements into change management activities (e.g. procedural documentation and training for users and administrators).

12.6 Technical vulnerability management

Track security patches constantly, using vulnerability management and/or automated update tools where available (e.g. Microsoft Update or Secunia Software Inspector). Assess the relevance and criticality/urgency of patches in YOUR technical environment. Test and apply critical patches, or take other remedial actions, as quickly and as widely as possible for security vulnerabilities that affect your systems and are being actively exploited in the wild. Avoid falling so far behind on the version update treadmill that your systems fall out of support.

13. Information security incident management

13.1 Reporting information security events and weaknesses

Set up and publicise a hotline (generally the standard IT Help/Service Desk) for people to report security-related incidents, near misses and concerns.
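The "testing of back-up media" step in 10.5 and the 12.3 point about using standard primitives rather than home-grown ones, combined in one added example (not code from the ISO27k forum's document): a Python script that backs up a constructed directory into a tar archive, records a manifest of SHA-256 file hashes, authenticates the manifest with HMAC-SHA256 from the standard library, then performs a trial restore and checks every file against the manifest. The directory contents and the manifest key are constructed for the demonstration; a real key belongs in a secrets store, not beside the backups. Encrypting the archive itself is left out only because the Python standard library has no AES; use a vetted tool or library (AES-GCM or similar) for that step.

```python
import hashlib
import hmac
import json
import os
import tarfile
import tempfile
from typing import Dict, List, Tuple

# Demo-only key (assumption). Keep the real one in a secrets store, separate
# from the backup media, so an attacker who alters a backup cannot re-sign it.
MANIFEST_KEY = b"demo-only-manifest-key"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_mac(files: Dict[str, str]) -> str:
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()


def create_backup(src_dir: str, archive_path: str) -> dict:
    """Write src_dir to a gzip'd tar at archive_path and return the signed
    manifest {"files": {relative path: sha256 hex}, "mac": hex}."""
    files: Dict[str, str] = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, names in os.walk(src_dir):
            for name in sorted(names):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                files[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return {"files": files, "mac": _manifest_mac(files)}


def verify_restore(archive_path: str, manifest: dict, restore_dir: str) -> List[str]:
    """Trial restore. Returns a list of problems; empty means the backup
    restored completely and every file matches its recorded hash."""
    if not hmac.compare_digest(_manifest_mac(manifest["files"]), manifest["mac"]):
        return ["manifest MAC mismatch: manifest altered or wrong key"]
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            # 'data' filter refuses absolute paths, '..' traversal and links
            # escaping restore_dir (Python 3.12+, back-ported to 3.8.17+).
            tar.extractall(restore_dir, filter="data")
        except TypeError:     # older Python without the filter argument
            tar.extractall(restore_dir)
    problems = []
    for rel, digest in manifest["files"].items():
        path = os.path.join(restore_dir, rel)
        if not os.path.isfile(path):
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"content mismatch after restore: {rel}")
    return problems


def demo() -> Tuple[int, List[str], List[str]]:
    """Back up constructed data, restore-test it, then show that an edited
    manifest (e.g. to hide a swapped file) fails the MAC check."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "ledger.csv"), "w") as f:
            f.write("id,amount\n1,100\n2,250\n")           # constructed content
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed sample file\n")
        archive = os.path.join(tmp, "backup.tar.gz")

        manifest = create_backup(src, archive)
        ok = verify_restore(archive, manifest, os.path.join(tmp, "restore-test"))

        tampered = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
        tampered["files"]["notes.txt"] = "0" * 64
        bad = verify_restore(archive, tampered, os.path.join(tmp, "restore-tampered"))
        return len(manifest["files"]), ok, bad


if __name__ == "__main__":
    count, ok, bad = demo()
    print(f"{count} files backed up; restore problems: {ok or 'none'}")
    print("tampered manifest:", bad)
```

The trial restore is the part most organizations skip: a backup job that completes without error says nothing about whether the media can be read back, so `verify_restore` extracts into a scratch directory and compares every file rather than trusting the archive's own checksums. The HMAC over the manifest means the list of expected hashes cannot itself be edited by whoever tampers with the backup, which is what makes the comparison meaningful.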
13.2 Management of information security incidents and improvements

Post-incident reviews and case studies on serious incidents such as frauds illustrate control weaknesses, identify improvement opportunities and also form an effective security awareness-raising mechanism in themselves.

14. Business continuity management

14.1 Information security aspects of business continuity management

Treat business continuity management as a "management" process with inputs coming from various functions (top management, IT, operations, HR etc.) and activities (risk assessment etc.). Ensure consistency of the business continuity plans and awareness of them among the relevant people and organizational units. Relevant exercises (such as desktop testing, simulation, full failover testing etc.) should be conducted (a) to keep the plans updated, (b) to improve management confidence in the plans, and (c) to make relevant employees familiar with their roles and responsibilities under disaster conditions. Get implementation guidance from BS 25999 (Business Continuity Management).

15. Compliance

15.1 Compliance with legal requirements

Get qualified legal advice, especially if the organization operates or has customers in multiple jurisdictions.

15.2 Compliance with security policies and standards and technical compliance

Align security controls self-assessment processes with the self-assessments for corporate governance, legal/regulatory compliance etc., supplemented by management reviews and independent sanity checks.

15.3 Information systems audit considerations

Invest in a qualified IT audit function that uses ISO27k, COBIT, ITIL, CMM and similar best practice standards/methods as benchmarks for comparison. Look into ISO 19011 (Guidelines for quality and/or environmental management systems auditing) as a valuable source for the conduct of internal ISMS audits. ISO 19011 provides an excellent framework for creating an internal audit programme and also describes the qualifications of the internal audit team.