Detailed Notes on ISO 27000 Series Standards

Introduction to ISO 27000 Series

  • Presented by Budi Arief, Jason Nurse, Virginia Franqueira
  • Context provided by Darren Hurley-Smith.

Outline

  • The focus is on ISO 27001 and its relation to:
    • ISO 27002 (security controls)
    • ISO 27004 (measurement of ISMS)
    • ISO 27005 (risk management)
  • Discussion on potential issues with ISO standards.

Family of ISO Standards

  • ISMS Family:
    • ISO 27000: Overview and vocabulary of information security.
    • ISO 27001: Requirements for Information Security Management Systems (ISMS).
    • ISO 27002: Code of practice for information security controls.
    • ISO 27004: Measurement of information security management.
    • ISO 27005: Information security risk management.
    • Additional standards (e.g., ISO 27006 for audit bodies).

Relationship Between ISO Standards

  • ISO 27001 establishes ISMS requirements.
  • ISO 27002, 27004, 27005 support the implementation and improvement of ISMS:
    • Include security controls, measurement, and risk management processes.

ISO 27002: Selecting Security Controls

  • A code of practice (best-practice guide) for selecting and implementing controls; the 2013 edition is structured into 14 security control clauses (numbered 5 to 18, mirrored as A.5 to A.18 in Annex A of ISO 27001).
  • Each clause is split into control categories, each with a stated control objective and the controls intended to meet that objective.

Security Control Clauses

  1. A.5: Information Security Policies
  2. A.6: Organization of Information Security
  3. A.7: Human Resource Security
  4. A.8: Asset Management
  5. A.9: Access Control
  6. A.10: Cryptography
  7. A.11: Physical and Environmental Security
  8. A.12: Operations Security
  9. A.13: Communications Security
  10. A.14: System Acquisition, Development and Maintenance
  11. A.15: Supplier Relationships
  12. A.16: Information Security Incident Management
  13. A.17: Information Security Aspects of Business Continuity Management
  14. A.18: Compliance

Structure of Control Categories

  • 35 security categories, each with one specific control objective:
    • Together they contain 114 controls (ISO 27002:2013 / ISO 27001:2013 Annex A).

Example: Clause 9 (A.9) - Access Control

  • Objective (9.1, business requirements of access control): limit access to information and information processing facilities to what business requirements justify.
  • Controls:
    • 9.1.1 Access control policy: establish, document and review an access control policy based on business and information security requirements.
    • 9.1.2 Access to networks and network services: users are given access only to the networks and network services they have been specifically authorized to use.

Example: Clause 7 (A.7) - Human Resource Security

  • Objective (7.1, prior to employment): ensure employees and contractors understand their responsibilities and are suitable for the roles they are considered for; 7.2 (during employment) then ensures they are aware of and fulfil those responsibilities.
  • Controls:
    • 7.1.1 Screening: background verification checks on all candidates, proportionate to the business requirements, the classification of the information to be accessed and the perceived risks.
    • 7.2.1 Management responsibilities: management requires staff to apply information security in line with policy; 7.2.2 covers the related awareness, education and training.

Mapping ISO 27001 with Other Standards

  • ISO 27001 controls can be mapped to other frameworks such as the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover).
  • Individual NIST CSF functions and categories correspond to specific Annex A clauses and controls, so one implementation can be reported against both.

ISO 27004: Measurement and Improvement

  • Assess performance and effectiveness of ISMS.
  • Focus on both performance indicators and control effectiveness measures.

Monitoring and Improvement Process

  1. Monitor and measure the chosen indicators at regular intervals.
  2. Analyse the results and identify where the ISMS or its controls need improvement.
  3. Evaluate security performance and overall ISMS effectiveness, feeding back into the continual improvement cycle (ISO 27001 clause 9.1: monitoring, measurement, analysis and evaluation).

Examples of Security Measures

  • Monitor logs, conduct surveys, track incident statistics, and perform audits.
    • Derive specific metrics from these sources, for example Mean Time to Detect (MTTD) and Mean Time to Resolve (MTTR) incidents, the proportion of incidents detected within a target time, patch deployment latency, and the percentage of staff who have completed awareness training.
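As an added example (not part of the original lecture material), the following Python script computes the kind of effectiveness measures ISO 27004 asks for from a constructed set of incident records: MTTD, MTTR, and the share of incidents detected within a target window. The field names and the sample records are assumptions made for the example, and a deliberately inconsistent record (detection logged before the compromise began) is included to show why a measurement pipeline must reject bad data rather than let it skew the mean.

```python
"""ISO 27004-style incident measures from a constructed incident log (example only)."""
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample records, not real incident data. Timestamps are UTC, ISO 8601.
#   occurred = when the compromise actually began (established in post-incident review)
#   detected = when the SOC opened the incident
#   resolved = when containment and eradication were complete
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "severity": "high",
     "occurred": "2024-03-01T08:00:00", "detected": "2024-03-01T09:30:00", "resolved": "2024-03-01T14:00:00"},
    {"id": "INC-2", "severity": "medium",
     "occurred": "2024-03-02T10:00:00", "detected": "2024-03-03T10:00:00", "resolved": "2024-03-03T16:00:00"},
    {"id": "INC-3", "severity": "low",
     "occurred": "2024-03-05T12:00:00", "detected": "2024-03-05T12:30:00", "resolved": "2024-03-05T13:00:00"},
    {"id": "INC-4", "severity": "high",
     "occurred": "2024-03-06T00:00:00", "detected": "2024-03-10T00:00:00", "resolved": "2024-03-11T00:00:00"},
    # Deliberately inconsistent record: detection is logged before the compromise started.
    {"id": "INC-5", "severity": "medium",
     "occurred": "2024-03-08T09:00:00", "detected": "2024-03-08T08:00:00", "resolved": "2024-03-08T10:00:00"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def valid_incidents(incidents):
    """Split records into (usable, rejected_ids); reject missing or out-of-order timestamps."""
    usable, rejected = [], []
    for inc in incidents:
        try:
            occurred, detected, resolved = _ts(inc["occurred"]), _ts(inc["detected"]), _ts(inc["resolved"])
        except (KeyError, ValueError):
            rejected.append(inc.get("id", "?"))
            continue
        if not (occurred <= detected <= resolved):
            rejected.append(inc["id"])
            continue
        usable.append(inc)
    return usable, rejected


def time_to_detect(inc):
    return _ts(inc["detected"]) - _ts(inc["occurred"])


def time_to_resolve(inc):
    return _ts(inc["resolved"]) - _ts(inc["detected"])


def _mean_delta(incidents, severity, delta_fn):
    usable, _ = valid_incidents(incidents)
    if severity is not None:
        usable = [i for i in usable if i["severity"] == severity]
    if not usable:
        return None  # no data: report "not measurable" rather than a misleading zero
    return timedelta(seconds=mean(delta_fn(i).total_seconds() for i in usable))


def mean_time_to_detect(incidents, severity=None):
    return _mean_delta(incidents, severity, time_to_detect)


def mean_time_to_resolve(incidents, severity=None):
    return _mean_delta(incidents, severity, time_to_resolve)


def fraction_detected_within(incidents, target):
    """Share of usable incidents whose time to detect is within the target window."""
    usable, _ = valid_incidents(incidents)
    if not usable:
        return None
    return sum(1 for i in usable if time_to_detect(i) <= target) / len(usable)


def _hours(delta):
    return None if delta is None else delta.total_seconds() / 3600


def summarize(incidents, detection_target=timedelta(hours=24)):
    """Measurement report for the ISMS review: values in hours, plus rejected record ids."""
    usable, rejected = valid_incidents(incidents)
    return {
        "incidents_measured": len(usable),
        "records_rejected": rejected,
        "mttd_hours": _hours(mean_time_to_detect(incidents)),
        "mttd_high_hours": _hours(mean_time_to_detect(incidents, "high")),
        "mttr_hours": _hours(mean_time_to_resolve(incidents)),
        "detected_within_target": fraction_detected_within(incidents, detection_target),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

Reporting the rejected record ids alongside the figures matters in practice: a measure that silently drops or includes malformed records is itself a finding about the quality of the incident process that feeds it.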

ISO 27005: Risk Management Process

  • Asset-driven risk assessment is central to ISO 27005:
    • Identify and value assets first, then the threats to them and the vulnerabilities those threats could exploit.
  • 5 Phases of Risk Management (with risk acceptance, risk communication and monitoring/review running alongside):
    1. Preparation (context establishment: scope, criteria, organisation)
    2. Risk Identification
    3. Risk Analysis
    4. Risk Evaluation (compare analysed risks against the acceptance criteria)
    5. Risk Treatment

Risk Management Process Phases

  • Establish the scope and criteria, then identify assets, threats, vulnerabilities and existing controls.
  • Evaluate risks against the acceptance criteria and treat them using one of the ISO 27005 options: modification (mitigation by adding or strengthening controls), retention (acceptance), avoidance, or sharing (e.g. insurance or outsourcing).

Potential Issues with ISO Standards

  • Criticisms include:
    • Certification can become merely a compliance exercise, documenting an ISMS rather than demonstrably reducing risk.
    • Scoping issues: an organisation may certify a narrowly scoped ISMS, so the certificate says little about systems outside that scope; in large organisations this limits its effectiveness.
    • Vague requirements ("appropriate", "adequate") lead to subjective implementations that differ between organisations and auditors.

Summary

  • An overview of the ISO 27001 standard and its relationship with other ISO standards (27002, 27004, 27005).
  • Discussion of the importance of continuous improvement in ISMS and the potential pitfalls in ISO adherence.

References

  • Key Standards:
    • ISO 27001:2013
    • ISO 27002:2013
    • ISO 27004:2016
    • ISO 27005:2011