Code of Practice for Information Security Controls
If your organisation is involved with either the collection, use, or processing of data, there will always be information security risks and threats to watch out for. To guard against these risks, you should have an Information Security Management System (ISMS) to ensure the confidentiality, availability, and integrity of all information and information assets.
The main challenge facing businesses new to the information security management scene is its wide scope. The initiation, implementation and maintenance of an ISMS covers such a broad spectrum that most managers don’t know where to begin.
If you are such a manager or are just looking to stay at the top of your information security, one great starting point is to implement the controls suggested in ISO/IEC 27002:2013.
What is ISO 27002?
ISO/IEC 27002, also referred to as Information Technology — Security Techniques — Code of practice for information security controls, is an information security standard published by the International Organization for Standardization (ISO) together with the International Electrotechnical Commission (IEC). ISO/IEC 27002 provides best-practice recommendations for those charged with managing information security in an organisation.
While ISO 27002 is not a certifiable standard by itself, compliance with its information security management guidelines brings your organisation one step closer to meeting ISO 27001 certification requirements. It provides implementation guidance for compliance with the ISO 27001 standard.
The lack of a one-fits-all information security solution means that those responsible for the management of information security risks have to apply the relevant information security controls based on their risk assessment and control objectives. Information security in this context can be defined based on the CIA triad.
ISO/IEC 27002, the most recent version of which is ISO 27002:2013, is closely associated with ISO 27001. Broadly speaking, it gives guidance on the implementation of ISO 27001.
ISO 27002:2013 is a code of practice for information security management system (ISMS) controls and goes into a much higher level of detail than the Annex A controls of ISO 27001. You cannot certify against ISO 27002 because it is not a management standard.
The CIA Triad
Information security involves protecting various aspects of the information which can be represented by the CIA model. Understanding this will enable the formulation and implementation of effective information security controls. These aspects include confidentiality, integrity, and availability of the information.
Confidentiality – The confidentiality of information means measures should be taken to protect it from unauthorized access. One way to achieve this is by enforcing different access levels for information based on who needs access and how sensitive the information is. Some means for managing confidentiality include file and volume encryptions, access control lists, and file permissions.
Integrity – Data integrity is an important part of the information security triad, aimed at protecting data from any unauthorized modifications or deletions. This also involves ensuring that the unauthorized modifications or deletions made to the data can be undone.
Availability – Availability is aimed at ensuring that data is accessible to those who need it, when it is needed. Some of the information security risks to availability include sabotage, hardware corruption, network failure, and power outages. These three components of information security work hand in hand, and you cannot concentrate on one of them at the expense of the others.
The history of ISO/IEC 27002:2013
The ISO/IEC 27k series is a collection of standards and best practices that were donated to the UK government initiative by Shell in the early 1990s. In the mid-1990s, this code was developed into the British Standard BS 7799 and in 2000, it was adapted as the ISO/IEC 17799 standard. 2005 saw the revision of the standard after which it was renamed to ISO/IEC 27002 to match other standards in the ISO/IEC 27000 series such as ISO 27001, 27002 and 27003.
The next revision occurred in 2013 to create the ISO/IEC 27002:2013. In 2015, ISO/IEC 27017 was derived from ISO/IEC 27002 to accommodate extra cloud security controls that were not clearly defined in the standard.
ISO/IEC 27002:2005 was made up of ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007. The technical contents of ISO/IEC 27002:2005 are identical to those of ISO/IEC 17799:2005; ISO/IEC 17799:2005/Cor.1:2007 changed the reference number of the standard from 17799 to 27002.
Various amendments have been made to the standard over time, involving correction of certain terms to make them less ambiguous and more understandable.
ISO/IEC 27002:2013/COR 1:2014
This Technical Corrigendum 1 to ISO/IEC 27002:2013 was issued in 2014 by the Joint Technical Committee (ISO/IEC JTC 1). It involved three changes which saw the inclusion of information itself as an asset, i.e.:
c) … classification of information and management of organisational assets associated with information, information processing … was changed to: … classification of information and management of organisational information, other assets associated with information, information processing …
ISO/IEC 27002:2013/COR 2:2015
Corrigendum 2 changed one cross-reference from (see 14.1.1 and 14.1.9) to (see 14.1.1 and 14.2.9) to eliminate confusion that had arisen over the issue.
ISO/IEC CD 27002.2
ISO/IEC JTC1/SC27 is tasked with the revision of both ISO/IEC 27001:2013 and ISO/IEC 27002 to keep them relevant and up to current standards. Currently, ISO/IEC 27002 is under revision and will lead to the creation of ISO/IEC CD 27002.2. Due to the large number of organisations already using ISO/IEC 27002 especially to support ISMS information security controls for compliance with ISO/IEC 27001, every change has to be justified and evolutionary.
Relationship with other standards
While it is not in itself a certifiable standard, ISO 27002 provides several controls and implementation guidance that organisations can apply to improve their compliance with established standards such as ISO/IEC 27001.
