

Tuesday, July 31, 2007

Key Strategies for Implementing ISO 27001 (4)


Analyze Return on Investment
Based on the groundwork done so far, companies should be able to arrive at approximate time and cost estimates for implementing the standard under each of the scope options. Organizations need to keep in mind that the longer it takes to get certified, the greater the consulting costs or internal staff effort. Implementation time matters even more when the implementation is driven by market or customer requirements: the longer compliance takes, the longer the organization must wait before it can bring a successful certification to market.


Implementing ISO 27001 requires careful thought, planning, and coordination to ensure a smooth control adoption. The decision of when and how to implement the standard may be influenced by a number of factors, including different business objectives, existing levels of IT maturity and compliance efforts, user acceptability and awareness, customer requirements or contractual obligations, and the ability of the organization to adapt to change and adhere to internal processes.

To learn more about the standard, BSI has prepared a guidance document available on its Web site. In addition, the Standards Direct Web site covers the latest version of the standard.

Key Strategies for Implementing ISO 27001 (1)
Key Strategies for Implementing ISO 27001 (2)
Key Strategies for Implementing ISO 27001 (3)
Key Strategies for Implementing ISO 27001 (4)

Key Strategies for Implementing ISO 27001 (3)


Determine ISO 27001 Maturity Levels
When assessing the organization’s compliance maturity level, auditors should determine whether or not the implementation team is able to answer the following questions:

  • Does a document exist that specifies the scope of compliance?
    According to ISO 27001, a scope document is required when planning the standard's implementation. The document must list all the business processes, facilities, and technologies available within the organization, along with the types of information within the ISMS. When identifying the scope of compliance, companies must clearly define the dependencies and interfaces between the organization and external entities.
  • Are business processes and information flows clearly defined and documented?
    Answering this question helps to determine the information assets within the scope of compliance and their importance, as well as to design a proper set of controls to protect information as it is stored, processed, and transmitted across various departments and business units.
  • Does a list of information assets exist? Is it current?
    All assets that may affect the organization's security should be included in an information asset list. Information assets typically include software, hardware, documents, reports, databases, applications, and application owners. A structured list must be maintained that includes individual assets or asset groups available within the company, their location, use, and owner. The list should be updated regularly to ensure accurate information is reviewed during the compliance certification process.
  • How are information assets classified?
    Information assets must be classified according to their importance to the organization and the level of impact that would result if their confidentiality, integrity, or availability were compromised.
  • Is a high-level security policy in place?
    Critical to implementing an information security standard is a detailed security policy. The policy must clearly convey management's commitment to protecting information and establish the business's overall security framework and sense of direction. It should also set out how security risks will be identified and managed and the criteria used to evaluate them.
  • Has the organization implemented a risk assessment process?
    A thorough risk assessment exercise must be conducted that takes into account the value and vulnerabilities of corporate IT assets, the internal processes and external threats that could exploit these vulnerabilities, and the probability of each threat. If a risk assessment methodology is in place, the standard recommends that organizations continue using this methodology.
  • Is a controls list available?
    Necessary controls should be identified based on the risk assessment results and the organization's overall approach to mitigating risk. Selected controls should then be mapped to Annex A of the standard, which identifies 133 controls divided into 11 domains, to complete the statement of applicability (SOA). A full review of Annex A acts as a check that no control area has been missed in the compliance planning process; any Annex A control that is excluded must be justified in the SOA.
  • Are security procedures documented and implemented?
    Steps must be taken to maintain a structured set of documents detailing all IT security procedures, which must be documented and monitored to ensure they are implemented according to established security policies.
  • Is there a business continuity (BC) management process in place?
    A management process must be in place that defines the company's overall BC framework. A detailed business impact analysis should be conducted as input to the BC plan, and the resulting plan should be tested and updated periodically.
  • Has the company implemented a security awareness program?
    Planning and documentation efforts should be accompanied by a proper IT security awareness program so that all employees receive training on information security requirements.
  • Was an internal audit conducted?
    An internal audit must be conducted to ensure compliance with the standard and adherence to the organization’s security policies and procedures.
  • Was a gap analysis conducted?
    Another important parameter to determine is the organization's level of compliance with the 133 controls in the standard. A gap analysis helps organizations link appropriate controls with the relevant business unit and can take place during any stage of the compliance process. Many organizations conduct the gap analysis at the beginning of the compliance process to determine the company's maturity level.
  • Were corrective and preventive actions identified and implemented?
    The standard follows the Plan-Do-Check-Act (PDCA) cycle, which helps the organization see how far and how well it has progressed; this directly influences the time and cost estimates to achieve compliance. To complete the PDCA cycle, the gaps identified in the internal audit and the gap analysis must be addressed by identifying and implementing the corrective and preventive actions needed.
  • Are there mechanisms in place to measure control effectiveness?
    Measuring control effectiveness is one of the changes introduced in ISO 27001:2005. The standard requires organizations to define how the effectiveness of the selected controls will be measured, and the measurements must produce comparable and reproducible results.
  • Is there a management review of the risk assessment and risk treatment plans?
    Risk assessments and risk treatment plans must be reviewed at planned intervals, at least annually, as part of the organization's ISMS management review.


Key Strategies for Implementing ISO 27001 (2)


Select the Proper Scope of Implementation
Identifying the scope of implementation carefully can save the organization a great deal of time and money. In many instances, it is not necessary for an organization to adopt companywide implementation of a standard. The scope of compliance can be restricted to a specific division, business unit, type of service, or physical location. In addition, once successful compliance has been achieved for a limited but relevant scope, it can be expanded to other divisions or locations.

Choosing the right scope is one of the most important factors throughout the compliance cycle, because it affects the feasibility and cost of the standard's implementation and the organization's return on investment. As a result, it is important for the selected scope to help achieve the identified business objectives. To do this, the organization may evaluate different scope options and rank them based on how well they fit with each objective.

Organizations also may want to sign memoranda of understanding (MOUs) or service level agreements (SLAs) with vendors and partners to implement a form of indirect compliance with the standard. For example, a garment manufacturing company may have a contract with a software provider for application maintenance and upgrades. The manufacturing company is then not responsible for the application's system development life cycle compliance with the standard, as long as it has a relevant MOU or SLA signed with the software vendor. The agreement itself, however, remains within the ISMS as an interface with an external party and must be managed and reviewed like any other control.

Finally, the organization's overall scale of operations is an integral parameter needed to determine the compliance process' complexity level. To find out the appropriate scale of operations, organizations need to consider their number of employees, business processes, work locations, and products or services offered.


Key Strategies for Implementing ISO 27001 (1)


Implementing ISO 27001 can be an arduous task. Determining the scope of implementation, as well as the time and effort required for implementation to occur, can help organizations design a more effective IT compliance process.

By KK Mookhey, Chief Technology Officer, Network Intelligence India Pvt. Ltd.
Khushbu Jithra, Information Developer, Network Intelligence India Pvt. Ltd.

In 1995, the British Standards Institution (BSI) published British Standard (BS) 7799, a widely adopted set of best practices that helps organizations implement effective information security management systems (ISMSs) and establish security controls for specific business areas. In October 2005, the standard's specification part, BS 7799-2, was adopted by the International Organization for Standardization (ISO) as ISO/IEC 27001:2005. As a result, implementing BS 7799, now ISO 27001:2005, has become a major focus of attention for European-based companies and those working in the region.

Depending on the organization's size, the nature of its business, and the maturity of its processes, implementing ISO 27001 can involve a substantial investment of resources that requires the commitment of senior management. In addition, because of its emphasis on data security, many internal auditors perceive the standard to be focused solely on technology and often recommend that IT departments comply with the standard's requirements without understanding the amount of time and resources required for compliance. To ensure across-the-board acceptance and success, initial analyses and planning are vital. Because internal auditors are in the perfect position to add value to an organization's IT processes, they can help IT departments prepare the groundwork for an effective and efficient ISO 27001 implementation strategy during the initial planning phase. This will help companies ensure their IT processes are better aligned with the standard's requirements and ensure long-term compliance.


Implementing ISO 27001 can take time and consume unforeseen resources, especially if companies don't have an implementation plan early in the compliance process. To enhance compliance efforts, internal auditors can help companies identify their primary business objectives and implementation scope. Auditors should work with IT departments to determine current compliance maturity levels and analyze the compliance process' return on investment. These steps can be conducted by a team of staff members or external consultants who have prior experience implementing the standard. External consultants should work in collaboration with an internal team of representatives from the company's major business units. Below is a description of each recommendation.

Identify Business Objectives
Plans to adopt ISO 27001 must be supported by a concrete business analysis that involves listing the primary business objectives and ensuring a consensus is reached with key stakeholders. Business objectives can be derived from the company's mission, strategic plan, and existing IT goals and may include:

  • Ensuring effective risk management, such as identifying information assets and conducting accurate risk assessments.
  • Maintaining the company's competitive advantage, if the industry as a whole deals with sensitive information.
  • Preserving the organization's reputation and standing among industry leaders.
  • Providing assurance to customers and partners about the organization’s commitment to protecting data.
  • Increasing the company's revenue, profitability, and savings in areas where protective controls operate well.

The standard also emphasizes compliance with contractual obligations, which might be considered another key business objective. For instance, for an online banking division, implementing the standard would provide customers and partners greater assurance that risks stemming from the use of information systems are managed properly.


Hints and Tips

If you have implemented, audited or have any other serious experience with respect to ISO 17799 and/or BS7799, please add your own hints/tips below:

— Aim to reach compliance with ISO 17799 and let the processes bed-down before considering certification against ISO 27001 (ex BS7799-2).

— Stick to the plan (eg: as outlined in the Guide To Certification)

— If you can undertake an implementation, compliance or certification task yourself, do so. In the long run you will obtain greater benefit by learning the ropes and performing activities such as writing information security policies yourself. However, advice and guidance from knowledgeable and experienced consultants can help cut corners, save time and avoid pitfalls.

— Be sure that you have explicit backing from the top, the very top, of your organization for your compliance and/or certification efforts, and indeed for information security as a whole. Be sure that senior management understands the objectives, benefits and likely costs of the implementation and certification project at the outset. This implies the need to achieve management awareness of information security at an early stage. Without this, the rest is more-or-less doomed to failure.

— The benefits of compliance with ISO 17799 are not necessarily limited purely to better information security. Rigorous analysis and documentation of key information processing activities may identify opportunities to improve process efficiencies, for instance. The structured information security management framework incorporates elements of ISO 9000 quality assurance practices. Legal and regulatory compliance supports management's governance obligations and reduces liabilities.

— Note that information security is not the same as computer security. All information assets need to be secured appropriately, including hardcopy documents, CCTV/videoconference data, telephone systems etc. as well as computer data, systems and networks.

— Once information security is brought under management control, continuous improvement is possible. Over time, information security and related processes will mature and things you can only dream of today will eventually become a reality. Have faith!

— Don't forget security awareness. See ISO 17799 and information security awareness

— Getting the Risk Assessment right is crucial to the success of implementation. The structure of the risk assessment is clearly outlined in ISO27001 and should be followed very closely. The fourth point above indicates how important the management commitment element is. Part of that commitment is to give approval to the risk assessment process and define the levels of risk which are to be accepted, mitigated, transferred or avoided. They must also approve the residual risks following implementation of the selected controls.


ISO 17799 and ISO 27001 FAQ

1) Which ISO17799 controls are most important?
That largely depends upon the individual organization. However, ISO17799 does give some guidance, in the form of 'legislative essentials' and 'common best practice' under the IS "starting point" section. These are:
- intellectual property rights (12.1.2)
- safeguarding of organizational records (12.1.3)
- data protection and privacy of personal information (12.1.4)
- information security policy document (3.1.1)
- allocation of information security responsibilities (4.1.3)
- information security education and training (6.2.1)
- reporting security incidents (6.3.1)
- business continuity management (11.1)

2) What is a Certification body?
An accredited certification body is a third party organization that assesses/certifies the IS management system against the standard (BS7799-2 / ISO 27001).

3) Who are the Accredited Certification bodies for the standard?
There are a growing number of organizations accredited to grant certification against ISO27001. The following are amongst them: BSI, Certification Europe, DNV, JACO IS, KEMA, KPMG, SFS-Sertifiointi Oy, SGS, STQC, SAI Global Limited, UIMCert GmbH

4) How do I become a certified auditor?
The International Register for Certified Auditors operates a certification scheme for ISMS auditors.

5) How does this standard fit with ISO 9000?
BS7799 is actually being "harmonized" with other management standards, including ISO 9000 and ISO 14000. Watch this space!

6) Who originally wrote the security standard?
Originally a BSI/DISC committee, which included representatives from a wide section of industry and commerce. It was subsequently reviewed by an ISO (International Organization for Standardization) committee and ultimately emerged through the ISO publication process.

7) What is the ISO 17799 Toolkit?
This is the main support resource for the standard, including the standard itself, ISO 17799 policies, etc.

8) What is ISO/IEC Guide 62?
This is largely for those bodies operating certification schemes and contains general requirements applicable to them.

9) What is ISO 27001?
BS7799-2, the original specification for an information security management system, was 'fast tracked' by ISO to become ISO 27001 in 2005. It is also suggested that ISO17799 may be renamed to ISO 27002 at some point in the future, thus creating an ISO 27000 series of standards.



Email security breaches are becoming an increasingly significant threat to organizations around the world. To counter this, most organizations will already have a firewall and anti-virus software in place. Because new viruses are found daily, they should also make sure that their virus protection is updated on a daily basis.

Viruses, of course, can sometimes penetrate the firewall by hiding within emails. Once opened, the virus can spread and cause significant damage to internal systems. The virus may not always be serious enough to cause permanent damage but, even with viruses that do little direct harm, the disruption may well take time and money to rectify.

Despite these risks, there is no escaping the fact that e-mail is rapidly becoming the principal means of business communication. Draconian restrictions on use are therefore not tenable. However, rigid application of stringent security policy certainly is.

The following high-level best practice statements should be adhered to as a basic minimum:

• Personnel should understand the rights granted to them by the organization in respect of privacy in personal e-mail transmitted across the organization’s systems and networks. Human Resources Department should incorporate a suitable wording into employee contracts to ensure that this privacy issue is fully understood.

• Confidential and sensitive information should not be transmitted by e-mail - unless it is secured through encryption or other secure means.

• Personnel should not open emails or attached files without ensuring that the content appears to be genuine. If you are not expecting to receive the message or are not absolutely certain about its source, do not open it.

• Personnel should be familiar with general e-mail good practice e.g. the need to save, store and file e-mail with business content in a similar manner to the storage of letters and other traditional mail. E-mails of little or no organizational value should on the other hand be regularly purged or deleted from your system.

From these, it is recommended that more specific corporate requirements are produced and implemented.



Every issue of The ISO17799 Newsletter features at least one TRUE story of an information security breach and its consequences. This issue considers genuine cases illustrating different threats from WITHIN the organization:

1) The Disgruntled Employee

An organization in the US fired an employee who had been known to be less than happy in his work and had been causing problems for management through a variety of activities. Unbeknown to the organization, this employee had made a copy of the main client database for himself and therefore had access to sensitive information.

Shortly after the employee was dismissed, major customers started receiving offensive material purportedly sent by the organization itself. The ex-employee had used a simple open SMTP relay to spoof the organization's email addresses. Customers immediately started to move away from the organization, and even when they were informed that this material had been maliciously sent to them by a former employee, they remained unimpressed with a company that had so little security in place.

The organization quickly went out of business, paying a heavy price for not having sufficient control over employee access to sensitive information.

2) Intellectual Property Rights

A firm in London developed a range of new products mainly by utilizing the services of one of its employees who was particularly skilled at these activities. Once these products had been developed, they were successfully marketed by the firm and a good revenue stream emanated from this new business area.

Unfortunately, the firm had not considered protecting the intellectual property rights of work undertaken during the employee’s time with them and it was subsequently successfully sued by the employee who had authored the products, and who then claimed ownership over the intellectual property rights contained within them.

The lesson to be learned here is that employees' contracts should clearly state the ownership of any work developed for the company during their employment. This agreement should be signed by the employee to signify acceptance of these terms and conditions prior to undertaking this type of work.

3) Who Audits the Auditor?

A large financial company thought they had security in the bag. Their security department was active, and involved in most activities of the Group. It had a reputation for being on top of new technology, and had an aggressive audit schedule, with all sensitive applications and projects being regularly audited.

What a pity they got a fundamental principle so badly wrong! As the Group's security area they had full access to security settings, and administered access control for key applications. As auditors they audited the same. That was the crunch.

The same individuals who set security levels and granted access to information resources, also audited them. A classic case of insufficient segregation of duties.

In one sense they were lucky. The incident which brought this to light was petty. The individual in question could not resist the temptation to adjust his overtime figures on the payment database. He inflated the figures by several hundred dollars, each month, for several months. He was caught because someone else on his team spotted his payslip (which he had left inside his briefcase, which he left open!) and knew instinctively that he had not been working long hours in recent weeks and therefore that the salary figure was far too high.

It could, however, just as easily have been an accounting database that he adjusted, or a number of financial databases, and the company could have been facing a substantial and embarrassing loss.

The golden rule of course is that auditors usually need only read access to audit, and not update.



For an Information Security audit to be effective it must be planned and have adequate preparation. A common purpose of conducting the audit is to enable the Information Security Officer (or the person who is responsible for the security of information) to measure the level of compliance with the organization’s Information Security Policies and associated procedures.

At the highest level, the Information Security Officer should initially prepare an audit program which ensures that all key risk areas are audited and reviewed on a regular basis. The greater the threats, and the higher the risk or probability of an Information Security incident, the more often the audit should be conducted.

Once the risk area to be audited has been selected, the Information Security Officer should prepare a list of the INFORMATION that needs to be collected to carry out the audit.

As an example, if the audit chosen is regarding the Portable Computing Facilities, the documents to be considered for review are:

• Insurance documents.

• Hardware register.

• Software register.

• User Profile.

• Network Profile.

• Issue form.

• General terms of use.

• Removal of equipment authorization.

The Information Security Officer will also decide on which PERSONNEL need to be audited and arrange an interview schedule. In the same example, the following personnel would be audited:

• The issuers of portable computers.

• A sample of the user population who use portable computers.

• Ancillary staff.

As with many tasks, pre-planning is sometimes seen as a necessary evil, and there is temptation to shortcut. However, in most cases, there is little doubt that the quality of the planning is likely to go a long way in determining the quality of the audit.



Our source list for recent purchases of the ISO17799 standard always proves to be a popular talking point. The up to date version of the most recent thousand or so is as follows:

Argentina 3

Australia 18

Austria 9

Barbados 2

Belgium 14

Bermuda 3

Brasil 11

Brunei 1

Canada 101

Chile 7

China 5

Colombia 6

Costa Rica 1

Croatia 2

Cyprus 3

Denmark 16

Egypt 5

Estonia 1

Faroe Islands 1

France 19

Germany 55

Gibraltar 1

Greece 5

Guatemala 1

Hong Kong 12

Hungary 4

Iceland 1

India 12

Indonesia 5

Ireland 27

Isle of Man 1

Israel 2

Italy 36

Jamaica 2

Japan 10

Jordan 2

Korea 1

Lebanon 2

Luxembourg 2

Malaysia 8

Malta 1

México 22

Netherlands 39

New Zealand 5

Norway 19

Peru 1

Philippines 2

Poland 3

Portugal 6

Russia 4

Saudi Arabia 9

Singapore 15

Slovak Republic 1

Slovenia 3

South Africa 11

Spain 23

Sweden 11

Switzerland 48

Taiwan 5

Thailand 2

Tunisia 1

Turkey 3

UK 379

United Arab Emirates 5

USA 588

Venezuela 2

The same health warnings apply as usual: these are online credit card sales from a single source. As a consequence, those cultures that are less familiar with this form of commerce will be under represented.


A Strategy and Approach for ISO 17799 / BS7799 / ISO 27001

There are actually a variety of ways to approach the standard. The correct one for a specific organization will obviously depend upon the nature of the organization itself. However, the following 'cycle' has been documented as one possible approach, and may be of use.

- Firstly, obtain a copy of the standard itself. Whilst this may seem rather obvious, it is surprising how often people attempt to judge suitability without ever actually having studied the documents themselves. The documents can be obtained stand-alone or as part of the starter kit (The ISO 17799 Toolkit).

- The merits of the standard itself are considered. Factors can include impact on confidence of new/existing customers/partners, enhancing the organization's security, etc.

- The decision is made to move forward with the standard. All options are available of course: from loose alignment with it, to compliance with it, to certification.

- The project is planned in terms of resourcing (ie: people and time). This could include external resources such as consultants.

- Alongside the previous step, the scope of the exercise is decided. In other words, the part(s) of the organization to be included are determined.

- A review of existing documentation is conducted. This will help establish the extent and quality of the measures already in place (eg: security policies).

- An inventory is drawn up of all significant information assets.

- A 'gap analysis' is performed to identify the gaps between the existing situation, and those controls, processes and procedures documented in the standard.

- A risk analysis exercise is performed in order to determine the extent of risk to the organization through security breach. A Risk Assessment document is produced.

- The organization must determine how the identified risks are to be managed. Responsibilities for managing them are assigned and documented.

- Controls to address the identified risks are selected, both from the standard and elsewhere. A "Statement of Applicability" is developed following selection.

- Security policies are created/adapted using the Statement of Applicability and other inputs. This is often based upon the template included in The ISO 17799 Toolkit.

- Appropriate policy based procedures are created.

- An awareness program is initiated to ensure employees and agents are familiar with the IS requirements of the organization.

- A method of compliance monitoring is introduced.

- At this point, the organization reviews its position. Commonly, certification is considered (which of course requires external audit by an accredited body).


ISO 17799: Scope and implementation – Part 1 Security Policy.

By Gregory Yhan, CISSP

As information security becomes increasingly important to the continued success of businesses, many are seeking an appropriate security framework, and the ISO 17799 standard is increasingly the choice. While this standard provides only a high-level description of how to implement and maintain information security, it is a sound starting point for any organization trying to implement a comprehensive information security strategy. This is the first article in a series of eleven devoted to reviewing the ISO 17799 standard. Part one addresses the following: first, an overview of what the standard is and how it should be used; second, the structure of the standard, which is vital for any successful analysis; and last, the Security Policy control clause as outlined by the standard. Subsequent articles will review the other ten security control clauses in the standard.

ISO 17799: What is it?
According to the ISO, ISO 17799 'establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization.' As mentioned, the standard simply offers guidelines; it does not contain in-depth information on how information security should be implemented and maintained.

Not all of the security controls (the means of managing risk) mentioned in this standard should be implemented. The appropriate controls should be selected only after an in-depth risk assessment has been completed, so that they meet the specific needs of the organization. Each organization is unique; therefore each will face different threats and vulnerabilities. It is also important to understand that the controls in the standard are not organized or prioritized according to any specific criteria. Each control should be given equal consideration, and security requirements should be addressed at the requirements specification and design stage of systems and projects. Failure to do this will result in less cost-effective measures or even failure to achieve adequate security.

The last point that should be highlighted about the standard is the ISO warning that no set of
controls will achieve complete security. The ISO encourages additional intervention from
management to monitor, evaluate and improve the effectiveness of security controls to support
the business objectives of the organization.

Security Policy
The Security Policy control clause is the first of eleven clauses that will be reviewed. As mentioned earlier, ISO 17799 is not a catalogue of in-depth security procedures. The sole objective of the Security Policy control clause, according to the standard, is to provide management with direction and support for information security implementation. In essence it demonstrates management commitment to security and provides high-level rules for protecting

The ‘main security category’ within the Security Policy clause is ‘Information security policy.’ This category has two controls listed: Information security policy document, and Review of the information security policy (Figure 1). There are many resources available on how to formulate security policies. ISO 17799 offers a strong foundation on which to start.

Information security policy document: Control 1
The security policy document should be approved by management and communicated to all
employees and relevant external parties.
The ISO 17799 offers the following implementation guidelines on what a policy document should
a) a definition of information security, its scope and objectives
b) a statement of management’s support for security in conjunction with business objectives
c) a framework for setting control objectives and controls
d) an explanation of policies, principles, standards and compliance requirements, e.g. legislative requirements, security education requirements, consequences of security policy violations
e) references to documentation supporting the policy
The information security policy may be a part of a general policy document; however, if it is distributed outside the organization, care should be taken not to disclose sensitive information.
The second main security category within the Security Policy control clause is ‘Review of the information security policy.’

Review of the information security policy: Control 2
This control requires a review of the security policy at ‘planned intervals’ or if ‘significant’ changes occur, to ensure its suitability and effectiveness.
According to the implementation guidelines for this control, the following should be in place:
a) the policy should have an owner
b) the management-approved owner is responsible for the development, review, and evaluation of the security policy
c) a review should consider opportunities for improvement
A review of the security policy should consider results from management reviews. Management reviews should also be scheduled and contain inputs from sources such as:
a) feedback from interested parties
b) feedback from independent reviews
c) trends related to threats and vulnerabilities
d) reported security incidents
e) recommendations provided by relevant authorities
Outputs from management reviews should include:
a) improvement to the organization’s approach to managing information security
b) improving control objectives
c) improving available resources/responsibilities
Any revision to the policy should obtain management approval.

ISO 17799 is widely becoming the framework of choice for organizations seeking to implement a comprehensive information security strategy. This article reviewed one of its eleven control clauses. A Security Policy provides management with direction and support for information security. The Security Policy clause has one ‘main security category’, followed by two controls. The security policy document should be approved by management and communicated to all employees. Lastly, there should be a planned review of the policy.

Monday, July 30, 2007

Security Policies

The following represents a template for a set of policies aligned with the standard. Note that these are headings, to assist with policy creation, rather than policy statements. However, similar policy sets are in use in a substantial number of organizations.

Chapter Title

Information Security Policy

Information Security policy
Senior Management Support
Information Security Policy Review
Inter-departmental collaboration

Information Security Organization

Independent Review of Information Security Policy
Sharing Information with other Organizations


Setting Classification Standards

Defining Information
Classifying Information
Accepting Ownership for Classified Information
Labeling Classified Information
Storing and Handling Classified Information
Isolating Top Secret Information
Managing Network Security


Controlling Access to Information and Systems

Managing Access Control Standards
Managing User Access
Securing Unattended Workstations
Management Duties
Third Party Service Management
Managing Network Access Controls
Controlling Access to Operating System Software
Managing Passwords
Securing Against Unauthorized Physical Access
Access Control Framework
Access Policy
Restricting Access
Monitoring System Access and Use
Giving Access to Files and Documents
Managing Higher Risk System Access
Controlling Remote User Access
Types of Access Granted to Third Parties
Why access is granted to third parties
Controlled pathway
Node authentication
Diagnostic and Configuration Port Controls
Granting Access to Customers
Acceptable Usage of Information Assets
Monitoring Third Party Services
Third Party Service Changes



Configuring Networks
Managing the Network
Network Segregation
Controlling Shared Networks
Routing Controls
Network Security
Accessing your Network Remotely
Defending your Network Information from Malicious Attack
Time-out Facility
Exploitation of Covert Channels
Authentication of Network Connecting Equipment

System Operations and Administration

Appointing System Administrators
Administrating Systems
Controlling Data Distribution
System Utilities
System Use Procedures
Internal Processing Controls
Permitting Third Party Access
Managing Electronic Keys
Managing System Operations and System Administration
Managing System Documentation
Synchronizing System Clocks
Monitoring Error Logs
Scheduling Systems Operations
Scheduling Changes to Routine Systems Operations
Monitoring Operational Audit Logs
Responding to System Faults
Managing or Using Transaction / Processing Reports
Commissioning Facilities Management - FM
Third Party Service Delivery
Log-on Procedures
Corruption of Data
Corrupt Data Controls
Controlling On-Line Transactions

E-mail and the Worldwide Web

Downloading Files and Information from the Internet
Electronic Business Communications
Policy on Electronic Business Communications
Using and Receiving Digital Signatures
Sending Electronic Mail (E-mail)
Receiving Electronic Mail (E-mail)
Retaining or Deleting Electronic Mail
Developing a Web Site
Receiving Misdirected Information by E-mail
Forwarding E-mail
Using Internet for Work Purposes
Giving Information when Ordering Goods on Internet
Setting up Intranet Access
Setting up Extranet Access
Setting up Internet Access
‘Out of the Box’ Web Browser Issues
Using Internet ‘Search Engines’
Maintaining your Web Site
Filtering Inappropriate Material from the Internet
Certainty of File Origin
Cryptographic Keys
Key Management Procedures
Controlling Mobile Code

Telephones & Fax

Making Conference Calls
Recording of Telephone Conversations
Receiving Misdirected Information by Fax
Giving Information when Ordering Goods on Telephone
Persons Giving Instructions over the Telephone
Using Video Conferencing Facilities
Persons Requesting Information over the Telephone
Receiving Unsolicited Faxes

Data Management

Transferring and Exchanging Data
Permitting Emergency Data Amendment
Receiving Information on Disks
Setting up a New Folder / Directory
Amending Directory Structures
Sharing Data on Project Management Systems
Archiving Documents
Information Retention Policy
Setting up New Spreadsheets
Setting up New Databases
Linking Information between Documents and Files
Updating Draft Reports
Deleting Draft Reports
Using Version Control Systems
Updating Customer Information
Using Meaningful File Names
Managing Data Storage
Managing Databases
Using Headers and Footers
Using and Deleting ‘Temp’ Files
Using Customer and Other Third Party Data Files
Saving Data / Information by Individual Users

Backup, Recovery and Archiving

Restarting or Recovering your System
Archiving Information
Backing up Data on Portable Computers
Managing Backup and Recovery Procedures
Archiving Electronic Files
Recovery and Restoring of Data Files

Document Handling

Managing Hard Copy Printouts
The Countersigning of Documents
Checking Document Correctness
Approving Documents
Verifying Signatures
Receiving Unsolicited Mail
Style and Presentation of Reports
Photocopying Confidential Information
Filing of Documents and Information
Transporting Sensitive Documents
Shredding of Unwanted Hardcopy
Using Good Document Management Practice

Securing Data

Using Encryption Techniques
Sending Information to Third Parties
Maintaining Customer Information Confidentiality
Handling of Customer Credit Card Details
Fire Risks to Your Information
Sending Out Reports
Sharing Information
Dealing with Sensitive Financial Information
Deleting Data Created / Owned by Others
Protecting Documents with Passwords
Printing of Classified Documents

Other Information Handling and Processing

Using Dual Input Controls
Loading Personal Screen Savers
Speaking to the Media
Speaking to Customers
Need for Dual Control / Segregation of Duties
Using Clear Desk Policy
Misaddressing Communications to Third Parties
Using External Disposal Firms
Using Photocopier for Personal Use
Verifying Correctness of Information
Traveling on Business
Checking Customer Credit Limits


Purchasing and Installing Software

Specifying User Requirements for Software
Implementing New / Upgraded Software
Selecting Business Software Packages
Selecting Office Software Packages
Using Licensed Software
Technical Vulnerability Management

Software Maintenance & Upgrade

Applying ‘Patches’ to Software
Responding to Vendor Recommended Upgrades to Software
Interfacing Applications Software / Systems
Supporting Application Software
Operating System Software Upgrades
Upgrading Software
Support for Operating Systems
Recording and Reporting Software Faults

Other Software Issues

Disposing of Software


Purchasing and Installing Hardware

Specifying Information Security Requirements for New Hardware
Specifying Detailed Functional Needs for New Hardware
Installing New Hardware
Testing Systems and Equipment

Cabling, UPS, Printers and Modems

Supplying Continuous Power to Critical Equipment
Using Centralized, Networked or Stand-Alone Printers
Managing and Maintaining Backup Power Generators
Using Fax Machines / Fax Modems
Using Modems / ISDN / DSL connections
Installing and Maintaining Network Cabling


Controlling IT Consumables
Using Removable Storage Media including Diskettes and CDs

Working Off Premises or Using Outsourced Processing

Contracting or Using Outsourced Processing
Using Mobile Phones
Using Business Centre Facilities
Issuing Laptop / Portable Computers to Personnel
Using Laptop/Portable Computers
Working from Home or Other Off-Site Location (Tele-working)
Moving Hardware from One Location to Another
Day to Day Use of Laptop / Portable Computers

Using Secure Storage

Using Lockable Storage Cupboards
Using Lockable Filing Cabinets
Using Fire Protected Storage Cabinets
Using a Safe

Documenting Hardware

Managing and Using Hardware Documentation
Maintaining a Hardware Inventory or Register

Other Hardware Issues

Disposing of Obsolete Equipment
Recording and Reporting Hardware Faults
Clear Screen Policy
Logon and Logoff from your Computer
Dealing with Answering Machines / Voice Mail
Taking Equipment off the Premises
Maintaining Hardware (On-site or Off-site Support)
Using Speed Dialing Telephone Options
Cleaning of Keyboards and Screens
Damage to Equipment
Insuring Hardware
Insuring Laptops / Portables for use Domestically or Abroad


Combating Cyber Crime

Defending Against Premeditated Cyber Crime Attacks
Minimizing the Impact of Cyber Attacks
Collecting Evidence for Cyber Crime Prosecution
Defending Against Premeditated Internal Attacks
Defending Against Opportunistic Cyber Crime Attacks
Safeguarding Against Malicious Denial of Service Attack
Defending Against Hackers, Stealth-and Techno-Vandalism
Handling Hoax Virus Warnings
Defending Against Virus Attacks
Responding to Virus Incidents
Collecting Evidence for Cyber Crime Prosecution
Installing Virus Scanning Software


E-Commerce Issues

Structuring E-Commerce Systems including Web Sites
Securing E-Commerce Networks
Configuring E-Commerce Web Sites
Using External Service Providers for E-Commerce


Controlling Software Code

Managing Operational Program Libraries
Controlling Software Code during Software Development
Controlling Program Listings
Controlling Program Source Libraries
Controlling Old Versions of Programs
Managing Program Source Libraries

Software Development

Software Development
Establishing ownership for System Enhancements
Justifying New System Development
Managing Change Control Procedures
Making Emergency Amendments to Software
Separating Systems Development and Operations

Testing & Training

Controlling Test Environments
Using Live Data for Testing
Testing Software before Transferring to a Live Environment
Capacity Planning and Testing of New Systems
Parallel Running
Training in New Systems


Documenting New and Enhanced Systems

Other Software Development

Acquiring Vendor Developed Software


Premises Security

Preparing Premises to Site Computers
Securing Physical Protection of Computer Premises
Challenging Strangers on the Premises
High Security Locations
Delivery and loading areas
Duress Alarm
Ensuring Suitable Environmental Conditions
Physical Access Control to Secure Areas
Environmental and other external threats

Data Stores

Managing On-Site Data Stores
Managing Remote Data Stores

Other Premises Issues

Electronic Eavesdropping
Cabling Security
Disaster Recovery Plan


Contractual Documentation

Preparing Terms and Conditions of Employment
Using Non Disclosure Agreements (Staff and Third Party)
Misuse of Organization Stationery
Lending Keys to Secure Areas to Others
Lending Money to Work Colleagues
Complying with Information Security Policy
Establishing Ownership of Intellectual Property Rights
Employing / Contracting New Staff
Contracting with External Suppliers / other Service Providers
Employees' Responsibility to Protect Confidentiality of Data

Confidential Personnel Data

Respecting Privacy in the Workplace
Handling Confidential Employee Information
Giving References on Staff
Checking Staff Security Clearance
Sharing Employee Information with Other Employees
Sharing Personal Salary Information

Personnel Information Security Responsibilities

Using the Internet in an Acceptable Way
Keeping Passwords / PIN Numbers Confidential
Sharing Organization Information with Other Employees
Signing for the Delivery of Goods
Signing for Work done by Third Parties
Ordering Goods and Services
Verifying Financial Claims and Invoices
Approving and Authorization of Expenditure
Responding to Telephone Enquiries
Sharing Confidential Information with Family Members
Gossiping and Disclosing Information
Spreading Information through the Office ‘Grape Vine’
Using E-Mail and Postal Mail Facilities for Personal Reasons
Using Telephone Systems for Personal Reasons
Using the Organization’s Mobile Phones for Personal Use
Using Organization Credit Cards
Playing Games on Office Computers
Using Office Computers for Personal Use

HR Management

Dealing with Disaffected Staff
Taking Official Notes of Employee Meetings

Staff Leaving Employment

Handling Staff Resignations
Completing Procedures for Terminating Staff or Contractors
Obligations of Staff Transferring to Competitors

HR Issues Other

Recommending Professional Advisors



Delivering Awareness Programmes to Permanent Staff
Drafting Top Management Security Communications to Staff
Third Party Contractor : Awareness Programmes
Delivering Awareness Programmes to Temporary Staff
Providing Regular Information Updates to Staff


Information Security Training on New Systems
Information Security Officer : Training
User : Information Security Training
Technical Staff : Information Security Training
Training New Recruits in Information Security


Complying with Legal Obligations

Being Aware of Legal Obligations
Complying with Copyright and Software Licensing Legislation
Complying with the Data Protection Act or Equivalent
Complying with General Copyright Legislation
Complying with Database Copyright Legislation
Legal Safeguards against Computer Misuse

Complying with Policies

Managing Media Storage and Record Retention
Complying with Information Security Policy

Avoiding Litigation

Safeguarding against Libel and Slander
Using Copyrighted Information from the Internet
Sending Copyrighted Information Electronically
Using Text directly from Reports, Books or Documents
Infringement of Copyright

Other Legal Issues

Recording Evidence of Incidents (Information Security)
Reviewing System Compliance Levels
Renewing Domain Name Licenses – Web Sites
Insuring Risks
Recording Telephone Conversations
Admissibility of Evidence
Adequacy of Evidence
Collection of Evidence


Reporting Information Security Incidents

Reporting Information Security Incidents
Reporting IS Incidents to Outside Authorities
Reporting Information Security Breaches
Software Errors and Weaknesses
Notifying Information Security Weaknesses
Witnessing an Information Security Breach
Being Alert for Fraudulent Activities
When and How to Notify Authorities

Investigating Information Security Incidents

Investigating the Cause and Impact of IS Incidents
Collecting Evidence of an Information Security Breach
Recording Information Security Breaches
Responding to Information Security Incidents

Corrective Activity

Establishing Remedies to Information Security Breaches

Other Information Security Incident Issues

Ensuring the Integrity of IS Incident Investigations
Analyzing IS Incidents Resulting from System Failures
Monitoring Confidentiality of Information Security Incidents
Breaching Confidentiality
Establishing Dual Control / Segregation of Duties
Using Information Security Incident Check Lists
Detecting Electronic Eavesdropping and Espionage Activities
Risks in System Usage
Reviewing System Usage


Business Continuity Management

Initiating the Business Continuity Project
Assessing the Business Continuity Security Risk
Developing the Business Continuity Plan
Testing the Business Continuity Plan
Training and Staff Awareness on Business Continuity
Maintaining and Updating the Business Continuity Plan
Realistic Testing Environment for Business Continuity Plans
Impact of the Pace of change on the Business Continuity Plan

From :


Contrary to common belief, certification is applicable against ISO 27001, rather than ISO 17799. The certification itself is international, in that National Accreditation Bodies have a mutual recognition model in place enabling certifications granted in one territory to be recognized in another. Clearly, this is essential for an international standard.

Common reasons to seek certification include: organisational assurance; trading partner assurance; competitive advantage (market leverage); reduction or elimination of trade barriers; reduced regulation costs; and so on.

To meet the certification requirements, an organization's ISMS must be audited by a 'Certification Body' (or, strictly speaking, an assessor who works for a Certification Body). There is a clear segregation of duties here: the assessor must be independent of consultancy and training.

A Certification Body must have been accredited by the National Accreditation Body for the territory in question (eg: UKAS in the UK). This helps ensure that Certification Bodies meet national and international standards for their services, and ensures consistency. In respect of ISO 27001, the relevant accreditation guidance is typically a document called EA-7/03 (‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’).

The following diagram may clarify this process:

Different certification bodies tend to adopt slightly different approaches to the exercise, with some being more 'hands on' than others. However, the following six step process is a fairly common one:

1 - Questionnaire (the Certification Body obtains details of your requirements)
2 - Application for Assessment (you complete the application form)
3 - Pre-assessment Visit or a ‘Gap Analysis’ (optional)
4 - The Stage 1 Audit (a ‘Document Review’). This is the first part of the audit proper.
5 - The Stage 2 Audit (otherwise called the ‘Compliance Audit’)
6 - Ongoing Audits

From :

Risk Assessment

The risk assessment is a very significant and time consuming element of the ISMS implementation programme. A slight error in the risk assessment strategy may delay a critical implementation programme by many months. The structure provided in ISO27001 is rather prescriptive, and if a certification/ registration assessment is to be conducted against this standard, it is crucial that the process of risk assessment can be evidenced as closely following these requirements. The steps are outlined as follows:-

1) Identify the information assets and information handling assets within the scope of the ISMS and identify the asset owner of each of these assets. A good way of identifying the assets is to map the business processes which fall within scope and list the assets required for the input, execution and output of these processes.

2) Identify the impacts of loss of confidentiality, availability or integrity of these assets. This impact could be financial, loss of reputation or loss of material ability to perform some aspect of business operations.

3) Identify the threats to those assets which could lead to the loss in confidentiality, availability or integrity of the asset.

4) For each of the identified threats, identify the vulnerabilities which can be exploited by the threat. It is very important that everyone involved in the risk assessment (which may well be all asset owners) is very clear of the definition of a threat (e.g. malicious code) as opposed to the vulnerability (e.g. lack of regularly updated virus protection software).

5) Assess the levels of business impact which could potentially arise from the loss of confidentiality, availability or integrity of the assets as defined in point 2 above.

6) Assess the likelihood of occurrence of the threat, and the level of vulnerability. This will yield the likelihood of a particular threat exploiting a particular vulnerability and impacting the confidentiality, availability or integrity of a particular asset, known as the Risk of Exposure.

7) Estimate the level of risk based on the level of business impact and the risk of exposure.

8) Identify those risks which fall outside the criteria stipulated by management, as input into the risk treatment plan.

Risk Treatment Plan

The risk treatment plan is the immediate output of the risk assessment. It defines how, based on the criteria established by senior management, each risk is to be handled. The options are to:

1) Knowingly accept the risk as it falls within the organisation's "risk appetite"; in other words, management deem the risk acceptable compared to the cost of improving controls to mitigate it;

2) Implement a suitable control or combination of controls to reduce (mitigate) the risk to a more acceptable level. Controls may be selected from the best practices defined in ISO 17799 and/or from other sources;

3) Avoid the risk, i.e. do not undertake the associated business activity;

4) Transfer the risk to another organisation (e.g. through insurance or by contractual arrangements with a business partner).
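The eight assessment steps above and the four treatment options can be carried out on a small register in code. The following is an added example, not code from the page or from ISO 27001 itself: it records assets with owners and impact ratings (steps 1, 2 and 5), keeps threats separate from the vulnerabilities they exploit (steps 3 and 4), combines likelihood and vulnerability level into a risk of exposure (step 6), derives a risk level from exposure and impact (step 7), and flags everything above the management criterion for treatment (step 8), applying one of accept, mitigate, avoid or transfer. The 1-to-3 scales, combining scores by multiplication, the appetite threshold of 6, and all asset, owner and threat names are constructed assumptions; ISO 27001 requires that the chosen method be documented and evidenced, not that it be this one.

```python
"""Qualitative risk assessment and risk treatment plan following the steps above.

Added example, not code from the page or from any ISO publication. All numbers are
assumptions: the 1-3 rating scales, combining scores by multiplication, and the
management risk appetite of 6."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TREATMENTS = ("accept", "mitigate", "avoid", "transfer")   # the four options

@dataclass
class Asset:                              # steps 1 and 2
    name: str
    owner: str                            # accountable for the asset's C, I and A
    impact: Dict[str, int]                # business impact of losing C/I/A, 1 (low) .. 3 (high)

@dataclass
class Scenario:                           # steps 3, 4 and 6
    asset: str
    threat: str                           # what could happen, e.g. malicious code
    vulnerability: str                    # the weakness the threat would exploit
    affects: Tuple[str, ...]              # which of "C", "I", "A" the scenario can hurt
    likelihood: int                       # chance the threat occurs, 1 .. 3
    vuln_level: int                       # how exploitable the weakness is, 1 .. 3

@dataclass
class Risk:                               # one register entry
    asset: str
    owner: str
    threat: str
    vulnerability: str
    property: str                         # "C", "I" or "A"
    impact: int
    exposure: int
    level: int
    treatment: str = "UNDECIDED"

def risk_of_exposure(likelihood: int, vuln_level: int) -> int:
    """Step 6: likelihood that this threat exploits this vulnerability (assumed: product)."""
    return likelihood * vuln_level

def risk_level(impact: int, exposure: int) -> int:
    """Step 7: level of risk from business impact and risk of exposure (assumed: product)."""
    return impact * exposure

def assess(assets: List[Asset], scenarios: List[Scenario]) -> List[Risk]:
    """Steps 5 to 7: one register entry per scenario and affected property."""
    by_name = {a.name: a for a in assets}
    register = []
    for s in scenarios:
        a = by_name[s.asset]              # KeyError here means an asset nobody owns
        exposure = risk_of_exposure(s.likelihood, s.vuln_level)
        for prop in s.affects:
            impact = a.impact[prop]
            register.append(Risk(a.name, a.owner, s.threat, s.vulnerability, prop,
                                 impact, exposure, risk_level(impact, exposure)))
    return register

def treatment_plan(register: List[Risk], appetite: int,
                   decisions: Dict[Tuple[str, str], str]) -> List[Risk]:
    """Step 8 and the treatment options: risks at or below the appetite are accepted;
    anything above needs a management decision keyed by (asset, threat), else UNDECIDED."""
    for r in register:
        if r.level <= appetite:
            r.treatment = "accept"
        else:
            choice = decisions.get((r.asset, r.threat), "UNDECIDED")
            r.treatment = choice if choice in TREATMENTS[1:] else "UNDECIDED"
    return register

def undecided(register: List[Risk]) -> List[Tuple[str, str, str]]:
    """Entries still awaiting a management decision before the plan is complete."""
    return [(r.asset, r.threat, r.property) for r in register if r.treatment == "UNDECIDED"]

ASSETS = [                                # constructed sample data, fictional organization
    Asset("customer database", "Head of Sales", {"C": 3, "I": 3, "A": 2}),
    Asset("public web site", "Marketing Manager", {"C": 1, "I": 2, "A": 2}),
    Asset("legacy FTP upload service", "IT Operations Manager", {"C": 2, "I": 2, "A": 1}),
]
SCENARIOS = [
    Scenario("customer database", "malicious code", "antivirus signatures not kept current",
             ("C", "I", "A"), likelihood=3, vuln_level=2),
    Scenario("customer database", "backup tape lost in transit", "tapes not encrypted",
             ("C",), likelihood=1, vuln_level=3),
    Scenario("public web site", "denial of service", "no capacity headroom at hosting provider",
             ("A",), likelihood=1, vuln_level=2),
    Scenario("legacy FTP upload service", "credential interception", "passwords sent in clear text",
             ("C", "I"), likelihood=3, vuln_level=3),
]
APPETITE = 6                                                     # assumed management criterion
DECISIONS = {                                                    # assumed management decisions
    ("customer database", "malicious code"): "mitigate",         # e.g. managed signature updates
    ("customer database", "backup tape lost in transit"): "transfer",   # e.g. insured courier
    ("legacy FTP upload service", "credential interception"): "avoid",  # decommission the service
}

def run_example() -> List[Risk]:
    """Assess the sample register and apply the sample decisions."""
    return treatment_plan(assess(ASSETS, SCENARIOS), APPETITE, DECISIONS)
```

Running `run_example()` yields seven register entries: the malicious code scenario scores 18/18/12 against the customer database and is mitigated, the lost tape scores 9 and is transferred, the denial of service scores 4 and falls inside the appetite, and the cleartext credential scenario scores 18 on both confidentiality and integrity and is avoided by retiring the service. A risk above the appetite with no recorded decision is left marked UNDECIDED rather than defaulting to acceptance, which is exactly the gap an assessor checking step 8 would want to see surfaced.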

Asset Owner

The asset owner is the person or group of people who have been identified by management as having responsibility for the maintenance of the confidentiality, availability and integrity of that asset. The asset owner may change during the lifecycle of the asset.

The owner does not normally or necessarily personally own the asset. In most cases the employing organisation, its customers or suppliers will be the entity with property rights to the asset.

ISO 17799 and information security awareness

by Gary Hinson.

Security awareness is very much an integral part of an ISO 17799-compliant information security management system. A recurring theme throughout the standard is that people in an organization must be made aware of the security policies, procedures and control requirements that they are expected to uphold.

ISO 17799:2005 section 8.2.2 (Information security awareness, education and training) is the most directly relevant section, recommending that “All employees of the organization and, where relevant, contractors and third parties should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function”. It goes on to recommend “a formal induction process” and “ongoing training”. It suggests the need to educate employees on known threats and who to contact in the event of a security incident.

As with many other important topics, ISO 17799’s coverage of security awareness is not limited to this one section but is distributed throughout the text:
- Information security awareness, training and education is one of seven common practice controls listed in section 0.6 (Information security starting point);
- In section 0.7 (Critical success factors), “Effective marketing of information security to all managers, employees, and other parties to achieve awareness” and “providing appropriate awareness, training, and education” are two of the ten critical success factors;
- Section 5.1.1 (Information security policy document) acknowledges that raising security awareness and informing employees about management requirements is an important function of policies;
- Section 6.1.1 (Management commitment to information security) tells management to “initiate plans and programs to maintain information security awareness”;
- Section 6.1.2 (Information security co-ordination) says one of the duties of the information security management/co-ordination function is to “effectively promote information security education, training and awareness throughout the organization”;
- Section 6.2.1 (Identification of risks related to external parties) notes “It should be ensured that the external party is aware of their obligations, and accepts the responsibilities and liabilities involved in accessing, processing, communicating, or managing the organization’s information and information processing facilities”;
- Section 6.2.3 (Addressing security in third party agreements) recommends “ensuring user awareness for information security responsibilities and issues”. It further recommends “user and administrator training in methods, procedures, and security”;
- The control objective stated in section 8.2 ([Human resources security] during employment) is “To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error”. It continues “An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks.”;
- Section 8.2.1 (Management responsibilities) advises management to ensure that employees, contractors and third party users “achieve a level of awareness on security relevant to their roles and responsibilities within the organization” [because] “If employees, contractors and third party users are not made aware of their security responsibilities, they can cause considerable damage to an organization. Motivated personnel are likely to be more reliable and cause less information security incidents”;
- Section 9.2.7 (Removal of property) says “Individuals should be made aware if spot checks are carried out”;
- Section 10.4 (Protection against malicious and mobile code) says very directly that “Users should be made aware of the dangers of malicious code. Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented”;
- Section 10.8.1 (Information exchange policies and procedures) warns “Information could be compromised due to lack of awareness, policy or procedures on the use of information exchange facilities”;
- Section 11.3 (User responsibilities) states that “The co-operation of authorized users is essential for effective security. Users should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment”;
- Section 11.3.2 (Unattended user equipment) recommends “All users should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection”;
- Section 11.7.1 (Mobile computing and communications) says “Training should be arranged for personnel using mobile computing to raise their awareness on the additional risks resulting from this way of working and the controls that should be implemented”;
- Section 12.6.1 (Control of technical vulnerabilities) states “if no patch is available, other controls should be considered, such as ... raising awareness of the vulnerability”;
- The control objective in section 13.1 (Reporting information security events and weaknesses) mentions that “All employees, contractors and third party users should be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of organizational assets”;
- Section 13.1.1 (Reporting information security events) continues “All employees, contractors and third party users should be made aware of their responsibility to report any information security events as quickly as possible. They should also be aware of the procedure for reporting information security events and the point of contact”. It also notes that “information security incidents can be used in user awareness training”;
- “Appropriate education of staff in the agreed procedures and processes, including crisis management” is one of the purposes of continuity plans listed in section 14.1.3 (Developing and implementing continuity plans including information security);
- Section 14.1.4 (Business continuity planning framework) advises that a BCP framework should include, amongst other things, “awareness, education, and training activities which are designed to create understanding of the business continuity processes and ensure that the processes continue to be effective”;
- Section 15.1.2 (Intellectual property rights) includes the guideline “maintaining awareness of policies to protect intellectual property rights”;
- Section 15.1.4 (Data protection and privacy of personal information) notes “Responsibility for handling personal information and ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulations”;
- Section 15.1.5 (Prevention of misuse of information processing facilities) advises that “All users should be aware of the precise scope of their permitted access and of the monitoring in place to detect unauthorized use”.

However you look at it, information security awareness is an essential component of an ISO 17799-compliant information security management system.