Search in ISMS Guides


Sunday, July 6, 2008

ISMS Auditing Guideline [ Pdf File ]

This guideline has been written by members of the ISO27k Implementers' Forum, an international online community of neatly 1,000 practitioners actively using the ISO/IEC 27000-family of Information Security Management System (ISMS) standards known colloquially as "ISO27k", and base at Our primary aim is to contribute to the development of the new standard ISO/IEC 27007 by providing what we, as experienced ISMS implementers and IT/ISMS auditors, believe is worthwhile content. A secondary aim to provide a pragmatic and useful guideline for those involved in auditing ISMSs.

At the time of first writing this guideline (February-March 2008). ISO/IEC 27007 is currently at the first Working Draft stage ("ISO/IEC WD 27007") and has been circulated to ISO member bodies for study and comment by March 14 2008. Its working title is "Information Technology - Security techniques - Guidelines for information security management systems auditing".

The Proposed outline structure of ISO/IEC WD 27007 is presently as follows:
- Foreword and introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Principles of auditing
5. Managing an audit programme
6. Audit activities
7. Competence and evaluation of auditors
- Bibliography

In the proposed structure, section 6 should presumably explain how to go about auditing an ISMS. The current working draft has headings for a guide to audit process but little content on the actual audit tests to be performed, although in section 6.3.1 it identifies a list of items that are required by ISO/IEC 27001 and says that "Auditors should check that all these documents exist and conform to the requirements in ISO/IEC 27001"2005". This is probably the most basic type of ISMS audit test: are the specified ISMS documents present? We feel that a generic ISMS audit checklist (often called an "Internal Controls Questionnaire" by IT auditors) would be a very useful addition to the standard and producing one was a key aim of this guideline - in fact we have produced two (see the appendices). We also aim to contribute content draft 27007 and hope to track its development through future revisions.

Thursday, July 3, 2008

ISO/IEC 27005 Information technology -- Security techniques -- Information security risk management

This standard was published in June 2008.

“ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.”

ISO/IEC 27005 revises the Management of Information and Communications Technology Security (MICTS) standards ISO/IEC TR 13335-3:1998 plus ISO/IEC TR 13335-4:2000.
Some personal comments on ’27005

[These are just my personal perspective. They inevitably reflect my own prejudices and limited experience with information security risk management.]

At around 60 sides, ISO/IEC 27005 is a heavyweight standard although the main part is just 24 pages, the rest being mostly annexes with examples and further information for users. There is quite a lot of meat on the bones, reflecting the complexities in this area.

Although the standard defines risk as “a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event”, the risk analysis process outlined in the standard indicates the need to identify information assets at risk, the potential threats or threat sources, the potential vulnerabilities and the potential consequences (impacts) if risks materialize. Examples of threats, vulnerabilities and impacts are tabulated in the annexes; although incomplete, these may prove useful for brainstorming risks relating to information assets under evaluation. It is clearly implied that automated system security vulnerability assessment tools are insufficient for risk analysis without taking into account other vulnerabilities plus the threats and impacts.

The standard includes a section and annex on defining the scope and boundaries of information security risk management which should, I guess, be no less than the scope of the ISMS.

The standard deliberately remains agnostic about quantitative and qualitative risk assessment methods, essentially recommending that users choose whatever methods suit them best, and noting that they are both methods of estimating, not defining, risks. Note the plural - 'methods' - the implication being that different methods might be used for, say, a high-level risk assessment followed by more in-depth risk analysis on the high risk areas. The pros and cons of quantitative vs qualitative methods do get a mention.

The steps in the process are (mostly) defined to the level of inputs -> actions -> outputs, with additional “implementation guidance” in similar style to ISO/IEC 27002.

The standard incorporates some iterative elements e.g. if the results of an assessment are unsatisfactory, you loop-back to the inputs and have another run through. For those of us who think in pictures, there are useful figures giving an overview of the whole process and more detail on the risk assessment -> risk treatment -> residual risk bit.

AMS9000 Audit Management Software

The value of information within an organisation is enormous. But there are lots of threats that put this value at risk. How to protect it best? Typically individual solutions are used to respond to specific threats. However, to be successful you need a framework for information security. This is a management system as it is described in ISO 17799 and BS 7799. It allows to integrate individual solutions into one concept.

The PDCA model is already used in other management systems like quality management. And it works fine within the information security management system (ISMS):

* Plan: Establish the information security management system (ISMS).
* Do: Implement and operate the ISMS.
* Check: Monitor and review the ISMS.
* Act: Maintain and improve the ISMS.

Close the gaps with AMS9000 and protect the value of your information

AMS9000 assists you in establishing and maintaining your ISMS

As part of the JKT9000 family of management software modules, AMS9000 is the audit management software. This programme is designed to handle all aspects of an internal audit programme, from planning audits to the follow-up of corrective actions against deficiencies found.

AMS9000 can be used to verify compliance with any kind of standards including ISO 17799 or ISO 27001. Further you can use it to audit e.g. your quality management system (ISO 9000) or your environmental management system (ISO 14000).
The Workflow of the AMS9000-Navigator, ISMS Audit Software

AMS9000 uses a Navigator which includes a brief workflow of the steps being subject to audit management. To enter any of these steps the users just clicks the icon.
audi tmanagement software

Functions of AMS9000, Audit Management Software

* maintains the audit schedule, checklist preparation and all audit info.
* allows to enter own checklist items and/or text directly from own procedures.
* comes with checklist requirements derived directly from the 1994 and 2000 ISO9001 Standards
* stores pending files for follow-up items to be considered in future audits
* allows to take containment, corrective and preventive actions against deficiencies found in the audit
* tracks all nonconformances, including actions and verification
* comprises reports covering trend analysis and audit summaries and 'reminder' reports to track corrective action and implementations.
* Field names of the screens can be altered to suit your individual company language.
* provides user-definable fields.
* all users get their information relevant to their needs by email.

Reports in AMS9000, Audit Management Software

All reports mentioned below can be filtered by further criteria to meet the user's information needs.

* audit schedules
* audit history report
* print checklists
* internal audit Corrective Action Summary
* supplier audit Corrective Action Summary
* Corrective Actions not responded to yet
* NCs vs. ISO clause x-tab
* past due Corrective Action responses
* pending Corrective Action implementations.

