ISO/IEC 17799:2005 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
ISO/IEC 17799:2005 and Future ISMS Standards
Vernon Richard Poole, Cyprus Infosec Workshop, 4 October 2005
2
Workshop Agenda
  • Introductions & Logistics
  • Why are there changes to ISO 17799?
  • What are the actual changes?
  • Practical Implications of the Changes
  • Current International Reaction to the Changes
  • The 27000 series on ISMS Standards

3
1. Tutor Credentials Vernon Poole
  • Recognised global trainer in Information Security
    Management for over 15 years
  • Member of UK & International 7799 User Groups
  • Member of IT Governance Taskforce focussed on cultural change
  • Chairman of British Computer Society's Security Expert Panel

4
1. Who are Sapphire?
  • Independent Information Security Company
  • Respected as ISO/BS7799 experts & certified company
  • Achieve Information Security Cultural change
    for clients
  • Understands the Information Governance Agenda
  • Work closely with the IT Governance Institute -
    COBIT
  • Meet all the certification/accreditation
    criteria laid down

5
1. Workshop Format
  • Participation - is very important and I will encourage it; please contribute as much as possible
  • Enjoyment - I am a very relaxed trainer, so please enjoy the workshop, and let us have fun in learning
  • Learning Experience - the more you contribute, the more each of us will learn from each other

6
1. Delegate Introductions
  • Can you please give your name, position,
    organisation and country
  • Provide brief details of your Information
    Security Experience
  • Provide details on what you expect from this workshop and why you are here

7
2. Why are there changes to ISO 17799?
  • Emerging trends - distributed environmental threats
  • Governance - increasing call for senior management commitment
  • Assurance - global call for more detailed assurance measures
  • Assessing and demonstrating compliance - legal & regulatory pressures
  • Managing risks, threats and vulnerabilities - a whole risk management approach is now clearly understood and requires evidencing
  • Risk reduction, transfer, avoidance or acceptance - an increased emphasis on continuous review

8
2. Emerging Trends
  • We live in a world without perimeters - witness Jericho project developments & increasing distributed threats
  • Growth in more mobile ways of working - mobile communications, remote working and home working, each with their own threats and risks
  • Global working means an increased emphasis on sharing information - calls for a consistent and trusted way of demonstrating that appropriate security frameworks are in place
  • Staff are more computer literate - the younger generation are very adept at new developments but they require strong disciplines in the workforce

9
2. Governance Requirements
  • Sarbanes-Oxley and EU directives on effective internal controls call for Information Governance regimes to be established
  • IT Governance Institute (ITGI) is developing excellent Information Security Governance frameworks outlining roles for the Board and Management to adopt (deploying ISO 17799 & COBIT)
  • Increased information threats from hacking and terrorist activities have heightened the focus on effective Information Security Governance - calls for more international co-operation and uniformity

10
2. Assurance Requirements
  • We are witnessing an increasing number of legal and regulatory frameworks forcing all organisations to adhere to adequate information security principles
  • Legal Compliance - consists of Data Protection (EU regs), Computer Misuse Acts & Freedom of Information Acts
  • Regulatory Compliance - ISO 17799 being viewed as a contractual or service level agreement requirement
  • External Auditing - seeing Information Governance as a due diligence requirement

11
2. Risk Management Demands
  • Increasing number and complexity of Information risks - moving from viruses and worms, to unlicensed software and private work, to email and internet misuse, to terrorist threats and commercial espionage
  • Impact on productivity and reputational damage is now very worrying, especially if confidentiality breaches occur
  • Calls for effective risk assessment and management techniques to understand your vulnerabilities and agree the countermeasures to be established - new BS7799 Part 3 requirements to be published soon

12
3. What are the actual Changes?
  • Update controls and include new developments - this is a standard revision based on a 3 to 5 year revision period
  • Clarify international context - since the early BS7799 days the need for clarity in a global business environment is vital
  • Revise wording and culture - efforts have been made to seek common definitions and agreed wording to avoid any confusion or misunderstanding
  • Brings into place more management controls - it is vital in our time-based security world to give further personnel guidance and also focus on incident handling

