Mark Bernard is the Security & Privacy Officer at Credit Union Central of British Columbia. Today, Mark's credit union is the first financial institution to achieve ISO 27001 certification. Mark discusses ISO 27001 certification and its benefits with BankInfoSecurity.com.
Background: ISO 27001 is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO). The certification ensures that effective security controls and policies are in place. The certification process is a measurement of the performance of best security practices and identification of opportunities to improve those practices. It basically involves testing the existence and effectiveness of the information security controls at any given institution.
Benefits/ Payoffs of ISO 27001 Certification
The Credit Union Central of British Columbia has changed remarkably in its level of security awareness, and the credit union system has gone up substantially. People now recognize the value of, or they are realizing the value of having an information security credential such as this, and it is helping the institution to identify information security issues and address them more effectively.
As an institution in general, the culture has benefited as well. It's more focused on information security now and the identification of assets and how the credit union treats assets, threats, risk, and the vulnerability associated to those assets have been very positive.
Such involvement also boosts the team culture that remains, and this team effort can be effectively channelized into other business areas.
The ISO framework provides many of opportunities for improvement and to draw new sets of controls and to manage those more effectively likely than they have been in the past. Also, because the ISO framework already exists the credit union is looking at other standards such as the BS 25999, which is Business Continuity Standard, and integrating those controls within the ISMS.
Becoming ISO certified also made a big difference to the institution economically by reducing the number of external consulting engagements that were necessary, costing hundreds of thousands of dollars. And now the credit union has a bonafide external audit group that comes by twice a year to monitor their activity and provide a list of opportunities for improvement.
Tuesday, December 23, 2008
Thursday, December 18, 2008
Promoting accountability through ISO/IEC 27001 & 27002
As organisations go, there are those that welcome internationally recognised standards with open arms, and those that shy away citing cost or even applicability.
However, there is a need for standards within all organisations, regardless of size or market. It is in defining the Statements of Applicability (SoA) that the project becomes both relevant and cost-effective.
There is "information" within every organisation that is relied upon, so a system is required to manage its security. At the least, we need to ensure that the information is viable for its purpose.
Combined, these provide best practice guidance and a framework for an information security management system (ISMS) - ISO/IEC 27001 - and the management thereof - ISO/IEC 27002 - for the protection, confidentiality, integrity and availability of the information assets upon which an organisation depends.
Code of practice
ISO/IEC 27002 is merely a code of practice, so organisations are free to implement controls as they see fit, and the ISO/IEC 27001 standard incorporates only a simple summary of such controls and does not mandate any.
An important element is the definition of the SoA, among other scoping documents.
Through the SoA you are free to broaden or narrow the scope of certification, as you see fit, limiting the focus of any analysis. Understanding the SoA is crucial to attaching meaning to the certificate.
If you only define "the HR department", the associated certificate says nothing about the state of information security in "procurement", "manufacturing", "the IT department" or even the organisation as a whole. You set the scope.
Similarly, if the SoA asserts that some technical controls are not necessary for specified reasons, the assessing body will check that assertion but will not otherwise certify or fail those controls or the lack of them. In fact, no technical controls may be assessed at all as part of the assessment as ISO/IEC 27001 is primarily a management standard and compliance requires only that the organisation has a suite of management controls in place. If you feel a control is not necessary, giving a valid reason should suffice.
Start small
Look towards the information assets you currently manage or those you feel you can easily manage within the reduced scope, define a narrow SoA focused on what is already known and document your process to define, design, implement and manage these controls, including those "few" controls that may be missing.
Beyond certification or having marketing potential the process of assessment should confirm or improve accountability internally for information asset interfaces with wider business functions and third parties, confirming the scope for use of information assets with those partners.
Certification is optional, but is increasingly being mandated from suppliers and business partners concerned about their information security and the security of shared or common information.
Bodies such as the British Standards Institution, the National Institute of Science and Technology and various national bodies are issuing approximately 1,000 certificates per year - and the trend is growing.
By concentrating on the known information assets of a small business function, defining your ISMS to manage these will get you on the ladder and act as a springboard to widen your certification later.
ISO/IEC 27001
ISO/IEC 27001 is a formal standard towards which your organisation can attain independent certification of its frameworks to systematically and consistently design, implement, manage, maintain and enforce information security processes and controls - an information security management system (ISMS).
