Managing Cyber Threat: UAE Cybersecurity Strategy, Information Assurance Regulation and ISO 27001, part 2/2
Saleh Omeir , UAE, NCSS, IAS, ISO27001 2/2


---------------------------------------------------------------------------------------------

An overview of ISO 27001

---------------------------------------------------------------------------------------------------------------

Contents:

  • Introduction
  • ISO 27001 Objectives
  • Relevance to the Quality Management System -QMS
  • Who is entitled to use this standard – anyone can
  • ISO 27001 Relationships to ISO 27002 and other family members
  • Overview of ISO 27001 controls
  • Cornerstone
  • Summary of Steps required to implement ISO 27001 and conducting an internal audit
  • Obtaining a copy of the standards
  • How much would it cost to get certified with ISO 27001? 

Introduction:

The family of information security standards known as the ISO/IEC 27000 (27K) series was developed through the joint effort of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which collaborated in the development of this series.

The internationally recognized and well-established ISO/IEC 27001, the current edition of 2013-11 (Second edition 2013-10-01), is an information security standard that lays out the requirements for designing, implementing, and maintaining an ISMS (Information Security Management System) in an organization.

The standard, titled ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements, was last reviewed and confirmed in 2019; therefore the 2013 edition remains the current version, as per the ISO portal.

ISO 27001 is a well-accepted standard because it doesn’t just cover protecting electronic information and information assets; it also includes guidelines for securing physical aspects that relate to information assets, like intellectual property and trade secrets. For example, the standard obliges compliance with intellectual property rights, enforces physical access measures like limiting access, and also enforces segregation of duties.

The ISO 27001 ISMS is a coherent and comprehensive system that guarantees continuous monitoring and treatment of information systems risks and threats, against the continuously changing and challenging threats that organizations experience during their operation.

Although ISO 27001 is not required by law (not obligatory just yet), it is widely considered essential to any company handling sensitive information; in addition, many global organizations request ISO 27001 “Certification“ before getting involved in business engagements and interactions. This standard

ISO 27001 Objectives:

The essential goal of ISO 27001 is to preserve the three sides of the security triad (C.I.A.); this protection provides confidence that IS risks are adequately managed:

1.      Confidentiality: To control access and to ensure that only authorized individuals are given access rights, logical and/or physical.

2.      Integrity: To ensure that data and information cannot be changed except by authorized individuals.

3.      Availability: To ensure that information is available when required.

Relevance to the Quality Management System:

Having ISO certification indicates that your organization has a distinction. To external parties, this certification shows that the organization has implemented ISO guidelines, best practices, and generally accepted principles for initiating, implementing, maintaining, and improving the management of information security, i.e. the ISMS.

The drivers and benefits of conformance to standards and compliance with regulations are well known. Standards are also complementary to each other. An organization can gain the utmost benefit if it implements a quality management system such as ISO 9001 (Quality Management System) before implementing ISO 27001. ISO 9001 QMS facilitates continuous improvement of efficiency and fosters increased profitability and productivity; it simply ensures that you are following best practices.

If your organization has already undergone ISO 9001 certification, the steps to implement ISO 27001 can leverage the existing QMS infrastructure and pave the way for smooth and quick adoption. Financially, this is also an efficient scenario to follow.

Who is entitled to use this standard – anyone can:

An organization can choose to pursue the ISO 27001 compliance process by consulting an accredited auditing firm/consultancy or an accredited registrar. Accreditation here means nationally or internationally accepted competence and reputation, or it may be specified by the party requesting compliance. ISO itself does not provide compliance certification; rather, it develops international standards. The standard is generic and can be implemented in any organization of any size, in any business domain and activity.

Internally, an organization can utilize the standard as a guideline to improve and assess its Information security posture and security requirements.

ISO 27001 Relationships to ISO 27002:

ISO 27001 is the certifiable management standard specification. The auditor will assess and examine the organization's security posture against each control of ISO 27001.

ISO 27002 is the “how-to”: the code of practice and guidelines for implementing the standard and framework. It is a reference of controls, each with an additional guidance paragraph, that helps filter down to the list of controls matching an organization’s requirements based on a risk assessment.

It is worth mentioning at this point that ISO 27K is a family of 74 individual standards, technical reports and specifications, and clauses, some of which are still in the draft stage. Let me introduce you to a few family members:

1- ISO/IEC 27000 is an overview and vocabulary of the whole ISO27K family and provides definitions of ISMS terms.

2- ISO/IEC 27003 provides a “process-oriented approach” to the successful implementation of an ISMS following ISO 27001.

3- ISO/IEC 27004 provides guidelines for assessing the effectiveness of the implemented ISMS and its performance in monitoring information security under ISO 27001.

4- ISO/IEC 27005 provides details on process-oriented risk management (assessment and treatment) approaches.

5- ISO/IEC 27007 provides guidance on internal or external auditing of an ISMS against the requirements specified in ISO 27001.

6- ISO/IEC TR 27008 is a technical report that provides guidance on reviewing the implementation and operation of technical controls against the established IS standard.

7- ISO/IEC 27009 provides guidance on sector-specific application of ISO 27001.

8- ISO/IEC 27010 provides guidance for information security management in inter-organizational and inter-sector communications.

9- ISO/IEC 27011 provides a code of practice for information security controls for telecommunications organizations following ISO 27001.

10- ISO/IEC 27013 provides a better understanding (on a situational basis) of the simultaneous implementation of ISO 27001 and ISO 20000 (IT Service Management System, SMS).

11- ISO/IEC 27014 provides guidance on principles and processes for the governance of information security.

===============================================================

Cornerstone:

An organization cannot prevent cyber threats, which can materialize at any time, but it can certainly reduce the impact of risks and reduce vulnerabilities by designing and implementing proper controls. Control selection should follow, and be tailored to, the risk assessment results.

===============================================================

Overview of ISO 27001:

First Part: Requirements clauses. Each clause contains one or more main security categories.

They are listed in an order that makes them easy to understand, rather than by importance. The following are the 7 clauses, from Clause 4 to Clause 10, with a short description of each:

Clause 4 Context of the organization: emphasizes identifying and understanding the context (activity) of the organization, the needs and expectations of interested parties, and the determination of boundaries that will guide the implementation of the ISMS.

Clause 5 Leadership: clarifies the importance of leadership and its role in successfully deploying the ISMS. It also requires and explains leadership's important role in creating a high-level IS policy and in defining the organizational roles of IS team members.

Clause 6 Planning: identifies general risk management activities, including risk assessment, risk analysis and risk treatment, in addition to information security objectives and their related documentation.

Clause 7 Support: defines supporting roles related to building and maintaining the ISMS. This clause also requires the identification of competences, training, communication protocols, and control of documents.

Clause 8 Operation: details the operational part of ISMS deployment, adding more points on risk management during implementation.

Clause 9 Performance evaluation: identifies methods to evaluate and monitor the effectiveness of the ISMS's information security performance, and gives a general description of auditing and management review.

Clause 10 Improvement: identifies how to react to nonconformities with corrective actions, and requires continual improvement of the ISMS.

Besides conformance to the controls, organizations must fulfill clauses 4 to 10 as part of the certification process. Ignoring or excluding these sections would trigger a nonconformity.

Second Part: Annex A (normative) - Reference control objectives and controls:

The 2013 edition of the ISO 27001 standard contains 14 main security control clauses; these 14 clauses branch into 35 main security categories, which collectively cover the 114 controls. The controls are aligned with ISO 27002 and with the requirements identified in the 7 clauses explained in the First Part.

Each control belongs to a sub-family and has a descriptive paragraph containing the main security control objective and the control name.

Controls: control details are given in tables in the following format:

Control Ref. Number; Control Name; Objective.

as in the following excerpt from the standard:

"A.8.1.3; Acceptable use of assets; (Control) Rules for the acceptable use of information and assets associated with information and information processing facilities shall be identified, documented, and implemented."

(In the ISO 27002 document, more details are added for each control, as follows: Control Name; Statement; Implementation Guidance; Other Information.)

The reference control objectives and controls tables start from section A.5 on page 10 and end on page 22 with the end of the section A.18 controls. The analysis list of controls is attached below.

Attachment: Saleh Omeir, ISO 27001 controls (analysis list)

Summary of Steps required to implement ISO 27001 and conducting an internal Audit:

Below is a generic summary of an audit engagement. It does not provide specific guidance for performing a full compliance audit; it outlines high-level activities:

Planning & Identification phase:

  • Secure senior management approval to build and develop competent team members who will support the audit project engagement.
  • Conduct a gap analysis to identify high-impact threats and vulnerabilities, by meeting with the various identified stakeholders of the organization. These discussions would detail and document existing policies and procedures.
  • Set the scope of the ISMS and secure management approval. A high-level budget can be proposed at this stage, taking into consideration the difference between the current status and the aspired future status.
  • Department heads, managers, IT and security officers shall develop and agree on a high-level IS security policy.

Risk Assessment phase:

  • Refer to ISO 27005 and utilize qualitative and quantitative assessment methods. Conduct the risk assessment, referencing Annex A, to generate the Statement of Applicability (SoA), which is the target of this step.
  • Categorize and shortlist the risk treatment controls based on the SoA from the previous step.
  • Implement and apply the controls. At the same time, effort shall be spent preparing and securing conformance to clauses 4 to 10.
  • Perform training sessions for end users on the approved IS policy and controls.

Auditing phase:

  • Perform an independent IS audit; gather and document evidence.
  • Perform audit analysis on the findings and draft recommendations.
  • Review and report NCRs and outline opportunities for improvement.
  • Perform clean-up work and closing.
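The Risk Assessment phase above ends in a Statement of Applicability. The following Python script is added here as an illustration and is not part of the article: it scores a constructed risk register on a 1-5 likelihood x impact scale, maps each risk above a constructed tolerance of 8 to the ISO 27001:2013 Annex A controls that would treat it (A.8.1.3 is the control quoted above; the others are real Annex A references), and produces an SoA entry, with justification, for every listed control.

```python
# Added illustration (not from the article): turning a risk assessment into a
# Statement of Applicability (SoA). Risk level = likelihood x impact on a 1-5
# qualitative scale (ISO 27005 style); control references are from ISO 27001:2013
# Annex A; the risk register and tolerance are constructed for this example.
from dataclasses import dataclass
RISK_TOLERANCE = 8  # constructed threshold: a risk scoring above it needs treatment

ANNEX_A = {  # excerpt of Annex A reference controls (ref: name); A.8.1.3 is quoted above
    "A.8.1.3": "Acceptable use of assets",
    "A.9.4.1": "Information access restriction",
    "A.11.1.2": "Physical entry controls",
    "A.12.2.1": "Controls against malware",
    "A.12.3.1": "Information backup",
    "A.14.2.1": "Secure development policy",
}

@dataclass
class Risk:
    ident: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    controls: tuple   # Annex A references that would treat this risk

    @property
    def level(self) -> int:
        return self.likelihood * self.impact

# Constructed risk register for the example.
RISK_REGISTER = [
    Risk("R1", "Ransomware encrypts the file servers", 4, 5, ("A.12.2.1", "A.12.3.1")),
    Risk("R2", "Staff misuse of company laptops", 3, 3, ("A.8.1.3",)),
    Risk("R3", "Unauthorised entry to the server room", 2, 5, ("A.11.1.2", "A.9.4.1")),
]

def build_soa(register, tolerance=RISK_TOLERANCE):
    """Return {ref: (name, applicable, justification)} for every Annex A control.
    A control is applicable when at least one risk above tolerance maps to it;
    the SoA must still list, and justify excluding, the remaining controls."""
    needed = {}
    for risk in register:
        if risk.level > tolerance:
            for ref in risk.controls:
                needed.setdefault(ref, []).append(f"{risk.ident} (level {risk.level})")
    soa = {}
    for ref, name in ANNEX_A.items():
        if ref in needed:
            soa[ref] = (name, True, "treats " + ", ".join(needed[ref]))
        else:
            soa[ref] = (name, False, "no risk above tolerance maps to this control")
    return soa

if __name__ == "__main__":
    for ref, (name, applicable, why) in build_soa(RISK_REGISTER).items():
        print(f"{ref:9} {name:32} {'Yes' if applicable else 'No':3}  {why}")
```

Raising the tolerance moves controls from applicable to excluded, which is exactly the decision an auditor will ask the organization to justify for each row of the SoA.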

Obtaining a copy of the standards

The ISO 27001 series is protected by international copyright laws and is not free to download, except for ISO 27000 (Fifth edition, 2018-02), which is free to download. The certifying body may provide a licensed copy or an annual subscription, or the standard can be purchased from the ISO portal directly in .pdf format, individually or in packages along with other standards.

Link: free download of ISO 27000 (Fifth edition 2018-02) in English:

https://standards.iso.org/ittf/PubliclyAvailableStandards/c073906_ISO_IEC_27000_2018_E.zip

How much would it cost to get your organization compliant and certified with ISO 27001?

You may have noticed that preparation for the certification process demands:

(1) internal resource effort, and effort costs money; (2) an external auditing firm, acting as auditing consultancy or as certification body / registrar; and (3) the cost of updating existing technologies and procuring additional technologies or services to fulfill a control’s compliance. Effort is also directly associated with time and scope. Controls will be applied under the 14 domains, categorized as technical, organizational, legal, physical, and human resource controls.

Answer to the fundamental question: do we proceed or not with implementing information security standards or an ISMS?

Please be reminded that the investment in adopting standards is considered, and has been proven, to bring financial benefits in the long term. The reader should not get confused at this point about the question of “go or no go” with implementing information security or assurance standards. These decisions are not only strategic for the survival of the organization and embraced to assure business continuity (and must be taken by the highest authority in the organization); they are considered a requirement to avoid losses, like investing in a goalkeeper. You need a goalkeeper, it's indisputable, to protect your team from losing.

Let’s have these three costs listed and detailed for clarity:

(1) Costs of internal resource effort to design and build an ISMS:

This category depends on the size of the organization, the extent of deployment, the experience and capabilities of the team, the maturity of the organization, and the existing control structure. Examples:

A- Resources to be dedicated to this implementation, for example an experienced and competent lead auditor, team members, document controller(s), and coordinators.

B- Training for the resources (who would be the champions of the implementation project).

C- Effort involved in engaging resources from other departments; effort and time are required to enable these teams and cooperate with them to arrive at mutually accepted policies (IT, HR, legal, procurement and purchasing, accounting, core business, engineering and contracting, sales, HSE and other functions).

(2) External auditing firm:

The external auditor's role also depends on the organization's information security posture.

The consultant would analyze and assess the existing security infrastructure and provide a commercial proposal. Examples:

A- Application fees.

B- Costs of providing training.

C- Auditing fees.

D- Certification fees, re-audit and certificate maintenance fees.

(3) The cost of updating hardware or services, or procuring additional ones, to fulfill control requirements:

As stated above, this cost relates to any additional hardware or service that fulfills compliance with a control. This might range from a low to a considerable investment, based on the results of the risk assessment and gap analysis. Examples:

A- Licenses and upgrades of existing software; swapping an old application that cannot be patched for a new anti-virus or other protection application.

B- New devices/systems: firewalls, NG routers, AV, WAF, IPS/IDS, SIEM, VPN.

C- Additional telecom backup link to the ISP, an additional VSAT link, or a new fiber optic link on an alternate route.

D- Additional fire extinguishing system, VESDA, additional air conditioning, additional cabinet access control, additional beam lighting, additional CCTV, additional electric power protection system, UPS, power generators.

E- Remote DR sites, backup hardware, local storage, remote storage, cloud storage, or constructing a new disaster recovery remote site.

F- Procuring insurance against flooding, fire and earthquake; insuring against theft, sabotage, and arson.

G- Manned security, security guard services.

H- Dismantling and scrapping fees.

I- Purchasing, preventive and corrective maintenance fees.

Link to part 1 of this article:

Managing Cyber Threat: UAE Cybersecurity Strategy, Information Assurance Regulation and ISO 27001, part 1/2


Saleh Omeir / www.dhirubhai.net/in/saleho