13
3. Updated controls
- new control/s added
14
3. Control Objectives & Controls Changes
(Diagram: ISO/IEC 17799 old edition to new edition - 9 old controls modified, 117 controls remaining, 17 new controls added)
  • There are now 134 controls (with an improved user-friendly interface)
  • There are 8 new controls in the revised version of the standard
  • 5 control objectives have been re-arranged into other controls

15
3. New controls added - Organising IS (3)
  • Internal organisation
  • - achieving management commitment - no longer required to have a separate management forum if not appropriate
  • - contact with special interest groups - which to contact and how useful they can be
  • External parties
  • - how to manage customer access - this section puts greater emphasis on electronic access with respect to computer systems, business processes or business information

16
3. New controls added - Asset Management (2)
  • Ownership of assets
  • - covering how to assign asset ownership and what asset owners should be responsible for (difficult area to agree on)
  • Acceptable use of assets
  • - establishing rules for the acceptable use of assets (vital for business information protection & IPR implications)

17
3. New controls added - Human Resources (4)
  • During Employment
  • - management responsibilities (authorisation and supervisory roles)
  • Termination or Change of Employment
  • - termination of employment (time, circumstances, exit interviews)
  • - return of assets (major issue - laptop, confidential information, etc)
  • - removal of access rights (major headache for many - IT/HR relationship)

18
3. New controls added - Physical Security (1)
  • Protecting against external and environmental threats
  • - extended from the previous "secure offices" control - this control now deals with external threats of any kind; with new technologies this control needed expansion

19
3. New controls added - Communications & Operations (6)
  • Third party service delivery management (new clause)
  • - service delivery
  • - monitoring & review
  • - managing changes
  • Protection against malicious software
  • - controls against mobile code
  • Electronic Communication Services
  • - on-line transactions
  • Monitoring
  • - protection of log information

20
3. New controls added - Information Systems Acquisition, Development & Maintenance (1)
  • Technical vulnerability management
  • - this covers what many refer to as patch management, which today is a major headache both in terms of the increasing numbers and the time to effect the changes, while ensuring that a change does not have undesirable effects in other areas

21
3. International Clarity
22
3. Revised wording and culture
  • In the field of Information Technology, ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) have established a joint technical committee, ISO/IEC JTC 1, to prepare this internationally accepted standard (requires approval by 75% of national bodies)
  • Standard abides by and influences the OECD guidelines for the Security of Information Systems and Networks - crucial as interconnectivity increases and, more worryingly, as information is exposed to a wider variety of threats and vulnerabilities

23
3. Management Changes - response to changing business arrangements and new technology
  • External services - outsourcing, 3rd party contracts, sub-contracts etc
  • New ways of doing business - mobile systems, wireless technologies, multiplexing
  • Reaction to emerging threats and vulnerabilities - timely and secure patch management
  • Human resources - before, during and termination of employment, revocation of services etc

24
3. Improving the management of External Risks
  • Customers
  • Outsourcing
  • Off-shoring
  • 3rd party access
  • Business partners
  • Suppliers
  • Physical access
  • Electronic access to computer systems
  • Networks
  • Services
  • Business processes
  • Business information

25
3. Improving the management of External Risks
  • Identifying risks / addressing security
  • Outsourcing, service providers, suppliers and third parties, customers and business partners
  • Service Level Agreements
  • Contracts and Audits
  • Service Delivery Management
  • Service delivery
  • Monitoring and review of third party services
  • Managing changes to third party services
  • BS15000 / ISO 20000

26
3. Incident Management Responsibilities
  • Past incidents & disasters
  • Corrective actions
  • Identify / detect, analyse and respond to incidents
  • Monitor, review and re-assess risks - take action to improve and control the risks
  • Preventive actions
  • Future business availability

27
3. Vulnerability Management
  • Reducing the risks resulting from exploitation of known vulnerabilities
  • Are you up to date to face the next attack? - better patch management etc
  • Countermeasures for zero-day exploitations

