This article looks at the core idea behind applying ISO 27001.
The security risk landscape is in constant change: new threats develop, vulnerabilities are discovered, and security incidents arise with major repercussions for companies and individuals alike. One premise holds that, faced with this scenario, it is only a matter of time before any given company suffers the consequences of these threats.
For this reason, the most important thing is to be prepared to deal with incidents, without overlooking the proactive, preventive measures that reduce the probability of their occurring and/or the impact they can have, and the corrective actions needed to resolve the problems that do arise.
According to Merriam-Webster, one sense of “manage” is to achieve one’s purpose. If we take this definition as a starting point, a fundamental aspect of management is protecting the information that is essential to fulfilling the company’s business goals, which is why managing information security has become a business need.
Security incidents can arise through people’s lack of knowledge or negligence, and can occur either accidentally or deliberately (the latter constituting an attack), so managing security means applying several different approaches to raising and improving the level of information security. One way to achieve this is through alignment with standards and good practices in this area.
Applying ISO 27001 (and other standards) rests on this principle, so in this post we will look at the two pillars that make up that document, as well as the fundamental ideas it expresses.
Security standards as a means to protect a company’s information and its business
One standard used internationally to manage information security is ISO 27001, which represents the accumulated experience of experts in the field. Although its actual implementation has to be carried out in accordance with the characteristics, needs and conditions of each organization, one of the first steps in applying it is becoming familiar with the document and its purposes.
For that reason, in this post we will focus on understanding the content of the standard as a step toward implementation. Its structure boils down to two basic elements: the clauses of requirements an organization must meet in order to operate an information security management system, and the control objectives and security controls, which cover different approaches to protection.
Guidelines for working with an information security management system
The first basic element of the standard is the set of clauses that define the activities necessary for defining and setting up, implementing and operating, monitoring and reviewing, and maintaining and improving an information security management system (ISMS).
Although the current version of the document no longer explicitly prescribes a continual-improvement model (as the previous version did with the Deming cycle, or PDCA), these phases are present implicitly through Annex SL, the high-level structure that ISO management system standards use for organizing their clauses.
By carrying out and monitoring the activities defined in the 10 clauses (regardless of whether a company is aiming for certification), organizations begin to give shape to a framework that helps manage information security. To be aligned with the standard, an organization has to comply with clauses 4 through 10 (in the 2013 version); clauses 0 through 3 are introductory.
For that edition, the requirements include key elements such as understanding the organization’s context; activities that demonstrate senior management’s leadership; planning (which, among other things, involves risk assessment and risk treatment); support, meaning the necessary resources, competence and awareness among people; operation of the ISMS; evaluation of its performance through internal audits and management reviews; and finally, improvement of the management system through corrective action.
Defining control objectives and security controls
The second element that makes up the central structure of the standard consists of the control objectives and security controls described in Annex A of the document. These elements are grouped into 14 sections for the 2013 version.
The standard’s vocabulary describes a control objective as a statement of what the information security controls are expected to achieve, and a control as a measure that modifies risk. It is important to note that to modify a risk you have to affect at least one of its two variables: the likelihood of occurrence, or the impact (consequences) it could have. In the best case, a control reduces both.
However, a control does not always produce the desired results, and in such cases it is necessary to adapt the control, replace it, or apply additional controls. Controls may be processes, policies, devices, practices, or any other actions that modify risk.
Annex A of the standard lists 114 security controls grouped into 35 control objectives, which in turn fall under 14 sections. These sections cover information security policies, the organization of information security, human resources security, asset management, access control, cryptography, physical and environmental security, operations security and communications security.
Because these sections take different approaches to protecting information, they also include control objectives and specific controls for the acquisition, development and maintenance of systems, security in supplier relationships, information security incident management, business continuity and compliance.
Next steps for implementing the standard
To sum up, the basic structure of ISO 27001 consists of two sections:
- First of all, there are the clauses that define the requirements for implementing, operating, reviewing and improving an ISMS.
- The second element is Annex A, which describes controls for protecting information.
Both of the standard’s basic elements combine different approaches: preventive actions and controls applied before incidents occur (such as risk assessments); proactive elements such as contingency plans (for business continuity); detective measures that find weaknesses before an attacker does (such as technical vulnerability management); and reactive approaches (related to incident management).
In addition, we should not overlook one other central idea of the standard: continual improvement. As already mentioned, in practice it is difficult to avoid every threat and attack, so when they do occur, one of the intentions is to correct errors and prevent their recurrence through lessons learned and corrective action.
Finally, all of the standard’s content serves the purpose of security management, that is, making decisions that lead toward a fundamental goal: protecting the information most important to the organization, while also obtaining the benefits of aligning with recognized standards. This in turn translates into a goal with a wider scope: protection of the business.
Author Miguel Ángel Mendoza, ESET