ISO 27001 Report

The ISO 22399 / PAS 22399 Dilemma

2007-11-23T06:10:00.000-08:00

The business continuity story just gets stranger and stranger. We have covered this previously, with respect to ISO 27031. However, as events unfold the situation becomes ever more tangled.

To recap, there are a host of developments with respect to business continuity and standardization:

1) We have pondered where BSI's useful looking business continuity management standard BS 25999-1 fits into the equation. Even with respect to their own standard set they also have a related publication PAS77, and are developing a standard BS 25777 from this. The second part of BS 25999 was in fact published this week, and as a specification, third party certification schemes will soon be in place.

2) Even within ISO though, the water is as clear as mud. A new standard, ISO 22399 (specifically ISO/PAS 22399) has just been published. This is a "Guideline for incident preparedness and operational continuity management".

Great: so where does this (ISO22399) fit with respect to ISO 27031? And what about chapter 14 of ISO 27002? Or ISO 27001? Let alone all those developments over at BSI, who seem far more advanced in the area.

One might ask what exactly is going on here? How do all these developments relate? Do ISO actually have any idea themselves?

If they do in fact have a road map or overview of all these overlapping standards, it would be nice if they shared it with the public. Our guess is that no such document exists, which is rather bad news for standardization in this area.

ISO 27000 Standard Groupings

2007-09-19T06:51:00.000-07:00

Speculation has recently been rife regarding the future numbering system for the ISO 27000 series of standards. We know as a matter of fact the content areas of ISO 27001 through 27008. We also know about 27011, 27031, 27032, 27033 and 27799.

Although everything else lacks any form of confirmation, there is a logic being frequently quoted which at least gives some credibility to the stories.

The suggestion is that ISO 27010 through ISO 27019 will all cover information security within specific fields and industries. The following have in fact been quoted on a number of Spanish language websites:

ISO 27012: Guidelines for Finance
ISO 27013: Guidelines for Manufacturing
ISO 27015: Accreditation Guidelines
ISO 27016: Auditing and Reviews

It is also suggested that ISO 27030 through ISO 27044 will cover the technical areas of information security, such as cyber security, intrusion detection and trusted third party authentication.

Again, there is some supporting evidence for this, but equally, nothing at all in the way of confirmation.

If any reader of this log can clarify any of this, or provide additional information, please comment below.

ISO 2703n: Latest Developments

2007-08-18T05:56:00.001-07:00

A little more has emerged on the emerging subset of ISO27k standards ISO27031-40. The following reflects the current position as we understand it.

ISO/IEC 27031
Information technology Information technology – Security Security techniques techniques - ICT readiness for business continuity

ISO/IEC 27032
Information technology - Security techniques - Guidelines for Cybersecurity (Suggested)

ISO/IEC 27033
As referenced in previous articles, this is the revision of ISO 18028. It comprises seven distinct parts:

ISO 27033-1
Information technology Information technology – Security techniques Security techniques - Network security Network security – Guidelines for network security

ISO 27033-2
Information technology Information technology – Security techniques Security techniques - Network security Network security – Guidelines for the design and implementation of network

ISO 27033-3
IT network security - Reference networking scenarios - Risks, design, technologies and control issues

ISO 27033-4
IT network security - Security network information with network security gateways - Risks, design techniques and control issues

ISO 27033-5
IT network security - Secure remote access - Risks, design techniques and control issues

ISO 27033-6
IT network security - Securing communications across networks using Virtual Private Networks

ISO 27033-7
IT network security - Guidelines for the design and implementation of network security

ISO/IEC 27034
Information technology Information technology –Security techniques Security techniques - Guidelines for application security

These at are various stages of the publication process, with at least one still at the proposal stage.

ISO 17799 to ISO 27002: A Warning

2007-07-19T01:21:00.000-07:00

It is well known that ISO 17799 has been renamed to ISO 27002. This was confirmed by the appropriate ISO Technical Committee some weeks ago.

A number of people questioned the need for this, and have asked why this couldn't wait until the next upgrade of the standard. Nonetheless, it went ahead, and we waited for the renamed copy to be made available.

Here is the crux though: ISO have now made this available... BUT.... it is simply ISO 17799:2005 with a single accompanying PDF sheet stating "Replace '17799' with '27002'". Seriously, that is it!

