ISO 27001/BS 25999 documents, presentation decks and implementation guidelines
Main changes in the new ISO 27002 (2013 draft version)

By Dejan Kosutic on February 11, 2013

In my previous blog post I analyzed the changes between the old ISO 27001 (published in 2005) and the 2013 draft; naturally, controls from ISO 27001 Annex A cannot change without changing ISO 27002 because the essence of these two standards is to be aligned.

So, let’s take a look at what changes are proposed for ISO 27002 (source: BSI website) – it is important to note here that since this is only a DIS (draft) version of ISO 27002:2013, it is expected that the final version will differ quite a bit. Here I’ll focus mainly on how the controls are structured, and not so much on their description – so here are the main differences:

Number of sections – as expected, the number of sections has increased – from 11 sections containing controls in the old standard to 14 in the new. This way, the problem in the old standard, where some controls were artificially inserted in certain areas where they did not belong, is now resolved.

Number of controls – surprisingly, the number of controls has decreased – from 133 to only 113! This is due to eliminating some controls that were too specific or outdated.

Structure of sections – Cryptography has become a separate section (#10) – it is (logically) not part of Information systems acquisition, development and maintenance any more. A similar thing has happened with Supplier relationships – as deserved, they have become a separate section (#15). Communications and operations management is divided now into Operations security (section 12), and Communications security (now section 13). Here is how the sections look now:

  • 5 Security Policies
  • 6 Organization of information security
  • 7 Human resource security
  • 8 Asset management
  • 9 Access control
  • 10 Cryptography
  • 11 Physical and environmental security
  • 12 Operations security
  • 13 Communications security
  • 14 System acquisition, development and maintenance
  • 15 Supplier relationships
  • 16 Information security incident management
  • 17 Information security aspects of business continuity
  • 18 Compliance

Placement of security categories – categories have mixed a bit:

  • Mobile devices and teleworking, previously in Access control, is now 6.2 – part of section 6 Organization of information security.
  • Media handling was previously part of Communications and operations management, but now it is 8.3, part of 8 Asset management.
  • Operating system access control, and Application and information access control, have now merged into System and application access control (9.4), and have remained in section 9 Access control.
  • Control of operational software, previously a single control in Information System acquisition, development and maintenance, is now a separate category 12.5, part of the Operations security section.
  • Information systems audit considerations have moved from Compliance to 12.7, part of the Operations security section.
  • The security category Network access control is gone, and some of its controls have moved to section 13 Communications security.
  • Information transfer (previously called Exchange of information) is now 13.2, part of section 13 Communications security.
  • The controversial category Correct processing in applications (part of the old Information System acquisition, development and maintenance) is now gone.
  • Electronic commerce services does not exist as a separate category anymore, and controls are merged into 14.1 Security requirements of information systems.
  • Two categories from the section Information Security Incident Management are now merged into one.
  • The Business continuity section has received a new category – 17.2 Redundancies. Basically, this is about disaster recovery.

New controls – here are a few controls that are new:

  • 14.2.1 Secure development policy – rules for development of software and information systems
  • 14.2.5 System development procedures – principles for system engineering
  • 14.2.6 Secure development environment – establishing and protecting development environment
  • 14.2.8 System security testing – tests of security functionality
  • 16.1.4 Assessment and decision of information security events – this is part of incident management
  • 17.2.1 Availability of information processing facilities – achieving redundancy

Controls that are gone – finally, here are some of the controls that do not exist anymore:

  • 6.2.2 Addressing security when dealing with customers
  • 10.4.2 Controls against mobile code
  • 10.7.3 Information handling procedures
  • 10.7.4 Security of system documentation
  • 10.8.5 Business information systems
  • 10.9.3 Publicly available information
  • 11.4.2 User authentication for external connections
  • 11.4.3 Equipment identification in networks
  • 11.4.4 Remote diagnostic and configuration port protection
  • 11.4.6 Network connection control
  • 11.4.7 Network routing control
  • 12.2.1 Input data validation
  • 12.2.2 Control of internal processing
  • 12.2.3 Message integrity
  • 12.2.4 Output data validation
  • 11.5.5 Session time out
  • 11.5.6 Limitation of connection time
  • 11.6.2 Sensitive system isolation
  • 12.5.4 Information leakage
  • 14.1.2 Business continuity and risk assessment
  • 14.1.3 Developing and implementing business continuity plans
  • 14.1.4 Business continuity planning framework
  • 15.1.5 Prevention of misuse of information processing facilities
  • 15.3.2 Protection of information systems audit tools

Since the structure of ISO 27002 is completely aligned with controls from ISO 27001, all these changes are also valid for new ISO 27001 Annex A.