ISO 27002 vs 27001
Organisations wishing to explore information security management systems may have come across both ISO 27001 and 27002 standards. ISO 27001 is a certifiable standard that is part of the ISO 27000 series.
It provides a framework to assist organisations with the establishment, implementation, operation, monitoring, review, maintenance, and continuous improvement of their information security management systems.
An organisation can acquire an independently accredited certification to the ISO/IEC 27001 standard, which is recognised globally as an indication that its information security management system is aligned with best practice for information security.
The security controls suggested in ISO 27002 can be found in the ISO/IEC 27001 standard as part of Annex A. Annex A contains a list of the security categories, domains, control objectives, and the relevant security controls applicable. A key difference between Annex A of ISO 27001 and the ISO 27002 standard is that the latter contains additional ‘implementation guidance’ which provides detailed information on how each of the specific controls can be successfully implemented to improve ISO/IEC 27001 compliance.
National equivalents of the ISO/IEC 27001 standard
Various countries publish national standards that are equivalent to ISO 27002. Despite local publication and translation delays, which mean these equivalents appear months after the revision and release of the main ISO/IEC standard, national bodies ensure that the content is translated accurately to reflect ISO 27002 completely.
Below are some of the national equivalent standards for ISO 27002 in various countries:
- Argentina – IRAM-ISO-IEC 27002:2008
- Australia and New Zealand – AS/NZS ISO/IEC 27002:2006
- Brazil – ISO/IEC NBR 17799/2007 – 27002
- Indonesia – SNI ISO/IEC 27002:2014
- Chile – NCH2777 ISO/IEC 17799/2000
- China – GB/T 22081-2008
- Czech Republic – ČSN ISO/IEC 27002:2006
- Croatia – HRN ISO/IEC 27002:2013
- Denmark – DS/ISO27002:2014 (DK)
- Estonia – EVS-ISO/IEC 17799:2003, 2005 version in translation
- Germany – DIN ISO/IEC 27002:2008
- Japan – JIS Q 27002
- Lithuania – LST ISO/IEC 27002:2009 (adopted ISO/IEC 27002:2005, ISO/IEC 17799:2005)
- Mexico – NMX-I-27002-NYCE-2015
- Netherlands – NEN-ISO/IEC 27002:2013
- Peru – NTP-ISO/IEC 17799:2007
- Poland – PN-ISO/IEC 17799:2007, based on ISO/IEC 17799:2005
- Russia – ГОСТ Р ИСО/МЭК 27002-2012, based on ISO/IEC 27002:2005
- Slovakia – STN ISO/IEC 27002:2006
- South Africa – SANS 27002:2014/ISO/IEC 27002:2013
- Spain – UNE 71501
- Sweden – SS-ISO/IEC 27002:2014
- Turkey – TS ISO/IEC 27002
- Thailand – UNIT/ISO
- Ukraine – СОУ Н НБУ 65.1 СУІБ 2.0:2010
- United Kingdom – BS ISO/IEC 27002:2005
- Uruguay – UNIT/ISO 17799:2005
What are the benefits of ISO 27002?
By implementing information security controls found in ISO 27002, organisations can rest assured that their information assets are protected by internationally recognized and approved standards. Organisations of all sizes and levels of security maturity can reap the following benefits from adherence to the ISO 27002 code of practice:
- It provides a working framework for the resolution of information security issues.
- Clients and business partners will be more confident and have a positive perception of an organisation that implements the recommended standards and controls.
- Since the policies and procedures provided are in line with internationally recognized requirements, cooperation with foreign partners is made easier.
- Compliance with the ISO 27002 standard helps in the development of an organisation’s best practices which will increase the overall productivity.
- It provides a defined implementation, management, maintenance and evaluation of information security management systems.
- An ISO-compliant organisation will have an advantage in contract negotiations and participation in global business opportunities.
- By complying with ISO 27002 information security controls, one can benefit from lower insurance premiums from providers.
Who can implement ISO 27002?
There is no limit to the organisations that can successfully implement and benefit from ISO 27002 standard for information security management.
Both small and large enterprises that depend on, deal in, or handle information of any kind should implement the relevant information security controls to protect their information assets.
No matter the organisation type, whether non-profit, government department, charity, or multinational corporation, there are information security controls which must be put in place to address the information risks raised during the risk assessment process.
While the details of the specific information risks and control requirements may differ from one organisation to the next, there are some common standards that apply to all enterprises.
How to Get Started With ISO 27002
Since no one formula can guarantee the security of all an organisation’s information and information assets, there is a need for a set of standards and controls to ensure there is an adequate level of security and the relevant resources are used efficiently. The ISO 27001 and ISO 27002 standards are however broad and may not apply to every enterprise. The effective implementation of these controls, therefore, requires an organisation to identify the ones that are relevant to them based on their information security risk assessment. One way this can be achieved is through the use of a Capability Maturity Model (CMM).
