ISO/IEC TR 27008 – Guidelines for the assessment of information security controls
The world is ever-changing, as are the risks to a business's reputation and bottom line. Organisations must be proactive, and a strong defence should be developed around auditing the controls that support information security. This is what ISO 27008 was designed to help with.
What is ISO 27008?
ISO 27008 is a Technical Document that outlines procedures for conducting an audit of an organisation’s information security controls. ISO 27008 plays a major role in the management activities associated with the implementation and operation of an information security management system (ISMS).
Even though it is meant to be used in conjunction with ISO 27001 and ISO 27002, it is not exclusive to those standards and is applicable to any scenario requiring an assessment of information security controls. ISO 27008 is essential to organisations of all forms and sizes, including public and private businesses, federal agencies, and not-for-profit organisations that perform information management reviews and operational compliance tests.
ISO 27008 proposes a comprehensive organisational security assessment and review framework for information security controls in order to give organisations confidence that their controls have been implemented and managed correctly and that their information security is “fit for purpose.”
It helps to instil trust in an organisation’s information security management system’s controls.
What is Information Security?
Information security is a subject that’s more important than ever before. News reports of data breaches and cyberattacks now come thick and fast, but what is the bigger picture?
Information security, sometimes shortened to InfoSec, is the practice of protecting information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security concerns the protection of information in any form when it is held or processed by an organisation.
Information security covers a broad territory and includes the concepts of confidentiality, integrity, and availability.
Techniques may include encryption to prevent unauthorised parties from viewing information; authorisation at the level of individual users or programs; operations security (OPSEC) to protect the confidentiality and integrity of operations within an organisation; authentication frameworks to prevent fraudulent transactions, and intrusion detection to detect intruders into computer systems.
What are Information Security Controls?
Information security controls are steps taken to mitigate information security vulnerabilities such as device failures, data theft, system breaches and unintended modifications to digital information or processes.
These security controls are usually applied in response to an information security risk evaluation in order to better secure the availability, confidentiality, and privacy of data and networks.
These controls safeguard the confidentiality, integrity, and availability of information in the field of information security.
Types of Information Security Controls
Security protocols, procedures, schedules, devices, and applications all fall into the category of information security controls.
- Preventive security controls are security protocols intended to avert cybersecurity incidents.
- Detective security controls are aimed at identifying and alerting cybersecurity staff to a cybersecurity intrusion attempt or potential security breach.
- Corrective security controls are used after a cybersecurity event to help mitigate data loss and device or network disruption and to easily recover sensitive business systems and operations.
Additionally, security measures can be categorised according to their purpose, as follows:
- These include physical entry monitors such as armed guards at building exits, locks, and perimeter fences.
- Threat awareness instruction, security framework enforcement training, and incident response processes and procedures.
- These include multi-factor account authentication at the point of entry (login) and logical access controls, antivirus applications, and firewalls.
- These include privacy rules, frameworks, and requirements, as well as cybersecurity approaches and standards.
What is the Purpose of ISO 27008?
ISO 27008 was created to:
- Assist in the preparation and implementation of ISMS audits and the method of information risk management;
- Provide guidelines for auditing information security controls in accordance with ISO/IEC 27002’s controls guidance;
- Enhance ISMS audits by optimising the relationships between ISMS processes and necessary controls;
- Assure that audit resources are used effectively and efficiently;
- Add value and improve the consistency and benefit of the ISO27k specifications by bridging the difference between updating the ISMS in principle and, where necessary, checking proof of applied ISMS controls (e.g., evaluating security elements of business operations, IT structures, and IT operating environments in ISO27k user organisations).
What is the Scope of ISO 27008?
ISO 27008 provides guidance to all auditors on information security management systems controls. It guides the information risk management process as well as internal, external, and third-party assessments of an ISMS by demonstrating the association between the ISMS and its accompanying controls.
It includes guidelines on how to test the extent to which necessary “information security management system controls” are applied. Additionally, it assists organisations that are implementing ISO/IEC 27001 or ISO/IEC 27002 in meeting compliance criteria and serving as a technical platform for information technology governance.
How does ISO 27008 Work?
ISO 27008 defines general procedures, not techniques for any particular control or forms of controls.
It defines systematic reviews and then outlines the various approaches and forms of reviews that are applicable to information security controls. Finally, it discusses the practices required for a successful review process.
Relationship with ISO 27001 and ISO 27002
ISO 27008 is very similar to the ISO 27007 audit specification for information security management systems.
However, unlike ISO 27007, which focuses on reviewing the management system components of an ISMS as defined in ISO 27001, ISO 27008 focuses on auditing specific information security controls, such as those listed in ISO 27002 and detailed in ISO 27001’s Annex A.
ISO 27008 “focuses on evaluations of information security controls, including regulatory compliance, against an organisation-established information security implementation standard.”
It is, however, not intended to provide detailed guidelines on compliance testing with respect to the calculation, risk evaluation, or audit of an ISMS, as specified in ISO 27004, 27005, or 27007, respectively.
Who Should Implement ISO 27008?
ISO 27008 is intended for internal and external auditors charged with the responsibility of reviewing information management controls that are part of an ISMS. It would, however, be beneficial to anyone doing an analysis or assessment of an ISMS’s controls, whether as part of a structured audit procedure or otherwise. The document is primarily intended for information security auditors who are responsible for verifying that an organisation’s information security controls are technically compliant with ISO/IEC 27002 and all other control requirements used by the organisation.
ISO 27008 will assist them in the following ways:
- Recognise and comprehend the scope of possible issues and weaknesses in information security controls.
- Identify and comprehend the possible consequences of inadequately mitigated computer technology risks and weaknesses for the company.
- Prioritise risk control practices related to information management.
- Ascertain that previously found or newly discovered vulnerabilities or defects have been resolved sufficiently.
ISO 27008 is applicable to a broad range of organisations, including public and private businesses, government agencies, and not-for-profit organisations.