Introduction
This is a collaborative document created by ISO/IEC 27001 and 27002 implementers belonging to the ISO27k implementers' forum. We wanted to document
and share some pragmatic tips for implementing the information security management standards, plus potential metrics for measuring and reporting the status of
information security, both referenced against the ISO/IEC standards.
Scope
This guidance covers all 39 control objectives listed in sections 5 through 15 of ISO/IEC 27002 plus, for completeness, the preceding section 4 on risk
assessment and treatment.
Purpose
This document is meant to help others who are implementing or planning to implement the ISO/IEC information security management standards. Like the
ISO/IEC standards, it is generic and needs to be tailored to your specific requirements.
Copyright
This work is copyright © 2007, ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-
Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is
not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers’ forum (www.ISO27001security.com),
and (c) derivative works are shared under the same terms as this.
4.2 Treating security risks

Implementation tips:
Management (specifically, the information asset owners) need to assess risks and decide what (if anything) to do about them. Such decisions must be documented as a Risk Treatment Plan (RTP). It is acceptable for management to decide explicitly to do nothing about certain information security risks deemed to be within the organization's "risk appetite", but not for this to be the default approach!

Potential metrics:
Trend in numbers of information security-related risks at each significance level.
Information security costs as a percentage of total revenue or IT budget.
Percentage of information security risks for which satisfactory controls have been fully implemented.

5. Security policy

5.1 Information security policy

Implementation tips:
Think in terms of an information security policy manual or wiki containing a coherent and internally consistent suite of policies, standards, procedures and guidelines. Identify the review frequency of the information security policy and the methods used to disseminate it organization-wide. Review of the suitability and adequacy of the information security policy may be included in management reviews.

Potential metrics:
Policy coverage (i.e. percentage of sections of ISO/IEC 27001/2 for which policies plus associated standards, procedures and guidelines have been specified, written, approved and issued).
Extent of policy deployment and adoption across the organization (measured by Audit, management or Control Self Assessment).

7. Asset management

10.2 Third party service delivery management

Implementation tips:
Are you getting your money's worth? Answer this question and support it with facts by establishing a monitoring system for 3rd-party service providers and their respective service deliveries. Look at periodic reviews of service-level agreements (SLAs) and compare them with monitoring records. A reward and penalty system may work in some cases. Watch out for changes that impact security.

Potential metrics:
Cost of downtime due to non-fulfillment of service level agreements.
Performance evaluation of 3rd-party providers, to include quality of service, delivery, cost etc.

10.10 Monitoring

Implementation tips:
The old quality assurance axiom "you can't control what you can't measure or monitor" holds true for information security. The necessity of implementing monitoring processes is now more evident as measurement of the effectiveness of controls is made an explicit requirement. Look at the criticality and significance of the data that you are going to monitor and how this affects the overall business objectives of the organization in relation to information security.

Potential metrics:
Percentage of systems whose security logs are (a) appropriately configured, (b) securely captured to a centralised log management facility and (c) routinely monitored/reviewed/assessed.
Trends in the number of security log entries that have (a) been captured; (b) been analyzed; and (c) led to follow-up activities.

11.2 User access management

Implementation tips:
Set up a discrete "security admin" function with operational responsibilities for applying the access control rules defined by application owners and Information Security Management. Invest in providing security admin with the tools to do their jobs as efficiently as possible.

Potential metrics:
Average delay between access change requests being raised and actioned, and number of access change requests actioned in the previous month (with trends analysis and commentary on any peaks/troughs, e.g. "New Finance application implemented this month"...).

12.3 Cryptographic controls

Implementation tips:
Use current formal standards such as AES rather than home-grown algorithms. Implementation is crucial!

Potential metrics:
Percentage of systems containing valuable/sensitive data for which suitable cryptographic controls have been fully implemented (3- to 12-monthly reporting period).

12.5 Security in development and support processes

Implementation tips:
Embed information security into the system development lifecycle at all stages from conception to death of a system, by including security "hooks" in development and operations/change management procedures and methods.

Potential metrics:
"Developing systems security status", i.e. informed commentary on the current security status of the software development processes, with notes on recent/current incidents, current known security vulnerabilities and

15. Compliance

15.3 Information systems audit considerations

Implementation tips:
Invest in a qualified IT audit function that uses the ISO27k, COBIT, ITIL, CMM and similar best practice standards/methods as benchmarks for comparison. Look into ISO 19011 (Guidelines for quality and/or environmental management systems auditing) as a valuable source for the conduct of internal ISMS audits. ISO 19011 provides an excellent framework for creating an internal audit programme and also contains qualifications of the internal audit team.

Potential metrics:
Number of audit issues or recommendations grouped and analyzed by status (closed, open, new, overdue) and significance or risk level (high, medium or low).
Percentage of information security-related audit findings that have been resolved and closed vs. those opened in the same period.
Mean actual resolution/closure time for recommendations relative to the dates agreed by management on completion of audits.
*** End of table ***
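The tip for 12.3 (Cryptographic controls) says to use a current formal standard such as AES and adds that implementation is crucial. The following Go program is an added example, not part of the forum's document, showing why the second half of that sentence matters: both routines use AES, but one applies the raw block function in ECB mode (no nonce, no authentication tag) and visibly leaks repeated plaintext blocks, while the other uses AES-256-GCM with a fresh random nonce and rejects any tampered message. The key, the payroll-style record and the associated-data label are constructed sample values, and the function names (Seal, Open, ECBEncrypt, RepeatedBlocks) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext under a 32-byte key with AES-256-GCM and returns
// nonce || ciphertext || tag. A fresh random 96-bit nonce is drawn on every
// call, so repeating a message never repeats the output, and the GCM tag
// binds both the ciphertext and the associated data (aad).
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag to the nonce slice: nonce || ct || tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or aad makes
// gcm.Open return an error, so callers never see silently corrupted data.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ECBEncrypt is the weak contrast case: the raw AES block function applied
// block by block with no nonce and no authentication tag. It is still "AES",
// which is why a control review must check the mode of operation and not
// only the algorithm name.
func ECBEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, errors.New("plaintext must be a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// RepeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier
// block. A sound mode gives 0; ECB mirrors the plaintext's repetition.
func RepeatedBlocks(ct []byte) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

func main() {
	// Constructed sample data: a fixed demo key and a record with repeated fields.
	key := bytes.Repeat([]byte{0x42}, 32)
	record := bytes.Repeat([]byte("ACCOUNT=0001234;"), 4) // four identical 16-byte blocks
	aad := []byte("record-type=payroll")

	ecb, _ := ECBEncrypt(key, record)
	fmt.Println("ECB repeated blocks:", RepeatedBlocks(ecb)) // 3: structure leaks

	sealed, _ := Seal(key, record, aad)
	fmt.Println("GCM repeated blocks:", RepeatedBlocks(sealed[12:])) // 0

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	if _, err := Open(key, sealed, aad); err != nil {
		fmt.Println("tampered message rejected:", err)
	}
}
```

The metric for 12.3 asks whether "suitable" cryptographic controls are implemented; a check like RepeatedBlocks, or simply confirming that an authenticated mode with unique nonces is in use, is the kind of evidence that distinguishes "uses AES" from "uses AES suitably".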
Change record
Version 1 June 28th 2007
Published by the ISO27k implementers' forum. Contributions from Gary Hinson, H Deura, K, Marappan Ramiah, Rainier Vergara and Richard O.
Regalado.
Feedback
Comments, queries and improvement suggestions (especially improvement suggestions!) are welcome either via the ISO27k implementers' forum or direct to the
forum administrator Gary@isect.com