ISO 27001/BS 25999 documents, presentation decks and implementation guidelines

Can ISO 27001 risk assessment be used for ISO 22301?

By Dejan Kosutic on March 11, 2013

A few days ago I received the following question from one of our clients: “What is the difference between ISMS Risk Assessment and BCM Risk Assessment?” And, although the answer to this question might seem easy, in actuality it is not.

Here’s the rest of his question: “… Because on your blog I found that if I’ve done ISMS it should be fine for BCM. On the other hand, ISO 22301 recommends to use ISO 31000 standard.”

Why ISO 27001 risk management framework is a good solution

It is true that ISO 22301 refers to ISO 31000 regarding risk assessment, but ISO 31000 is written very generally since it covers all kinds of risks (not only business continuity, but information security, financial, market, credit, and other risks).

On the other hand, risk assessment framework is described much better in ISO 27001, and even more precisely in ISO 27005; the focus of information security risk assessment is on preserving confidentiality, integrity and availability. And availability is the key link between information security and business continuity – when performing ISMS risk assessment, all the business continuity risks will be taken into account.

And the good thing is, risk assessment as it is described in ISO 27001 and ISO 27005 is perfectly aligned with ISO 31000.

Possible differences in approach

But this is where it might get complicated – my client had another question because he wanted everything to be cleared up: “I think that another difference between those two Risk Assessment approaches is – with ISMS we deal with assets (both primary and supportive); however, with BCM we deal with critical activities and processes.”

And he was basically right – business continuity risk assessment does not have to be so detailed; it can be made high-level for activities and processes. But, although this approach is fine from the point of view of the standard itself, in my view the problem is in the implementation – how would you mitigate the risks if you don’t know exactly where the problems are?

This is where I think ISO 27001 risk assessment framework is better – it forces you to pinpoint where the weaknesses are, which assets should be protected better, etc. If you kept the risk assessment on the process level you probably wouldn’t get all this valuable information.

Risk mitigation compatibility

It is worth mentioning here – ISO 27001 risk treatment options are completely aligned with risk mitigation requirements in ISO 22301 and ISO 31000. Basically, business continuity mitigation comes down to 4 options described in ISO 27001: (1) applying appropriate controls, (2) accepting risks, (3) avoiding risks, and (4) transferring risks. There are no options listed in ISO 22301, while in ISO 31000 they are named a bit differently and organized a bit differently, but they are essentially the same: changing the likelihood and the consequence, retaining the risk, avoiding the risk, and sharing the risk.

Further, ISO 22301 requires you to “plan actions to address these risks and opportunities,” while ISO 27001 asks for developing the Risk Treatment Plan – again, a very similar requirement with a slightly different name.

And to finish with this: there is another good thing about ISO 27001 – in Annex A it gives you a catalogue of possible safeguards to choose from; this is something that neither ISO 22301 nor ISO 31000 has.

Hope I managed to persuade him. What do you think?



Cybersecurity Executive Order confirms how crucial information security is for critical infrastructure

By Dejan Kosutic on February 25, 2013

For a long time a debate has been going on regarding whether information security/cybersecurity has something to do with critical infrastructure, and if yes, how important cybersecurity is for critical infrastructure. This dilemma is definitely resolved with President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity.

For quite some time now, cyber attacks on various financial institutions, technology companies, and media houses have been filling the newspaper headlines. However, most people seem to be quite indifferent to such incidents – the “It’s just another hacker having fun” perception. What they don’t understand is that this could be merely foreplay to something much more serious.

For instance, could you imagine a blackout lasting 1 or 2 weeks? Or perhaps stopping the public transport for a couple of hours during rush hour (and doing that for a couple of days in a row)? And how about this – stealing intellectual property from companies, so that they no longer have a competitive edge? (As a consequence, they have to lay off people, and the most profitable business goes to some other country, to some other continent.) And how about messing with IT systems of air traffic control? Or the systems of nuclear power plants? Or perhaps those of the stock exchange? Coupled with launching some (false) news through legitimate media houses?

And all of this together? Compared with something like that, 9/11 would seem like child’s play.

I’m not saying this will happen for sure, but rest assured that this is definitely one of the options the attackers are considering. Why? It is much easier to weaken a nation by attacking its critical infrastructure than by attacking it with conventional weapons.

This is because a cyber attacker doesn’t have to assemble an army or purchase weapons; it doesn’t even have to train suicide bombers and then figure out how to infiltrate them into a foreign country; it doesn’t matter if their attack succeeds or not, because the attackers will always be protected, far out of reach of the legal system of the country they’ve attacked; and lastly, most countries still do not have a doctrine on how to treat cyber attacks, so basically they won’t hit back, or at least not in comparable measure.