It covers any organisation (commercial business, government body or non-profit organisation), specifying the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a well-documented ISMS, within the context of the organisation's overall risk management processes.
It defines the requirements for custom security controls that meet the specific needs of the organisation or, importantly, any specified part or department thereof.
Source: http://www.computerweekly.com
David Gregg is an infrastructure and security consultant at The Logic Group
However, there is a need for standards within all organisations, regardless of size or market. It is in defining the Statements of Applicability (SoA) that the project becomes both relevant and cost-effective.
There is "information" within every organisation that is relied upon, so a system is required to manage its security. At the least, we need to ensure that the information is viable for its purpose.
Combined, these provide best practice guidance and a framework for an information security management system (ISMS) - ISO/IEC 27001 - and the management thereof - ISO/IEC 27002 - for the protection, confidentiality, integrity and availability of the information assets upon which an organisation depends.
Code of practice
ISO/IEC 27002 is merely a code of practice, so organisations are free to implement controls as they see fit, and the ISO/IEC 27001 standard incorporates only a simple summary of such controls and does not mandate any.
An important element is the definition of the SoA, among other scoping documents.
Through the SoA you are free to broaden or narrow the scope of certification, as you see fit, limiting the focus of any analysis. Understanding the SoA is crucial to attaching meaning to the certificate.
If you only define "the HR department", the associated certificate says nothing about the state of information security in "procurement", "manufacturing", "the IT department" or even the organisation as a whole. You set the scope.
Similarly, if the SoA asserts that some technical controls are not necessary for specified reasons, the assessing body will check that assertion but will not otherwise certify or fail those controls or the lack of them. In fact, no technical controls may be assessed at all as part of the assessment as ISO/IEC 27001 is primarily a management standard and compliance requires only that the organisation has a suite of management controls in place. If you feel a control is not necessary, giving a valid reason should suffice.
Start small
Look towards the information assets you currently manage or those you feel you can easily manage within the reduced scope, define a narrow SoA focused on what is already known and document your process to define, design, implement and manage these controls, including those "few" controls that may be missing.
Beyond certification or having marketing potential the process of assessment should confirm or improve accountability internally for information asset interfaces with wider business functions and third parties, confirming the scope for use of information assets with those partners.
Certification is optional, but is increasingly being mandated from suppliers and business partners concerned about their information security and the security of shared or common information.
Bodies such as the British Standards Institution, the National Institute of Science and Technology and various national bodies are issuing approximately 1,000 certificates per year - and the trend is growing.
By concentrating on the known information assets of a small business function, defining your ISMS to manage these will get you on the ladder and act as a springboard to widen your certification later.
ISO/IEC 27001
ISO/IEC 27001 is a formal standard towards which your organisation can attain independent certification of its frameworks to systematically and consistently design, implement, manage, maintain and enforce information security processes and controls - an information security management system (ISMS).
It covers any organisation (commercial business, government body or non-profit organisation), specifying the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a well-documented ISMS, within the context of the organisation's overall risk management processes.
It defines the requirements for custom security controls that meet the specific needs of the organisation or, importantly, any specified part or department thereof.
Source: http://www.computerweekly.com
David Gregg is an infrastructure and security consultant at The Logic Group
The growing accreditation of IT security tools and processes
Vincent Villers, Partner at PwC Luxembourg and Marc Sel, Director at PwC Belgium
Business review, December 2008
For a long time, Information Security has had many technical standards but has been lacking a minimal consensus in the area of management and responsibilities. The BSI (British Standards Institute) put forward their 7799 standards, which were well accepted and evolved into the ISO (International Standards Organisation) world. Fundamental to the ISMS (Information Security Management System) standard is the typical management organisation model ‘Plan-Do-Check-Act’:
ISO 27001 is commonly used as a term to refer to a family of interrelated standards:
• 27000 ISMS fundamentals and vocabulary
• 27001 ISMS requirements (absorbing parts of ISO 13335)
• 27002 Code of practice (based on the BSI 7799)
• 27003 ISMS implementation guidelines
• 27004 Information security management measurements
• 27005 ISMS risk management (absorbing parts of ISO 13335)
Structure of ISO 27001
The main standard document ISO 27001 addresses requirements for the Information Security Management System, as well as how to establish, manage and monitor the ISMS. It continues by addressing ISMS responsibilities, as well as audit and management review aspects.
