The ISO (International Organization for Standardization), helped by the IEC (International Electrotechnical Commission) is always releasing new standards across a wide variety of subject areas and few have been quite as busy as the 27000 family which addresses information security. The family starts at ISO/IEC 27000 (Overview and vocabulary) and currently goes all the way through to ISO/IEC 27037 (Guidelines for identification, collection, acquisition and preservation of digital evidence), with more extending up to ISO/IEC 27043 in the pipeline.
But with (appropriately enough) 27 existing standards to choose from in the ISO/IEC 27000 family, how do you decide which ones are worth a) implementing and b) becoming certified to? I’ll answer these questions, but in reverse order.
There is officially only one standard that an organization can become certified to and that’s ISO/IEC 27001, Information Security Management Systems – Requirements. All the others (Ok, with the exception of ISO/IEC 27006 which is just for auditors) are defined as being guidance for making the best job you can of ISO/IEC 27001; some cover particular aspects of the requirements in more detail, some address extra controls you should consider if you’re in a specific industry and some cover the types of systems you might want to have to improve your information security. The best known guidance standard is ISO/IEC 27002 – Code of practice for information security management which goes into a lot more detail about how to implement all those reference controls in Annex A of ISO/IEC 27001.
But as I said, that is the official position. The reality is that it is possible to pay an auditing organization to certify that your company meets one of the other standards too and you can see why a company might want to do that. It’s all about credibility and assurance to the customer after all. This is why large hosting companies like Amazon Web Services proudly display their ISO/IEC 27017 (Code of practice for information security controls based on ISO/IEC 27002 for cloud services) certificate on their website. In theory it’s not allowed, but in practice…
This is obviously going to depend on what you are trying to achieve. Organizations implement information security standards for varying reasons, although most of these are usually to do with either making more sales or protecting themselves from risk. The most important principle to establish however is that whichever standards you feel fit your industry and/or business model best, you are still going to need an Information Security Management System (ISMS) and this is what ISO/IEC 27001 (and only this standard) delivers. The ISMS is the framework that defines the setting of objectives, the monitoring, the risk management process, the management reviews, the internal audits and the continual improvement, to name but a few of its benefits. You could, if you choose, implement any of the other codes of practice but without the fundamental building block of the ISMS this may simply amount to a one-off control-tightening exercise. The threats are constantly adapting so you have to also, and the ISMS gives you that essential mechanism. So for me, ISO/IEC 27001 is still top of the implementation schedule every time.
Ok, having got that out the way, what’s next? Well, some of the standards simply add further detail to the main parts of your ISMS so whilst you could use these to make sure you do a great job of your implementation, you’re probably not going to want to claim certification to them. I would put the following into this category:
ISO/IEC 27002 — Code of practice for information security management
ISO/IEC 27003 — Information security management system implementation guidance
ISO/IEC 27004 — Information security management — Measurement
ISO/IEC 27005 — Information security risk management
ISO/IEC 27033 — Network security (multiple parts)
ISO/IEC 27035 — Information security incident management
That said, organizations do sometimes advertise their conformance to ISO/IEC 27002, which is fair enough (but it’s still not an ISMS).
Then there are some standards in the ISO/IEC 27000 family that help if you are in a particular industry. The main ones are:
ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO/IEC TR 27015 — Information security management guidelines for financial services
ISO 27799 — Information security management in health using ISO/IEC 27002
ISO/IEC 27019 — Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry (not out yet, but on the way)
These may well be appropriate to claim certification (or at least conformance) to if an appropriate auditing body offers such a service and you feel it would mean something to your customers or your organization.
Finally, there are the standards that relate to specific types of business model and these are receiving quite a lot of press at the moment. These are:
ISO/IEC 27017 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
These standards are raising a lot of interest amongst cloud service providers for obvious reasons. Let’s look at each of these in a bit more detail.
The shared nature of cloud services means that they have their own particular set of benefits but also risks. The ISO/IEC 27001 standard and the ISO/IEC 27002 code of practice are fairly vague when it comes to the specifics of cloud services, so ISO/IEC 27017 has been produced to plug that gap. The layout of the standard mirrors that of Annex A of ISO/IEC 27001 (and therefore ISO/IEC 27002) but goes into more detail about thirty-seven of the Annex A controls, with an extra seven added for good measure in areas such as virtual machine configuration and customer environment separation. Both the customer and the supplier perspectives are given, implying that the security of the cloud is very much a two-way deal.
With the EU General Data Protection Regulation (GDPR) soon coming into force and debate over the EU-US Privacy Shield, privacy is a hot topic, and the intention of ISO/IEC 27018 is to help organizations protect Personally Identifiable Information (PII) more effectively. As with ISO/IEC 27017, this standard builds on ISO/IEC 27001/2 but also introduces an extended control set for PII protection, covering areas such as consent and choice, data minimization and privacy compliance.
There is a confusing array of different members of the ISO/IEC 27000 family and the number seems set to only expand as further specific industries and organization types are catered for. The key thing to remember is that all of these are built upon the ISO/IEC 27001 standard and this represents the starting point for the enhancements.
For organizations such as cloud service providers there is some very relevant guidance available and we would encourage them to use the available resources to create the very best ISMS they can.