Next to these standard system reports which might cover the basic needs the user has the option to create 'custom reports'.

When printing Corrective Action reports, there are the following options:

* prints Corrective Action Request on a single page
* prints Corrective Action Request on 3 pages minimum, but expands as required
* prints Corrective Action Request summary and attaches all activity logs.
* prints Corrective Action Request summary and attaches all subcase activity.
* prints blank page for manual use
* completed Corrective Action Request form shows more details on one page
* Corrective Action Request 7 Step (Chrysler) Style form
* Corrective Action Request 8D style single page form.

Module types of AMS9000, Audit Management Software

* Standalone & LAN Configurations
* WAN & Client Server Configurations
* Web-based Configuration

The standards ISO 17799/ISO27001 and BS 7799

ISO 17799 (ISO 27001 or BS 7799-1) is a code of practice for information security management. It gives recommendations for information security management, i.e. for initiating, implementing or maintaining security. ISO 17799 provides a comprehensive set of controls comprising best practices in information security. It is intended to provide a common basis for developing organisational security standards and effective security management practice. It provides recommendations and guidance that usually an organisation should address. This means that an organisation is requested to go ahead from this starting point or common basis. This has to be kept in mind when using general checklists to audit an ISMS. The specifics of an organisation always have to shine through the design of the ISMS including the audit checklist and audit procedures.

BS 7799-2 is concerned with the management system. The standard mentions four major areas:

* Information Security Management System (ISMS)
* Management Responsibility
* Management Review
* ISMS Improvement

Benefits for your information security management system

AMS9000 is an audit software tool to audit an information security management system. It supports the entire audit process.

It can be used to audit compliance with standards such as ISO 17799 / ISO 27001 and BS 7799.

Further benefits are:

* AMS9000 kann zum Auditieren nach ISO 17799 / SO 27001, BS 7799 und anderer Standards zur Informationssicherheit benutzt werden. Darüber hinaus kann es für andere Audit benutzt werden, wie sie etwa aus dem Qualitätsmanagement bekannt sind. Sie brauchen nicht für jeweils verschiedene Audits eine andere Auditsoftware.
* AMS9000 can be used to audit against ISO 17799 and BS 7799 or any other information security management standard. However, it can be used for other audits as well known from quality management. You do not need a different audit tool for each kind of audit.
* Get evidence of conformance with ISO 17799 or whatever checklist you apply. This can be helpful when you like to register to BS 7799 part 2.
* Efficient and quick analysis and report significantly reduces time and resources necessary.
* Low training needs through ease to use and intuitive handling of the software.
* Management of corrective actions assists you in improving your information security management.

AMS9000, Audit Management Software, is developed by

auditmanagement software

Monday, June 30, 2008

ISO 27001 Certification FAQ

What is certification?
ISO/IEC 27001 certification is the process by which an organization’s ISMS is examined against the ISO/IEC 27001 specification by an accredited certification body.

What is a certification body?
A certification body (also called a registration body, assessment and registration body, or registrar) is a third party that assesses and certifies that the ISMS of an organization meets the requirements of the standard.

Who accredits certification bodies?
Accreditation organizations accredit the competence of certification bodies to perform services in the areas of product and management system approval. These accreditation organizations are often, but not always national in scope.

What is the certification process?
The certification process includes:

1. Part 1 audit (also known as a desktop audit). Here the CB auditor examines the pertinent documentation.
2. Taking action on the results of the part 1 audit.
3. Part 2 audit (on site audit). Here the CB sends an audit team to examine your implementation of the reviewed, documented ISMS.
4. Correction of audit findings. Agreeing to a surveillance schedule.
5. Issuance of certificate. (Depending on the CB this can take a few weeks to several months.)

Following initial certification, the ISMS is subject to surveillance as specified by the CB, and then requires re-certification after three years.



Contrary to common belief, certification is applicable against ISO 27001, rather than ISO 17799. The certification itelf is international, in that National Accreditation Bodies have a mutual recognition model in place enabling certifications granted in one territory to be recognized in another. Clearly, this is essential for an international standard.

Common reasons to seek certification include: Organisational assurance; trading partner assurance; Competitive advantage (market leverage); reduction or elimination of trade barriers; reduced regulation costs; and so on.

To meet the certification requirements, an organization's ISMS must be audited by a 'Certification Body' (or strictly speaking, an assessor who works for a Certification Body). There is a clear segregation of dutues here: the assessor must be independent of consultancy and training.

A Certification Body must have been accredited by the National Accreditation Body for the territory in question (eg: UKAS in the UK). This helps ensure that the Certification Bodies meet national and international standards for their services, and ensure consistency. In respect to ISO 27001, this is typically a document called EA-7/03 (‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’).

The following diagram may clarify this process:

Different certification bodies tend to adopt slightly different approaches to the exercise, with some being more 'hands on' than others. However, the following six step process is a fairly common one:

1 - Questionnaire (the Certification Body obtains details of your requirements)
2 - Application for Assessment (you complete the application form)
3 - Pre-assessment Visit or a ‘Gap Analysis’ (optional).
4 – The Stage 1 Audit (a ‘Document Review’). This is the first part of the audit proper.
5 - The Stage 2 Audit (otherwise called the ‘Compliance Audit’)
6 – Ongoing Audits

Monday, June 9, 2008

How to apply ISO 27002 to PCI DSS compliance

This tip is part of's Compliance School lesson, Building a risk-based compliance program. Visit the Building a risk-based compliance program main page for related materials, or check out the Security School Course Catalog for more learning content.

The PCI Data Security Standard (PCI DSS) consists of 12 mandatory high-level requirements for all organizations that store, transmit, or process payment cards. These 12 requirements are further subdivided into sections, describing activities that organizations must engage in while managing their networks, administering their systems, and, in general protecting the payment card data with which they have been entrusted.

While PCI DSS details compliance requirements in most areas, its directives make only passing reference (if at all) to an overall security framework into which the required actions must fit. If organizations simply follow the PCI DSS blindly, they may not achieve the overall security goals.