28
3. Distributed Systems Implications
  • From centralised mainframe, mid-frame world to
    mobile environment
  • PDAs
  • PC tablets
  • Mobile telephones
  • Remote Working
  • Wireless Technologies
  • etc

29
3. Human Resources
  • Prior to employment - importance of screening and security agreements
  • During employment - awareness training, correct use of facilities, disciplinary procedures
  • Termination or change of employment - exit interviews and removal of assets & security rights

30
4. Practical Implications of the Changes
  • Transition Period
  • How it will affect certified organisations
  • Hopes and Aspirations - Global Take-up
  • Discussion Session

31
4. Transition Period
  • Today - against BS7799 Part 2; 2006 - against ISO/IEC 27001
  • Certification Transition Statement - defines the period during which certifications will be transferred from being BS7799 Part 2 compliant to being ISO/IEC 27001 compliant
  • Transition Period
  • ISO/IEC 17799 new version published on 15 June 2005
  • End of 2005 - ISO/IEC 27001 ISMS requirements standard published and BS7799 Part 2 discontinued
  • A Certification Transition Statement issued
  • End of transition period

32
4. How it will affect certified bodies
  • Japan 58%
  • UK 14%
  • Mainland Europe 10%
  • Far East 8%
  • India 7%
  • Middle East 1%
  • USA/Canada 1%
  • S. America 1%
  • Total of 1,700 global certifications to date (August 2005), estimated to rise to 2,000 by end of 2005 and to 5,000 by end of 2006!!

33
4. Hopes & Aspirations - Global Take-up
  • Increased global relevance and demand
  • Global Consistency
  • Updated to account for new information
    developments
  • Increasing vulnerabilities
  • Global terrorism

34
4. Discussion Group Session
  • In your syndicate groups, please prepare bullet points for discussion on the following items:
  • How effective will the revisions be?
  • What are the benefits and obstacles to implementation?
  • Your overall conclusions and comments

35
5. Current International Reaction to the Changes
  • How well has it been received?
  • What are the future plans?
  • Introduction to the 27000 series
  • Questions & Answers

36
5. How well has the revised standard been received?
  • Very positive global response, especially in Europe & USA where previously the take-up was slow
  • Professional bodies applaud its wider international appeal - easier to adopt as a professional or mandatory requirement
  • National governments, in the face of increasing security concerns, especially cyber-crime, welcome its arrival
  • Governance organisations, especially ITGI, fully support the update

37
5. What are the future plans?
  • ISMS certification
  • ISMS family of standards (ISO 27000 series) covering specification, metrics, implementation guides, audit guides, risk management
  • ISMS Sector Specific Requirements / Frameworks
  • - Healthcare (ISO 27799)
  • - Telecoms (ITU-T)
  • - Finance (TC68)

38
5. Introduction to the ISO 27000 series
  • ISO 27000 - principles and vocabulary (in development)
  • ISO 27001 - ISMS requirements (BS7799 Part 2)
  • ISO 27002 - (ISO/IEC 17799:2005) from 2007 onwards
  • ISO 27003 - ISMS Implementation guidelines (due 2007)
  • ISO 27004 - ISMS Metrics and measurement (due 2007)
  • ISO 27005 - ISMS Risk Management
  • ISO 27006 to 27010 - allocated for future use

39
5. Question & Answer Session
  • Is the ISO standards group right in forming a new ISO 27000 series?
  • Will organisations delay still further the implementation of effective information security management practices until 2007?
  • Is there a need to define Risk Management & IS Metrics & Measurement guidance?
  • Any other issues

40
6. ISO 27000 series on ISMS
  • A step-by-step guide to the five ISO 27000 series standards currently in development
  • An idea of the timescales
  • Potential benefits & obstacles
  • Discussion Group Presentation Work - watch this space!