At first sight, there are many changes… However, I don’t think most of these changes are really fundamental – many of them have actually corrected the incorrect structure of the old ISO 27002, and added the controls that were missing in the first place. Some things did change – like network security and development process – these areas are now more loosely described and thus more freedom is given to companies on how to implement them.

To conclude, I like these changes – it seems to me implementing this new standard is going to be easier.


A first look at the new ISO 27001 (2013 draft version)

By Dejan Kosutic on January 28, 2013

When I heard the news that the DIS (draft) version of ISO 27001:2013 is publicly available at the BSI website (until 23 March 2013), I was very impatient to read it. Although one should not get too excited yet – this draft version might differ quite a bit from the final version of the standard (expected to be published in the second half of 2013) – the purpose of such a draft standard is to be revised based on many inputs during a public debate.

When compared to the old (still valid at the time of writing this article) ISO/IEC 27001 from 2005, the changes are actually not too drastic – here are the main differences I found:

The structure

As expected, the new ISO 27001 will be compliant with Annex SL of ISO/IEC Directives, in order to be aligned with all the other management standards – this is already evident in ISO 22301, the new business continuity management standard. So, here are the main clauses that you will see in all the management standards:

0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement

Naturally, Annex A is still here in the new ISO 27001 – this is where all the controls are listed. The quite useless Annex B from the old standard is gone, while there is no need for Annex C anymore.

Interested parties

The huge importance of interested parties, which can include shareholders, authorities (including legal and regulatory requirements), clients, partners, etc., is recognized in the new ISO 27001 – there is a separate clause that specifies that all the interested parties must be listed, together with all their requirements.

This is definitely an excellent way of defining key inputs into the ISMS.

Documented information

The concepts of “documents” and “records” are merged together; so, now it is “documented information.” Consequently, all the rules that are required for documentation control are now valid for both documents and records; the rules themselves haven’t changed much from the old ISO 27001.

The requirement in the old standard for documented procedures (Document control, Internal audit, Corrective action, Preventive action) is gone – however, the requirement for documenting the output from those processes remains in the new standard. Therefore, you don’t need to write those procedures, but you need to maintain all the records when managing documents, performing internal audits, and executing corrective actions.

Also, the clause from the old standard where all the required documents are listed (4.3.1) is gone – there is no central list of required documents.

Risk assessment and treatment

Assets, vulnerabilities and threats are not the basis of risk assessment anymore! It is only required to identify the risks associated with the confidentiality, integrity and availability – although this might seem too radical of a change, the authors of the new standard wanted to allow more freedom in the way the risks are identified; however, I assume that the assets-vulnerabilities-threats methodology will remain as a best practice for a long time.

The concept of determining the level of risk based on consequences and likelihood remains the same.

Further, the Risk Assessment Methodology does not need to be documented, although the risk assessment process needs to be defined in advance; the concept of asset owner is gone, too – a new term is used: “risk owners” – so the responsibility is pushed to a higher level.

Objectives, monitoring and measurement

A big change here: objectives, monitoring and measurement are no longer mentioned only within other requirements; now there are separate clauses with very concrete rules. The rules are that you need to set clear objectives, you need to define who will measure them and when, and you need to define who should analyze and evaluate those results. Further, comprehensive plans need to be developed that will describe how the objectives will be achieved.

This is definitely something that will bring ISMS closer to other management processes in a company. Hopefully, it will push information security onto the management agenda because – once you have very clear figures as to how your security performs – you cannot turn your head away from it.

Corrective & preventive actions

The biggest change is there are no preventive actions anymore, at least not at first sight – they are basically merged in risk assessment and treatment, where they naturally belong.

Further, a distinction is made between corrections that are made as a direct response to a nonconformity, as opposed to corrective actions that are made to eliminate the cause of a nonconformity. This way another ambiguity from the old standard is resolved.

