Thursday, August 17

ISO 2700X: A Cornerstone of Security
By Jonathan G. Gossels

For years, organizations have been searching for an objective benchmark to measure the security of potential business partners and to distinguish the security-quality of their own services. While not perfect, ISO 17799 emerged as the standard of choice because it overcame many of the critical deficiencies of SAS 70. Specifically, it provided a comprehensive set of security-related topics and an objective means of measuring compliance.

Building on that success and following the same approach it used with the ISO 900X Quality Assurance standards and ISO 1400X Environmental Management standards, the International Organization for Standardization (ISO) has reserved the 27000 numbering range for a series of Information Security Standards. The initial standards are:

- ISO 27000 contains technical definitions used throughout the 2700X series.
- ISO 27001 is a specification for an Information Security Management System (ISMS). ISO 27001:2005 is a re-labeling of BS 7799 part 2. This is the formal standard used for certifying Information Security Management Systems. Its focus is the evaluation process rather than content.
- ISO 27002 is a re-labeling of ISO 17799, which was originally BS 7799 part 1. This standard contains a Code of Practice consisting of a comprehensive set of information security control objectives and a menu of best-practice security controls.
- ISO 27004 is the number reserved for a future standard covering information security management measurement and metrics.
- ISO 27005 is the number reserved for a future standard covering information security risk management.

To achieve certification, an organization's ISMS must be audited by an assessor who works for a Certification Body. A Certification Body must have been accredited by the National Accreditation Body for the relevant geography. The certification process requires clear segregation of duties, in that the organization performing the certification must not have been involved in providing either consulting or training.

History has shown that far more organizations have used ISO 17799 as a framework for conducting comprehensive security assessments aimed at improving the security and controls of their IT infrastructure than for the specific purpose of certification. It is important to recognize that these standards have value well beyond certification.

Unless there is a clear business reason, such as customers or partners demanding certification to do business, most organizations would be better served thinking in terms of compliance with ISO 27002 rather than certification to ISO 27001.

Because of the expense, without a clear business driver, there is little incremental value in spending those formal certification dollars. In most cases, having a reputable security firm attest that an organization is “substantially compliant” is more than sufficient.

Just as with ISO 9000, the marketplace is not homogenous. Certain vertical markets such as aerospace or certain supply chains may latch on the ISO 27001 certification as a required fact of life.

The decision to certify or comply is about more than cost; the two standards measure different things. ISO 27001 assesses whether an organization follows a coarse-grained set of processes that are integral to maintaining the security of an enterprise. Certification assumes that if these processes are in place, effective security automatically follows.

In contrast, ISO 27002 describes a comprehensive set of concrete and fine-grained practices against which an enterprise can be compared.

Bear in mind that both of these standards need to be interpreted within a specific business context, taking into account the organization's technology, its attractiveness as a target, and its business risk.

The ISO 27001 and ISO 27002 standards are gaining attention for being practical mechanisms for both assessing and asserting good security practices.

5 Comments:

Anonymous said...

Costs for ISO 27001 certification in Spain are very expensive (I think it is exactly the same in other countries), so I'm with you in this way of thinking.

Don't waste your money on certification. A company must look for continuous improvement in Information Security.

Certification is only required for marketing purposes, just for this. The security of the assets is the real problem here, and not to select one certification body or whatever.

Even more, why don't hackers or crackers put certified organizations on their lists as objectives? A good criterion for attacking systems.

We have some blogs in Spain like SAHWor ISO 27001 where we talk about these things, and we all think the same.

7:40 AM, August 22, 2006  
Brad C. Johnson, Vice President, CISM, IAM said...

The last posting demonstrates a comforting fact; practical security people can be found wherever you are. You just have to look for them.

These practical security professionals can think outside the box and recognize that an international standard can be useful in making continuous information security improvement without certification as the goal.

For many organizations, certification to ISO 27001 will be a marketing exercise while compliance with 27002 will be an exercise in moving toward industry best practices.

by Jonathan Gossels

2:50 PM, September 11, 2006  
Anonymous said...

I think there is a key issue that is missing here.

If you would measure the cost of implementation, you'll find that the certification cost is the least expensive budget item. Since certification cost is relative to the size of the organization and the scope of certification, the cost is a fraction of what the internal implementation cost is.

Once compliant, why not give yourself credit for what you have done? There is no accountability without certification.

11:00 AM, February 23, 2007  
Anonymous said...

You are incorrect in your assessment that it is "expensive" or not cost-justifiable to be certified under ISO 27001. The costs of certifying are very low. Additionally, having an external accredited entity reviewing an organization's information security management system and ensuring effectiveness and efficiencies, evaluating the controls you spoke of that are in Appendix A of ISO 27001 and form the basis for ISO 27002 (formerly ISO 17799)... emphasizes continuous reviews and improvements. ISO 27001 and 27002 are all about IT security governance, and organizations can all benefit from implementing comprehensive frameworks and going the extra step in getting their information security management systems certified, just as has historically been done with quality control (ISO 9000) and is currently underway with ITIL (ISO 20000).

8:18 PM, November 13, 2007  
