Tuesday, December 9, 2008

Gary Hinson on ISO/IEC 27000

Few doubt that a major consequence of the current economic meltdown will be more regulations for the private sector to follow. New regulations almost always mean more spending on security and privacy controls. For a glimpse of what to expect, CSO turned to Gary Hinson, a New Zealand-based IT governance specialist and CEO of IsecT Ltd.

Hinson says to expect changes in the coming year, but they won't necessarily be tied to new regulations born of the financial crisis. Instead, his focus is on changes for the ISO/IEC 27000 family of standards. His efforts to help security pros understand the standards include a regularly-updated website: ISO27001security.com. Hinson spoke with CSOonline.com Senior Editor Bill Brenner about the nature and timing of updates to these important standards.

Where do you see the most significant regulatory changes in 2009?
There are a number of planned changes to the ISO/IEC 27000 family of Information Security Management System (ISMS) standards (collectively "ISO27k") over the next year or so, with several additional standards currently under development, several standards about to be released and earlier releases undergoing planned revision.

Let's start with the planned revisions.
Work is under way within JTC1/SC27, the ISO/IEC committee responsible for ISO27k, to review and where necessary adapt ISO/IEC 27001 and 27002. Both standards are being actively used around the world of course, making it likely that changes will be relatively limited in order to avoid disrupting the existing implementations and particularly the certification processes. I believe that in Japan, for instance, ISO/IEC 27002 is specifically recommended if not required to satisfy the Japanese privacy/data protection laws, with organizations being compliance-assessed against the code of practice although it was not originally intended by ISO/IEC to be used in that manner. No one really knows how many organizations have adopted ISO/IEC 27002 globally but I would guess it must be in the hundreds of thousands by now.

In revising ISO/IEC 27002, what are you pressing the committee to focus on?

1. Address and resolve the confusion around "information security policy" versus "ISMS policy" -- the latter being closer to strategy, as far as I can see.
2. Expand on the concept of personal accountability versus responsibility and clarify what is meant by "information asset."
3. Expand on typical computer room controls, for example environmental monitoring with local and remote alarms for fire, water, intrusion, power problems etc.
4. Update section 10.8 "Exchange of information" to improve coverage of mobile code, Web 2.0/Software As A Service etc. [Technical advances are a tricky area for ISO27k since publication of the standards is such a long, slow process. They try as far as possible to keep the standards technology-neutral but this can result in them lacking guidance in some areas.]
5. Expand section 11.2 on "User access management" to include more on identification and especially authentication of remote users.
6. Provide pragmatic guidance on security testing of new/changed application systems in section 12.
7. Expand section 14 on "Business continuity management" to cover resilience as well as disaster recovery. This section would also benefit from more explanation of "contingency."
8. Update section 15 to reflect legal and regulatory changes such as the rise of e-discovery, document/e-mail retention and increasing use of computer data as evidence in court.
9. Emphasize the value of IT auditing processes in section 15.3.

Source: CSO Online