Communication

This is also a new clause where all the requirements are summarized – what needs to be communicated, when, by whom, through which means, etc. This will help overcome the problem of information security being only an “IT thing” or “security thing” – the success of information security depends on both the IT side and the business side, and their overall understanding about the purpose of information protection.

What will this mean for the implementation?

I must admit I like all these changes – not only will the new ISO 27001 be easier to integrate with other management standards like ISO 9001, ISO 22301, ISO 20000 and others, but it also allows more freedom for companies (especially smaller ones) to scale the ISMS to their real needs and thereby avoid unnecessary overhead. But this may also turn out to be the greatest weakness of this new standard – because of its loose definitions, some companies may try to focus on satisfying the minimum instead of focusing on increasing security.

In other words, companies that mean well and really want to increase their level of security will find it easier to comply with this standard; however, companies that are not so positive and are looking for loopholes to implement it only for the sake of certification will see this standard as an opportunity.

P.S. I’ll examine the controls from Annex A more thoroughly in one of my next blog posts that will focus on new ISO 27002:2013.


ISO 27000 series – What to expect in 2013?

By Dejan Kosutic on January 15, 2013

Believe it or not, there are more than 30 standards in the ISO 27k series. And, to make things worse, they are constantly changing because information security theory and best practice are continuously evolving.

Here’s what will probably happen in 2013:

ISO/IEC 27001 – Since this is the main standard in the ISO27k series, its revision is expected with high excitement. It was published in what is, for this area, a very distant 2005, so the changes are certainly not going to be minor. The largest change (besides the controls from Annex A – for those see ISO 27002 below) will be in the structure of the standard – according to ISO directives Annex SL (previously called Draft Guide 83), the structure of every management standard will have to be aligned, so the same destiny is intended for the new revision of ISO 27001 as well. Such changes are best visible in ISO 22301, the new business continuity standard, which was the first one to be compliant with Guide 83 – click here to see the structure of ISO 22301.

The date for publishing ISO 27001 hasn’t been set yet, but it could be somewhere in the second half of 2013.

ISO/IEC 27002 – The revision of this standard will be published together with ISO 27001 because, as you probably know, it gives guidelines for implementation of controls from ISO 27001 Annex A – therefore, these two standards need to be aligned completely. See here what is expected to change: ISO 27002 – What will the next revision bring?

ISO/IEC 27004 – This is the standard that defines information security metrics; in other words – how to measure information security in an organization. It was initially published in 2009, and it will be in the revision process during 2013. It is, however, not likely that the new revision will be published in 2013.

ISO/IEC 27006 – This standard defines the requirements for certification bodies that provide the auditing services. Since other auditing standards (ISO 19011 and ISO/IEC 17021) are currently being revised, it is expected that the revised version of ISO 27006 will be published in 2013 or 2014.

ISO/IEC 27011 is the standard that provides guidelines for information security management in telecoms – since it relies heavily on ISO 27002, it will be revised once the new version of ISO 27002 is published. It may happen in 2013, but more likely in 2014.

ISO/IEC 27014 defines the governance of information security; since this standard is – at the time of writing this article – in FDIS status, it is expected to be published in the first half of 2013.

ISO/IEC TR 27016 is the standard that defines organizational economics for information security management. Since this standard is still in the draft version, it is theoretically possible that it will be published in 2013; however, 2014 is much more realistic as a publishing year.

ISO/IEC 27017 is the standard that will define a very hot area: security in cloud computing. Since it will depend heavily on revised ISO 27001 and ISO 27002, at best it will be published at the end of 2013 or the first half of 2014.

ISO/IEC 27018 is the standard that will provide a code of practice for data protection controls for public cloud computing services – similar to ISO 27017, this standard will wait until ISO 27002 is published. Let’s hope we’ll see it in 2013, or some time shortly after that.

ISO/IEC TR 27019 is the standard that focuses on information security management guidelines for the energy industry. Since it is based on ISO 27002, it is not expected to be published until the end of 2013 or in 2014.

ISO/IEC 27033-5 is still in the draft phase, and defines how to secure communications using Virtual Private Networks (VPNs). Its publication is expected near the end of 2013.

ISO/IEC 27036 is still in the draft phase, too, and it specifies how to regulate information security in supplier relationships. This standard will be published in four or five parts, three of which could be published during 2013 or early 2014.

ISO/IEC 27040 defines another very interesting area: storage security. It is scheduled to be published in 2013, but may be pushed to 2014.

