
Version 4.1 - 7.2 Information Security Standards

ISO/IEC 27001 is a formalized specification for an ISMS with two distinct purposes:

1. It lays out, at a fairly high level, what an organization can do in order to implement an ISMS;
2. It can (optionally) be used as the basis for formal compliance assessment by accredited certification auditors in order to certify an organization.

ISO/IEC 27002 is a code of practice - a generic, advisory document, not a formal specification such as ISO/IEC 27001. It recommends information security controls addressing information security control objectives arising from risks to the confidentiality, integrity and availability of information. Organizations that adopt ISO/IEC 27002 must assess their own information risks, clarify their control objectives and apply suitable controls (or indeed other forms of risk treatment) using the standard for guidance.

Okay - so you would think that the best way to get information on this is to go to the source. The ISO page directs US users to the ANSI Webstore. And if you have nothing better to do with ~$500 USD, you can download the 27001 and 27002 standards. Also note that there are very few specifics on the standards - since outlining the standard would actually be a copyright violation.

Here's the only page I found that gives you the Structure of the 27001 standard. It also lists the mandatory documentation for ISO 27001 certification. [This is the part I would focus on and know.]

And at the same site I found ISO 27002 Code of practice page. It gives the outline of the 27002 sections.

Both 27001 and 27002 were updated in 2013 - so the current standards are ISO 27001:2013 and ISO 27002:2013.

Reading through these - if you have experience in security and have been through some audits, you're probably familiar with these topics. Just looking at the outline, you should be able to fill in specifics and know how they relate.

In addition to the ones listed in the blueprint, I also found on the Cisco site - Standards for Information Security Management under the Security Standards documentation. It discusses ISO 17799 - which some consider a "control" rather than a "standard." However, with this being on the Cisco site, it's actually fair game. It's a relatively short read and you might want to take the time to read it.

You may also want to be familiar with the COBIT framework.

COBIT (Control Objectives for Information and Related Technologies) is a good-practice framework created by international professional association ISACA for information technology (IT) management and IT governance. COBIT provides an implementable "set of controls over information technology and organizes them around a logical framework of IT-related processes and enablers."

COBIT components include:

- Framework: Organizes IT governance objectives and good practices by IT domains and processes and links them to business requirements.
- Process descriptions: A reference process model and common language for everyone in an organization. The processes map to the responsibility areas of plan, build, run, and monitor.
- Control objectives: Provides a complete set of high-level requirements to be considered by management for effective control of each IT process.
- Management guidelines: Helps assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes.
- Maturity models: Assesses maturity and capability per process and helps to address gaps.

Like I said - if you've been through a bazillion audits, you're familiar with this stuff.