The ISO 27001 certification process
In many countries, certification bodies have been established under the umbrella of accreditation bodies. For example, one of the authors, Marc Sel, is accredited Lead Auditor for PwC’s Certification Body ‘PwCC B.V.’ which is on a peer level with the BSI, TÜV and KEMA1 . PwCC B.V. is in turn accredited by the Dutch Accreditation Body (‘Raad voor Accreditatie’).
The International Register of ISMS accredited certificates lists those certificates that have been awarded to organisations that have gone through an accredited certification process in line with the ISMS standard BS 7799 Part 2:2002 and ISO/IEC 27001:2005 (i.e. the revised version of BS 7799 Part 2:2002).
This register has been produced in cooperation with the international network of certification bodies and is managed and maintained by the ISMS International User Group (IUG). It is updated on a regular basis in co-operation with the certification bodies. The entries in this register have been supplied by those certification bodies that have carried out the ISMS certification.
The increasing interest in ISO 27001 certification
In November 2008, almost 5.000 ISMS certificates have been issued (4.987 to be precise2) . The top five countries with the highest number of certificates today are Japan, India, the UK, Taiwan and China. They are followed by Germany and the USA.
The best advice to follow is to centralise core IT services in larger data centres. For example, the data centres of PwC Yemen, UK, Hong Kong, China, and USA have been secured by ourselves and accredited by the BSI against ISO 27001:2005. This gives us a strong background when helping customers prepare for such certification or improve their security posture.
In Luxembourg, only one company is registered as being accredited against the standard so far. However, considering the current trend of financial institutions to focus on their core business by considering outsourcing of several functions, coupled with the increasing need to embed trust in business relationship, all conditions are fulfilled to lead to a growing interest for this certification. Indeed, unlike current perception of other standards, the ISO 27001:2005 relies upon clear requirements and implementation guidelines that provides sufficient transparency to bring the required level comfort that an accredited company meets adequate level of security to build trust with its stakeholders. The implementation of an ISO 27001 ISMS is clearly becoming an optimal approach to help organisations tackle the current regulatory requirements with regards to Information Technology controls.
Finally, rather than individually answering each request for compliance, it is advised to look at the requirements holistically, and build a framework that allows demonstrating compliance against a broad set of regulations, re-using the same set of well-defined controls. The implementation of such a control framework makes demonstrating compliance significantly less expensive.
1 BSI British Standards is the National Standards Body of the UK, TÜV Rheinland Group is a leading provider of technical services worldwide, KEMA is a commercial enterprise, specializing in high-grade business and technical consultancy, inspections and measurement, testing and certification.
2 The status of the official ISO 27001 certificates is available at www.iso27001certificates.com
Source: PwC
Business review, December 2008
For a long time, Information Security has had many technical standards but has been lacking a minimal consensus in the area of management and responsibilities. The BSI (British Standards Institute) put forward their 7799 standards, which were well accepted and evolved into the ISO (International Standards Organisation) world. Fundamental to the ISMS (Information Security Management System) standard is the typical management organisation model ‘Plan-Do-Check-Act’:
ISO 27001 is commonly used as a term to refer to a family of interrelated standards:
• 27000 ISMS fundamentals and vocabulary
• 27001 ISMS requirements (absorbing parts of ISO 13335)
• 27002 Code of practice (based on the BSI 7799)
• 27003 ISMS implementation guidelines
• 27004 Information security management measurements
• 27005 ISMS risk management (absorbing parts of ISO 13335)
Structure of ISO 27001
The main standard document ISO 27001 addresses requirements for the Information Security Management System, as well as how to establish, manage and monitor the ISMS. It continues by addressing ISMS responsibilities, as well as audit and management review aspects.
The ISO 27001 certification process
In many countries, certification bodies have been established under the umbrella of accreditation bodies. For example, one of the authors, Marc Sel, is accredited Lead Auditor for PwC’s Certification Body ‘PwCC B.V.’ which is on a peer level with the BSI, TÜV and KEMA1 . PwCC B.V. is in turn accredited by the Dutch Accreditation Body (‘Raad voor Accreditatie’).