ISO 27002, also known as ISO 17799, is a security standard of practice. In other words, it is a comprehensive list of security practices that can be applied -- in varying degrees -- to all organizations. The benefit of such a standard to organizations attempting to comply with the PCI-DSS is twofold. First, it provides a framework that allows organizations to achieve their PCI security goals along with those from other sources, like industry or governmental regulations. Second, it provides guidance on how to fit some of PCI's governance and policy requirements into an organization's compliance program.

For example, ISO 27002 discusses the necessity of involving business, management, human resources and technology representatives in the security program. It also provides references for high-level policies for important areas such as data classification, data handling and access control. While PCI DSS describes specific technical practices and organizational activities, it doesn't talk about the overall program in which these activities exist or the specific policies that require these activities.

When a company establishes a program based on a broad standard like ISO 27002, it can treat the PCI-DSS requirements as a subset of those required by the ISO. Further, a program structured according to ISO 27002 will require organizations to employ critical support systems required by many regulations (and PCI DSS in particular). For example, ISO 27002 requires change control in network administration, system configuration, policy management, procedure management and software development. PCI DSS calls out the need for accurate diagrams and documentation for its network and systems as well as change control processes to ensure discipline in administration of the PCI DSS-related components.

ISO 27002's broad requirements for change control associated with all aspects of administration encourage a consistent approach across an enterprise. This kind of approach, when applied to PCI DSS, would help improve both the consistency, effectiveness and efficiency of change control across a company and increase the likelihood that an auditor would find a company's practices acceptable.

Another benefit of combining the structure of ISO 27002 and the specific requirements of PCI DSS is that the PCI DSS helps organizations define three of the most challenging aspects of ISO compliance: scope of compliance, data classification and data handling. Armed with these constraining requirements, organizations can define policies and procedures that are consistent with best practice as specified by ISO and directly address PCI DSS compliance. For example, PCI DSS defines what aspects of credit card data are sensitive. It describes access control requirements for credit card information, encryption requirements for transmission and storage, and even the testing necessary to verify effectiveness of controls. These specific requirements allow organizations to state how systems must be configured, how employees must treat data and how an organization monitors the effectiveness of its controls.

A growing number of organizations are building security programs according to standard frameworks like ISO 27002. These frameworks are allowing organizations to factor compliance with multiple regulations and contracts into their security programs in a consistent and effective manner.

The beauty of using the ISO standard with specific regulations is that the regulations fill in the necessary details that the framework lacks while the framework provides structure to address multiple sets of requirements consistently. The two concepts work hand in hand and provide effectiveness, efficiency and auditability.

About the author:
Richard E. "Dick" Mackey is regarded as one of the industry's foremost authorities on security and compliance. He is a frequent speaker and contributor to magazines and online publications. He has advised leading financial firms on compliance with PCI, GLBA and SOX. He has also provided guidance to a wide range of companies on enterprise security architectures, identity and access management and security policy and governance.

New Risk Assessment Tool for ISO27001 Consultants Simplifies and Accelerates Compliance Process for Clients

Following the successful launch of the vsRisk ISO27001 compliance tool at Infosecurity Europe 2007, Vigilant Software has launched a complementary software tool for IT consultants and information security specialists. vsRisk Consultant Edition (vsRCE) is a powerful new software product that will enable information security consultants to deploy vsRisk as their preferred risk assessment tool in up to 10 different clients.

Targeted at specialist consultants dealing with ISO27001 compliance, vsRCE is an affordable and intuitive risk assessment management tool for the IT consultant community that allows consultants the ability to directly support their clients' risk assessment activity from an off-site location. vsRCE allows clients to create and export risk assessment files that can be analysed on the consultants' own workstations or laptops, and then re-imported into the client's own software.

vsRCE allows IT consultants to manage up to ten separate risk assessments or risk assessment in up to ten different organisations, each of which must have purchased its own copy of vsRisk. By working in harmony with its sister application vsRisk, vsRCE will dramatically reduce the time and effort it takes for companies to achieve ISO27001 compliance, transferring an important element of the work to the consultant and ensuring that the work of the project team can be monitored more closely.

In addition to supporting ISO/IEC27001, vsRCE supports ISO/IEC27002 (17799); complies with BS7799-3:2006; conforms to ISO/IEC TR 13335-3:1998 and NIST SP 800-30; and complies with the UK's Risk Assessment Standard.

Vigilant Software is a joint venture between IT Governance Limited, the one-stop-shop for books, tools and information on ISO27001 compliance, and Top Solutions (UK) Limited, an award-winning developer of risk management software tools.

Alan Calder, Chief Executive of IT Governance, commented, "vsRCE is the perfect complement to vsRisk and offers a major enhancement to vsRisk users. By employing a consultant who uses vsRCE, companies can simplify and speed the process of achieving ISO27001 compliance. For consultants, it offers a means of providing greater added value and is therefore a powerful competitive advantage."


Saturday, January 19, 2008

Information Security Management Risks

By Anna Woodward

Of course, it is always clear that “risk” is a possibility that something unsuitable happens. What is not clear is how probable it is, what nature it has, and what harm it can do to an organization.

Betting on some event means the chance of financial loss: the unsuitable outcome. To decide if we want to take on this risk means calculating the chances of winning or the odds of losing. We can implement measures to reduce the chance of the danger, and put strategies in place to handle possible unpleasant outcomes.

Information security management is being aware of all elements involved in a specific risk and their relationship with your enterprise (company, web presence, etc). This is an essential basis for calculating the risk. Knowing about the threat means being able to assess it: we can choose if we want to accept it, wait and see, or plainly avoid taking it at all.

In the field of information security management, professionals should answer four main questions:

1. What can happen (threat)? Client private information (especially, but not only, credit card numbers) can be stolen through an insecure network, through cracked passwords, through flawed cryptography or through non-dependable employees.

Web-pages can be hacked and inappropriate content could be displayed. Business processes could be disrupted through web-attacks, blocking the normal operations of the company.

Identifying risk spots is the primary task for information security management professionals. Normally, due to the technical background of most professionals, there is a bias for focusing on technical problems. In fact, there are often a myriad of possibilities of attacking a computer system.

2. How bad can it get (impact)? Companies are responsible for keeping private information secure. Negligence in keeping this information secure can result in costly claims. Revealing intellectual property through negligence in security can result in an unduly competitive disadvantage.