So the warning is that if you already have a copy of ISO 17799:2005 and were thinking of buying another copy to replace it, don't, unless the situation changes (and it may not).

If you don't have a copy of ISO 17799:2005 and were thinking of buying a copy of ISO 27002, go for ISO 17799:2005 instead if you can find that cheaper than ISO offer it for (and you can), unless the situation changes (and it may not).

We will continue to monitor the situation and will immediately post any changes which we identify.

And Another Emerges: ISO 27033

2007-07-16T14:33:00.000-07:00

The next ISO 27000 series standard is on the starting block: ISO 27033.

On 12th July a formal note was distributed by the appropriate ISO committee (JTC 1 / SC 27) announcing a letter ballot for early revision and renumbering (to 27033) of existing standard 18028.

Obviously, this is the very start of a lengthy process, but the note also revealed the proposed structure of the new standard, which it is proposed would comprise seven parts:

1. Guidelines for network security
2. Guidelines for design/implementation of network security
3. Reference networking scenarios
4. Securing communications between networks using gateways
5. Securing remote access
6. Securing communications across networks using VPNs
7. Guidelines for securing

Momentum for the series continues to increase.

Update On ISO 27799: ISO 27789?

2007-07-10T05:10:00.000-07:00

ISO 27799 will be the health sector specific version of ISO 17799/27002. The above though is a bit of a misleading title, because it is still under approval and there is no 'update' at all!

However, whilst scanning the airways for progress we identified another health sector related ISO 27000 standard. This is ISO 27789. Like ISO27799 it is specific to the health sector. Its provisional title is: Audit trails for electronic health records. The planned publication date is late 2009.

It looks therefore like the ISO 277nn prefix may have been bagged by the health sector.

TO WATCH:
In the US, the relationship between ISO27799 and HIPAA (Health Insurance Portability and Accountability Act). Will HIPAA become a driver for the adoption of ISO 27799? Will 27799 be used as an example of due diligence with respect to certain aspects of the act? Time will tell.

ISO27000 Interviews

2007-07-10T05:08:00.000-07:00

We are planning a series of short interviews with leading industry figures. These will be posted from this page as and when they are published.

The list of early contenders is currently being drawn up. We will then approach the lucky interviewees!

Please return to this page for more information.

How is ISO27000 Related to ISO 31000 And BS31100?

2007-07-04T07:21:00.002-07:00

The answer is: we don't know! So why ask the question? Because it probes the relationship between different aspects of risk assessment, and different sets of standards.

We tripped upon two holding sites: one for ISO 31000 and one for BS31100. Scratching the surface with both ISO and BSI didn't reveal too much extra. However, it does appear that these BOTH address risk management at a corporate/organizational level. Security risk assessment is part of this, but only part of it.

Why 31000 and 31100? Clearly this similarity indicates SOME relationship and forethought, but at this stage we could not determine specifically what this was. It does appear that BS31100 is much closer to fruition than ISO31000, but how they are related will be interesting to determine, as will the scope for BS31100 to become ISO 31100 or perhaps ISO 31001.

The precise relationship between these and BS7799-3, and/or ISO27005, will also be interesting to see. There will surely be cross reference between these, as there are logical relationships between them. How much further that goes remains to be seen.

This does illustrate however that it isn't just the ISO2700 series which is 'shrouded in mystery', but others too. For those of us who thrive on clarity, it is a bit of a nightmare!

The 27000 Who's Who

2007-07-04T07:21:00.001-07:00

This is another ongoing project. Over time we will build up a comprehensive "Who's Who" of the ISO 27000 world. The current list is below:

David Watson
The very first BS7799/ISO17799/ISO27001 (take your pick) auditor. David Watson is still busy in the infosec arena, owning a consultancy company in the UK and moderating the Dr Watson forum on the ISO 17799/27001 Community. He is also an accomplished author.

Kate Hartley
The driving force behind the biggest online user group dedicated to the standards (17799.com)

Ted Humphreys
A long established consultant, Ted Humphreys has been a key player in the development of the standards, and holds a pivotal role on the relevant ISO technical committee.