The International Register of ISMS accredited certificates lists those certificates that have been awarded to organisations that have gone through an accredited certification process in line with the ISMS standard BS 7799 Part 2:2002 and ISO/IEC 27001:2005 (i.e. the revised version of BS 7799 Part 2:2002).
This register has been produced in cooperation with the international network of certification bodies and is managed and maintained by the ISMS International User Group (IUG). It is updated on a regular basis in co-operation with the certification bodies. The entries in this register have been supplied by those certification bodies that have carried out the ISMS certification.
The increasing interest in ISO 27001 certification
In November 2008, almost 5.000 ISMS certificates have been issued (4.987 to be precise2) . The top five countries with the highest number of certificates today are Japan, India, the UK, Taiwan and China. They are followed by Germany and the USA.
The best advice to follow is to centralise core IT services in larger data centres. For example, the data centres of PwC Yemen, UK, Hong Kong, China, and USA have been secured by ourselves and accredited by the BSI against ISO 27001:2005. This gives us a strong background when helping customers prepare for such certification or improve their security posture.
In Luxembourg, only one company is registered as being accredited against the standard so far. However, considering the current trend of financial institutions to focus on their core business by considering outsourcing of several functions, coupled with the increasing need to embed trust in business relationship, all conditions are fulfilled to lead to a growing interest for this certification. Indeed, unlike current perception of other standards, the ISO 27001:2005 relies upon clear requirements and implementation guidelines that provides sufficient transparency to bring the required level comfort that an accredited company meets adequate level of security to build trust with its stakeholders. The implementation of an ISO 27001 ISMS is clearly becoming an optimal approach to help organisations tackle the current regulatory requirements with regards to Information Technology controls.
Finally, rather than individually answering each request for compliance, it is advised to look at the requirements holistically, and build a framework that allows demonstrating compliance against a broad set of regulations, re-using the same set of well-defined controls. The implementation of such a control framework makes demonstrating compliance significantly less expensive.
1 BSI British Standards is the National Standards Body of the UK, TÜV Rheinland Group is a leading provider of technical services worldwide, KEMA is a commercial enterprise, specializing in high-grade business and technical consultancy, inspections and measurement, testing and certification.
2 The status of the official ISO 27001 certificates is available at www.iso27001certificates.com
Source: PwC
Monday, December 15, 2008
VanceInfo Technologies gets ISO 27001 certification for Shanghai VanceInfo Technologies
VanceInfo Technologies Inc. (VIT: News ) Monday said it achieved the International Organization for Standardization 27001 certification for its subsidiary Shanghai VanceInfo Technologies Limited. VanceInfo's recent certification recognizes the company's adoption of an effective information security system that complies with one of the highest established international standards.
VanceInfo Technologies Inc. is an IT service provider and an offshore software development company in China.
VanceInfo Technologies Inc. is an IT service provider and an offshore software development company in China.
Tuesday, December 9, 2008
Gary Hinson on ISO/IEC 27000
Few doubt that a major consequence of the current economic meltdown will be more regulations for the private sector to follow. New regulations almost always mean more spending on security and privacy controls. For a glimpse of what to expect, CSO turned to Gary Hinson, a New Zealand-based IT governance specialist and CEO of IsecT Ltd.
Hinson says to expect changes in the coming year, but they won't necessarily be tied to new regulations born of the financial crisis. Instead, his focus is on changes for the ISO/IEC 27000 family of standards. His efforts to help security pros understand the standards include a regularly-updated website: ISO27001security.com. Hinson spoke with CSOonline.com Senior Editor Bill Brenner about the nature and timing of updates to these important standards.
Where do you see the most significant regulatory changes in 2009?
There are a number of planned changes to the ISO/IEC 27000 family of Information Security Management System (ISMS) standards (collectively "ISO27k") over the next year or so, with several additional standards currently under development, several standards about to be released and earlier releases undergoing planned revision.
Let's start with the planned revisions.
