An Overview of ISO/IEC 27000 Family of Information Security Management System Standards


An Overview of ISO/IEC 27000 family of Information Security Management System Standards

What is ISO/IEC 27001?

The ISO/IEC 27001 standard, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is known as “Information technology — Security techniques — Information security management systems — Requirements”. ISO/IEC 27001:2013 (hereafter referred to as ISO/IEC 27001) is the most recent edition of the ISO/IEC 27001 standard; it revises the previous edition published in 2005 (ISO/IEC 27001:2005).

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The ISMS presents a systematic approach to keeping sensitive information secure. It manages people, processes and IT systems by applying risk management processes. The ISMS suits not only large organisations but also small and medium businesses.

ISO/IEC 27001 is designed to be used in conjunction with supporting controls, an example of which is published in ISO/IEC 27002:2013 (hereafter referred to as ISO/IEC 27002). ISO/IEC 27002 details 114 security controls, organised into 14 sections and 35 control objectives. The tables of contents of ISO/IEC 27001 and ISO/IEC 27002 are provided in Appendix A.

Compliance with ISO/IEC 27001 can be formally assessed and certified by an accredited certification body. An ISMS certified against the ISO/IEC 27001 standard demonstrates an organisation’s commitment to information security and provides confidence to its customers, partners and stakeholders.

ISO/IEC 27001 Certification Requirements

To meet ISO/IEC 27001 certification requirements, an organisation’s ISMS must be audited by an internationally accredited certification body. The requirements in sections 4 to 10 of ISO/IEC 27001 (see Appendix A) are mandatory, with no exclusion allowed.
Having passed the formal audit, the certification body awards the organisation an ISO/IEC 27001 certificate for its ISMS. The ISO/IEC 27001 certificate is valid for 3 years, after which the ISMS needs to be re-certified.

During the 3-year validity period, an organisation must perform certificate maintenance to confirm that the ISMS remains compliant, operates as specified and continually improves. To maintain the certification, the certification body visits the ISMS site at least once a year to carry out a surveillance audit, during which only a portion of the ISMS is audited. Towards the end of the 3-year period, the certification body audits the entire ISMS.

Published by the Office of the Government Chief Information Officer. Updated in May 2021.

Benefits of ISO/IEC 27001 Certification

An organisation certified with ISO/IEC 27001 gains benefits both in its internal security and in its external competitiveness.

Internally, by adopting ISO/IEC 27001, an organisation can:

- Form a basis to enable the secure exchange of information and to protect data privacy, in particular relating to sensitive information;
- Manage and lower risk exposure, hence less chance of incidents being realised and in turn reducing the time and money spent on responding to incidents;
- Strengthen the internal organisation and improve the security structure of the business, such as clearly defining responsibilities and duties related to information security;
- Reduce the resources needed for completing security-related information when bidding for contracts, as well as for the on-going submissions required by clients after contracts are awarded.

Externally, by publicising the fact that it is ISO/IEC 27001 certified, an organisation can:

- Provide customers and stakeholders with confidence in how it manages risks and the security of their sensitive information;
- Facilitate compliance with legal obligations such as the Personal Data (Privacy) Ordinance (PD(P)O);
- Receive a competitive advantage, which helps the organisation attract more investors and customers;
- Improve consistency in the delivery of its services and products, thus enhancing customer satisfaction and client retention;
- Safeguard and enhance the organisation’s reputation, as its security processes have been validated by an independent certification body, and hence improve protection for the organisation, its assets, shareholders and directors;
- Better prepare to face ever-increasing customer expectations. Nowadays the community is becoming more sensitive to information security incidents, and certification to a recognised international standard may gradually become a pre-requisite imposed by many customers.

Certification Bodies

The ISO/IEC 27001 certification process involves the accreditation of certification bodies. Such accreditation is granted to organisations that have demonstrated that they fully meet the requirements of the international standards ISO/IEC 17021 “Conformity assessment – Requirements for bodies providing audit and certification of management systems” and ISO/IEC 27006 “Requirements for bodies providing audit and certification of information security management systems”.

The accreditation service for ISO/IEC 27001 certification was officially launched by the Hong Kong Accreditation Service (HKAS) on 15 November 2011. Certification bodies can contact HKAS and apply for accreditation on a voluntary basis.

Costs for Certification

The cost of initial certification covers both implementing the ISMS and certifying it against ISO/IEC 27001. The cost of implementation depends largely on the gaps between the organisation’s existing security controls and the required controls; it includes the costs and resources for implementing security controls, writing documentation, training staff, etc. The cost of the certification itself includes the external auditors (who charge a certain rate per day), application fees, certificate fees, maintenance fees, etc.

Adoption in Hong Kong

According to the ISO Survey 2019, at least 36 362 ISO/IEC 27001 certificates have been issued in 133 countries and economies worldwide. In 2019, the top three countries by total number of certificates issued were China (8 356), Japan (5 245) and the United Kingdom of Great Britain and Northern Ireland (2 818). According to the same survey, the number of certificates held in Hong Kong was 158. This number includes some government departments certified against ISO/IEC 27001 for specific functional areas.