The company’s reputation can be seriously damaged. Cash-flow can drop the entire time of a web-attack on the servers of the company and usually, for some time after the fact.

3. How often can it happen (frequency)? The short answer is: much more often than you believe. The absence of bad news in the newspapers should not allow you to a false sense of security.

Sometimes the victim doesn’t know that the company has been hacked. Of course, if some credit card has been charged without authorization, the holder will demand a refund. However, it is not always clear where the flaw in the security exists.

In some further cases, intellectual property of a company has been illegally copied and is used without consent. The lawful owner will in many cases not even have a hint of this problem.

4. How dependable are the answers to these three questions (uncertainty)? Although you can be sure that the risk exists, there is no simple way of calculating how often it happens. You can be sure that it happens, you cannot know when and where.

Consider the safety of your company’s virtual data, and have the flaws assessed by an information security management professional. If you take a “wait and see” approach, you risk an attack on your company’s documentation, private information databases, and perhaps, intellectual property.

Excel Partnership, Inc. wants to help your company review your information security management and tailor programs to secure your virtual data. Visit for more information on preventing attack on your documentation, private information databases, and intellectual property.


Managing Risk in Information Technology

As information technology increasingly falls within the scope of corporate governance, so management must increasingly focus on the management of risk to the achievement of its business objectives.

There are two fundamental components of effective management of risk in information and information technology: the first relates to an organization’s strategic deployment of information technology in order to achieve its corporate goals, the second relates to risks to those assets themselves. IT systems usually represent significant investments of financial and executive resources. The way in which they are planned, managed and measured should therefore be a key management accountability, as should the way in which risks associated with information assets themselves are managed.

Clearly, well managed information technology is a business enabler. Every deployment of information technology brings with it immediate risks to the organization and, therefore, every director or executive who deploys, or manager who makes any use of, information technology needs to understand these risks and the steps that should be taken to counter them.

ITIL has long provided an extensive collection of best practice IT management processes and guidance. In spite of an extensive range of practitioner-orientated certified qualifications, it is not possible for any organization to prove - to its management, let alone an external third party - that it has taken the risk-reduction step of implementing best practice.

More than that, ITIL is particularly weak where information security management is concerned - the ITIL book on information security really does no more than refer to a now very out-of-date version of ISO 17799, the information security code of practice.

The emergence of the international IT Service Management ISO 27001 and Information Security Management (ISO20000) standards changes all this. They make it possible for organizations that have successfully implemented an ITIL environment to be externally certificated as having information security and IT service management processes that meet an international standard; organizations that demonstrate - to customers and potential customers - the quality and security of their IT services and information security processes achieve significant competitive advantages.

Information Security Risk

The value of an independent information security standard may be more immediately obvious to the ITIL practitioner than an IT service management one. The proliferation of increasingly complex, sophisticated and global threats to information security, in combination with the compliance requirements of a flood of computer- and privacy-related regulation around the world, is driving organizations to take a more strategic view of information security. It has become clear that hardware-, software- or vendor-driven solutions to individual information security challenges are, on their own, dangerously inadequate. ISO/IEC 27001 (what was BS7799) helps organizations make the step to sytematically managing and controlling risk to their information assets.

IT Process Risk

IT must be managed systematically to support the organization in achieving its business objectives, or it will disrupt business processes and undermine business activity. IT management, of course, has its own processes - and many of these processes are common across organizations of all sizes and in many sectors. Processes deployed to manage the IT organization itself need both to be effective and to ensure that the IT organization delivers against business needs. IT service management is a concept that embraces the notion that the IT organization (known, in ISO/IEC 20000Regulatory and Compliance Risk

All organizations are subject to a range of information-related national and international legislation and regulatory requirements. These range from broad corporate governance guidelines to the detailed requirements of specific regulations. UK organizations are subject to some, or all, of:

- Combined Code and Turnbull Guidance (UK)
- Basel2
- EU data protection, privacy regimes
- Sectoral regulation: FSA (1) , MiFID (2) , AML (3)
- Human Rights Act, Regulatation of Investigatory Powers Act
- Computer misuse regulation

Those organizations with US operations may also be subject to US regulations such as Sarbanes Oxley and SEC regulations, as well as sectoral regulation such as GLBA (4), HIPAA (5) and USA PATRIOT Act. Most organizations are possibly also subject to US state laws that appear to have wider applicability, including SB 1386 (California Information Practice Act) and OPPA (6) . Compliance depends as much on information security as on IT processes and services.

Many of these regulations have emerged only recently and most have not yet been adequately tested in the courts. There has been no co-ordinated national or international effort to ensure that many of these regulations - particularly those around personal privacy and data protection - are effectively co-ordinated. As a result, there are overlaps and conflicts between many of these regulations and, while this is of little importance to organizations trading exclusively within one jurisdiction, the reality is that many enterprises today are trading on an international basis, particularly if they have a website or are connected to the Internet.

Management Systems

A management system is a formal, organized approach used by an organization to manage one or more components of their business, including quality, the environment and occupational health and safety, information security and IT service management. Most organizations - particularly younger, less mature ones, have some form of management system in place, even if they’re not aware of it. More developed organizations use formal management systems which they have certified by a third party for conformance to a management system standard. Organizations that use formal management systems today include corporations, medium- and small-sized businesses, government agencies, and non-governmental organizations (NGOs).

Standards and Certifications

Formal standards provide a specification against which aspects of an organization’s management sytsem can be independently audited by an accredited certification body and, if the management system is found to conform to the specification, the organization can be issued with a formal certificate confirming this. Organizations that are certificated to ISO 9000 will already be familiar with the certification process.

Integrated Management Systems

Organizations can choose to certify their management systems to more than one standard. This enables them to integrate the processes that are common - management review, corrective and preventative action, control of documents and records, and internal quality audits - to each of the standards in which they are interested. There is already an alignment of clauses in ISO 9000, ISO 14001 (the environmental management system standard) and OHSAS 18001 (the health and safety management standard) that supports this integration, and which enables organizations to benefit from lower cost initial audits, fewer surveillance visits and which, most importantly, allows organizations to ‘join up’ their management systems.

The emergence of these international standards now enables organizations to develop an integrated IT management system that is capable of multiple certification and of external, third party audit, while drawing simultaneously on the deeper best-practice contained in ITIL. This is a huge step forward for the ITIL world.