Gary Hinson
Gary a consultant and is ISSA's UK Secretary. He also runs several websites, including a very easy to read blog (noticebored.com).

Andrew Smith
A policy writer and consultant, but best known as the moderator of the major Yahoo user groups.

Brian Doswell
Manages a consultancy practice and is a member of BCI's advisory board. Brian is also a published (ISO 17799) information security author.

This of course is an initial seed list, which will be added to. Please add your own suggestions via the comment option below.

ISO 27000: ISO 27031 and Business Continuity Numbering

2007-07-02T02:58:00.000-07:00

The assignment of numbers within the ISO 27000 series has been the subject of ongoing debate for some time. The confusion with respect to future intentions is no better exemplified than with respect to business continuity.

ISO 27031 has long been understood to be earmarked for at least one aspect of business continuity. Clarity was been a long time in coming, but it does now appear that this number will be assigned to a standard pertaining to ICT Readiness for Business Continuity, based perhaps upon SS507. Or does it? Confirmation can still not be found on the ISO website.

If ISO27031 is to be assigned to ICT, then what about other aspects of business continuity? If ICT readiness fits under the ISO 27000 billing, what about planning or service continuity?

Other Business Continuity Standards
BS25999 is currently setting about filling the void for business continuity planning (BCP). This is interesting because its structure is the same as ISO standards tend to be: a code of practice and a specification. BS25999-1 is the code of practice. BS25999-2 is the specification.

Does that sound familiar? It should do. Think ISO 27001 and ISO 27002. Think the two parts of ISO 20000. The list is rather long.

So if 25999 is to evolve to be an ISO standard, where does that fit in the 27000 numbering system?

It doesn't end here. What about PAS77? This BSI document relates to IT service continuity, which is part of the ISO 20000 scene. It is aligned with that standard. Unofficial word has it that this is to become a BS standard (this site: BS25777.Info - is a bit of a giveaway). So where is this to fit if it evolves into the ISO system? It is hard to imagine that ISO will not embrace such a standard given the success of ISO 20000.

We have heard a number of rumours with respect to business continuity numbering, but repeating them probably wouldn't serve a positive purpose at this time. A little more clarity from ISO might, however.

The Official ISO27001 Certification Register

2007-07-01T03:23:00.000-07:00

We frequently see questions asked regarding this issue, largely as people search for data regarding existing certifications, or perhaps to get an idea of the total number of certificates issued.

There simply is no official worldwide register.

Searching the internet reveals a couple of efforts to build credible registers, but in truth these are sourced by a very tiny minority of certification bodies. They are thus not even remotely complete.

The most interesting approach is the one adopted by the ISO17799/27001 Guide, which is a dedicated Wiki. This operates a voluntary register, which enables certified organizations to enter their own details. This is surely the most valid approach.

Voluntary v Involuntary
Not every certified organization wants its details paraded on the internet. There may be a variety of reasons for this.

For example, there is a school of thought which believes that specifying in public which security framework has been followed is in itself something of a security risk. If something is missing from that framework, then it is quite possible that it is missing from the security implementation too, and stating this in public is not sensible. Another example could be the loss of competitive advantage if the certification of part of an organization is made public in the circumstance in which others are to follow shortly.

Whatever the reason, however, surely the certified organization should be the party to determine when, where and whether this is made public. A voluntary arrangement supports this proposition.

It has to be accepted that this approach will never create a complete register, but at least the playing field will be level and equal, and not driven by selected certification bodies.

The voluntary register is a worthy initiative.

The Benefits of ISO 27001 Implementation

2007-06-30T10:12:00.000-07:00

The benefits of standardization, and of implementation of one or more of the ISO 27000 series are wide and varied. Although they tend to differ from organization to organization, many are common.

The following is a list of potential benefits. As with many items on this website, this is an ongoing project. Please feel free to add further points via the comments option below.

Interoperability
This is a general benefit of standardization. The idea is that systems from diverse parties are more likely to fit together if they follow a common guideline.

Assurance
Management can be assured of the quality of a system, business unit, or other entity, if a recognized framework or approach is followed.

Due Diligence
Compliance with, or certification against, and international standard is often used by management to demonstrate due diligence.

Bench Marking
Organizations often use a standard as a measure of their status within their peer community. It can be used as a bench mark for current position and progress.

