Information Security Management: THE ISO 27000 (ISO 27K) SERIES

By Sarah Higgins, Aberystwyth University 

Published: 19 March 2009

1. Security Standards and Digital Curation

The flexibility of digital information can be regarded as a great strength. As software and hardware develop, data can be created, accessed, edited, manipulated and shared with increasing ease. The corollary is that data is vulnerable to unauthorised access, alteration or manipulation which, without checks, can easily go undetected and undermine its authoritative nature. Successful digital curation ensures that data is managed and protected so that its authority is maintained and retained throughout the curation lifecycle.1 To be authoritative, data needs to remain authentic, reliable and usable, while retaining its integrity.2 These characteristics can be preserved through the implementation of an effective Information Security Management System (ISMS). The policies, procedures, and human and machine resources which constitute an ISMS should ensure that the CIA triad (Confidentiality, Integrity and Availability) is maintained across an organisation's physical, personal and organisational layers. Confidentiality ensures that data is only available to those authorised to access it. Integrity ensures that data can only be altered by authorised persons, and that any unauthorised alteration is detectable. Availability ensures that authorised persons can access data when they require it.
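The "check" that stops unauthorised alteration going undetected is, in curation practice, a fixity check: a manifest of cryptographic digests recorded when data enters the archive and re-verified on a schedule. The following is an added example, not code from the DCC briefing paper or from any ISO standard; the directory layout, file contents and the HMAC key are constructed here for illustration. It builds a SHA-256 manifest, seals the manifest with an HMAC so that the manifest itself cannot be silently rewritten, and then reports files that were modified, removed or planted.

```python
"""Fixity manifest for a curated collection (added example, constructed data).

Builds a SHA-256 manifest of every file under a root directory, seals the
manifest with an HMAC so tampering with the manifest is itself detectable,
and re-verifies the collection, reporting modified, missing and unexpected
files. All paths, contents and keys below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read in 64 KiB chunks so large objects are not loaded whole


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of a file, streamed from disk."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (POSIX path relative to root) to its digest."""
    manifest: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def seal_manifest(manifest: dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the manifest.
    The key must be held outside the archive; otherwise an attacker who
    can alter the data can regenerate the manifest and its seal too."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def check_seal(manifest: dict[str, str], key: bytes, tag: str) -> bool:
    """Constant-time comparison of the stored seal against a fresh one."""
    return hmac.compare_digest(seal_manifest(manifest, key), tag)


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the collection on disk with the sealed manifest.
    Returns files whose digest changed, files that vanished, and files
    that appeared without being recorded at ingest."""
    current = build_manifest(root)
    modified = [f for f, d in manifest.items()
                if f in current and not hmac.compare_digest(current[f], d)]
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: ingest three files, then alter one, delete one
    and plant one, as an unauthorised actor with write access might."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "a.txt").write_bytes(b"original record A\n")
        (root / "b.txt").write_bytes(b"original record B\n")
        (root / "sub" / "c.csv").write_bytes(b"id,value\n1,42\n")

        manifest = build_manifest(root)          # taken at ingest
        key = os.urandom(32)                     # constructed; keep off the archive
        tag = seal_manifest(manifest, key)

        (root / "b.txt").write_bytes(b"original record B (altered)\n")
        (root / "sub" / "c.csv").unlink()
        (root / "d.txt").write_bytes(b"planted\n")

        if not check_seal(manifest, key, tag):
            raise RuntimeError("manifest seal broken: do not trust the manifest")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A fixity check tells you that something changed, not who changed it or whether the change was authorised; it belongs alongside the access controls and audit logging that an ISMS requires, and the seal key must be stored separately from the collection (for example with the audit records) so that the manifest cannot be regenerated by whoever altered the data.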


2. The ISO/IEC 27000 Series

ISO/IEC 27000 is a series of standards which, when used together, specify the complete implementation of an ISMS. The series is still under development, with four of the planned core standards currently published. Work is progressing on the remainder of ISO/IEC 27000 to ISO/IEC 27010. These cover the fundamental requirements of an ISMS, are applicable to any domain, and can be applied to any organisation regardless of size, structure or aim. Numbers above ISO/IEC 27010 have been reserved for sector-specific implementation guidelines, most of which are still at the planning or pre-draft stage. The appendix summarises the development of the series to date.

The core documents in the series are ISO/IEC 27001, which specifies the requirements for an ISMS, and ISO/IEC 27002, which establishes guidelines and principles for implementing its controls. Both are based on the Plan-Do-Check-Act (PDCA) model for continuous quality control and improvement.3 An ISMS can be audited against ISO/IEC 27001 and certified as conformant. Third-party certification is available from a number of accredited certification bodies and normally lasts for three years. Support for improving an implementation is usually given throughout the certification period.


3. Functionality

ISO/IEC 27001 sets out the requirements for establishing, operating, documenting and continually improving an ISMS using a risk management approach, which the organisation must define in advance.4 Implementers are required to identify, analyse and evaluate risks and to reduce them to an acceptable level. Treatments for those risks are selected from over 130 controls defined in the standard. These cover a range of areas where information security could be compromised, and focus on the preparation of adequate policies and procedures and the documentation of processes. The control areas include: security policy; staffing (human resources security); physical and equipment security; access control to both computing equipment and data; compliance with legal requirements and standards; acquisition, development and maintenance of information systems; and management of business continuity. The controls are not exhaustive: they may be customised, or additional ones developed, for a specific implementation.

The standard also requires that a conformant ISMS will: demonstrate management commitment through the provision of resources, competent staff and training; undergo internal audit and management review; and undertake to continually improve its effectiveness.

Mappings to the related management system standards ISO 9001 and ISO 14001 are provided, to ensure consistency of approach across implementations.5

ISO/IEC 27002 gives practical implementation guidance and further information for each of the controls listed in ISO/IEC 27001. It also contains guidance on how to select appropriate controls for an implementation, including those essential for legislative compliance and those required for good practice.


4. Benefits

Implementing or certifying an ISMS against ISO/IEC 27001 can bring a number of benefits to an organisation:

  • Following a defined, structured approach with international recognition can ensure that an ISMS is fit for purpose
  • Information security issues, and how to mitigate the associated risks, will be identified, managed, monitored and improved in a planned manner
  • Appropriate processes and procedures for information security management will be defined, documented and embedded in practice
  • Demonstration of organisational commitment to information security will ensure adequate allocation of resources, identification of roles and responsibilities, and appropriate training
  • Data will be protected against unauthorised access, supporting its authoritative nature, while authorised users will have access to data when they require it
  • Continuity of an organisation's business will be effectively managed, improving its profile and increasing opportunities
  • Intellectual property rights can be protected
  • Independent verification of conformance with the standard can help demonstrate that an organisation has not been negligent regarding the laws on the privacy of personal information. In England and Wales the standard is recognised by the Information Commissioner as an appropriate source of advice for ensuring compliance with the Data Protection Act 1998.


5. Implementations

Organisations which have achieved ISO/IEC 27001 certification are listed in the International Register of ISMS Certificates. At the time of writing, 5,206 certificates had been granted worldwide. Nearly two-thirds of these are held by Japanese organisations, because the Japanese Ministry of Economy, Trade and Industry (METI) requires companies working with government agencies to be certified. India and the UK have the next largest numbers of certificates, with 8% and 7% of the total respectively. UK certified organisations represent a cross-section of the public and business community, and include the University of Gloucestershire, the Scottish Qualifications Authority, the General Medical Council, Liverpool City Council, the Royal Mail, the Royal Bank of Scotland and the Welsh Assembly Government.


6. Additional Resources


1 See the DCC Curation Lifecycle Model (accessed 12 March 2009).

2 The characteristics of an authoritative record as defined by ISO 15489: Information and Documentation - Records Management.

3 Also known as the Deming Cycle or Shewhart Cycle. See more information on Wikipedia (accessed 12 March 2009).

4 ISO/IEC 27001 recommends, but does not mandate, the use of ISO/IEC 27005, Information Technology - Security Techniques - Information Security Risk Management, for defining an organisation's risk management approach.

5 ISO 9001: Quality Management Systems - Requirements, and ISO 14001: Environmental Management Systems - Requirements with Guidance for Use.


Appendix

Each standard is listed with its status at the time of writing, the document it replaces or revises where applicable, its title and a summary of its scope.

ISO/IEC 27000
Status: Final Distribution Draft; publication due 2009
Scope: An introduction and overview of the ISMS family of standards, plus a glossary of common terms

ISO/IEC 27001:2005
Status: Published; replaces BS 7799-2:2002
Title: Information Technology - Security Techniques - Information Security Management Systems - Requirements
Scope: Establishes the requirements for initiation, establishment, implementation, maintenance and improvement of an ISMS within an organisation

ISO/IEC 27002:2005
Status: Published; comprises and replaces ISO/IEC 17799:2005 and its corrigendum ISO/IEC 17799:2005/Cor.1:2007
Title: Information Technology - Security Techniques - Code of Practice for Information Security Management
Scope: Establishes guidelines and principles for an ISMS within an organisation, covering initiation, establishment, implementation, maintenance and improvement

ISO/IEC 27003
Status: Final Committee Draft; publication expected 2010
Title: Information Technology - Security Techniques - Information Security Management - Implementation Guidance
Scope: Gives help and guidance for implementing an ISMS

ISO/IEC 27004
Status: Working Draft; publication expected late 2009
Title: Information Technology - Security Techniques - Information Security Management - Measurement
Scope: Provides measurements and metrics for an ISMS and its controls

ISO/IEC 27005:2008
Status: Published; revises ISO/IEC TR 13335-3:1998 and ISO/IEC TR 13335-4:2000
Title: Information Technology - Security Techniques - Information Security Risk Management
Scope: Provides guidelines for information security risk management, the approach on which an ISMS is based

ISO/IEC 27006:2007
Status: Published
Title: Information Technology - Security Techniques - Requirements for Bodies Providing Audit and Certification of Information Security Management Systems
Scope: Supports the accreditation, in terms of competence and reliability, of bodies providing ISMS certification

ISO/IEC 27007
Status: Confirmed as a work item
Title: Guidelines for Information Security Management Systems Auditing - Management Systems
Scope: Guidelines for ISMS auditing with a focus on the management system

ISO/IEC 27008
Status: Publication expected November 2011
Title: Guidelines for Information Security Management Systems Auditing - Security Controls
Scope: Guidelines for ISMS auditing with a focus on the security controls

ISO/IEC 27010
Status: First working draft being prepared
Title: Information Technology - Security Techniques - Information Security Management for Inter-Sector Communications
Scope: Planned as a multi-part standard providing guidance on ISMS implementation for cross-sector communications

ISO/IEC FDIS 27011
Status: Under development; currently available as ITU-T Recommendation X.1051
Title: Information Technology - Information Security Management Guidelines for Telecommunications Organizations Based on ISO/IEC 27002
Scope: Will provide ISMS implementation guidelines for the telecommunications industry

ISO/IEC 27012
Status: Speculative
Scope: Planned to provide ISMS guidance for e-government

ISO/IEC 27013
Status: Pre-draft
Scope: Planned to provide guidance on the integrated implementation of ISO/IEC 20000-1 (IT service management, derived from ITIL) and ISO/IEC 27001 (ISMS)

ISO/IEC 27014
Status: Pre-draft
Scope: Planned to cover information security governance

ISO/IEC 27015
Status: Pre-draft
Scope: Planned to provide ISMS guidance for financial services organisations

ISO/IEC 27031
Status: Pre-draft
Scope: Planned to provide specifications for ICT readiness for business continuity

ISO/IEC 27032
Status: Pre-draft
Scope: Planned to provide guidelines for cyber security within an ISMS

ISO/IEC 27033
Status: Pre-draft; will replace ISO/IEC 18028:2006
Scope: Planned as a multi-part standard for IT network security within an ISMS

ISO/IEC 27034
Status: Pre-draft
Scope: Planned to provide guidelines for application security within an ISMS

ISO/IEC 27035
Status: Pre-draft; will replace ISO/IEC TR 18044
Scope: Planned to provide guidelines for information security incident management within an ISMS

ISO 27799:2008
Status: Published
Title: Health Informatics - Information Security Management in Health Using ISO/IEC 27002
Scope: Health-sector-specific ISMS implementation guidance

ISO/TR 27809:2007
Status: Published
Title: Health Informatics - Measures for Ensuring Patient Safety of Health Software
Scope: Provides control guidelines for patient safety within a health-sector ISMS