Overview of the ISO/IEC 27001 Implementation and Certification Process

ISO/IEC 27001 Implementation

1. Define information security policy
   Task: Identify business objectives and obtain management support to implement a security improvement program.
2. Define scope of the ISMS
   Task: Compare the existing information security management system against the requirements of ISO/IEC 27001 and select which business units, departments or systems are to be covered by the ISMS.
3. Perform a risk assessment
   Task: Define a method of risk assessment, inventory the information assets to protect, and rank assets according to risk classification based on the risk assessment.
4. Manage the identified risk
   Task: Create a risk treatment plan to identify appropriate management actions, resources, responsibilities and priorities for managing information security risks.
5. Select controls to be implemented
   Task: Prepare a Statement of Applicability (SoA) to document which of the controls (e.g. the 114 security controls from ISO/IEC 27002) are applicable to the ISMS and the way they will be implemented.
6. Implement controls
   Task: Develop programs to implement the identified controls.

ISO/IEC 27001 Certification

7. Prepare for certification
   Task: Operate the ISMS and conduct a full cycle of internal audits, management reviews and related activities.
8. Apply for certification
   Task: Proceed to the certification application, which includes the stages of document review and on-site compliance audit.

Family of ISO/IEC 27000

The ISO/IEC 27000 family of standards (see Appendix B) consists of inter-related standards and guidelines, already published or under development, and contains a number of significant structural components. These components are focused upon normative standards describing ISMS requirements (ISO/IEC 27001), certification body requirements (ISO/IEC 27006) for those certifying conformity with ISO/IEC 27001, and an additional requirements framework for sector-specific implementations of the ISMS (ISO/IEC 27009). Other standards and guidelines provide guidance for various aspects of an ISMS implementation, addressing a generic process as well as sector-specific guidance.

The current version of ISO/IEC 27001 was released in 2013. Apart from the most frequently mentioned ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27018, some other standards in the ISO/IEC 27000 family are also widely referenced. Some examples are:

- ISO/IEC 27000 – “Information security management systems -- Overview and vocabulary” provides an overview of ISMS, and the terms and definitions commonly used in the ISMS family of standards. To ensure consistency in adopted terminology, all standards in the 27000 family rely on the terms and definitions provided in ISO/IEC 27000. This standard gives readers an overall starting point from which to get introduced to the 27000 family.
- ISO/IEC 27003 – “Information security management systems -- Guidance” provides guidance on the requirements for an ISMS as specified in ISO/IEC 27001, as well as the recommendations, possibilities and permissions in relation to those requirements.
- ISO/IEC 27004 – “Information security management -- Monitoring, measurement, analysis and evaluation” provides guidelines to assist organisations in evaluating the information security performance and the effectiveness of an ISMS, in order to fulfil the monitoring, measurement, analysis and evaluation requirements specified in ISO/IEC 27001.
- ISO/IEC 27005 – “Information security risk management” provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
- ISO/IEC 27017 – “Code of practice for information security controls based on ISO/IEC 27002 for cloud services” provides guidelines supporting the implementation of information security controls for cloud service customers and providers. The selection of appropriate controls and the application of the implementation guidance are based on risk assessment and other requirements for the use of cloud services. It is accompanied by ISO/IEC 27018, which addresses PII protection in public clouds, so that together the two standards cover the wider information security aspects of cloud computing as well as privacy.
- ISO/IEC 27031 – “Guidelines for information and communication technology readiness for business continuity” describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects for improving an organisation’s ICT readiness to ensure business continuity.
- ISO/IEC 27035-1 – “Information security incident management -- Part 1: Principles of incident management” provides the basic concepts and phases of information security incident management, and combines these concepts with principles in a structured approach to detecting, reporting, assessing and responding to incidents, and applying lessons learnt.
- ISO/IEC 27035-2 – “Information security incident management -- Part 2: Guidelines to plan and prepare for incident response” provides guidelines to plan and prepare for incident response.
- ISO/IEC 27036-4 – “Information security for supplier relationships -- Part 4: Guidelines for security of cloud services” defines guidelines supporting the implementation of an ISMS for the use of cloud services.
- ISO/IEC 27037 – “Guidelines for identification, collection, acquisition and preservation of digital evidence” provides guidelines for specific activities in the handling of digital evidence, namely the identification, collection, acquisition and preservation of potential digital evidence that can be of evidential value.

Personally Identifiable Information (PII) in Cloud Computing

PII Protection Controls of ISO/IEC 27018

Cloud computing is evolving as never before, and this trend will continue to grow and develop in the coming few years. Cloud computing has well-known potential advantages: it is a cost-efficient way to use, maintain and upgrade systems; backup and recovery are relatively easier than with traditional methods of data storage; and it offers quick deployment and easy access to information.

ISO/IEC 27018 was developed taking into account the requirements already contained in ISO/IEC 27002. It augments ISO/IEC 27002 in two ways: firstly, by supplementing the implementation guidance for controls prescribed by ISO/IEC 27002; and, secondly, by providing additional controls and associated guidance tailored to public cloud PII protection requirements that are not covered by the ISO/IEC 27002 control set. For the first approach, ISO/IEC 27018 provides additional implementation guidance on the following 11 ISO/IEC 27002 control clauses:

- Information security policies
- Organization of information security
- Human resource security
- Access control
- Cryptography