Awareness
Implementation of a standard such as ISO 27001 can often result in greater security awareness within an organization.

Alignment
Because implementation of ISO 27001 (and the other ISO 27000 standards) tends to involve both business management and technical staff, greater IT and Business alignment often results.

Talking About ISO 27001

2007-06-30T08:40:00.001-07:00

A number of forums have emerged over the years to enable peer to peer communiction and dialogue on ISO 27001 and the other ISO 27000 standards.

The major ones are as follows:

The ISO 17799 and 27001 Community Portal
(17799.com)
This is the oldest and the biggest, with around 2,000 members

Yahoo ISO 17799
(tech.groups.yahoo.com/group/iso17799security/)
Whilst not the biggest, this is probably the busiest

Yahoo ISO 27001
(tech.groups.yahoo.com/group/iso-27001/)
Similar to the other Yahoo group, but focused entirely upon ISO 27001

Google Group ISO 27001 Security
(groups.google.com/group/iso27001security)
Directed at the ISO 27000 series.

Google Group ISO 27001
(groups.google.com/group/ISO-27001)
This is related to the ISO 27001 newsletter

MSN ISO 27000 Group
(groups.msn.com/27000UserGroup/)
This covers all of the ISO 2700 series.

Have we missed any? Probably. If you know of any not listed above, please let us know via the comment function.

ISO 27000: Where Are We?

2007-06-30T08:21:00.000-07:00

The ISO 27000 series of information security standards is a moving feast. This is a 'live page' which will be kept current with the latest situation as we understand it.

ISO 27000
Not yet published. It will define vocabulary and definitions for the rest of the series.

ISO 27001
Published. This is the specification for an ISMS

ISO 27002
Awaiting publication. This will be the rename of ISO 17799.

ISO 27003
Not yet published. This will be an implementation guide.

ISO 27004
Not yet published. This will cover measurement and metrics for information security management.

ISO 27005
Not yet published. This will cover information security risk management, and is likely to be based upon BS7799-3.

ISO 27006
Published. This is a formal guide to the certification and registration process.

ISO 27007
Not yet published. This will cover the audit process for an ISMS

ISO 27031
Not yet published. This standard will cover ICT business continuity planning.

ISO 27032
Not yet published. This is currently a proposed standard for internet security.

ISO 27799
Awaiting publication. This will be the first industry specific version of ISO 27002. It is focused upon the health sector.

ISO 27002 Status

2007-06-30T08:13:00.000-07:00

There is no real rush: ISO 27002 is simply the re-publication of ISO 17799, but with a different name. Why this is deemed necessary as an interim publication, rather than at the next upgrade, is unclear. However, the momentum behind the ISO 27000 series concept has driven the decision in this direction.

The original intention was to rename ISO 17799 in April 2007. Due to several factors, this did not occur. The decision to press ahead though was endorsed in May at a meeting of the appropriate ISO sub-committee (SC 27).

Despite this, a search of all the major internet webstores and a scan of the websites of the standard bodies indicates that ISO 27002 is still not available.

We will update this post when this position changes.

What Is ISO 27001?

2007-06-30T07:57:00.000-07:00

In a nutshell it is an ISO standard specifying the requirements for an information security management system. It was published in October 2005, and was based heavily upon the British Standard, BS 7799-2.

ISO/IEC 27001 is often considered to be the prime ISO 27000 standard because it is this against which certification can be sought. It is aligned with other ISO quality management standards, such as ISO 9001 and ISO 14001.

The standard is also intended to drive the selection of adequate and proportionate security controls. Hence the relationship with ISO 27002, which defines individual controls within a code of practice framework.

ISO 27001 Report: The Mission

2007-06-30T07:49:00.000-07:00

The first day and the first post: ISO 27001 Report has been created.

This informational newslog is dedicated to ISO 27001 and related standards and topics. It will offer both information and prespective on both this ISMS standard, and the rest of the ISO 27000 series.

In addition to reporting recent events (the news function), we will strive to document the standard(s) and provide ongoing information on implementation, including certification. This will be framed within a wider information security setting.

Hopefully you will enjoy reading the log as much as we will enjoy creating it.

Thank you for visiting us.