As you can see, many standards are to be published soon, or at least are going to be revised. Who says information security is a boring business?


ISO 27002 – What will the next revision bring?

By Dejan Kosutic on October 10, 2011

It’s been six years since the last revision of ISO/IEC 27002 (in 2005) – much has changed in information security since then, and this standard definitely needs some “facelifting”. Since ISO 27002 is closely tied to ISO 27001, this revision has to be done simultaneously for both standards, and is expected to happen in the latter half of 2012 or during 2013.

ISO 27001 and ISO 27002

What these two standards have in common are the 133 controls – they are offered as a kind of catalogue in Annex A of ISO 27001, with the idea that appropriate controls are selected based on the risk assessment. ISO 27002 lists all of these 133 controls again, but offers detailed explanation of best practices for their implementation. For a detailed explanation of the differences between ISO 27001 and ISO 27002, read ISO 27001 vs ISO 27002.

This relationship between the two standards is why ISO 27002 changed its name in 2007 – it was previously called ISO/IEC 17799, but its name was changed to ISO/IEC 27002, making it part of the ISO 27k series.

This most important link between ISO 27001 and ISO 27002 – identical structure of ISO 27001 Annex A and ISO 27002 controls – will most likely still be included in new revisions of both standards. However, the way it is structured and the individual controls will most probably change.

Expected changes

At the moment of writing this article (October 2011) it is impossible to predict all the changes in ISO 27002 because the final draft hasn’t been written yet. However, most likely changes can be judged by hearing what ISO 27001 experts have to say – here’s a summary of suggestions from ISO 27k Forum, the leading expert forum about ISO 27001/ISO 27002:

  • Accountability – definition of what it means in relation to human resources management
  • Authentication, identity management, identity theft – they need better description because of their criticality for web-based services
  • Cloud computing – this model is becoming more and more dominant in real life, but hasn’t been covered in the standard
  • Database security – the technical aspects haven’t been systematically laid down in the existing revision
  • Ethics and trust – an important concept not covered at all in the existing revision
  • Fraud, phishing, hacking, social engineering – these particular types of threats are gaining more and more importance, but aren’t covered systematically in the existing revision
  • Governance of information – this concept is very important for the organizational aspect of information security and is not covered in the current revision
  • IT auditing – needs to focus more on computer auditing
  • Privacy – needs to go broader than existing data protection and legal compliance, especially because of cloud computing
  • Resilience – this concept is completely missing in the existing revision
  • Security testing, application testing, vulnerability assessments, pen tests etc. – these are essentially missing in the current revision

As Gary Hinson from the ISO27k Forum argues, several of these issues are already covered, but they were not given sufficient emphasis in the current revision of the standard – key terms widely used today are either completely missing or are only vaguely alluded to.

Also, the new ISO 27002 will refer more to other standards that define certain areas in more detail – for instance, Section 14 Business Continuity Management will refer to ISO 22301 (the new standard dedicated to business continuity management) and ISO/IEC 27031 (focused on the ICT aspect of business continuity).

All these changes mean not only that some of the controls will change or be added, but also that the structure of the standard will change – instead of the existing 11 sections of Annex A / ISO 27002, some new sections will probably have to be created, and others merged. And these structural issues are probably the toughest ones, since the body in charge of the revision (the JTC 1/SC 27 committee) will need to ensure compatibility with the existing revision. This is why we have no idea at the moment what these structural changes will look like.

ISO 27002 certification?

Many people still ask me whether it is possible to get certified against ISO 27002. The situation with the new revision will stay the same – currently it is not possible, nor will it be possible to get an ISO 27002 certificate because unlike ISO 27001, this is not a management standard.

This means ISO 27002 will remain a code of practice (or best practices) for implementation of security controls. It will not define the management system – e.g. the documentation management, internal audit, management review, corrective and preventive actions, risk management, etc. – all these remain in the domain of ISO 27001. Therefore, ISO 27001 will remain the only certifiable standard in the ISO 27k series.

Implications for the ISMS

If you already have your Information Security Management System implemented, you don’t have to worry too much – no matter which changes the new revision will bring, you will have enough time (normally one year after both standards have been published) to implement the changes.

Once the revisions are published, you will need to align the structure of your controls in the Statement of Applicability with the new Annex A in the revised ISO 27001. And although the structure won’t change too much, this alignment will be the biggest job that’s ahead of you.