(1) Financial Services Authority
(2) Markets in Financial Instruments Directive
(3) Anti-money laundering regulations
(4) Gramm-Leach-Bliley Act
(5) Health Insurance Portability and Accountability Act
(6) Online Personal Privacy Act

About the Author

Alan Calder is an international authority on IT Governance and information security management. He led the world’s first successful implementation of BS 7799, the information security management standard upon which ISO 27001 is based, and wrote the definitive compliance guide for this standard, IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799. The 3rd edition of this book is the basis for the UK Open University’s postgraduate course on Information Security. He has just written, for BSI, a management guide on integrating ISO 27001 and ISO 20000 Management Systems, drawing heavily on ITIL best practice. He is a consultant to companies around the world, including Cisco. as in ITIL, as the “service provider”) exists to deliver services to business users, in line with business needs, and to ensure the most cost-effective use of IT assets within that overall context. ITIL, the IT Infrastructure Library, emerged as a collection of best practices that could be used in various organizations. ISO/IEC 20000, the IT service management standard, provides a best-practice specification that sits on top of the ITIL.

Thursday, January 10, 2008

Create Your Own Security Audit

Every business, including yours, has valuable IT assets such as computers, networks, and data. And protecting those assets, requires that companies big and small conduct their own IT security audits in order to get a clear picture of the security risks they face and how to best deal with those threats.

The following are 10 steps to conducting your own basic IT security audit. While these steps won't be as extensive as audits provided by professional consultants, this DIY version will get you started on the road to protecting your own company.

1. Defining the Scope of Your Audit: Creating Asset Lists and a Security Perimeter

The first step in conducting an audit is to create a master list of the assets your company has, in order to later decide upon what needs to be protected through the audit. While it is easy to list your tangible assets, things like computers, servers, and files, it becomes more difficult to list intangible assets. To ensure consistency in deciding which intangible company assets are included, it is helpful to draw a "security perimeter" for your audit.

What is the Security Perimeter?
The security perimeter is both a conceptual and physical boundary within which your security audit will focus, and outside of which your audit will ignore. You ultimately decide for yourself what your security perimeter is, but a general rule of thumb is that the security perimeter should be the smallest boundary that contains the assets that you own and/or need to control for your own company's security.

Assets to Consider
Once you have drawn up your security perimeter, it is time to complete your asset list. That involves considering every potential company asset and deciding whether or not it fits within the "security perimeter" you have drawn. To get you started, here is a list of common sensitive assets:
  1. Computers and laptops
  2. Routers and networking equipment
  3. Printers
  4. Cameras, digital or analog, with company-sensitive photographs
  5. Data - sales, customer information, employee information
  6. Company smartphones/ PDAs
  7. VoIP phones, IP PBXs (digital version of phone exchange boxes), related servers
  8. VoIP or regular phone call recordings and records
  9. Email
  10. Log of employees daily schedule and activities
  11. Web pages, especially those that ask for customer details and those that are backed by web scripts that query a database
  12. Web server computer
  13. Security cameras
  14. Employee access cards.
  15. Access points (i.e., any scanners that control room entry)
This is by no means an exhaustive list, and you should at this point spend some time considering what other sensitive assets your company has. The more detail you use in listing your company's assets (e.g., "25 Dell Laptops Model D420 Version 2006", instead of "25 Computers") the better, because this will help you recognize more clearly the specific threats which face each particular company asset.

2. Creating a 'Threats List'

You can't protect assets simply by knowing what they are, you also have to understand how each individual asset is threatened. So in this stage you will compile an overall list of threats which currently face your assets.

What Threats to Include?
If your threat list is too broad, your security audit will end up getting focused on threats which are extremely small or remote. When deciding whether to include a particular threat on your 'Threat List' keep in mind that your test should follow a sliding scale. For example, if you are considering whether the possibility of a hurricane flooding out your servers you should consider both, how remote the threat is, but also how devastating the harm would be if it occurred. A moderately remote harm can still be reasonably included in your threat list if the potential harm it would bring is large enough to your company.

Common 'Threats' to Get you Started?
Here are some relatively common security threats to help you get started in creating your company's threat list:
  1. Computer and network passwords. Is there a log of all people with passwords (and what type). How secure is this ACL list, and how strong are the passwords currently in use?

  2. Physical assets. Can computers or laptops be picked up and removed from the premises by visitors or even employees?

  3. Records of physical assets. Do they exist? Are they backed up?

  4. Data backups. What backups of virtual assets exist, how are they backed up, where are the backups kept, and who conducts the backups?

  5. Logging of data access. Each time someone accesses some data, is this logged, along with who, what, when, where, etc.?

  6. Access to sensitive customer data, e.g., credit card info. Who has access? How can access be controlled? Can this information be accessed from outside the company premises?

  7. Access to client lists. Does the website allow backdoor access into the client database? Can it be hacked?

  8. Long-distance calling. Are long-distance calls restricted, or is it a free-for-all? Should it be restricted?

  9. Emails. Are spam filters in place? Do employees need to be educated on how to spot potential spam and phishing emails? Is there a company policy that outgoing emails to clients not have certain types of hyperlinks in them?

3. Past Due Diligence & Predicting the Future

At this point, you have compiled a list of current threats, but what about security threats that have not come on to your radar yet, or haven't even been developed? A good security audit should account not just for those security threats that face your company today, but those that will arise in the future.

Examining Your Threat History
The first step towards predicting future threats is to examine your company's records and speak with long-time employees about past security threats that the company has faced. Most threats repeat themselves, so by cataloging your company's past experiences and including the relevant threats on your threat list you'll get a more complete picture of your company's vulnerabilities.

Checking Security Trends
In addition to checking for security threats specific to your particular industry,'s recent white paper covers trends for 2007 as well as offering a regularly updated blog which will keep you abreast of all new security threat developments. Spend some time looking through these resources and consider how these trends are likely to affect your business in particular. If you're stumped you may want to Ask the IT Security Experts directly.

Checking with your Competition
When it comes to outside security threats, companies that are ordinarily rivals often turn into one another's greatest asset. By developing a relationship with your competition you can develop a clearer picture of the future threats your company will face by sharing information about security threats with one another.

