
The ISO/IEC 27001 Security Standard Fundamentals

Information Security Standards

Standards provide us with a common set of reference points that allow us to evaluate whether an organization has processes, procedures, and other controls that fulfill an agreed-upon minimum requirement. Depending on the needs of the business or its stakeholders, an organization may build and manage its own procedures in accordance with information security principles. Compliance with a standard gives third parties such as customers, suppliers, and partners confidence in the organization’s capacity to deliver to that standard. Compliance can also serve as a marketing strategy that gives the company a competitive advantage: when customers are evaluating a company’s products or services, an organization that is compliant with a security standard may have the edge over a competitor that is not.

The ISO/IEC 27000 Family of Information Security Standards

The ISO 27000 Family of Information Security Management Standards is a collection of security standards that form the basis of best-practice information security management. ISO 27001, which establishes the requirements for an Information Security Management System (ISMS), is the series’ backbone.
ISO 27001 is a global standard that defines the criteria for an ISMS. The structure of the standard is intended to assist companies in managing their security procedures in a centralized, uniform, and cost-effective manner.


ISO/IEC 27001
This standard is known as Information security, Cybersecurity, and Privacy protection – Information security management systems – Requirements (https://www.iso.org/).
This standard sets out the requirements for implementing an effective information security management system. Using ISO/IEC 27001, an organization can build and operate an ISMS that includes a set of controls for managing and mitigating the risks connected with its information assets. Organizational conformance can be audited and certified.
A further set of criteria and guidelines, for a Privacy Information Management System (PIMS), is specified in ISO/IEC 27701, which is an extension of ISO/IEC 27001 (ISMS). Businesses of any kind and size may benefit from that standard, since it helps them fulfill legal obligations while also managing the privacy concerns associated with Personally Identifiable Information (PII).


ISO/IEC 27002

This standard is known as Information security, Cybersecurity and Privacy protection – Information security controls (https://www.iso.org/).
This standard establishes guidelines and management techniques for corporate information security. Using the standard’s controls and best-practice recommendations, implementers can make well-informed decisions about which controls to use and how to put them in place to fulfill their information security goals.
The ISO/IEC 27002 guideline is a code of practice for information security controls that outlines the procedures for implementing the security controls established in the ISO 27001 standard.


ISO 27001’s Structure and PDCA

The ISO 27001 standard defines the criteria for creating, implementing, and maintaining an organization’s ISMS. The complete name of the standard is Information security, cybersecurity and privacy protection — Information security management systems — Requirements (as per the latest version, released in 2022), and it consists of two parts:
• The main part: This consists of 11 clauses (0 to 10), in which clauses 0 to 3 describe the standard itself and clauses 4 to 10 describe the requirements your company must meet to be compliant with the standard
• Annex A: This consists of 93 controls that are to be considered while implementing an ISMS

For each management discipline, ISO has developed a management system standard. Although the technical content of each standard differs according to the relevant management discipline, ISO has developed a high-level framework structure (originally called Annex SL and renamed Annex L in 2019), which provides the generic clause titles, text, common terms, and core definitions for any management system standard to be developed. Basically, Annex SL is a high-level structure that all future ISO management system standards follow, so they all share the same clause structure:

1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

A prerequisite for ISO 27001 (ISMS) is the PDCA (Plan-Do-Check-Act) process, which has its origins in quality assurance. Understanding PDCA is necessary before the requirement clauses of ISO 27001 can be properly understood. Looking at ISO 27001 through the PDCA lens gives a clearer picture of how governance implementation and alignment with improved business objectives will look.

Let’s look, in detail, at the clauses of ISO 27001 and how they are aligned with PDCA here:

• Clauses 0, 1, 2, and 3 are self-explanatory and act as metadata that gives general information about the standard:

• Clause 0: Introduction gives a general overview of the standard and its purpose and explains the compatibility with other ISO standards.
• Clause 1: Scope defines the scope of the standard and points out that this standard is applicable to all types of organizations.
• Clause 2: Normative References refers to content that is essential to understand and implement a certification standard (ISO 27001 in this case). These references provide additional guidance, requirements, or best practices that organizations should consider when implementing an Information Security Management System (ISMS) based on ISO 27001.
• Clause 3: Terms and Definitions refers to the terms and their definitions given in the ISO 27000 standard, which apply to ISO 27001 as well. Clauses 2 and 3 both point to the ISO 27000 standard, where the terms and definitions are given.

Plan
The Plan phase consists of clauses 4 through 7. It helps to recognize an opportunity and plan a change:
• Clause 4: Context of the organization – Understanding the organization’s context is a prerequisite for successfully implementing an ISMS (how and where it operates). This is done by analyzing the external and internal issues that influence the information security of your organization.
Understanding the legal and regulatory requirements, the economic and political environment in which the company operates, and the social and cultural norms contributes to knowing the external factors. To understand the internal issues, you need to know the organizational structure, culture, and values of the company. Next, determine the parties that are interested in information security in your company, depending on the nature of the business. These can include clients, partners, suppliers, employees, and local authorities. Once the parties are identified, determine their requirements regarding information security. The requirements will vary as widely as the parties themselves. For example, some clients may give you sensitive or personal information that is bound by legal requirements, in which case they would require you to protect it appropriately. Next, from the requirements obtained from interested parties, plan and agree on those that will be addressed through the ISMS to be implemented. Only with a thorough understanding of these factors can an effective ISMS be established in any organization.

• Clause 5: Leadership – Leadership commitment, information security policies, and organizational roles and responsibilities are the key components of this clause. Commitment by top management is mandatory for a management system; it is the foundation for establishing an information security policy and objectives. Other obligations include providing resources for the ISMS: allocating people, time, and financial resources. The policy should be documented and communicated to all relevant parties, both within and outside of the organization. The ISMS should be integrated into organizational processes and applied to day-to-day activities. This sets a good example for employees, and as a result the ISMS will not be viewed as a separate entity but as part of company operations. Implementation of the ISMS should be followed by steps for continual improvement; management can enable employees to give feedback and propose improvements. Without proper management support, ISMS implementation in an organization would probably fail.

The information security policy should include the intentions of the company regarding information security and should clearly show management’s commitment to satisfying security requirements and continually improving the ISMS. It should also enable the establishment of information security objectives. The information security policy is the basis of the ISMS in any organization and gives it direction. As a top-level policy document, it will not include details of security controls.

Clause 5 also refers to the process of clearly defining and assigning specific roles and responsibilities within an organization. Defining and assigning roles and responsibilities for information security and communicating those to everyone in the organization lets the employees understand what is expected of them, what their impact is on information protection, and how they can contribute. The two types of responsibilities that top management assigns here are responsibilities that ensure that the ISMS is fully implemented and responsibilities for monitoring the performance of the ISMS and reporting to top management.

• Clause 6: Planning – Risks and opportunities should constantly be considered while making plans in an ISMS setting. Risks are unwanted events that can have a negative impact on the company. Opportunities are actions that the company can take to improve its information security. Identifying, documenting, and managing risks and opportunities is key to a successful ISMS, because it helps organizations see the strengths and weaknesses of their business operations and use them to build effective information security. The organization’s risk assessment should be taken into account while establishing information security objectives. It should be clear what level of risk is acceptable to the company. Finally, a risk treatment plan is derived. Any update required to the ISMS is carried out in a planned manner.

• Clause 7: Support – Sufficient competent resources, expertise, communication, and control over documented information are crucial to supporting the ISMS. Without appropriate resources (financial and human), it wouldn’t be possible to run an ISMS; providing them is management’s responsibility. The company should define the skills necessary to perform information security activities and ensure that employees have the required training and experience. External or in-house training and mentorships can help upskill employees in this regard. Even with perfect documentation and controls in place, if people don’t know how to put them into practice, security will fail. Employees also need to know what to do and why. Emails, newsletters, discussion groups, and online courses can help employees understand organizational security goals better.

Communicating information is the essence of understanding, and understanding what is happening with security is key to ISMS success. Here, what type of information is to be communicated inside and outside of the company and who is allowed/responsible for this should be determined. Rules for communication are framed based on the information security objectives of the organization.

Information must be documented, developed, updated, and controlled in accordance with ISO 27001 requirements. Documented information ranges from guidance on how processes are conducted (policies, procedures, and so on) to evidence of activities conducted (records). It is essential that this information is protected and can be accessed when needed, in a form suitable for use. It should also carry clear identifiers, such as a reference number, title, date of creation, and author.

Do

Clause 8 is the Do phase. It aims to test the change:

Clause 8: Operation – The ISMS needs to be operated on a daily basis. The company implements numerous information security controls, processes, and actions for addressing risks and opportunities and makes sure everyone is complying with them. The implementation includes defining the criteria for processes and implementing the required controls as per the criteria. The information security policies and procedures need to be periodically reviewed so as to ensure changes in the company are reflected and accommodated in them. A change in the company can be intentional or unintentional. There should also be an owner for the process. Outsourced operations for an organization need to be identified and appropriately controlled with regard to information security. Also, the information security risk assessment should be conducted regularly and at planned intervals.

A first-time risk assessment activity can seem far more complex compared to the follow-up reviews. Once the assessment is done, the more strategic and costly task of risk treatment takes place. A thorough Statement of Applicability (SoA), along with a comprehensive risk assessment and treatment methodology, will lay the groundwork for figuring out what to do about your security.

Check

Clause 9 is the Check phase. It reviews the test, analyzes the results, and identifies what you have learned.

Clause 9: Performance evaluation – The ISO 27001 standard expects the ISMS to be monitored, measured, analyzed, and evaluated. The company decides what needs to be measured and records this in its policies, objectives, and documented procedures. Mainly, the performance of the controls and security processes is measured against those policies, objectives, and established procedures. The methods used for measurement and analysis must be defined in order to get suitable results, and the results are to be presented to top management. Management must review the ISMS at planned intervals, considering the status of action items from past reviews, inputs from the internal and external context, interested parties, the risk assessment, and so on, to ensure its effectiveness. Improvements such as the automation of processes can be adopted by management.

Act

Clause 10 is the Act phase. It is basically acting based on what you have learned in the Check phase.

Clause 10: Improvement – When a requirement is not complied with, it results in nonconformity. Nonconformities are to be addressed by taking corrective actions in a timely manner. ISO 27001 requires companies to keep records as evidence of the nature of the nonconformity, the actions that were taken, and the results of the implemented corrective actions. In addition to that, the company should also ensure that it has really resolved the root cause of the nonconformity. A procedure for corrective actions is to be documented and followed, as a good practice.

Accreditations and Certifications

Obtaining ISO 27001 certification demonstrates a company’s dedication to continually developing, enhancing, and protecting its information assets and sensitive data by putting in place suitable risk assessments, acceptable policies, and appropriate controls.
If an organization receives ISO 27001 certification, it indicates that the organization’s ISMS has been audited by another entity, known as a certification body, and found to be in accordance with the standard. Organizations with ISO 27001 certification are announcing to the public that they are trustworthy, have implemented an ISMS in accordance with the standard, and have demonstrated compliance to a certification body. Obtaining certification demonstrates to partners, stakeholders, and customers that your company takes information security management seriously.

The International Accreditation Forum (IAF) is the core authority that oversees conformity assessment accreditation and the related bodies that perform conformity assessment in the fields of management systems, products, services, and so on. It is a global organization comprising accreditation bodies from various countries. Membership of the IAF is open to accreditation bodies that conduct and administer validation/verification body accreditation programs and/or accreditation programs for the certification of management systems and other conformity assessment programs (products, processes, services, personnel, and so on).


ISMS Controls

The ISO 27001 standard recommends taking a risk-based approach to information security. As a result, organizations must identify and address information security threats by establishing controls.
The measures are detailed in Annex A of the standard. Annex A of ISO 27001 contains 93 controls separated into 4 groups, A.5 through A.8. Implementation of all 93 controls is not required, and only a small number of them are mandatory to be recorded. It is up to the company to determine what to implement and what not to, based on its risk management methodology. This freedom of choice allows businesses to focus on the controls that are most important to them rather than spending money on those that aren’t. The applicable controls, and the justification for including or excluding each one, are recorded in the Statement of Applicability (SoA).

ISO 27001’s Annex A simply provides a one-sentence description of each control, giving you a sense of what the goal is or what needs to be accomplished, but not how to execute it. ISO 27002 provides a detailed description.
The following is a high-level breakdown of what each category of control focuses on:
• A.5 – organizational controls
• A.6 – people controls
• A.7 – physical controls
• A.8 – technological controls
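The risk-based selection described above, worked through as an added Python example (not code from the page or from ISO): a constructed risk register is scored against an agreed acceptable-risk level (Clause 6), and a Statement of Applicability is derived that gives a justification for every catalogue control, whether selected or excluded. The Annex A subset, the control titles, the risk values, and the threshold are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed subset of Annex A (page: 93 controls in groups A.5 organizational,
# A.6 people, A.7 physical, A.8 technological); titles abbreviated for illustration.
ANNEX_A = {
    "A.5.1": ("A.5", "Policies for information security"),
    "A.6.3": ("A.6", "Security awareness, education and training"),
    "A.7.1": ("A.7", "Physical security perimeters"),
    "A.8.5": ("A.8", "Secure authentication"),
    "A.8.8": ("A.8", "Management of technical vulnerabilities"),
}

@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    controls: tuple   # Annex A control ids that would treat this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def assess(risks, acceptable_risk, catalogue=ANNEX_A):
    """Clause 6: compare each risk's score with the agreed acceptable level; returns (treat, accept)."""
    for r in risks:
        if any(c not in catalogue for c in r.controls):
            raise ValueError(f"{r.risk_id} references a control not in the catalogue")
    treat = [r for r in risks if r.score > acceptable_risk]
    accept = [r for r in risks if r.score <= acceptable_risk]
    return treat, accept

def statement_of_applicability(risks, acceptable_risk, catalogue=ANNEX_A):
    """Derive the SoA: every catalogue control gets a justification, selected or excluded."""
    treat, accept = assess(risks, acceptable_risk, catalogue)
    refs = {}  # control id -> ([risks it treats], [risks referencing it that were accepted])
    for slot, group_of_risks in ((0, treat), (1, accept)):
        for r in group_of_risks:
            for c in r.controls:
                refs.setdefault(c, ([], []))[slot].append(r.risk_id)
    soa = {}
    for cid, (group, title) in catalogue.items():
        treated, accepted = refs.get(cid, ([], []))
        if treated:
            why = "treats " + ", ".join(treated)
        elif accepted:  # referenced only by risks management chose to accept
            why = "excluded: " + ", ".join(accepted) + " accepted within appetite"
        else:
            why = "excluded: no identified risk requires it"
        soa[cid] = {"group": group, "title": title,
                    "applicable": bool(treated), "justification": why}
    return soa

# Constructed risk register for a small organisation (example values only).
REGISTER = [
    Risk("R1", "Internet-facing server missing security patches", 4, 5, ("A.8.8",)),
    Risk("R2", "Staff enter credentials on a phishing site", 3, 3, ("A.6.3", "A.8.5")),
    Risk("R3", "Visitor tailgates into the open-plan office", 2, 2, ("A.7.1",)),
    Risk("R4", "No approved policy; inconsistent security decisions", 3, 3, ("A.5.1",)),
]
ACCEPTABLE_RISK = 6  # management's agreed threshold: scores of 6 or below are accepted
```

Calling `statement_of_applicability(REGISTER, ACCEPTABLE_RISK)` marks A.5.1, A.6.3, A.8.5 and A.8.8 applicable and excludes A.7.1 with the note that R3 was accepted, which is the kind of reasoned exclusion an auditor looks for in an SoA.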


ISO 27001 versus 27002

ISO/IEC 27002 provides guidance on how to implement the security controls in Annex A of ISO 27001, the international standard for an Information Security Management System (ISMS). The ISO 27000 series is a collection of documents pertaining to various aspects of information security management. ISO 27001 is the fundamental framework in which the implementation requirements for an ISMS can be found; basically, it is a list of everything you need to do in order to be compliant. Although ISO 27002 is a more comprehensive standard, no organization can be certified against it, because it is not a management standard. A management standard is a collection of requirements for businesses to manage their policies and processes so that they can achieve a certain set of outcomes; it essentially lays down the rules for operating a system. ISO 27001 defines the ISMS in this way, and therefore certification against ISO 27001 is possible.

Information security must be designed, executed, monitored, reviewed, and enhanced as part of this management system. It entails that the top management of the organization has a specific set of tasks, such as setting and measuring goals and conducting internal audits. ISO 27001 specifies all of these aspects, but ISO 27002 does not.

Finally, ISO 27002 does not distinguish between controls that are appropriate to a specific company and those that are not, but ISO 27001 does. A risk assessment is required to determine whether or not each control should be implemented, as well as to what extent, in accordance with ISO 27001’s guidelines. So, why are these two standards kept apart rather than combined? Because only then are they usable. If they were a single standard, it would be far too complex and big to be useful.

ISO 27001 is for laying the foundation and creating a framework for information security in your organization; ISO 27002 is for implementing controls; ISO 27005 is for conducting risk assessments and risk management; and so on. Each standard in the ISO 27000 series serves a specific purpose in the information security field.

ISO 27001 cannot be implemented without ISO 27002, and ISO 27002 would remain an isolated effort by a few information security enthusiasts without the management framework provided by ISO 27001, and thus would have no real impact on the organization’s security.