A Capability Maturity Model offers implementation guidance by helping organisations to measure and gauge the maturity of their information security processes, identifying the areas in need of improvement. By cross checking the CMM of an organisation against the various 27002 ISO controls, an organisation will identify the requirements most relevant to it and can therefore take the necessary information security measures to implement them.
The availability of information security software and tools makes it easy for organisations to benchmark their compliance with ISO 27002. With the help of such tools, managers will have a clearer picture of how their policies and controls compare with the set ISMS requirements. Knowing the areas in need of improvement makes it possible to apply the relevant controls based on the ISO 27002 standard.
Demonstrating Good Practice for ISO 27002
Owing to the broad scope of the ISO 27002 standard, different guidelines are recommended for different sectors of an organisation. The standard contains recommended security techniques, controls, procedures, and implementation guidelines for 14 sectors. Below are a few controls and suggested procedures related to three parts of the ISO 27002 controls: physical and environmental security, human resource security and access control.
Physical and Environmental
The physical and environmental aspects of an organisation are critical to its information security. The proper controls and procedures ensure the physical safety of an organisation’s information by restricting access by unauthorized parties and protecting it against damage such as fire and other disasters.
Some of the information security techniques include:
1. Measures must be taken to monitor and restrict physical access to the organisation’s premises and supporting infrastructure, such as air conditioning and power. This helps prevent, and ensures the detection and correction of, unauthorized access, vandalism, criminal damage, and other tampering that could occur.
2. Access to sensitive areas must be restricted, and the list of authorized individuals periodically reviewed and approved (at least once a year) by the Physical Security Department or the Administration.
3. Video recording, photography, or any other form of digital recording should be prohibited in restricted areas except with the permission of the relevant authority.
4. Surveillance should be set around the premises at places such as entrances, exits and restricted areas. These recordings should be monitored round the clock by trained personnel and stored for at least a month in case a review is needed.
5. Restricted access in the form of access cards should be provided to allow time-limited access to vendors, trainees, third parties, consultants and other personnel authenticated to access the areas.
6. Visitors to the organisation should be accompanied at all times by an employee, except when using open areas such as the reception foyer and restrooms.
Human Resource Security
The following measures aim at ensuring the organisation’s information is safe as far as the employees of the organisation are concerned.
Some human resource information security standards include:
1. Each employee should be vetted before employment to verify their identity, their professional references, and their overall conduct. Vetting should be especially rigorous if they are to take up trusted information security positions in the organisation.
2. All employees should agree to a binding non-disclosure or confidentiality agreement. This dictates the level of discretion with which they handle the personal and proprietary information they come into contact with in the course of their employment.
3. The Human Resource department must inform the Finance, Administration and other relevant departments when an employee is hired, suspended, fired, transferred, on long-term leave, or in any other circumstance that could require a change to their permissions.
4. Once the HR department informs the other departments of the change of an employee’s status, this should be followed by the adjustment of the relevant physical and logical access rights.
5. Employees’ managers should follow up to ensure all keys, access cards, IT equipment, storage devices and all other company assets are returned before the termination of their employment.
Access Control
Access control involves the passwords, key cards, or other security restrictions designed to limit access to the company’s information and systems.
Some of the relevant controls include:
1. Access to corporate networks, IT systems, information, and applications should be controlled based on the role of the user or as specified by the relevant information asset owners or organisational procedures.
2. Restrictions must be set to alert the system and/or lock out user accounts after a predefined number of failed login attempts. These should be followed up on to eliminate the risk of an attempted breach.
3. All corporate workstations/PCs should have password-protected screensavers with timeouts of less than 10 minutes of inactivity.
4. Privileged access rights, such as those required by staff tasked with the administration, configuration, management, security, and monitoring of IT systems, should also be reviewed periodically by the relevant Information Security body.
5. The passphrases and passwords must be complex and lengthy with a combination of numerals, letters and special characters to make them impossible to guess. These should not be stored in any written or readable format.
6. The organisation should disable all write access to removable media such as CD/DVD writers on all the company computers unless authorized for specific business reasons.
ISO 27002 certification
ISO 27002 is not a certifiable standard. Instead, it is a set of advisory standards set to be interpreted and implemented by organisations as per their risk assessment. While this flexibility allows you to apply only the measures that make sense to your situation, it makes it difficult to test for compliance, therefore making ISO 27002 controls difficult to certify.
The certifiable standard used for compliance testing is ISO 27001. The ISO 27001 standard contains the requirements for the establishment, implementation, maintenance and improvement of an information security management system.
Annex A of ISO 27001 contains a set of information security guidelines and controls derived from ISO 27002. Organisations are encouraged to adopt these controls as per the requirements of their ISMS.
ISO 27002 requirements
The ISO 27002 standard does not have any explicit requirements for organisations. It only offers suggestions that should be implemented by organisations as per the nature of their specific information security risks.