4. Prioritizing Your Assets & Vulnerabilities

You have now developed a complete list of all the assets and security threats that your company faces. But not every asset or threat has the same priority level. In this step, you will prioritize your assets and vulnerabilities in order to know your company's greatest security risks, and so that you can allocate your company's resources accordingly.

Perform a Risk Calculation/ Probability Calculation
The bigger the risk, the higher priority dealing with the underlying threat is. The formula for calculating risk is:

Risk = Probability x Harm

The risk formula just means that you multiply the likelihood of a security threat actually occurring (probability) times the damage that would occur to your company if the threat actually did occur (harm). The number that comes out of that equation, is the risk that threat poses to your company.

Calculating Probability
Probability is simply the chance that a particular threat will actually occur. Unfortunately, there isn't a book that lists the probability that your website will be hacked this year, so you have to come up with those figures yourself.

Your first step in calculating probability should be to do some research into your company's history with this threat, your competitors' history, and any empirical studies on how often most companies face this threat. Any probability figure that you ultimately come up with is an estimate, but the more accurate the estimate, the better your risk calculation will be.

Calculating Harm
How much damage would a particular threat cause if it occurred? Calculating the potential harm of a threat can be done in a number of different ways. You might count up the cost in dollars that replacing the lost revenue or asset would cost the company. Or instead you might calculate the harm as the number of man-hours which would be lost trying to remedy the damage once it has occurred. But whatever method you use, it is important that you stay consistent throughout the audit in order to get an accurate priorities list.

Developing Your Security Threat Response Plan

When working down your newly developed priority list, there will be a number of potential responses you could make to any particular threat. The remaining six points in this article cover the primary responses a company can make to a particular threat. While these security responses are by no means the only appropriate ways to deal with a security threat, they will cover the vast majority of the threats your company faces, and as a result you should go through this list of potential responses before considering any alternatives.

5. Implementing Network Access Controls

Network Access Controls, or NACs, check the security of any user trying to access a network. So, for example, if you are trying to come up with a solution for the security threat of your competition stealing company information from private parts of the company's website, applying network access controls or NACs is an excellent solution.
Part of implementing effective NAC is to have an ACL (Access Control List), which indicates user permissions to various assets and resources. Your NAC might also include steps such as; encryption, digital signatures, ACLs, verifying IP addresses, user names, and checking cookies for web pages.

6. Implementing Intrusion Prevention

While a Network Access Control deals with threats of unauthorized people accessing the network by taking steps like password protecting sensitive data, an Intrustion Prevention System (IPS) prevents more malicious attacks from the likes of hackers.

The most common form of an IPS is a second generation firewall. Unlike first generation firewalls, which were merely content based filters, a second generation firewall adds to the content filter a 'Rate-based filter'.

  • Content-based. The firewall does a deep pack inspection, which is a thorough look at actual application content, to determine if there are any risks.

  • Rate-based. Second generation firewalls perform advanced analyses of either web or network traffic patterns or inspection of application content, flagging unusual situations in either case.

7. Implementing Identity & Access Management

Identity and Access Management (IAM) simply means controlling users' access to specific assets. Under an IAM, users have to manually or automatically identify themselves and be authenticated. Once authenticated, they are given access to those assets to which they are authorized.

An IAM is a good solution when trying to keep employees from accessing information they are not authorized to access. So, for instance, if the threat is that employees will steal customers credit card information, an IAM solution is your best bet.

8. Creating Backups

When we think of IT security threats, the first thing that comes to mind is hacking. But a far more common threat to most companies is the accidental loss of information. Although it's not sexy, the most common way to deal with threats of information loss is to develop a plan for regular backups. These are a few of the most common backup options and questions you should consider when developing your own backup plan:
  • Onsite storage. Onsite storage can come in several forms, including removable hard drives or tape backups stored in a fireproofed, secured-access room. The same data can be stored on hard drives which are networked internally but separated by a DMZ (demilitarized zone) from the outside world.

  • Offsite storage. Mission-critical data could be stored offsite, as an extra backup to onsite versions. Consider worst-case scenarios: If a fire occurred, would your hard-drives or digital tapes be safe? What about in the event of a hurricane or earthquake? Data can be moved offsite manually on removable media, or through a VPN (Virtual Private Network) over the Internet.

  • Secured access to backups. Occasionally, the need to access data backups will arise. Access to such backups, whether to a fireproofed room or vault, or to an offsite data center, physically or through a VPN, must be secure. This could mean issuing keys, RFID-enabled "smart pass cards", VPN passwords, safe combinations, etc.

  • Scheduling backups. Backups should be automated as much as possible, and scheduled to cause minimum disruption to your company. When deciding on the frequency of backups, be aware that if your backups aren't frequent enough to be relevant when called upon, they are not worth conducting at all.

9. Email Protection & Filtering

Each day, 55 billion spam messages are sent by email throughout the world. To limit the security risk that unwanted emails pose, spam filters and an educated workforce are a necessary part of every company's security efforts. So, if the threat you are confronting is spam emails, the obvious (and correct) response is to implement an email security and filtering system for your company.

While the specific email security threats confronting your company will determine the appropriate email protections you choose, here are a few common features:

  • Encrypt emails. When sending sensitive emails to other employees at other locations, or to clients, emails should be encrypted. If you have international clients, make sure that you use encryption allowed outside of the United States and Canada.

  • Try steganography. Steganography is a technique for hiding information discreetly in the open, such as within a digital image. However, unless combined with something like encryption, it is not secure and could be detected.

  • Don't open unexpected attachments. Even if you know the sender, if you are not expecting an email attachment, don't open it, and teach your employees to do the same.

  • Don't open unusual email. No spam filter is perfect. But if your employees are educated about common spam techniques, you can help keep your company assets free of viruses.

10. Preventing Physical Intrusions

Despite the rise of new generation threats like hacking and email spam, old threats still imperil company assets. One of the most common threats is physical intrusions. If, for example, you are trying to deal with the threat of a person breaking into the office and stealing company laptops, and along with them valuable company information, then a plan for dealing with physical intrusions is necessary.

Here are some common physical threats along with appropriate solutions for dealing with them:
  • Breaking into the office: Install a detection system. Companies like ADT have a variety of solutions for intrusion detection and prevention, including video surveillance systems.