Luckily, governments are much more aware of such scenarios, and the Executive Order is a product of this. And how far the governments must go is visible also from the related Presidential Policy Directive on Critical Infrastructure Security and Resilience – both government and private organizations are covered by this regulation, and specifically, the sectors that are covered are Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors, Materials, and Waste, Transportation Systems, and Water and Wastewater Systems.

It is debatable whether it is possible to organize such a comprehensive defense on such a wide front; however, one thing is for sure – unless a government recognizes the breadth of a problem, and directs its policy accordingly, the effect will be poor. And the U.S. government certainly did recognize the priorities, and set good foundations.

With this Executive Order a bare truth, already known to information security specialists, will now become clear to the general public: the biggest vulnerability of a modern society is no longer a lack of ability to defend itself against an attack with conventional arms; the biggest vulnerability is a lack of ability to defend itself against cyber attacks.



Main changes in the new ISO 27002 (2013 draft version)

By Dejan Kosutic on February 11, 2013

In my previous blog post I analyzed the changes between the old ISO 27001 (published in 2005) and the 2013 draft; naturally, controls from ISO 27001 Annex A cannot change without changing ISO 27002 because the essence of these two standards is to be aligned.

So, let’s take a look at what changes are proposed for ISO 27002 (source: BSI website) – it is important to note here that since this is only a DIS (draft) version of ISO 27002:2013, it is expected that the final version will differ quite a bit. Here I’ll focus mainly on how the controls are structured, and not so much on their description – so here are the main differences:

Number of sections – as expected, the number of sections has increased – from 11 sections containing controls in the old standard to 14 in the new. This way, the problem in the old standard, where some controls were artificially inserted in certain areas where they did not belong, is now resolved.

Number of controls – surprisingly, the number of controls has decreased – from 133 to only 113! This is due to eliminating some controls that were too specific or outdated.

Structure of sections – Cryptography has become a separate section (#10) – it is (logically) not part of Information systems acquisition, development and maintenance any more. A similar thing has happened with Supplier relationships – as deserved, they have become a separate section (#15). Communications and operations management is divided now into Operations security (section 12), and Communications security (now section 13). Here is how the sections look now:

  • 5 Security Policies
  • 6 Organization of information security
  • 7 Human resource security
  • 8 Asset management
  • 9 Access control
  • 10 Cryptography
  • 11 Physical and environmental security
  • 12 Operations security
  • 13 Communications security
  • 14 System acquisition, development and maintenance
  • 15 Supplier relationships
  • 16 Information security incident management
  • 17 Information security aspects of business continuity
  • 18 Compliance

Placement of security categories – some categories have moved between sections:

  • Mobile devices and teleworking, previously in Access control, is now 6.2 – part of section 6 Organization of information security.
  • Media handling was previously part of Communications and operations management, but now it is 8.3, part of 8 Asset management.
  • Operating system access control, and Application and information access control, have now merged into System and application access control (9.4), and have remained in section 9 Access control.
  • Control of operational software, previously a single control in Information System acquisition, development and maintenance, is now a separate category 12.5, part of the Operations security section.
  • Information systems audit considerations have moved from Compliance to 12.7, part of the Operations security section.
  • A Security category called Network access control is gone, and some of its controls have moved to section 13 Communications security.
  • Information transfer (previously called Exchange of information) is now 13.2, part of section 13 Communications security.
  • The controversial category Correct processing in applications (part of the old Information System acquisition, development and maintenance) is now gone.
  • Electronic commerce services does not exist as a separate category anymore, and controls are merged into 14.1 Security requirements of information systems.
  • Two categories from the section Information Security Incident Management are now merged into one.
  • The Business continuity section has received a new category – 17.2 Redundancies. Basically, this is about disaster recovery.

New controls – here are a few controls that are new:

  • 14.2.1 Secure development policy – rules for development of software and information systems
  • 14.2.5 System development procedures – principles for system engineering
  • 14.2.6 Secure development environment – establishing and protecting development environment
  • 14.2.8 System security testing – tests of security functionality
  • 16.1.4 Assessment and decision of information security events – this is part of incident management
  • 17.2.1 Availability of information processing facilities – achieving redundancy

Controls that are gone – finally, here are some of the controls that do not exist anymore:

  • 6.2.2 Addressing security when dealing with customers
  • 10.4.2 Controls against mobile code
  • 10.7.3 Information handling procedures
  • 10.7.4 Security of system documentation
  • 10.8.5 Business information systems
  • 10.9.3 Publicly available information
  • 11.4.2 User authentication for external connections
  • 11.4.3 Equipment identification in networks
  • 11.4.4 Remote diagnostic and configuration port protection
  • 11.4.6 Network connection control
  • 11.4.7 Network routing control
  • 12.2.1 Input data validation
  • 12.2.2 Control of internal processing
  • 12.2.3 Message integrity
  • 12.2.4 Output data validation
  • 11.5.5 Session time out
  • 11.5.6 Limitation of connection time
  • 11.6.2 Sensitive system isolation
  • 12.5.4 Information leakage
  • 14.1.2 Business continuity and risk assessment
  • 14.1.3 Developing and implementing business continuity plans
  • 14.1.4 Business continuity planning framework
  • 15.1.5 Prevention of misuse of information processing facilities
  • 15.3.2 Protection of information systems audit tools

Since the structure of ISO 27002 is completely aligned with controls from ISO 27001, all these changes are also valid for new ISO 27001 Annex A.

At first sight, there are many changes… However, I don’t think most of these changes are really fundamental – many of them have actually corrected the incorrect structure of the old ISO 27002, and added the controls that were missing in the first place. Some things did change – like network security and development process – these areas are now more loosely described and thus more freedom is given to companies on how to implement them.

To conclude, I like these changes – it seems to me implementing this new standard is going to be easier.


A first look at the new ISO 27001 (2013 draft version)

By Dejan Kosutic on January 28, 2013

When I heard the news that the DIS (draft) version of ISO 27001:2013 is publicly available at the BSI website (until 23 March 2013), I was very impatient to read it. Although one should not get too excited yet – this draft version might differ quite a bit from the final version of the standard (expected to be published in the second half of 2013) – the purpose of such a draft standard is to be revised based on many inputs during a public debate.

When compared to the old (still valid at the time of writing this article) ISO/IEC 27001 from 2005, the changes are actually not too drastic – here are the main differences I found:

The structure

As expected, the new ISO 27001 will be compliant with Annex SL of ISO/IEC Directives, in order to be aligned with all the other management standards – this is already evident in ISO 22301, the new business continuity management standard. So, here are the main clauses that you will see in all the management standards:

0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement

Naturally, Annex A is still here in the new ISO 27001 – this is where all the controls are listed. The quite useless Annex B from the old standard is gone, while there is no need for Annex C anymore.

Interested parties

The huge importance of interested parties, which can include shareholders, authorities (including legal and regulatory requirements), clients, partners, etc., is recognized in the new ISO 27001 – there is a separate clause that specifies that all the interested parties must be listed, together with all their requirements.

This is definitely an excellent way of defining key inputs into the ISMS.

Documented information

The concepts of “documents” and “records” are merged together; so, now it is “documented information.” Consequently, all the rules that are required for documentation control are now valid for both documents and records; the rules themselves haven’t changed much from the old ISO 27001.

The requirement in the old standard for documented procedures (Document control, Internal audit, Corrective action, Preventive action) is gone – however, the requirement for documenting the output from those processes remains in the new standard. Therefore, you don’t need to write those procedures, but you need to maintain all the records when managing documents, performing internal audits, and executing corrective actions.

Also, the clause from the old standard where all the required documents are listed (4.3.1) is gone – there is no central list of required documents.

Risk assessment and treatment

Assets, vulnerabilities and threats are not the basis of risk assessment anymore! It is only required to identify the risks associated with the confidentiality, integrity and availability – although this might seem too radical of a change, the authors of the new standard wanted to allow more freedom in the way the risks are identified; however, I assume that the assets-vulnerabilities-threats methodology will remain as a best practice for a long time.

The concept of determining the level of risk based on consequences and likelihood remains the same.

Further, the Risk Assessment Methodology does not need to be documented, although the risk assessment process needs to be defined in advance; the concept of asset owner is gone, too – a new term is used: “risk owners” – so the responsibility is pushed to a higher level.

Objectives, monitoring and measurement

A big change here: these are not mentioned within some other requirements, but now there are separate clauses with very concrete rules. The rules are that you need to set clear objectives, you need to define who will measure them and when, and you need to define who should analyze and evaluate those results. Further, comprehensive plans need to be developed that will describe how the objectives will be achieved.

This is definitely something that will bring ISMS closer to other management processes in a company. Hopefully, it will push information security onto the management agenda because – once you have very clear figures as to how your security performs – you cannot turn your head away from it.

Corrective & preventive actions

The biggest change is there are no preventive actions anymore, at least not at first sight – they are basically merged in risk assessment and treatment, where they naturally belong.

Further, a distinction is made between corrections that are made as a direct response to a nonconformity, as opposed to corrective actions that are made to eliminate the cause of a nonconformity. This way another ambiguity from the old standard is resolved.