And this is where the new ISO 27002 will bring the most value – in the transition period you will have plenty of refreshed best practices to choose from. And since ISO 27002 is quite detailed, and you still have the freedom to choose only what is appropriate for your organization, it will definitely help you make such a transition easier.

You can also check out our webinar ISO 27001 Foundations Part 3: Annex A overview (commercially sold training).


ISO 27001 Annex A controls

By Dejan Kosutic on October 20, 2010

Annex A of ISO 27001 is probably the most mentioned annex of any management standard. Why is there so much talk about it? Why is it sometimes controversial?

If you have read Annex A, you have seen that 133 security controls are listed there. If that is the case, what is the main part of the standard used for?

The purpose

Annex A contains the following clauses (sometimes called ISO 27001 Annex A domains):

  • A.5 Security policy
  • A.6 Organization of information security
  • A.7 Asset management
  • A.8 Human resources security
  • A.9 Physical and environmental security
  • A.10 Communications and operations management
  • A.11 Access control
  • A.12 Information systems acquisition, development and maintenance
  • A.13 Information security incident management
  • A.14 Business continuity management
  • A.15 Compliance

As already mentioned, Annex A contains 133 controls which, as can be seen from the names of the clauses, are not focused solely on IT – they also cover physical security, legal protection, human resources management, organizational issues, etc.

Therefore, you could consider Annex A as a form of a catalogue of security measures to be used during your treatment process – once you identify unacceptable risks in risk assessment, Annex A will help you choose the right control(s) to decrease those risks. And ensure you don’t forget any important control.

Annex A is where ISO 27001 and ISO 27002 come together – the controls in ISO 27002 are named the same as in Annex A of ISO 27001, but the difference is in the level of detail – ISO 27001 gives only a short definition of a control, while ISO 27002 gives detailed guidelines on how to implement the control.

Drawbacks

If by now you are thinking that Annex A is a perfect implementation tool for your information security project, don’t be too optimistic – it also has some things that don’t make sense. For instance, some controls address almost the same issues, sometimes causing confusion – like A.9.2.6 (Secure disposal or re-use of equipment) and A.10.7.2 (Disposal of media). On the other hand, some issues, like relationships with third parties, are scattered around various clauses of Annex A – you can find them in clause A.6.2 (External parties), A.8 (Human resources security) and A.10.2 (Third party service delivery management), and in control A.12.5.5 (Outsourced software development). This sometimes makes Annex A difficult to use as an implementation tool.

But those are not the only ambiguities – in some of the controls, Annex A mentions policies and procedures; however, it does not require those to be documented. It might seem funny, but the standard requires written policies/procedures only where the word “documented” appears. When you analyze the whole of Annex A, it mentions the word “documented” in only 6 controls (A.5.1.1, A.7.1.3, A.8.1.1, A.10.1.1, A.11.1.1, A.15.1.1) – that means you can implement all the other controls without documenting them.

However, you shouldn’t abuse this flexibility of Annex A – the larger the organization, the more documents you should produce in order to ensure that everyone is aware of (and complies with) your security procedures. On the other hand, you should be careful not to overdo the documentation – if it is excessive, no one is going to observe it.

Relationship with the main part of the ISO 27001

The main part of the standard, or more precisely the mandatory clauses 4 to 8, contains the management part of the standard – they prescribe the PDCA cycle (Plan-Do-Check-Act phases), including risk assessment and treatment, documentation control, records control, provision of resources, internal audit, management review, corrective and preventive actions, etc.

As said earlier, the risk assessment & treatment process is the main connection between clauses 4 to 8 and the controls from Annex A – it will help you decide whether individual controls from Annex A are necessary for decreasing risks or not.

It means clauses 4 to 8 and Annex A cannot exist one without the other – risk assessment does not make sense if there are no controls to decrease the risks, and the only way to determine the applicability of controls is through risk assessment.

In my opinion, this focus on risks and the flexibility to apply security controls according to what you consider as appropriate are the best things in ISO 27001 – you just have to be careful to take full advantage of them.

You can also check out our webinar ISO 27001 Foundations Part 3: Annex A overview (commercially sold training).

http://www.iso27001standard.com/en/webinars/ISO-27001-Foundations-Part-3