  • Stolen laptop: Encrypt hard drive. Microsoft offers an Encrypt File System, or EFS, which can be used to encrypt sensitive files on a laptop.

  • Stolen screaming smart phones. A new service from Synchronica protect smartphones and PDAs, should they be stolen. Once protected, a stolen phone cannot be used without an authorization code. If this is not given correctly, all data is wiped from the phone and a high-pitch "scream" is emitted. Once your phone is recovered, the data can be restored from remote servers. Currently, this particular service is limited to the UK, but comparable services are available throughout the world.

  • Kids + Pets = Destruction: Prevent unauthorized access. For many small-business owners, the opportunity to work from home is an important perk. But having children and/or pets invading office space and assets can often be a greater risk that that posed by hackers. By creating an appropriate-use policy and sticking with it small business owners can quickly deal with one of their most significant threats.

  • Internal Click Fraud: Education and Blocks. Many web-based businesses run advertising such as Google AdSense or Chitika to add an extra revenue stream. However, inappropriate clicking of the ads by employees or family can cause your account to be suspended. Make employees aware of such things, and prevent the company's live website from being viewed internally.


These 10 steps to conducting your own IT Security Audit will take you a long way towards becoming more aware of the security threats facing your company as well as help you begin to develop a plan for confronting those threats. But it is important to remember that security threats are always changing, and keeping your company safe will require that you continually assess new threats and revisit your response to old ones.

For further research, visit IT Security's Security Audit Resource Center.

BS7799-2 - the ISMS concept

An idealised structured for an ISMS is shown in opposite. It shows the traditional approach to risk management augmented by the addition of a new feedback loop. In scoping the problem, BS7799-2 implies an "information-centric" view of the world, to avoid the trap of failing to take account of less obvious vulnerabilities such as people, cell phones and laptops. It further implies information policies that clearly identify the business priorities concerning information, and why, and in addition, risk assessments that identify what networks really are, not what people think they are!

Diagram of the original (1999) concept of an ISMS showing that a feedback loop is required from the step called "managing the risks" to the previous step called "perform the risk assessment".  Dr. Brewer referred to the original ISMS specification as a weak specification because this feedback loop was missing.  The 2002 revision (as in the case of the 2005 ISO/IEC standard) this feedback loop is included by adoption of the Deming cycle (plan-do-check-act).

BS7799-2 requires management to identify vulnerabilities and select the safeguards with a priority that matches the business priorities specified in the security policy. Reiteration is encouraged, choosing alternate safeguards until management is satisfied with the residual risks and costs involved. Once the chosen safeguards have been implemented, the ideal ISMS monitors their effectiveness; it does not assume that they will work as intended. Management should regularly re-appraise the situation. Even if nothing is supposed to have changed, the risk assessment should be regularly repeated (this is the new feedback loop). Management should assume, for example, that their networks have changed - most networks do with time! In any case, doubtless someone will have identified new vulnerabilities. Of course, if the business requirements have changed, there will be a need to re-scope the problem and revise the security policy accordingly.

Source :

ISMS Implementation Guide [White Paper]

ISMS Implementation Guide

Usage note
Note: The intent of this document is to help you recognize the activities related to establishing an ISMS. This document should not be considered as professional consulting for establishing or implementing an ISMS. Use of this guide does not guarantee a successful implementation nor an implementation that is ready for certification. If you want to implement an ISMS, consider hiring a professional consultant who specializes in ISMS implementation.

Table of contents
Overview of an ISMS ............................................................................................................................. 4
1 Purchase a copy of the ISO/IEC standards .................................................................................. 5
2 Obtain management support ......................................................................................................... 5
3 Determine the scope of the ISMS .................................................................................................. 7
4 Identify applicable legislation........................................................................................................ 8
5 Define a method of risk assessment............................................................................................. 9
6 Create an inventory of information assets to protect ............................................................... 12
7 Identify risks ................................................................................................................................. 13
8 Assess the risks........................................................................................................................... 14
9 Identify applicable objectives and controls ............................................................................... 16
10 Set up policy and procedures to control risks .......................................................................... 20
11 Allocate resources and train the staff......................................................................................... 21
12 Monitor the implementation of the ISMS.................................................................................... 22
13 Prepare for certification audit...................................................................................................... 23
14 Ask for help .................................................................................................................................. 24
Appendix A Documents and Records........................................................................................... 25

Overview of an ISMS
Information security is the protection of information to ensure:
• Confidentiality: ensuring that the information is accessible only to those authorized to access it.
• Integrity: ensuring that the information is accurate and complete and that the information is not
modified without authorization.
• Availability: ensuring that the information is accessible to authorized users when required.
Information security is achieved by applying a suitable set of controls (policies, processes, procedures,
organizational structures, and software and hardware functions).
An Information Security Management System (ISMS) is way to protect and manage information based on
a systematic business risk approach, to establish, implement, operate, monitor, review, maintain, and
improve information security. It is an organizational approach to information security.
ISO/IEC publishes two standards that focus on an organization’s ISMS:
• The code of practice standard: ISO/IEC 27002 (ISO/IEC 17799). This standard can be used as a
starting point for developing an ISMS. It provides guidance for planning and implementing a program
to protect information assets. It also provides a list of controls (safeguards) that you can consider
implementing as part of your ISMS.
• The management system standard: ISO/IEC 27001. This standard is the specification for an ISMS.
It explains how to apply ISO/IEC 27002 (ISO/IEC 17799). It provides the standard against which
certification is performed, including a list of required documents. An organization that seeks
certification of its ISMS is examined against this standard.
These standards are copyright protected text and must be purchased. (For purchasing information, refer to
section 1, “Purchase ISO standards.”)
The standards set forth the following practices:
• All activities must follow a method. The method is arbitrary but must be well defined and
• A company or organization must document its own security goals. An auditor will verify whether these
requirements are fulfilled.
• All security measures used in the ISMS shall be implemented as the result of a risk analysis in order
to eliminate or reduce risks to an acceptable level.
• The standard offers a set of security controls. It is up to the organization to choose which controls to
implement based on the specific needs of their business.
• A process must ensure the continuous verification of all elements of the security system through
audits and reviews.
• A process must ensure the continuous improvement of all elements of the information and security
management system. (The ISO/IEC 27001 standard adopts the Plan-Do-Check-Act [PDCA] model as
its basis and expects the model will be followed in an ISMS implementation.)
These practices form the framework within which you

Read This White Paper

Protecting your information assets

In a world where information is both the currency and the key asset of many major organisations, effective information security is well-recognised as both a business and risk management priority.