Communication

This is also a new clause where all the requirements are summarized – what needs to be communicated, when, by whom, through which means, etc. This will help overcome the problem of information security being only an “IT thing” or “security thing” – the success of information security depends on both the IT side and the business side, and their overall understanding about the purpose of information protection.

What will this mean for the implementation?

I must admit I like all these changes – not only will the new ISO 27001 be easier to integrate with other management standards like ISO 9001, ISO 22301, ISO 20000 and others, but it also allows more freedom for companies (especially smaller ones) to scale the ISMS to their real needs and thereby avoid unnecessary overhead. But this may also turn out to be the greatest weakness of this new standard – because of its loose definitions, some companies may try to focus on satisfying the minimum instead of focusing on increasing security.

In other words, companies that mean well and really want to increase their level of security will find it easier to comply with this standard; however, companies that are not so well-intentioned and are looking for loopholes, implementing it only for the sake of certification, will see this standard as an opportunity.

P.S. I’ll examine the controls from Annex A more thoroughly in one of my next blog posts that will focus on new ISO 27002:2013.


ISO 27000 series – What to expect in 2013?

By Dejan Kosutic on January 15, 2013

Believe it or not, there are more than 30 standards in the ISO 27k series. And, to make things worse, they are constantly changing because information security theory and best practice are continuously evolving.

Here’s what will probably happen in 2013:

ISO/IEC 27001 – Since this is the main standard in the ISO27k series, its revision is eagerly awaited. It was published in what is, for this area, a very distant 2005, so the changes are certainly not going to be minor. The largest change (besides the controls from Annex A – for those see ISO 27002 below) will be in the structure of the standard – according to ISO directives Annex SL (previously called Draft Guide 83), the structure of every management standard will have to be aligned, so the same destiny is intended for the new revision of ISO 27001 as well. Such changes are best visible in ISO 22301, the new business continuity standard, which was the first one to be compliant with Guide 83 – click here to see the structure of ISO 22301.

The date for publishing ISO 27001 hasn’t been set yet, but it could be somewhere in the second half of 2013.

ISO/IEC 27002 – The revision of this standard will be published together with ISO 27001 because, as you probably know, it gives guidelines for implementation of controls from ISO 27001 Annex A – therefore, these two standards need to be aligned completely. See here what is expected to change: ISO 27002 – What will the next revision bring?

ISO/IEC 27004 – This is the standard that defines information security metrics; in other words – how to measure information security in an organization. It was initially published in 2009, and it will be in the revision process during 2013. It is, however, not likely that a new revision will be published in 2013.

ISO/IEC 27006 – This standard defines the requirements for certification bodies that provide the auditing services. Since other auditing standards (ISO 19011 and ISO/IEC 17021) are currently being revised, it is expected that the revised version of ISO 27006 will be published in 2013 or 2014.

ISO/IEC 27011 is the standard that provides guidelines for information security management in telecoms – since it relies heavily on ISO 27002, it will be revised once the new version of ISO 27002 is published. It may happen in 2013, but more likely in 2014.

ISO/IEC 27014 defines the governance of information security; since this standard is – at the time of writing this article – in FDIS status, it is expected to be published in the first half of 2013.

ISO/IEC TR 27016 is the standard that defines organizational economics for information security management. Since this standard is still in the draft version, it is theoretically possible that it will be published in 2013; however, 2014 is much more realistic as a publishing year.

ISO/IEC 27017 is the standard that will define a very hot area: security in cloud computing. Since it will depend heavily on revised ISO 27001 and ISO 27002, at best it will be published at the end of 2013 or the first half of 2014.

ISO/IEC 27018 is the standard that will provide a code of practice for data protection controls for public cloud computing services – similar to ISO 27017, this standard will wait until ISO 27002 is published. Let’s hope we’ll see it in 2013, or some time shortly after that.

ISO/IEC TR 27019 is the standard that focuses on information security management guidelines for the energy industry. Since it is based on ISO 27002, it is not expected to be published until the end of 2013 or in 2014.

ISO/IEC 27033-5 is still in the draft phase, and defines how to secure communications using virtual private networks (VPNs). Its publication is expected near the end of 2013.

ISO/IEC 27036 is still in the draft phase, too, and it specifies how to regulate information security in supplier relationships. This standard will be published in four or five parts, three of which could be published during 2013 or early 2014.

ISO/IEC 27040 defines another very interesting area: storage security. It is scheduled to be published in 2013, but may be pushed to 2014.

As you can see, many standards are to be published soon, or at least are going to be revised. Who says information security is a boring business?