ISO 27001


Confidentiality: Only those people who have access rights or are authorized can see the information. For example, salary data is confidential, so only authorized persons should be able to access that information.

Integrity: Integrity refers to the completeness of the information. The information that you save must be complete and not corrupted. For example, you save important information to the database. When you access it, it must be retrieved the same way it was saved.

Information security is the practice of protecting information from unauthorized use. We are living in an era where electronic devices such as laptops and mobile phones have become part of our basic needs. We save huge amounts of information on our computers, smartphones, storage devices, tablets, and on paper and then we often treat them as ordinary files that have no importance. But if this information gets into the wrong hands, it can lead to inconvenience, monetary losses, and reputation issues for the organization. Hence, you need to make sure that all your important documents are password protected, and you should avoid the habit of using the same passwords for everything. Information security is not only about securing information against unauthorized access. It is the practice of preventing unauthorized access, use, modification, and destruction of information. Let’s now look at why a standard on information security was necessary. You should know the basic history and origin of information security.

How ISO 27001 Applies to You

Imagine you are responsible for securing confidential data. What if this information was stolen? What if your competitor accessed this information? In the wrong hands, personal information can be used against you. This section explains how ISO 27001 can safeguard your information.

ISO 27001: Information Security Management System

The BSI (British Standards Institution) Group originally published the standard called BS 7799. It was written by the United Kingdom government's Department of Trade and Industry (DTI) and consisted of several parts.

The first part, containing the best practices for information security management, was revised in 1998. It was adopted in 2000 by the ISO as ISO/IEC 17799, titled “Information Technology: Code of Practice for Information Security Management”. ISO/IEC 17799 was then revised in June 2005 and incorporated into the ISO 27000 series of standards as ISO/IEC 27002 in July 2007. The second part of the standard, BS 7799-2, was published in 1999 with the title “Information Security Management System”. The focus of BS 7799-2 was on how to implement an information security management system. Later, this was updated to cover risk analysis and management and was called ISO/IEC 27001:2005. The latest published version of the Information Security Management System (ISMS) standard is BS EN ISO/IEC 27001:2017. The ISO version of the standard (2013) was not affected by the 2017 publication, and the changes do not introduce any new requirements. If you are interested in reading a detailed history of information security, read BS 7799-3:2017.

An ISMS is a framework of policies and procedures for ameliorating risk.

Define an information security policy: The main purpose of an information security policy is to define what top management wants to achieve with its security measures. This tells management who is responsible for which items, with clear expectations, roles, and responsibilities.

Define the scope of ISMS: Scope is an important factor in accordance with the statement of applicability. The scope should cover the location of the information security audit, the functions involved in the audit, as well as the personnel and assets involved (physical, software, and information). It should clearly define any exclusions. For example, say you are performing an audit for a software division that includes the HR, IT, and admin departments (not including sales and marketing). In this case, your scope document should clearly define sales and marketing as exclusions.

Conduct a risk assessment: Risk assessment is an essential part of any business and ISO 27001 focuses on risk-based planning. The assessment or analysis is based on the asset register. In simple words, you need to identify which incidents might happen and determine the best way to do asset-based risk assessments. This can be done by creating a focus group, holding a brainstorming session, or interviewing asset owners.

Manage identified risks: When managing identified risks, it is important to use the plan document. When a risk is identified, it should be registered into the risk register and categorized based on the organizational risk management plan. The asset owners should be responsible for their asset risk; however, the standard does not tell you how to deal with the risk.

Select the control objectives and controls to be implemented: There is a long list of controls in ISO 27001. Chapter 7 covers these controls in detail.

Prepare a statement of applicability: A statement of applicability in ISO 27001 is also referred to as an SOA document. It is one of the most important documents in the system, and organizations generally tend to spend more time preparing it. This document states how the organization implements the controls. It also identifies any inclusions and exclusions.

This international standard provides requirements for establishing, implementing, maintaining, and continually improving an information security management system. An ISMS is a systematic approach to managing sensitive company information so that it remains secure. Adopting an ISMS is a strategic decision since it includes people, processes, and IT systems. It can help small, medium, and large businesses in any sector keep their assets secure. If you are new to ISO 27001 and are familiar with some other standard, you may assume that by purchasing/downloading the standard, you can figure out what you need to do, but that is not the case.

ISO 27001 is not prescriptive. It doesn’t tell you what kind of technology to use to protect your network or how often you need to perform backups, for example. Those decisions need to be made by your organization. Imagine if the standard prescribed that you needed to back up your system every 24 hours. How would you know that this is the right interval for your organization? Organizations have different needs and different types and amounts of data. For example, companies like Facebook, Google, LinkedIn, etc. generate petabytes of data every day. The rate of change of their data is very quick, and they need real-time backup (or, if not real-time, at least hourly backup). Conversely, there are small organizations for which the rate of data change is very slow. Their backup interval could easily be once a week.

ISMSs stand on three main pillars, referred to as the CIA triad.

Confidentiality

Confidentiality refers to protecting information from being accessed by unauthorized parties. Imagine that you started a new company. You have physical assets like a building, equipment, and computers. You have employees and important data, which are also assets. You want only authorized people to see the data, so you want to implement confidentiality. This way, only authorized people can access the data and work with it. You can implement confidentiality by encrypting the data files and then storing them on a disk. By doing this, only people who have access to the disk (and the key) can see the data and work with it. In terms of personal information, say you want to open a new savings account at the bank and need to invest $10,000. This information is confidential, as only the bank and you can access it.

Integrity

Integrity refers to the consistency, accuracy, and trustworthiness of data over its entire lifecycle. If you transfer $1001 to your friend, you want to be sure that he receives $1001. You want to be confident that an unauthorized attacker can’t alter or manipulate it to make it $100, or that the bank won’t make an error.

Availability

The availability of data is also very important. If the data is stored in a database, it is very important that the business or authorized user can access it when needed. The data should be readily available to authorized users. If the data is secured but not available when it’s requested, this can be a big risk to the company. Say you go to the bank to withdraw some money from your account, but the bank official tells you that service is not available at that time. You will likely lose faith in that bank. Availability is ensured by continuously maintaining the hardware and software. It is important to ensure an optimal environment that is free from software conflicts. Security equipment, such as firewalls and proxy servers, can guard against downtime and ensure protection from denial of service (DoS) attacks.

Figure: The CIA triad

Why Is It Important to Safeguard Information?

Safeguarding information is essential to protecting yourself and your organization against malicious or misguided attacks. As examples of what can happen when your data is not secure, this section describes some real security breaches that happened in the past. These examples will help you understand the following:

  • What the motive was and what kind of information was stolen
  • What the impact was
  • How the security breach happened

Yahoo

  • Year: 2013-14
  • Impact: 3 billion user accounts

Yahoo announced that a state-sponsored actor pulled off a big data breach in 2014. This breach included the real names, email addresses, dates of birth, and telephone numbers of 500 million users. Most of the passwords were hashed using a robust hashing algorithm.

Marriott International

  • Year: 2014-18
  • Impact: 500 million customers

In November 2018, Marriott International announced that cybercriminals had stolen 500 million customers’ data. Marriott had acquired the Starwood hotel group in 2016, and the cyberthieves had attacked and entered Starwood's system. This was not discovered until September 2018. In this attack, 100 million customers’ credit card numbers and expiration dates were stolen. For some, only their names and contact information were taken. Marriott communicated that it believed the attackers were not able to decrypt the credit card numbers. According to an article published in The New York Times, a Chinese intelligence group pulled off that attack.

eBay

  • Year: May 2014
  • Impact: 145 million users compromised

In May 2014, eBay reported a cyberattack in which all of its 145 million users’ personal details were stolen. That included their names, addresses, dates of birth, and encrypted passwords. How did this happen? The hackers used the credentials of eBay employees to enter the company network. They had complete access to the user database for more than seven months. When eBay discovered this breach, it asked its users to change their passwords, and it communicated that the users’ credit card numbers were not stolen, as they were stored separately.

Heartland Payment Systems

  • Year: March 2008
  • Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland's data systems

In January 2009, Visa and MasterCard reported suspicious transactions to Heartland Payment Systems. At that time, Heartland was processing over 100 million payment card transactions per month. Heartland was declared non-compliant with the Payment Card Industry Data Security Standard (PCI DSS). That meant that major credit card providers were not allowed to process its payments. This ban was in place until May 2009. Heartland was also asked to pay an estimated $145 million in compensation for fraudulent payments. It was discovered that two unnamed Russians masterminded the international operation that stole the credit and debit cards. The attack exploited a SQL injection vulnerability, a weakness common to many web-facing applications that made SQL injection the most common form of attack against websites.

Uber

  • Year: Late 2016
  • Impact: Personal information of 57 million Uber users and 600,000 drivers exposed

In late 2016, Uber discovered that a hacker had stolen the names, email addresses, and mobile phone numbers of 57 million users of its app. The driver license numbers of 600,000 Uber drivers were also stolen. Hackers also stole usernames and password credentials to Uber’s AWS account by getting access to its GitHub account.

Uber had to pay the hackers $100,000 to destroy the data. It cost Uber in terms of reputation and money.

NHS Cyberattack

  • Year: May 2017
  • Impact: WannaCry crippled 200,000 computers with a message demanding cryptocurrency in bitcoin. This attack resulted in about $112 million in losses.

Hackers broadcast ransomware called WannaCry, also called WanaCrypt, through emails that tricked the recipients into opening the attachments and releasing malware onto their systems. Once a system was affected, the malware encrypted the files and locked them in such a manner that users could not access them. Then a red message was displayed demanding payment in bitcoin in order to regain access. Hospitals and GP surgeries in the UK were hit by this ransomware attack. The hospital staff had no option other than to use pen, paper, and their own mobile phones when the attack affected key systems, including telephones and other important equipment. This forced the hospitals to cancel appointments, which resulted in huge losses. The attackers blackmailed the healthcare systems without any assurance that access would be restored after the payment was made.

Safeguarding Summary

After reading these real-life scenarios, you can see where information security may apply to you and your organization. You learned that you need to reduce or eliminate the risks related to unauthorized disclosure, modification, and deletion of critical information.

Information security is applicable to any industry. There is a myth that information security applies only to the software or IT industries. The fact is that any industry that generates information that’s valuable to it needs good information security.

Scenario 1: Banking

Banking transactions are part of our day-to-day activities and most people have one or more savings accounts. According to the Global Findex World Bank report, 69 percent of adults have an account, up from 62 percent in 2014 and 51 percent in 2011. India saw a major rise in account numbers after the announcement of PM Narendra Modi’s “Jan Dhan” scheme. The total number of savings accounts rose to 1.57 billion in March 2017, compared to 1.22 billion in 2015. The numbers clearly show that banking is integral to our daily life and hence securing that data is a continuous challenge. The good news is that with emerging technologies, we can keep our data secure if we follow the guidelines and standard procedures.

If a bank does not secure important information like account details, account balances, and transaction histories, its customers would lose trust in it and may not feel safe depositing money there. As a personal example, imagine you ran into one of your friends after a long time and she asked for your phone or cell number. You would probably feel comfortable exchanging this information, since she is your friend. But what if she asked for your credit card number and CVV? You should be willing to share only things that are not confidential. The same goes with banks. Your account number is yours only, and only you are supposed to get the details of your account, by authenticating your identity. If you are using a mobile banking application, you understand that your customer ID and password are highly confidential, and sharing them with others is like sharing the key to your home and valuables. Some countries do not require two-factor authentication, but others require you to enter a high security code, which is a one-time password (OTP) sent to your registered mobile number. This gives you the assurance that your transactions are more secure.

Cybersecurity is of utmost importance in the financial/banking sector. The foundation of the banking system lies in nurturing trust and credibility. In this digital age, people seem to be going cashless, instead using digital payment methods such as cryptocurrencies like bitcoin, debit cards, credit cards, and wallet payments. In this context, it becomes very important for banks to ensure all measures of cybersecurity, to protect your money and your privacy. For financial institutions such as banks, data breaches can result in serious trust issues. A weak cybersecurity system can lead to data breaches that could easily cause the customer base to take its money elsewhere. Even in the case of a minor information leak, banks have to cancel the previously issued card, dispatch a new card, and then monitor accounts for similar incidents.

Banks are responsible for guarding the financial data of their customers and for keeping their operations safe. Banks are prone to security breaches if they are not protected from cybercrime. These days, people do lots of financial transactions via online banking and ATMs. Both of these must be very secure. Banks therefore make a lot of effort to safeguard online transactions and data from hackers. ATMs are an important part of the banking system and must be secure. There are cases in which the ATM card slot was compromised. This is a high-tech form of theft from ATMs called skimming. Thieves place a card reader over the real ATM card slot. When you slide your card into the card slot, the reader captures all your card information, and later they can clone the card to steal your hard-earned money.

Cosmos Bank Cyberattack

  • Impact of the attack: $13.5 million stolen from the Cosmos Bank
  • Scope: ATM switch compromise, SWIFT environment compromise, and malware infection

According to cyber experts, the attacker hacked the ATM switch of the Cosmos Bank to access the firewall server.

Figure: Cosmos Bank cyberattack

Scenario 2: Trade Secrets

We are all aware of Apple and the iPhone. Imagine that you are an Apple employee working in the product design department. You have access to the new iPhone designs before their launch. If this information gets leaked to the outside world, imagine the impact on the company and on the morale of the employees.

Management may feel mistrustful of the employees, thinking that they are the origin of this breach. The outside world may be concerned that the company cannot protect its confidential data. This can have a major impact on company revenue and on the product image. Competitors get to see the new design and might be able to release a similar lookalike product, at a cheaper price, before the launch of the original product. It becomes important to protect the product information throughout its lifecycle, from its concept/design phase to the product release phase. Information security was and always will be a challenge. Apple has been affected by serious security issues many times. In 2014, the company's iCloud data storage was hit by a flurry of apparent breaches, culminating in a targeted attack on celebrity accounts. This was dubbed Celebgate. In this attack, various embarrassing images of Hollywood celebrities and actors were leaked to the Internet. In short, if you are storing personal data on cloud services, you should know that it is not 100% safe. It is better not to store any personal and sensitive data on the cloud. For example, if you saved an Excel file that’s highly confidential on your mobile or laptop, you need to keep it password protected.

Scenario 3: Healthcare

Healthcare is one sector in which awareness about security is low. Hackers try to attack systems that are less secure and more easily prone to compromise. Cybercriminals can easily capture hospital data, as it is often less secure. You might wonder what kind of data one can get from a hospital. The answer is social security numbers (SSNs), names of the patients, companies they are insured with, their blood types, and so on. This kind of information can be very handy for criminals. They can get more details and interlinked information from your SSN, or Aadhaar card if you are from India. Again, your confidential information, like credit card details if you happen to pay through that medium, is all exposed. More innocuous information can serve as the first step to stealing confidential information that you would otherwise not share.

According to the PwC Healthcare research institute, the consequences of a data breach in a hospital can be up to $200 per patient, while the cost of prevention is just $8 per patient. The famous quote by Desiderius Erasmus, “prevention is better than cure,” comes to mind here. It fits well with cybersecurity. Some of the leading healthcare organizations are now investing in information security. So, will the ISO 27001 standard be enough to protect the healthcare industry?

It can help healthcare organizations, but if you want to implement additional healthcare directives pertaining to the healthcare domain, you may choose ISO 27799.

Summary of Additional Directives Pertaining to the Healthcare Domain as Provided in ISO 27799

ISO 27799 subsection 6.4.3: A unique forum called an information security management forum (ISMF) should be established to manage and direct the information security management system activities within the healthcare sector. When organizing the ISMF within the healthcare sector, stakeholder views need to be accommodated and regulatory obligations are to be met. A scope statement may be used in various types of organizations, but in the case of health organizations, the scope statement should be publicized widely, reviewed, and adopted by the organization’s information, clinical, and corporate governance groups. Some health organizations seek comments on the scope statement from clinicians' professional regulatory bodies, which may be aware of other organizations pursuing compliance or certification.

ISO 27799 subsection 6.4.4.2: Information security risk assessment is important in the healthcare sector because the sector carries high risk due to having facilities such as laboratories, emergency departments, and operating theatres. Both qualitative and quantitative factors need to be considered when assessing information security risks in these environments. Examples of issues to consider when designing valuation guidelines are recognizing the importance of patient safety; uninterrupted availability of emergency services; professional accreditation; and clinical regulation.

ISO 27799 subsection 6.4.4.4: Information custodianship, ownership, and responsibility are issues that are raised when risk assessment is to be undertaken in the healthcare sector. For effective information security risk assessment to be achieved in the healthcare sector, the knowledge and skills listed below are necessary:

  a) Clinical and nursing process knowledge, including care protocols and pathways
  b) Knowledge of the formats of clinical data and the capability for the misuse of this data
  c) Knowledge of external environment factors that could exacerbate or moderate any or all of the levels of the risk components described previously
  d) Information on IT and medical device attributes and performance/failure characteristics
  e) Knowledge of incident histories and actual case impact scenarios
  f) Detailed knowledge of systems architectures
  g) Familiarity with change management programs that would change any or all of the risk component levels

ISO 27799 subsection 6.4.5.3: There are numerous factors to be considered to define criteria for the acceptance of risks. A selection from these factors includes:

  a) Health sector, industry, or organizational standards
  b) Clinical or other priorities
  c) Cultural fit
  d) Reactions of subjects of care (patients)
  e) Coherence with IT, clinical, and corporate risk acceptance strategy

ISO 27799 subsection 6.4.6: The organization’s information security officer, data protection officer, or risk manager should be responsible for the security improvement plan of the organization on behalf of the ISMF. The plans should be made available to clinical and other staff; they are useful in demonstrating progress and process improvement. These plans are sometimes effective in minimizing interruptions to operations when integrated with information security improvement and planned changes in IT facilities and healthcare.

ISO 27799 subsection 6.5: Because of the critical nature of health information systems, it is especially important to define responsibilities and action steps in the initial phase of response, because events can unfold quickly, and this leaves little time for reflection as a security incident unfolds. In the health context, the ISMF is further responsible for making sure that the risk treatment plan is carried out. In healthcare, approving the risk treatment plan may involve both information governance and clinical governance.

Scenario 4: Manufacturing

The manufacturing industry is no different than other industries when it comes to vulnerability. Attackers are targeting manufacturers in order to steal information about new products, processes, or technologies that the manufacturer creates. This can be a secret formula, blueprints of confidential designs, or any process. For example, a competitor might try to steal the magic formula or unique ingredients of a noodle business in order to sell products at a lower price and reduce the original maker's margins and competitive edge. The operational technology used by manufacturers is very often unsecured and therefore vulnerable to external cyberattacks and internal threats. Attackers know that manufacturers’ networks can be easily compromised because of the lack of awareness of cybersecurity tools and processes. The following sections look at some real-world examples of manufacturing threats. These real-world cases will help you understand the potential consequences for the manufacturing industry.

Stuxnet Virus

In 2011, the Stuxnet worm targeted the PLC system of Iran’s nuclear program and destroyed many of its nuclear centrifuges. This virus is said to be one of the most successful industrial attacks in cyber history. At the time of this writing, no data was available to show the impact in terms of revenue. But the attack successfully destroyed a fifth of Iran's nuclear centrifuges and damaged the country’s nuclear program quite badly.

Scenario 5: Information Technology

This scenario considers people who work with software development companies or are aware of how the industry operates. A software company develops software applications/products for its external and internal customers. The company receives a lot of information in terms of requirements from its clients, and these are highly confidential. They can be considered the intellectual property of the customer, especially if the product/application is not available in the market yet. It becomes very important for the company to safeguard this information. That’s why many companies require non-disclosure agreements (NDAs) to be signed. Both parties officially agree not to disclose information to any third party. An NDA creates a confidential relationship between the parties, in order to protect confidential and proprietary information or trade secrets. Once both companies agree and start working together, we call it a project and assign a team to it.

Note: A project is a temporary endeavor having a definite start and end date. Projects must be aligned to organizational goals and should be executed in a secure environment.

Upon assigning team members to the project, they must be reminded of their responsibilities to safeguard client information. They should never disclose that information to unauthorized persons or to anyone outside the organization. Consider how the information will be used and accessed during the project execution and all the ways it needs to be safeguarded.

As part of the project, team members need to prepare or access many documents and work on the source code repository. The project manager, with the help of the IT team, must define and provide access for each team member working on the project. Member access is usually defined as read, write, and delete. Only a few privileged members can delete information. This may be a part of the configuration control, and the role may vary depending on the organization. It is also important to review the access rights on a regular basis. IT teams who provide access to the source code repository must keep track of users, in order to stop any unauthorized access or tampering with the information. For example, a team member may try to send client information outside the official email system to their personal email or other known contacts. Also, if USB ports are not disabled, it becomes very easy to copy information to a USB stick and carry it outside. Once the project is delivered, the client might ask to have the source code (developed by the company for the client), which must then be deleted from company systems. This is to ensure that the company doesn’t reuse that source code for its own benefit.

Assessing Business Needs

Once the business need is clear, you can implement a robust ISMS (Information Security Management System) that covers the needs of the interested parties and customers. It should also meet management expectations. Clause 4.1 of ISO 27001, identifying the organizational context, is the first step in implementation. This clause requires you to analyze the external and internal issues that influence your company’s information security. Management requires that you define the organizational context.

As per ISO 31000 Clause 5.3.1, these issues can be of two types:

  • Internal issues: Factors that are under the control of the organization.
  • External issues: Factors that the organization cannot control.

Let’s look at a few examples of internal issues:

  • Organizational structure: Defines the roles, responsibilities, accountability, and hierarchical positions in the organization. This helps define the position of the ISMS. Having clearly defined roles and responsibilities in securing the information helps you know who is responsible for which areas and provides clarity on what needs to be done.

  • Organizational culture: The culture of the organization can be expressed in terms of its vision, mission, and values. The organizational policy, business strategies, and objectives also help define the information security policy. As per ISO 27001:2013 Clause 5.2, organizations need to publish their information security policies. Considering employees’ perspectives is very important when publishing documents that will affect the way people work.

  • Available resources: It is important to know which resources are available to the organization to implement information security. Knowing which technologies, systems, equipment, and personnel you already have helps guide you in terms of procurement or acquisition of resources.

Now let’s look at some external issues. Here are a few examples:

  • Legal and regulatory requirements: From an implementation point of view, it is essential to determine the legal, safety, and regulatory requirements of your organization. Some regulatory requirements, such as labor laws, IT-related safety requirements, and intellectual property/copyright law, are mandatory and must be met to be compliant. Chapter 6 covers the mandatory controls in detail.

  • Political and economic environment: This also plays an important role when implementing an ISMS; you need to monitor changes in government policy and in currency exchange rates.

  • Technological trends: New technologies may bring new security challenges and may require new ways to protect the information.

Organizations need to determine their business context. For that, you need to identify the internal and external issues in your organization and identify the relevant interested parties.


It is important to understand the business needs, which means you need to know the context of your business. In other words, why does your business exist? This will help you assess the business needs and strategize the ISO 27001 implementation. Many organizations either skip or neglect to understand the business context. Then, during the scope planning, many areas are missed or unidentified and that can lead to problems because of incomplete scope analysis.

So, who should know or understand the business context? Every employee, contractor, and vendor who works with your organization should, because it directly or indirectly impacts the organization’s business objectives. If the business context is not clear, workers won’t be able to meet the organization’s set objectives. To understand this in a more holistic manner, let’s look at this from different industry angles:

  • IT/hardware/software organization: The company does software development work or provides IT services, and handles a lot of customer data. If the solutions provided or the systems used by the company are not secure, it can impact the company’s business and its reputation. Hence, it becomes important to secure business-critical information in all possible ways.

  • Banking organization: Banks handle your financial data and transactions, and these must be protected from unauthorized access and theft. Their customers have put a lot of faith in the bank and in its systems. If the bank is breached, it can impact the bank’s business and reputation. It’s very important for banks to secure their systems and networks in all possible ways.

  • Healthcare organization: These organizations handle and store patient healthcare information and it must be protected from unauthorized access and theft. Your customers won’t be happy if their personal health information is made public or stolen. Victims could sue you, which in turn could impact the company’s business and reputation. Hence, it’s important for healthcare organizations to secure their systems and networks in all possible ways.

These are just a few examples to show you why it’s worth it to invest your time and money in implementing ISO 27001 security practices.

Scope and High-level Timeframe for Implementation

Note No matter how small or big the organization is, the scope assessment is very important, as it will provide an understanding to all stakeholders and employees including senior management, customers, and auditors about the areas in your organization that are part of the implementation.

There are numerous factors involved in identifying the scope. You need to consider the organization’s entities, locations, geographies, business units, departments, and any products or services that are offered. You need to look for areas that are out of scope from an implementation or certification point of view and then assess the impact on the overall implementation. For areas you find to be out of scope (not under your control or influence), you have to assess whether important stakeholders or interested parties are affected. So, how do you identify out-of-scope areas? You analyze the business process flow and the key dependencies between the activities performed by the organization and the activities that are outsourced to another organization. Say your organization has outsourced the hosting of datacenter services. The activities of the datacenter are out of your controlled scope, but you still need to manage your vendor as part of your outsourcing policies and processes, since they are responsible for managing your business and customer risks. You should also conduct a vendor risk assessment, which you will learn about in the coming chapters.

Tip Look for vendors/suppliers who are compliant with information security practices, as this will help you feel confident that they understand your business risks.

By taking all these steps, you can rest easy that you have not missed any important areas or stakeholders.

You can take three main steps to identify the scope of implementation for your organization’s ISMS:

  1. Identify the areas/systems/locations where all the information is or will be stored. This includes the physical and digital document files.
  2. Identify all the ways by which information is or will be made accessible to users.
  3. Identify what is out of scope, i.e., what your organization doesn’t have control over, such as outsourced products or services.

By taking these steps, you can prepare the following documents:

  • Scope document
  • Statement of applicability

A well-defined scope provides assurance that all the important areas of your organization have been covered in terms of implementing security controls. It also helps to get everyone, including management, on the same page, with one common vision. If this is not handled properly, it may delay or extend the implementation timeline. Documenting the organization’s scope is one of the requirements of the ISO 27001 standard.

Many organizations have security departments, which are led by the chief information security officer (CISO). This person usually reports directly to the vice president or managing director. The CISO has the authority to form a team to work on the implementation of ISO 27001. In general, the team includes the following members:

  • Steering committee members: This includes the managing director, vice president, chief executive officer, chief technology officer, and the chief information security officer.

  • Information security department members: This includes the information security manager, team members, and department heads of any departments that are part of the implementation. The information security department members schedule a meeting with the department heads to define their scope of work and determine what standard operating procedures they use on a daily basis to perform their tasks.

During such discussions, you can use a checklist or questionnaire to collect the information. This will help you conclude whether the collected information is important from a business point of view and can be placed under the crucial category. That is why this chapter discussed business context: you need to understand the business context in order to understand the systems and processes that you use in your organization. Once all these department discussions are done, the team makes a collective decision to identify the overall scope of the organization, including the departments to be included, company locations, etc.

To decide on the final scope, a meeting is arranged with the steering committee members. The scope is presented to them, and there might be multiple rounds of discussion. The CISO might need to explain the reasoning for selecting the identified scope, at which point it might be tweaked. Once management or the approval authority has approved everything, the scope can be frozen, and it becomes a guiding document for working on the implementation. The key is to manage the expectations of management.

Once the scope document is frozen, you might wonder whether it can be revised or modified. It can be revised based on the many inputs and scenarios observed during the implementation, because more clarity comes when you execute the tasks. Team members must meet on a weekly basis to share information with the CISO, who can make initial decisions and determine whether the issues should be included in the scope. The final decision is the steering committee’s, as they know the budget requirements as well as the implementation requirements.

What’s Covered in the Scope Document?

This section lists a sample table of contents for a scope document. It is for reference purposes only. This content may be modified or deleted based on the organization’s requirements/knowledge/experience.

  • Purpose of the document: Describe what is covered in the scope document.

  • Company/organization description: A brief description of the organization, including the company’s business.

  • Scope statement: A statement that covers the primary objective of the ISMS implementation.

    • Within the scope: What is in the scope
    • Out of scope: Exclusions with justifications
    • Company stakeholders: Mention the key stakeholders
    • Company geographical/physical locations: Mention locations that are part of the implementation
    • Information security objectives: Mention the objectives to be achieved
    • Responsibilities of the information security group: Mention the key responsibilities in a clear manner
    • Monitoring and review: Mention the scenarios in which the scope document can be reviewed/revisited for any changes/additions

If you adequately cover all these points in your scope document, you will have properly documented the scope of your organization’s ISO 27001/ISMS implementation. This can be shown to your customers or to auditors who need to know the scope and the areas that are excluded.

What Is the Statement of Applicability (SOA)?

The Statement of Applicability (SOA) goes hand in hand with the scope identification exercise. It is an important document that helps you look for the areas to be included in your ISMS. This document helps you select the controls that you implement within your organization. It is also a mandatory document, and it must be shown to the auditor or the certification body during the ISO 27001 certification exercise. It will act as a roadmap for your ISMS implementation and will ensure that your organization meets the criteria put forth by the International Organization for Standardization (ISO). The sample SOA template explained in the following sections will help you understand the controls mentioned in the SOA. Then you can determine which controls are applicable to specific teams or members in your organization. When it is not clear which team member has the responsibility to implement certain controls, this document can help clarify the roles and responsibilities.

Defining and Finalizing the Risk Assessment Framework

When you initiate the risk assessment, it is important to identify the framework to be followed to manage risk. This method can help the teams provide a guideline to conduct a risk analysis on assets based on the defined scope. There are three main scenarios for performing the risk assessment, which are as follows:

  • Security risks must be unique and might lead to significant losses if they occur.
  • Organizations must comply with legal, statutory, and contractual requirements.
  • Organizations must define objectives to support their business operations.

It is also important to understand the benefits of conducting the risk assessment:

  • Asset identification and its related vulnerabilities and security controls
  • Decision making to rectify the risk
  • Justification for spending budget on security implementation
  • Help in improving awareness about information security


Risk Components

The risk assessment process consists of the following components:

  • Assets
  • Threats
  • Vulnerabilities
  • Impact
  • Probability of occurrence
  • Consequences

Note Most companies do not consider risk assessment for an asset value that is less than or equal to 5, as the impact to the business would be minimal or negligible.

What Are Threats?

In ISO 27001, the term “threat” is designed to focus on identifying and analyzing scenarios that are unexpected or unwanted, and if they occurred, would cause harm to the organization. Risk assessment is based on threat identification, which means if there is a potential scenario of a threat, you need to do risk analysis or assessment and treatment. A threat may be caused by intentional or unintentional acts. There are also acts of nature, such as floods, fires, and earthquakes, which you cannot control. There are different types of threats, and each threat could lead to unique problems. Some examples are:

  • Asset may malfunction or be damaged
  • Asset may be corrupted or modified
  • Asset may be stolen or lost
  • Asset may be disclosed to unauthorized people
  • Any other interruption of services

What Are Vulnerabilities?

A “vulnerability” is a weakness in an asset or system that makes it susceptible to threats. For example, if you are vulnerable to a specific type of allergy, it’s because your immune system reacts to that particular allergen. To avoid this issue, you can either take steps to make your body strong or avoid certain actions to prevent interacting with this allergen. When you come across a condition or set of conditions that occurs frequently in your business operations and exploits an asset, you need to identify the vulnerability and avoid the conditions.

Note It is important to identify vulnerabilities as early as possible. By analyzing conditions in which you can use the asset, you should collect and analyze various other inputs, such as reports and penetration tests, which may provide better understanding in identifying vulnerabilities.

What Is a Security Risk?

How do you define a security risk? By analyzing a threat to an asset and determining the associated vulnerabilities, you arrive at a conclusion: if the identified threat has the potential to exploit any of those vulnerabilities and negatively impact an asset or group of assets, that constitutes a security risk. This means that, directly or indirectly, there will be a negative impact on your organization. You also need to evaluate the security risk level in order to identify which security risk:

  • May have the biggest impact
  • Needs to be addressed first
  • Can be put under a watch list and addressed later

To determine the risk value, you combine the asset value (covered in the “Asset Value” section of this chapter), the assessed likelihood of the risk, and the risk’s impact. The formula is as follows:

Risk Value = Asset Value * Likelihood * Impact

Risk Likelihood Level and Rating

  • Rare (level 1): Very low probability of occurrence (might occur once every 3-4 years or more). Might cause a very negligible impact.
  • Moderate (level 2): Might occur every two years. Has a noticeable impact, i.e., some financial loss or data loss may occur.
  • Likely (level 3): Might occur at least once a year. Has a significant impact, i.e., financial loss or data loss, or there could be injuries to people and damage to other assets.
  • Almost Certain (level 4): Might occur more than once a year. Has a very high impact, i.e., financial loss or data loss, or there could be injuries to people and damage to other assets.

Risk Impact Ratings

  • Minor (scale rating 1): Service or business downtime of less than a few hours (for IT infrastructure and other operational facilities).
  • Moderate (scale rating 2): Service or business downtime of more than a few hours that could last for one calendar day.
  • Major (scale rating 3): Service or business downtime of more than a day that could affect delivery of services, so that the office/site is not operational (could be for hours or days); or the IT infrastructure is down, or the office/site cannot be reached due to public strikes, floods, earthquakes, etc.
  • Catastrophic (scale rating 4): Service or business downtime caused by severe damage to the office/site and the IT infrastructure; major financial loss leading to operations being shut down.

What Is a Risk Ranking?

The rank assigned to each risk is called its risk ranking. Risks are ranked into four types, depending on the calculated risk value and the priority level of the risk.

The table shows the risk rankings and a description of the associated actions that could be taken to treat the risks.

Risk Rankings

  • Risk value 1–36, rank Low, priority P4: A security control already exists. The chance of exploiting the vulnerability is low. Requires monitoring.
  • Risk value 37–72, rank Medium, priority P3: There are chances to exploit the vulnerability. Probability of occurrence is medium. May damage only non-critical applications/services and associated assets. No major impact, but proactive risk monitoring is required.
  • Risk value 73–108, rank High, priority P2: There are high chances to exploit the vulnerability. Probability of occurrence is high. May impact critical business applications or services, resulting in service degradation. High impact on business operations; risk monitoring is required on a regular/frequent basis.
  • Risk value 109–144, rank Very High, priority P1: There are very high chances to exploit the vulnerability. Probability of occurrence is very high. Adverse impact on critical business applications/services, resulting in major downtime of services. Very high impact on business operations; risk monitoring is required on a regular/frequent basis.

Risk Prioritization

The table shows the actions that can be taken based on each risk priority ranking. The idea is to prioritize the risks and to allocate resources appropriately for risk treatment.

  • P1: Risk is a showstopper or blocker. Plan for immediate action. Actions taken must bring down the risk to an acceptable level.
  • P2: Take the actions mentioned in the Risk Rankings table.
  • P3: Take the actions mentioned in the Risk Rankings table.
  • P4: No action required.

Risk Owner Identification

It is the responsibility of each department head to take ownership of their departmental risks. Then they can assign further risk ownership to their team members. Once all the risk owners have been identified, they can start analyzing the risks and evaluate them based on the risk acceptance criteria defined in their organization.

Risk Treatment

Risk owners and teams need to analyze which risks are acceptable and which risks require immediate attention. Risk decisions fall into one of the following:

  • Risk acceptance
  • Risk mitigation
  • Risk avoidance
  • Risk transfer

Risk Acceptance

To decide whether to accept the risk or not, you should focus on the following implementation constraints:

  • Budget/financial: Financial constraints may force management to reject the budget so the security control cannot be implemented.
  • Environmental: Environmental factors such as space availability at the office/site, climate conditions, and surrounding natural and geographical conditions can all affect the decision process.
  • Organizational: Some measures are not feasible to implement due to organizational constraints.
  • Technological: Some technology is not feasible to implement, as it’s incompatible with the current hardware and software setup.
  • Cultural: Implemented security controls can be ineffective if staff or clients/stakeholders do not accept them due to cultural norms or taboos.
  • Time-based: It takes time to implement any control. Thus, sometimes you may need to wait for the budget or for the right opportunity to act.
  • Not applicable: Sometimes the organization doesn’t think its business operation is big enough, or it may not be processing highly sensitive data, and therefore it doesn’t want to implement the security control.
  • Personnel: The resources or staff needed are currently unavailable, so the security control cannot be planned.
  • Legal: Sometimes legal constraints stand in the way of implementing the controls.

Note There may be other reasons for not implementing the controls, other than those listed here. It depends on your business and industry requirements.

Risk Mitigation

Mitigation in simple terms involves the planned and executed actions you take to reduce the impact of any risk. In ISO 27001, risk reduction is done when you select the controls to be implemented for the assessed risks. You select these controls from the ISO 27001 standard implementation guide, which helps you achieve the desired result and in turn reduces the risk. Some of the criteria to consider are as follows:

  • Threat reduction, to reduce the probability of a threat from occurring.
  • Vulnerability reduction, to reduce or remove a vulnerability.
  • Impact reduction, to reduce the impact of a security breach to an acceptable level.
  • Detection of unwanted event, to determine whether a threat is easily detectable or identifiable.
  • Recovery from unwanted event, to recover from the event, thereby reducing the impact.

The control is selected based on the assurance provided by treating the risk and the acceptable (residual) risk after implementing that control. The Information Security team should review and approve the selected controls. As part of implementing security controls to treat risks, risk owners can take the following actions:

  • Acquire the required systems
  • Develop or modify policies
  • Develop procedures and practices

Risk Avoidance

Risk avoidance is possible when potential threats are eliminated. This is often done by changing process steps or execution methods. For example, local vendors are used instead of foreign vendors, as the risk of using them is much lower.

Tip Risk owners must review risks that fall under the category of risk avoidance with the Information Security/compliance team and any relevant stakeholders.

Risk Transfer

This is often the best strategy, as organizations can share their risk burdens with third parties on contractual terms.

Note All contractual terms must be clearly identified in the agreement before proceeding with a third party.

For example, you can insure business-critical assets by purchasing an insurance policy. Thus, if an event occurs, the insurance policy will help manage costs, such as repairs, lost expenses, legal expenses, etc. Another example is outsourcing business processes to third parties due to lack of experience/skills in-house. In this case, risk could be minimized, as the third party provides the assurance that outsourced processes will be taken care of.

Caution Be sure to review risk transfer cases with the Information Security team and to get approval from management before making a final decision.

What Is Acceptable Risk?

What is acceptable risk? In other words, how much risk can an organization accept? Acceptable risk is the risk that remains or still exists after implementing security controls. Table 5-5 describes the different kinds of acceptable risk.

  • Very High/High/Medium: Requires additional controls to bring the risk to an acceptable level. It should be accepted only if management approves it.
  • Low: Risk is at an acceptable level.

Note When the risk score is higher than the acceptable level, the controls must be analyzed again and re-implemented.

Risk Monitoring and Review

Risk monitoring and review is a continuous process. Once you implement the security measures and controls, you must monitor and track the progress of all risks on a regular basis to ensure you’re getting the desired result. Risk owners from their respective departments are also responsible for monitoring and reviewing risks and reporting to management on a monthly basis (or as needed).

Identifying Assets

Before you start learning how to identify information assets based on the ISO 27001 implementation, it is important to understand what is meant by assets. An asset can be anything that has value to the organization; that value can be tangible or intangible. Examples are machines, people, software, patents, reputation, etc. Assets include all those items that contribute to the establishment of information that an organization requires to conduct its daily business operations. From an information security point of view, an asset can be any device, data, or component of an environment (such as the development, testing, and production environments) that supports the information security activities within the organization. In general terms, it is anything in your organization that helps or supports the day-to-day activities, such as laptops, desktops, hardware (servers, switches, and routers), software (business and/or support applications and software tools), and any confidential information (trade secrets and financial data). The table shows the comprehensive asset register categorization that you should prepare.

Asset Register Categorization

  • Information assets: Files containing details, image files, product information, manuals, policies, and procedures
  • Paper assets: HR records, contracts, invoices, and written papers
  • Software assets: System software, application software, and the development tools and utilities that are required
  • Hardware/physical assets: Computer and communications equipment, magnetic media, environmental equipment, furniture, facilities, accommodations, etc.
  • Extension services: Communication services, air conditioning, lighting, UPS, generators, service providers, etc.
  • People assets: Employees, contractors, visitors, guests, etc.

Asset Value

Each asset is assigned a value, called the asset value. In simple terms, this helps you decide the importance of the asset to your business and its operations. The asset value helps you identify and determine the appropriate protection for the assets. You can also use asset values to identify and describe the consequences that might occur if an unexpected event occurred. In the following table, the criticality rating is defined at three levels. This rating is based on the confidentiality, integrity, and availability of an asset. These numbers represent how critical an asset is to the business.

Criticality Ratings

  • Rating 1: Confidentiality (C) = Public; Integrity (I) = Low; Availability (A) = Not Important
  • Rating 2: Confidentiality (C) = Internal; Integrity (I) = Medium; Availability (A) = Important
  • Rating 3: Confidentiality (C) = Confidential; Integrity (I) = High; Availability (A) = Very Important

By using the rating formula, you can calculate the net asset value of an asset. The net asset value is the sum of the confidentiality, integrity, and availability values.

Net Asset Value = (Confidentiality + Integrity + Availability)

For example, say you are calculating an asset value for the HR data. The confidentiality = 2, the integrity = 3, and the availability = 1. In that case, the net asset value would be: 2+3+1 = 6. So, the asset value of that HR data is 6.
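The scoring steps of this chapter carried through in code: the net asset value computed here, the risk value formula from the “What Is a Security Risk?” section, the Risk Rankings and Risk Prioritization tables, the note that assets valued at 5 or below are usually not assessed, and the acceptable-risk rule. This is an added example, not code from the book; the sample assets and threat names are constructed for illustration.

```python
"""Risk scoring helpers that encode this chapter's tables and formulas.

Added example (not from the book). It applies
    Net Asset Value = C + I + A
    Risk Value      = Asset Value * Likelihood * Impact
and maps the result onto the Risk Rankings table.
"""
from dataclasses import dataclass

# Criticality Ratings table: each of C, I, A is rated 1..3.
CONFIDENTIALITY = {"Public": 1, "Internal": 2, "Confidential": 3}
INTEGRITY = {"Low": 1, "Medium": 2, "High": 3}
AVAILABILITY = {"Not Important": 1, "Important": 2, "Very Important": 3}

# Risk Likelihood Level and Rating table (levels 1..4).
LIKELIHOOD = {"Rare": 1, "Moderate": 2, "Likely": 3, "Almost Certain": 4}
# Risk Impact Ratings table (scale ratings 1..4).
IMPACT = {"Minor": 1, "Moderate": 2, "Major": 3, "Catastrophic": 4}

# Risk Rankings table: (inclusive upper bound of the risk value, rank, priority).
# Net asset value is 3..9 and likelihood and impact are 1..4, so the product
# always lies in 3..144, which these bands cover completely.
RISK_RANKS = [
    (36, "Low", "P4"),
    (72, "Medium", "P3"),
    (108, "High", "P2"),
    (144, "Very High", "P1"),
]

# Per the chapter's note, assets valued at 5 or below are usually not taken
# through the risk assessment because the business impact is negligible.
ASSET_VALUE_THRESHOLD = 5


def net_asset_value(confidentiality: str, integrity: str, availability: str) -> int:
    """Net Asset Value = C + I + A, using the Criticality Ratings labels."""
    return (CONFIDENTIALITY[confidentiality]
            + INTEGRITY[integrity]
            + AVAILABILITY[availability])


def risk_value(asset_value: int, likelihood: str, impact: str) -> int:
    """Risk Value = Asset Value * Likelihood * Impact."""
    return asset_value * LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_rank(value: int) -> tuple:
    """Map a risk value onto the (rank, priority) pair of the Risk Rankings table."""
    for upper, rank, priority in RISK_RANKS:
        if value <= upper:
            return rank, priority
    raise ValueError(f"risk value {value} is outside the 1-144 scale")


@dataclass
class RiskEntry:
    """One row of a risk register: a single asset/threat pair."""
    asset: str
    threat: str
    asset_value: int
    assessed: bool            # False when the asset value is at or below the threshold
    risk_value: int = 0
    rank: str = ""
    priority: str = ""
    acceptable: bool = True   # Acceptable Risk table: only a Low rank is acceptable


def assess(asset: str, c: str, i: str, a: str,
           threat: str, likelihood: str, impact: str) -> RiskEntry:
    """Run one asset/threat pair through the chapter's scoring steps."""
    value = net_asset_value(c, i, a)
    entry = RiskEntry(asset, threat, value, assessed=value > ASSET_VALUE_THRESHOLD)
    if not entry.assessed:
        return entry
    entry.risk_value = risk_value(value, likelihood, impact)
    entry.rank, entry.priority = risk_rank(entry.risk_value)
    # Medium/High/Very High need additional controls or explicit management
    # approval; only Low is at an acceptable level without further action.
    entry.acceptable = entry.rank == "Low"
    return entry


def build_register(rows) -> list:
    """Assess every row and order the register P1 first, unassessed assets last."""
    entries = [assess(*row) for row in rows]
    return sorted(entries, key=lambda e: (not e.assessed, e.priority, -e.risk_value))


# Constructed sample inputs (not from the book). The first row is the chapter's
# HR data example: C=2 (Internal), I=3 (High), A=1 (Not Important) -> 6.
SAMPLE_ROWS = [
    ("HR data", "Internal", "High", "Not Important",
     "Disclosure to unauthorized people", "Likely", "Major"),
    ("Customer database", "Confidential", "High", "Very Important",
     "Database server outage", "Almost Certain", "Catastrophic"),
    ("Public brochure PDF", "Public", "Low", "Not Important",
     "File corrupted or modified", "Moderate", "Minor"),
]

if __name__ == "__main__":
    for entry in build_register(SAMPLE_ROWS):
        print(entry)
```

For the HR data row the register yields a risk value of 6 * 3 * 3 = 54, i.e., a Medium risk at priority P3 that is not acceptable without additional controls or management approval.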

Asset Classification

An asset can be grouped into different categories based on similarities and characteristics. The process of grouping similar assets is called asset classification. For example, servers, routers, switches, and LAN cables can be grouped as IT assets. Desktops, VDI devices, and IP phones can be added into the IT asset group, or you are free to make a new sub-category for these assets.

Note Asset classification varies from organization to organization and the industry to industry. The grouping of assets depends on the asset owners.


Asset Labeling

Once you are done with the information asset classification process, the assets must be labeled properly. You need to determine how your team will label the assets. Asset labeling is a small step toward achieving better security, since organizations deal with lots of information assets in their daily activities, which means the chances of misplacing or losing assets, or of them being stolen, are greater. Therefore, asset tagging or labeling is very important, in order to cut down on administrative expenses. There is no one right way to do asset labeling. You can use unique asset identification numbers or codes, indicate details about the specific location or group, or use any other relevant asset category. These labels can be QR codes, bar codes, or RFID tags. These codes can be easily scanned to provide additional information about the asset, which makes it easier to monitor and track the assets.

Any asset that you think is crucial to your business needs to be labeled. Each asset should have a different identifier, such as a serial number or an asset identification number (AIN).

Note There is no specific format for tagging assets. They should be tagged based on your defined organizational procedure. Some companies prefer not to mention the company name when tagging the assets, for security purposes.

Some best practices for labeling assets include:

By item ID: Some assets are tagged based on their IDs or location. For example, if your company is in New Delhi and you are tagging a laptop from the software team, you can code it as follows. ND is for New Delhi. For laptops, you can assign a sequential code L001 to L00N based on the number of laptops you have. Then you include a department ID. For the software department, let’s say the ID is S01. The final code would be ND/L001/S01 or ND-L001-S01.

Tip This labeling practice is best suited if your employees tend to travel with their tools or machines or you have multiple departments in your organization.

Adding a color code: In some cases, item ID tagging will not work. For example, companies with different software teams working on different software projects have different configuration needs for their projects. In such scenarios, adding color codes to the assets will be helpful. Laptops with a high configuration can be tagged with blue, a middle configuration with green, and those with a basic configuration with amber to differentiate them. Similarly, tags can be used for LAN cables for voice data, browsing data, and leased lines.

Customized tagging: The need for tagging depends on the categories of assets that you want to tag. Hence, customized tagging is also important. For example, you want to label the information using barcodes that may contain different data as per your business needs. This could include manufacturer name, manufacture year, serial number, or other tracking numbers.

Note Barcodes and QR codes are very popular these days. Based on the report published in an EZOfficeInventory whitepaper, use of asset tags can reduce administrative errors by up to 41.4%.


So far so good. These are just some of the benefits of asset labeling:

  • Stock availability
  • Tracking
  • Better monitoring

Asset Register

An asset register is a list of assets owned by the organization. The main benefit of having an asset register is that it gives you a list of assets along with their owners. Every department needs to create an asset register. To create the register, you need to identify the various assets in the business’s operations and in its daily activities. Identifying them can sometimes be tedious. The table shows some examples of assets in different sub-groups and categories that might help you identify assets more easily.

Assets in Different Sub-Groups and Categories

Hardware/Physical: Computers, Servers, Switches/routers/hubs, Access points, Access card readers, Firewalls, Communication equipment, Data storage, Cabinets, Safes, Server racks
Software: Anti-virus software, Business applications, Network management system software, Development tools, Operating systems, Utilities
Services: Outsourced operations, Outsourced services, Outsourced telephone operations, Security services, IT services
People: Employees, Customers, Subscribers, Contractors
Information: Databases and data files/soft copies, System documentation/manuals, User manuals, Training materials, Operational or support procedures, Backups, AMC documents
Paper: Contracts, HR records, Invoices

Asset Disposal

Asset disposal is the act of retiring unwanted equipment or assets in a safe manner. Large volumes of data are transferred to and stored on computer systems, and the security of this information matters even when the data is being removed. If the information is not properly removed before an asset is disposed of, it could be accessed and viewed by unauthorized personnel. Hence, organizations need to write an organizational policy that covers the disposal of information assets. A few key points that this asset disposal policy needs to cover are the following:

Media sanitization procedures : All electronic media must be properly sanitized before it leaves the custody of its current owner. The proper sanitization method depends on the type of media and on what will happen to it afterwards (reuse inside the organization, transfer outside it, or destruction). For example, if a hard drive is moved from one department to another, it must be sanitized before reuse to protect the data of the previous owner. Note that a quick format does not do this: it rewrites only the file system metadata and leaves the file contents on the platters, where they can be recovered with ordinary tools. Sanitization means overwriting the entire drive, or invoking the drive’s own secure-erase or cryptographic-erase command; the latter is the only reliable option for SSDs, whose wear levelling and spare blocks cannot be reached by host writes. NIST SP 800-88 (Guidelines for Media Sanitization) is the usual reference for choosing a method per media type.

Destruction of electronic media : Destruction of electronic media is the process of physically damaging the medium so that it can no longer be read by any device normally used to read electronic information. It applies to hard drives, pen drives, optical discs, and similar media.

Repairing hard drives under warranty : In a special situation where a hard drive under warranty has failed and the manufacturer requires that the failed disk drive be returned, an appropriate Business Associate Agreement between the manufacturer and organization must be in place before the drive can be shipped to the manufacturer. If the manufacturer will not sign a Business Associate Agreement, the old drive must be properly destroyed.

Disposal of damaged media : The first attempt should be to overwrite the hard drive or other media device and verify that the overwrite succeeded by reading it back. If it cannot be overwritten, for example because the drive no longer responds, it must be disassembled and mechanically destroyed so that it is not usable.

External party : Many companies will collect and dispose of your media, but you need to make sure that the provider you select signs a non-disclosure agreement (NDA), follows it, and gives you a certificate of destruction for each batch.

Tip An organization may use a shredder to destroy important physical information. It is a secure and cost-effective way to dispose of paper records.
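The difference between a quick format and a real overwrite, as described under media sanitization and disposal of damaged media above, can be shown on a file rather than a physical drive. The following is an added example and not code from the page or the book; it models a 1 MiB disk image in which a constructed secret string is buried, simulates a quick format as "rewrite only the first 4 KiB of metadata" (a simplification of what a quick format does), then performs full random passes plus a final zero pass and reads the image back to verify. On a real device you would run the same loop over the whole block device, or better, use the drive’s own secure-erase command as noted above.

```python
"""Overwrite-and-verify sanitization demonstrated on a file-backed disk image.

Added example, not from the page or the book. The "quick format" below is a
simplified model (metadata region only); MARKER is constructed sample data.
"""
import os
import secrets
import tempfile

MARKER = b"CONFIDENTIAL: employee salary export 2023"   # constructed secret
METADATA_BYTES = 4096                                    # modelled metadata region
CHUNK = 64 * 1024


def make_image(path: str, size: int = 1 << 20, marker_offset: int = 256 * 1024) -> None:
    """Create a random-filled image with MARKER buried at marker_offset."""
    data = bytearray(secrets.token_bytes(size))
    data[marker_offset:marker_offset + len(MARKER)] = MARKER
    with open(path, "wb") as f:
        f.write(data)


def contains(path: str, needle: bytes) -> bool:
    """Chunked search that also catches a needle straddling a chunk boundary."""
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            if needle in tail + chunk:
                return True
            tail = chunk[-(len(needle) - 1):] if len(needle) > 1 else b""


def quick_format(path: str) -> None:
    """Simplified quick format: only the metadata region is rewritten."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * METADATA_BYTES)


def overwrite(path: str, passes: int = 2) -> int:
    """Overwrite every byte: `passes` random passes, then a final zero pass.

    Returns the total number of bytes written, i.e. size * (passes + 1).
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for p in range(passes + 1):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(b"\x00" * n if p == passes else secrets.token_bytes(n))
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())   # make sure the pass reached the medium
    return written


def verify_zeroed(path: str) -> bool:
    """Read-back verification: every byte must equal the final zero pattern."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk != bytes(len(chunk)):
                return False


def demo() -> dict:
    """Run the whole scenario in a temp dir and report what was recoverable."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "old-drive.img")
        make_image(img)
        result = {"fresh": contains(img, MARKER)}
        quick_format(img)
        result["after_quick_format"] = contains(img, MARKER)
        result["bytes_written"] = overwrite(img, passes=1)
        result["after_overwrite"] = contains(img, MARKER)
        result["zeroed"] = verify_zeroed(img)
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The read-back step is the part most policies forget: an overwrite that was never verified is only an intention. For SSDs the read-back can still pass while old copies sit in spare blocks, which is why the policy text above prefers the drive’s built-in erase command for that media type.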

Asset Register Examples

This section explains, with examples from a few departments, how to track and maintain asset information in your department.

Human Resources Department

In any organization, human resources is the first department to communicate the company’s information security controls and to ensure that everybody follows them. Figure 5-4 shows a sample HR asset register. There could be more entries, depending on the organization; for example, the register should include every software application or tool that HR uses for its operations. The two important columns to note are Category and Asset Value. The Category column records what form the asset takes, for instance whether information is on paper or in soft copy. Assets like laptops and desktops are common to every department and fall under the Hardware/Physical category. People are also assets, so team members fall under the People category. Documents that exist for information purposes are placed in the Information category.


The second most important column in this table is Asset Value. The Asset Value column in Figure 5-4 shows numbers calculated as the sum of the Confidentiality, Integrity, and Availability ratings. If the sum is more than 5, the asset is considered important and you must implement controls for it. Note the Justification for Asset Value column: give the reasons in your own words, so that the value can be defended when an auditor or colleague questions it.
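The tagging scheme from the item ID section (ND/L001/S01: site, asset type plus sequence number, department) and the asset value rule just described (value = C + I + A, controls required above 5) fit naturally into a small register that can be validated and queried. The code below is an added example and not code from the page or the book. It assumes, because the page does not say, that each of C, I and A is rated on an integer scale of 1 (low) to 3 (high), that the type letter and department codes are chosen by the organization (L for laptop, H01 for HR here), and that the sample register entries are constructed illustrations rather than any real inventory.

```python
"""Minimal ISO 27001-style asset register with tag validation and CIA valuation.

Added example, not from the page or the book. Assumptions: CIA ratings are
integers 1..3 (scale not given on the page); tag format follows the page's
ND/L001/S01 example; SAMPLE_REGISTER is constructed data.
"""
import re
from dataclasses import dataclass

# site code, type letter + 3-digit sequence, department code; "/" or "-" separators
TAG_RE = re.compile(
    r"^(?P<site>[A-Z]{2,4})[-/](?P<kind>[A-Z])(?P<seq>\d{3})[-/](?P<dept>[A-Z]\d{2})$"
)

CATEGORIES = {"Hardware/Physical", "Software", "Services",
              "People", "Information", "Paper"}


@dataclass
class Asset:
    tag: str
    name: str
    category: str
    owner: str
    confidentiality: int   # assumed scale 1 (low) .. 3 (high)
    integrity: int
    availability: int
    justification: str = ""

    def __post_init__(self) -> None:
        if not TAG_RE.match(self.tag):
            raise ValueError(f"malformed asset tag: {self.tag!r}")
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category!r}")
        for rating in (self.confidentiality, self.integrity, self.availability):
            if not 1 <= rating <= 3:
                raise ValueError(f"CIA rating out of range: {rating}")

    @property
    def value(self) -> int:
        """Asset value = C + I + A, as the page defines it."""
        return self.confidentiality + self.integrity + self.availability

    def needs_controls(self, threshold: int = 5) -> bool:
        """Page rule: a value above 5 makes the asset important."""
        return self.value > threshold


def parse_tag(tag: str) -> dict:
    """Split a tag into its site, kind, sequence and department parts."""
    m = TAG_RE.match(tag)
    if m is None:
        raise ValueError(f"malformed asset tag: {tag!r}")
    return m.groupdict()


def next_tag(register, site: str, kind: str, dept: str, sep: str = "-") -> str:
    """Allocate the next sequential tag for a site/type, e.g. L001 -> L002."""
    used = [int(parse_tag(a.tag)["seq"]) for a in register
            if parse_tag(a.tag)["site"] == site and parse_tag(a.tag)["kind"] == kind]
    return f"{site}{sep}{kind}{max(used, default=0) + 1:03d}{sep}{dept}"


def assets_needing_controls(register, threshold: int = 5):
    """Assets whose value exceeds the threshold, highest value first."""
    return sorted((a for a in register if a.needs_controls(threshold)),
                  key=lambda a: (-a.value, a.tag))


# Constructed sample HR register (hypothetical data, not from the page).
SAMPLE_REGISTER = [
    Asset("ND-L001-H01", "HR laptop", "Hardware/Physical", "HR Manager", 2, 2, 2,
          "Holds cached employee records; hardware itself is replaceable"),
    Asset("ND-D001-H01", "Employee master database", "Information", "HR Manager", 3, 3, 3,
          "Salary, ID and medical data; legal retention obligations"),
    Asset("ND-P001-H01", "Signed employment contracts", "Paper", "HR Manager", 3, 3, 1,
          "Originals kept in the safe; scanned copies exist"),
    Asset("ND-S001-H01", "Payroll application", "Software", "HR Manager", 2, 3, 2,
          "Tampering causes wrong salary payments"),
    Asset("ND-E001-H01", "HR team members", "People", "HR Manager", 1, 1, 2,
          "Process knowledge; cover exists within the team"),
]

if __name__ == "__main__":
    for a in assets_needing_controls(SAMPLE_REGISTER):
        print(f"{a.tag}  value={a.value}  {a.name}: {a.justification}")
    print("next laptop tag:", next_tag(SAMPLE_REGISTER, "ND", "L", "H01"))
```

Rejecting malformed tags and out-of-range ratings at construction time is what keeps the register usable as audit evidence: a value of 6 for the laptop is only meaningful if every entry was scored on the same scale, and a tag that cannot be parsed cannot be matched to the physical label during a stock check.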