What is less well understood – in particular in an environment characterised by constant change and an ever-expanding web of critical interdependencies – is how best to achieve information security.

According to SAI Global Information Security Management Systems Program Manager, Mr Brahman Thiyagalingham: “Within many leading corporates there is a fair understanding that the failure to maintain the confidentiality of information, the integrity of information and the availability of information may present an unacceptable risk.”

According to Mr Thiyagalingham, fast-moving technology, the emergence of relatively new information-based businesses and, until recently, a lack of widely accepted information security management guidelines, has led to something of an ad hoc approach to information security management.

One common approach taken by major corporates has been to have their information security needs addressed by external consultants, who also assist with the maintenance and assessment of the systems.

“Certainly there are merits to this approach in terms of creating and implementation of a management system,” said Mr Thiyagalingham. “Where a system can fall down, however is when the management system developer and implementer is also the person who carries out regular assessments (internal audits) to determine compliance with information security objectives. If we have learned anything from some of the more spectacular collapses and corporate scandals of recent years, it is that the integrity of governance arrangements must be beyond reproach to preserve the integrity of the whole. When information integrity is such a critical resource, the same principles should apply. And, as is the case with corporate governance, meaningful assurance is best provided by independent, arm’s length assessors such as an independent accredited certification body.”

According to Mr Thiyagalingham, a number of recent developments would indicate that major corporations will soon be travelling the independent assurance route to information security.

One is the release of the most recent Standard for Information Security Management, AS/NZ 7799.2:2003, providing an internationally recognised framework for developing an effective Information Security Management System (ISMS).

“The latest release enhances the original 2000 Standard,” said Mr Thiyagalingham. “It has now been around long enough for business to be aware of it and get their heads around it. It’s an invaluable tool that can help navigate a notoriously difficult terrain. The fact that a resulting ISMS can be assessed by independent experts, and that the resulting certification is internationally recognised offers businesses major advantages that they are coming to appreciate.”

Another indicator of the growing emergence of – and demand for – certified information security management systems is its increased uptake by the telecommunications, banking, data management and public sectors.

“This will necessarily have a flow-on effect for suppliers, tenders and partnership relationships. The integrity of interdependent systems is only as sound as its weakest link: there’s no point safeguarding your own information if the next link, or the previous link, were not secure. Organisations are beginning to understand and come to grips with this fact, and to see the value of using certified ISMS' along the chain.”

Information Security Management Systems: the bare facts

The world of information security management is coming out of the too-hard basket and landing in the in-boxes of a wide range of business and other organisations.

This brief guide answers some of the more frequently asked questions about information security management systems, and outlines the steps involved in establishing an ISMS.

A more extensive fact sheet is also available from SAI Global.

Q: What types of organisations need an ISMS?

An ISMS is needed wherever inappropriate use, disposal or disclosure of organisational information may negatively impact on the privacy of customers or other stakeholders, diminish the standing of the organisation or its stakeholders, reveal critical competitor or trading partner information or cause liability under regulation or legislation.

As the availability, volume and interdependencies of information within and between different organisations expands, so does the risk of the above occurring. That’s why demand for a certified ISMS is no longer confined to information technology or records-keeping organisations: it can benefit any industry sector that is subject to risk.

Q: Which part of an organisations should take ownership of the ISMS?

The team managing and implementing an ISMS should be drawn from all levels of management identified as custodians of critical information. Although this will usually integrally involve members of the IT team, an ISMS is emphatically not the sole responsibility of IT.

Q: How do I define the scope of an ISMS?

This is a critical component of creating an effective ISMS. The first step when considering the implementation of an information security system is to define the ‘scope’ of the system. As a starting point, draw a circle around the assets you think should be included, then review what is out of scope.

The test as to scope is whether the organisations can continue operations and maintain an adequate level of security even without the entities out of scope. If this is not possible, it may be wise to rework the scope to include that entity.

The scope of an ISMS can be based around physical sites, functional units (such as IT, HR etc.) or by systems. Wherever a specific scope is drawn, the unit, site or system concerned must be able to demonstrate that they are complying with all the requirements of the broader ISMS.

For a visual explanation of this process refer to the diagram entitled, ‘Scoping your ISMS System’.

Q: How do I determine which clients and suppliers should also operate within the scope of an ISMS?

In the inextricably linked supply chain environment that defines so many business relationships, reliance and sharing of information assets is common place. Information Security Manages must then determine how these ‘partners’ fit in the ISMS equation. Essentially, the ‘scoping’ test is a matter of risk. If suppliers’ or clients’ activities come into the primary scope, the security of the information at hand is at unacceptable risk unless they too can demonstrate their compliance. The integrity of the information concerned is only as sound as the weakest link in the chain.

Q: What are the usual steps to implement an ISMS?

In the context of AS/NZS 7799.2:2003 an organisations should consider nine specific steps when implementing and ISMS. These include:

  • determining the scope of the system
  • identifying key information assets
  • conducting an asset risk assessment
  • developing a risk mitigation strategy
  • developing a Statement of Applicability
  • preparing a security policy, procedures and work instructions
  • implementing the policies and procedures and ensuring compliance
  • conducting continual maintenance and improvements on the system
  • seeking independent assessment by an ISMS accredited certification body

In operational terms these nine steps could be summarised into four documents:

  • Asset Register
  • Risk Assessment Documentation
  • Statement of Applicability
  • Security Policy

Refer to the flowchart entitled ‘ISMS: Steps to Implementation’ which outlines some of these key stages when developing and implementing an ISMS.

Want to know more?

SAI Global is Australia’s leading ISMS certification specialist. It has been accredited to deliver ISMS certification services by JAS-ANZ. To find out more about the SAI Global ISMS program, or for more detailed information about the steps involved in setting up an ISMS, including gap analysis and self evaluation, auditing, costs, copies of the particular standards involved and so forth email: or visit