iso – Dan Vasile, InfoSec Adventures (https://pentest.ro)

ISO 27001 Domains, Control Objectives and Controls
https://pentest.ro/2011/11/02/iso-27001-domains-control-objectives-and-controls/
Wed, 02 Nov 2011

ISO 27001 currently has 11 Domains, 39 Control Objectives and 130+ Controls. The following is a list of the Domains and Control Objectives.

1. Security policy
Information security policy
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

2. Organization of information security
Internal organization
Objective: To manage information security within the organization.
External parties
Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

3. Asset management
Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.
Information classification
Objective: To ensure that information receives an appropriate level of protection.

4. Human resources security
Prior to employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
During employment
Objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
Termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

5. Physical and environmental security
Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization’s premises and information.
Equipment security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities.

6. Communications and operations management
Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.
Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
System planning and acceptance
Objective: To minimize the risk of systems failures.
Protection against malicious and mobile code
Objective: To protect the integrity of software and information.
Back-up
Objective: To maintain the integrity and availability of information and information processing facilities.
Network security management
Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.
Exchange of information
Objective: To maintain the security of information and software exchanged within an organization and with any external entity.
Electronic commerce services
Objective: To ensure the security of electronic commerce services, and their secure use.
Monitoring
Objective: To detect unauthorized information processing activities.

7. Access control
Business requirement for access control
Objective: To control access to information.
User access management
Objective: To ensure authorized user access and to prevent unauthorized access to information systems.
User responsibilities
Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
Network access control
Objective: To prevent unauthorized access to networked services.
Operating system access control
Objective: To prevent unauthorized access to operating systems.
Application and information access control
Objective: To prevent unauthorized access to information held in application systems.
Mobile computing and teleworking
Objective: To ensure information security when using mobile computing and teleworking facilities.

8. Information systems acquisition, development and maintenance
Security requirements of information systems
Objective: To ensure that security is an integral part of information systems.
Correct processing in applications
Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.
Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
Security of system files
Objective: To ensure the security of system files.
Security in development and support processes
Objective: To maintain the security of application system software and information.
Technical Vulnerability Management
Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

9. Information security incident management
Reporting information security events and weaknesses
Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.

10. Business continuity management
Information security aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

11. Compliance
Compliance with legal requirements
Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
Compliance with security policies and standards, and technical compliance
Objective: To ensure compliance of systems with organizational security policies and standards.
Information systems audit considerations
Objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.

ISO 27001 Certification Statistics
https://pentest.ro/2011/08/16/iso-27001-certification-statistics/
Tue, 16 Aug 2011

How many companies are certified under ISO 27001? You can find the answer here: under 7300 as of mid-August 2011.

In another report, from April 2008, there were 4500 certificates, with the following distribution: Japan (2550); UK (370); India (430); Taiwan (175); China (110); Germany (90); and then a group of countries (Hungary, Italy, USA and Korea) at 60.

The distribution has remained pretty much the same, with Japan holding more than half of worldwide certifications. The Japanese are mad about productivity, so by adopting a standard they accept a set of rules that work.

China jumped from 110 to almost 500. India reached almost 530. These two countries are huge producers of security equipment and software, and their western clients needed assurance about procedures. Relative to the size and population of these countries, the number of certifications is still small, so we should expect growth. Taiwan, with 430, also falls in this category.

The UK is the champion of the rest-of-the-world team. It is the financial center and power of Europe, it initiated the standard via BS7799, and it loves rules and regulations.

On the other side, the US has just made it to 100 (the Czech Republic has 101). It seems this standard is not well accepted in the New World. In the US, a major requirement is the Sarbanes-Oxley Act, which aligns better with COBIT and ITIL, hence the poor adoption of ISO 27001.

ISMS Certification vs Conformity
https://pentest.ro/2011/08/16/isms-certification-vs-conformity/
Tue, 16 Aug 2011

So, as stated here, you can certify against ISO/IEC 27001 only. But why certify? Here are some reasons provided by certification bodies.

Certification finds no basis in legislative or regulatory requirement, so why bother? The best answer is to validate that investment in security controls meets business goals and provides business value. Business value is found in managing business risk, achieving high levels of legislative and regulatory compliance, and managing vulnerabilities and threats. The ISO security standards provide a disciplined approach to information security, business risk management, and compliance management. Certification provides an independent validation that the organization has applied that discipline effectively and proves due diligence on the part of executives and management, that they are addressing the information security needs of the organization.

The business value of certification includes a disciplined approach that promotes the development of security management processes, methodologies, tools, and templates that may be reused across the organization and through security planning, implementation, operations, monitoring, tracking, and reporting. With basis in an industry standard like ISO, the tracking and reporting tools promote easier audits; this implies less cost of the actual audit and higher likelihood of passing an audit.