Work is under way within JTC1/SC27, the ISO/IEC committee responsible for ISO27k, to review and where necessary adapt ISO/IEC 27001 and 27002. Both standards are being actively used around the world of course, making it likely that changes will be relatively limited in order to avoid disrupting the existing implementations and particularly the certification processes. I believe that in Japan, for instance, ISO/IEC 27002 is specifically recommended if not required to satisfy the Japanese privacy/data protection laws, with organizations being compliance-assessed against the code of practice although it was not originally intended by ISO/IEC to be used in that manner. No one really knows how many organizations have adopted ISO/IEC 27002 globally but I would guess it must be in the hundreds of thousands by now.
In revising ISO/IEC 27002, what are you pressing the committee to focus on?
1. Address and resolve the confusion around "information security policy" versus "ISMS policy" -- the latter being closer to strategy, as far as I can see.
2. Expand on the concept of personal accountability versus responsibility and clarify what is meant by "information asset."
3. Expand on typical computer room controls, for example environmental monitoring with local and remote alarms for fire, water, intrusion, power problems etc.
4. Update section 10.8 "Exchange of information" to improve coverage of mobile code, Web 2.0/Software As A Service etc. Technical advances are a tricky area for ISO27k since publication of the standards is such a long, slow process They try as far as possible to keep the standards technology-neutral but this can result in them lacking guidance in some areas].
5. Expand section 11.2 on "User access management" to include more on identification and especially authentication of remote users.
6. Provide pragmatic guidance on security testing of new/changed application systems in section 12.
7. Expand section 14 on "Business continuity management" to cover resilience as well as disaster recovery. This section would also benefit from more explanation of "contingency."
8. Update section 15 to reflect legal and regulatory changes such as the rise of e-discovery, document/e-mail retention and increasing use of computer data as evidence in court.
9. Emphasize the value of IT auditing processes in section 15.3.
Source: CSO Online
Hinson says to expect changes in the coming year, but they won't necessarily be tied to new regulations born of the financial crisis. Instead, his focus is on changes for the ISO/IEC 27000 family of standards. His efforts to help security pros understand the standards include a regularly-updated website: ISO27001security.com. Hinson spoke with CSOonline.com Senior Editor Bill Brenner about the nature and timing of updates to these important standards.
Where do you see the most significant regulatory changes in 2009?
There are a number of planned changes to the ISO/IEC 27000 family of Information Security Management System (ISMS) standards (collectively "ISO27k") over the next year or so, with several additional standards currently under development, several standards about to be released and earlier releases undergoing planned revision.
Let's start with the planned revisions.
Work is under way within JTC1/SC27, the ISO/IEC committee responsible for ISO27k, to review and where necessary adapt ISO/IEC 27001 and 27002. Both standards are being actively used around the world of course, making it likely that changes will be relatively limited in order to avoid disrupting the existing implementations and particularly the certification processes. I believe that in Japan, for instance, ISO/IEC 27002 is specifically recommended if not required to satisfy the Japanese privacy/data protection laws, with organizations being compliance-assessed against the code of practice although it was not originally intended by ISO/IEC to be used in that manner. No one really knows how many organizations have adopted ISO/IEC 27002 globally but I would guess it must be in the hundreds of thousands by now.
In revising ISO/IEC 27002, what are you pressing the committee to focus on?
1. Address and resolve the confusion around "information security policy" versus "ISMS policy" -- the latter being closer to strategy, as far as I can see.
2. Expand on the concept of personal accountability versus responsibility and clarify what is meant by "information asset."
3. Expand on typical computer room controls, for example environmental monitoring with local and remote alarms for fire, water, intrusion, power problems etc.
4. Update section 10.8 "Exchange of information" to improve coverage of mobile code, Web 2.0/Software As A Service etc. Technical advances are a tricky area for ISO27k since publication of the standards is such a long, slow process They try as far as possible to keep the standards technology-neutral but this can result in them lacking guidance in some areas].
5. Expand section 11.2 on "User access management" to include more on identification and especially authentication of remote users.
6. Provide pragmatic guidance on security testing of new/changed application systems in section 12.
7. Expand section 14 on "Business continuity management" to cover resilience as well as disaster recovery. This section would also benefit from more explanation of "contingency."
8. Update section 15 to reflect legal and regulatory changes such as the rise of e-discovery, document/e-mail retention and increasing use of computer data as evidence in court.
9. Emphasize the value of IT auditing processes in section 15.3.
Source: CSO Online
Subscribe to:
Posts (Atom)