The implementation of an Information Security Management System (ISMS) is built on a combination of requirements based on security objectives. The requirements may be based on standards, laws, regulations, or agreements, or may be established by the organization using other internal or external sources. An ISMS Implementer has to consider these requirements and plan the implementation activities, defined as the Statement of Applicability (SoA). The ISMS Auditor has to use the same requirements to create the audit criteria, defined as audit test plans.
This article explains how the ISO standards can be used as a source of guidance and practices to support the implementation of an ISMS. It may also serve ISMS Auditors who want to be better prepared for their next audit. The approach also helps to take into account technology trends (e.g., use of cloud computing) and regulatory requirements (e.g., related to privacy) in information security management.
Information Security Management System
The ISO/IEC 27001 standard establishes the requirements for an ISMS. It can be used both by the people who implement the standard and build the SoA and by those who audit the organization.
“ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.” – ISO/IEC 27001:2013
The requirements that ISO/IEC 27001 standard covers are:
- Organizational context and stakeholders;
- Information security leadership and high-level support for policy;
- Planning an information security management system; risk assessment; and risk treatment;
- Supporting an information security management system;
- Making an information security management system operational;
- Reviewing the system’s performance;
- Corrective action.
Information security controls
“ISO/IEC 27002:2022 provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organizations:
a) within the context of an information security management system (ISMS) based on ISO/IEC 27001;
b) for implementing information security controls based on internationally recognized best practices;
c) for developing organization-specific information security management system guidelines.” – ISO/IEC 27002:2022
The information security controls guidelines provide a list of 93 controls, separated into 4 themes:
- Organizational (includes 37 controls);
- People (includes 8 controls);
- Physical (includes 14 controls);
- Technological (includes 34 controls).
For each selected control, it is practicable to concentrate on processes, activities, and records.
Information security risk
“This document provides guidelines for information security risk management. This document supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes, and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document.
This document is applicable to all types of organizations (for example, commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that can compromise the organization’s information security.” – ISO/IEC 27005:2018
The risk management process should cover the following:
- Context establishment
- Risk identification
- Risk analysis
- Risk evaluation
- Risk treatment
- Risk acceptance
- Risk communication and consultation
- Risk monitoring and review
“ISO/IEC 27032:2012 provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular:
- information security,
- network security,
- internet security, and
- critical information infrastructure protection (CIIP)
It covers the baseline security practices for stakeholders in the Cyberspace. This International Standard provides:
- an overview of Cybersecurity,
- an explanation of the relationship between Cybersecurity and other types of security,
- a definition of stakeholders and a description of their roles in Cybersecurity,
- guidance for addressing common Cybersecurity issues, and
- a framework to enable stakeholders to collaborate on resolving Cybersecurity issues.” – ISO/IEC 27032:2012
To select the cybersecurity controls and to better understand the risks from cyberspace, it may be advisable to use other sources as well. For example, based on ENISA statistics (2020), the most common cybersecurity risks are:
- Web-based attacks
- Web application attacks
- Identity theft
- Data breach
- Insider threat
- Information leakage
- Physical manipulation, damage, theft, and loss.
The above-mentioned cybersecurity risks can be managed by implementing appropriate cybersecurity controls at different levels, such as:
- End user device
- Application level
- Server level
- Network level
Even if the appropriate security controls are in place and operating, security management has to take care of incidents, since the probability that some of the risks will be realized is not zero. It is therefore appropriate to establish an incident management process proactively, before incidents happen. One of the requirements for managing information security is to have the capability to manage incidents. For practical preparation it is possible to rely on the ISO/IEC 27035 standard.
“ISO/IEC 27035:2011 provides a structured and planned approach to:
- detect, report and assess information security incidents;
- respond to and manage information security incidents;
- detect, assess and manage information security vulnerabilities; and
- continuously improve information security and incident management as a result of managing information security incidents and vulnerabilities.
ISO/IEC 27035:2011 standard provides guidance on information security incident management for large and medium-sized organizations. Smaller organizations can use a basic set of documents, processes and routines described in this International Standard, depending on their size and type of business in relation to the information security risk situation. It also provides guidance for external organizations providing information security incident management services.” – ISO/IEC 27035:2011
In cases where the organization is using cloud services, it may be advisable to focus more on the implementation of the necessary controls by the cloud service provider. The ISO/IEC 27017 guidelines can be used to find controls based on the cloud service extended control set.
“ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing: additional implementation guidance for relevant controls specified in ISO/IEC 27002; additional controls with implementation guidance that specifically relate to cloud services.
This International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.” – ISO/IEC 27017:2015
The extended control set covers the following topics:
- Relationships between cloud service customer and cloud service provider;
- Responsibility for assets;
- Access control of cloud service customer data in shared virtual environment;
- Operational procedures and responsibilities;
- Logging and monitoring;
- Network security management.
For most organizations, one of the most relevant legal and regulatory requirements is the protection of personally identifiable information (PII), for example the strict requirements for complying with the General Data Protection Regulation (GDPR). For guidance, the ISO/IEC 27701 standard may be an appropriate reference for improving information security management from a privacy perspective.
“This document specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
This document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing. It is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.” – ISO/IEC 27701:2019
Additional guidance for personally identifiable information (PII) controllers and processors:
- Conditions for collecting and processing;
- Obligations to PII principals;
- Privacy by design and privacy by default;
- PII sharing, transfer and disclosure.
There is no single solution for organizations to get reasonable assurance for their information security. The key is a combination of appropriate requirements and practices. ISO provides many options for selecting guidance that may be useful in reaching the combination that works for the organization’s purposes. In addition, the explanation provided above may be useful for organizations that have already implemented an ISMS but are seeking possibilities for continual improvement.
Organizations are advised to define the roles and responsibilities accordingly and to provide suitable training for the roles that are responsible for the implementation or audit of information security practices. To ensure the maturity of the security implementation, organizations can proceed with ISMS certification. MSECB is an accredited certification body that provides audit and certification against ISO/IEC 27001 and ISO/IEC 27701.
As a result, we can highlight a security checklist of the top 10 activities and results that may be needed to ensure that information security is actually managed:
- Information security management system established, maintained, certified and continually improved;
- Information security risks identified, analyzed, assessed, decided and treated;
- Appropriate information security controls identified, planned, implemented, operated and measured;
- Incident management process developed, implemented, prepared and tested;
- Cybersecurity program defined, planned, operated and improved;
- Operational security integrated with IT operations;
- Cloud security program established and operating;
- PII protection controls planned, implemented and operating;
- IT readiness for business continuity is ensured and tested;
- Internal control activities for information security established and internal audit program operating.
- ENISA. 2020. ENISA Threat Landscape 2020 – List of top 15 threats. [online] Available at: <https://www.enisa.europa.eu/publications/enisa-threat-landscape-2020-list-of-top-15-threats> [Accessed 15 October 2021].
- ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements. [online] Available at: <https://www.iso.org/standard/54534.html> [Accessed 15 October 2021].
- ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls. [online] Available at: <https://www.iso.org/standard/75652.html> [Accessed 24 August 2022].
- ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management. [online] Available at: <https://www.iso.org/standard/75281.html> [Accessed 15 October 2021].
- ISO/IEC 27032:2012 Information technology — Security techniques — Guidelines for cybersecurity. [online] Available at: <https://www.iso.org/standard/43757.html> [Accessed 15 October 2021].
- ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management. [online] Available at: <https://www.iso.org/standard/44375.html> [Accessed 15 October 2021].
- ISO/IEC 27017:2015 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services. [online] Available at: <https://www.iso.org/standard/44379.html> [Accessed 15 October 2021].
- ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines. [online] Available at: <https://www.iso.org/standard/71670.html> [Accessed 15 October 2021].
Andro Kull holds a PhD degree from the University of Tampere, concentrating on IT oversight and compliance verification methodologies. He is currently lecturing on IT risk and information security management issues at the university of Tallinn.
Previously, he worked for the financial sector in IT and information security, and for the energy sector in IT risks, where security and continuity demands are very high. Kull started his career as an IT specialist and IT manager, and has worked extensively as an IT auditor and as an IT risk manager for one of the largest companies in Estonia.
At the same time, he founded a consulting company and managed projects related to IT risk assessment, the implementation of security measures, business continuity planning (BC), planning for recovery (DR), and crisis management mostly in public sector organizations.
His auditing experience with MSECB started in 2017, and to this day he has been engaged in many ISO/IEC 27001 audits for companies of different sizes and types.