So, the benefits would be:

  • Established a formal approach to IS
  • Raised the internal visibility of IS
  • Raised the level of IS awareness
  • Proof of robust controls
  • Clear focus & control of Risk Management
  • Increased customer confidence
  • Tangible competitive advantage
  • Embedded IS in a process of continuous improvement

But is it really necessary to certify? Wouldn’t it be more useful to comply with the standard?

This depends on the situation. An external auditor is always welcome, because he can see what the internal staff overlooked. This doesn’t imply certification.

One situation where certification is needed is when a business partner asks for it. When you gain access to sensitive information from a partner, the partner needs to know that you can handle it properly. He doesn’t have the time to check himself, so he asks for a formal process like an ISMS to be in place to assure him that his data is safe.

An ISMS should be implemented in all businesses, but certification is not a must.

ISO ISMS history
https://pentest.ro/2011/08/16/iso-isms-history/
Tue, 16 Aug 2011

The ISO is developing a new series of security standards, the first of which is ISO 27001, Information Technology—Security Techniques—Information Security Management Systems—Requirements. ISO 27001 replaces British Standard (BS) 7799, Part 2. BS 7799, Part 1 evolved into ISO 17799, Information Technology—Security Techniques—Code of Practice for Information Security Management, and is now known as ISO 27002. Definitive plans are not yet available; however, tentative plans for additional ISO security standards in the 27000 numbering series include ISO 27003, covering security implementation guidance; ISO 27004, for metrics and measurements; and ISO 27005, covering risk management.

Certification against these ISO standards is only defined for ISO 27001; that is, an organization may be certified ISO 27001 compliant. ISO 27001 describes how to build what ISO calls an ISMS. An ISMS is a process to create and maintain a management system for information security. ISO 27001 references details from ISO 27002 and describes how to apply the ISO 27002 security controls; however, the organization is not ISO 27002 certified. By virtue of using ISO 27002 and adhering closely to the guidelines therein, an organization may claim to be ISO 27002 compliant, but without official recognition of this claim via certification.

The ISO/IEC 27000 Set of Standards Overview
https://pentest.ro/2011/08/16/the-iso-iec-27000-set-of-standards-overview/
Tue, 16 Aug 2011

The ISO/IEC 270xx series is a set of standards regarding Information Security Management Systems (ISMS). The developer of these standards is the International Organization for Standardization, http://www.iso.org/.

ISO/IEC 27001 and ISO/IEC 27002 are derived from ISO/IEC 17799:2005, which is in turn derived from BS7799 (British Standard).

Many standards regarding ISMS are under development, and the published ones are subject to periodic review.

The ISO/IEC 2700x family is composed of three main categories:

  1. ISMS family of standards (ISO/IEC 27000 – ISO/IEC 27010) – covering specification, metrics, implementation guides, audit guides and risk management
  2. Sector-specific requirements (ISO/IEC 27011 – ISO/IEC 27030) – telecoms; healthcare; automotive; lotteries
  3. Operational guidance (ISO/IEC 27031 – ISO/IEC 27059)

The standards are:

  • ISO/IEC 27000 — Information security management systems — Overview and vocabulary
  • ISO/IEC 27001 — Information security management systems — Requirements
  • ISO/IEC 27002 — Code of practice for information security management
  • ISO/IEC 27003 — Information security management system implementation guidance
  • ISO/IEC 27004 — Information security management — Measurement
  • ISO/IEC 27005 — Information security risk management
  • ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
  • ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
  • ISO/IEC 27031 — Guidelines for information and communications technology readiness for business continuity
  • ISO/IEC 27033-1 — Network security overview and concepts
  • ISO 27799 — Information security management in health using ISO/IEC 27002

Other standards under development in this category:

  • ISO/IEC 27007 — Guidelines for information security management systems auditing (focused on the management system)
  • ISO/IEC 27008 — Guidance for auditors on ISMS controls (focused on the information security controls)
  • ISO/IEC 27013 — Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
  • ISO/IEC 27014 — Information security governance framework
  • ISO/IEC 27015 — Information security management guidelines for the finance and insurance sectors
  • ISO/IEC 27032 — Guideline for cybersecurity (essentially, ‘being a good neighbor’ on the Internet)
  • ISO/IEC 27033 — IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
  • ISO/IEC 27034 — Guideline for application security
  • ISO/IEC 27035 — Security incident management
  • ISO/IEC 27036 — Guidelines for security of outsourcing
  • ISO/IEC 27037 — Guidelines for identification, collection and/or acquisition and preservation of digital evidence