41
6. ISO 27000 Principles & Vocabulary
  • This standard will explain the terminology for
    all the 27000 series family of standards
  • This development will address global concerns on
    definitions that vary from country to country
    so consistency will be established
  • Hopefully these principles will impact on other standards like COBIT (IT Processes) and ITIL (IT Service Delivery) and avoid any confusion

42
6. ISO 27001 ISMS Requirements
  • ISO/IEC is progressing an ISMS standard based on BS7799 Part 2, with some improvements and changes
  • Annex B (Implementation Guidance) has been removed - this will become 27003
  • At the final stage of editorial balloting
  • Estimated publication date November 2005
  • Once ISO 27001 is published, BS7799 Part 2 will be withdrawn
  • Interim Period (now until November 2005)
  • The technically stable version ISO/IEC FDIS 27001 is likely to be available for purchase from BSI
  • BSI have quoted that those purchasing the FDIS version now will get a copy of the ISO version when published (estimated to be November 2005)

43
6. ISO 27001 ISMS Requirements
44
6. ISO 27001 ISMS Highlights
  • Clarifies and improves existing PDCA process requirements
  • ISMS scope (inc. details & justification for any exclusions)
  • Approach to risk assessment (to produce comparable & reproducible results)
  • Selection of controls (criteria for accepting risks)
  • Statement of Applicability (currently implemented)
  • Reviewing risks
  • Management commitment
  • ISMS internal audits
  • Results of effectiveness and measurements (summarised statement on measures of effectiveness)
  • Update risk treatment plans, procedures and controls

45
6. ISO 27002 - ISO/IEC 17799:2005 (from Nov 05)
  • 11 sections specify 39 control objectives to protect information assets
  • Provides 134 best-practice controls that can be adopted based on a risk assessment process, but leaves an organisation free to select controls not listed in the standard, giving great flexibility in implementation (but challenging for certification bodies!)
  • New recommendations cover:
  • - security of external service delivery & provisioning of outsourcing
  • - patch management and other current issues
  • - security prior to, during and at termination of employment
  • - guidance on risk management, and a section on incident management
  • - mobile, remote & distributed communications & information processing

46
6. ISO 27003 ISMS Implementation Guidelines
  • A new (JTC 1/SC27) project on implementation guidelines to support the new requirement specification standard
  • Annex B of BS7799 Part 2 is the basis:
  • - overview
  • - management responsibilities
  • - governance & regulatory compliance
  • - personnel security & human resources
  • - asset management
  • - availability/continuity of business processes
  • - handling information incidents
  • - access control
  • - risk management case studies

47
6. ISO 27004 Metrics and Measurement
  • ISO/IEC has a new project to develop an ISMS
    Metrics and Measurements Standard
  • This development is aimed at addressing how to
    measure the effectiveness of ISMS implementations
    (processes and controls)
  • Performance targets
  • What to measure
  • How to measure
  • When to measure

48
6. ISO 27005 ISMS Risk Management
  • A new standard on Information Security Risk Management - an ISO version of the soon-to-be-published BS7799 Part 3
  • This standard is being drawn up by the DTI/Cabinet Office with significant input from CSIA (Central Sponsor for Information Assurance) - a draft for consultation came out in July 2005, with the consultation period finishing in October 2005
  • Will be linked to MITS-2 - a new management standard for ICT risk management currently in development

49
6. ISO 27000 series Benefits/Obstacles
  • BENEFITS
  • Alignment to ISO 9000 series on Quality Management
  • Ensures a level of consistency in IS Management
  • International cohesion
  • Professional acknowledgement
  • Governance Benefits
  • OBSTACLES
  • International acceptance & take-up
  • Nation state support & agreement

50
6. Conclusions
  • 2005 will go down as a defining year in Information Security Management Best Practice in bringing global consistency
  • New 7799 revision takes account of new IS developments
  • Risk Management comes to prominence
  • IS Metrics & Measurement minimum requirements begin to be defined
  • Governance & Assurance requirements can be addressed

51
Further Information
  • Vernon Poole, Security Consultant - vernon.poole_at_sapphire.net
  • Tel 01642 702100 or Mobile 00 44 (0)7976 922886
  • Certification Register information - www.xisec.com
  • Business Guidance - www.dti.gov.uk
  • UK Developments - BS7799 User Group - www.dti.gov.uk/industries/information_security/businessadvice.html
  • (Contact Stephanie O'Neil 0207 215 1318)