RESEARCH CATALYST
Several years in the works, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) released the revised ISO/IEC 17799 information security standard on June 20, 2005. (1)
REVISED ISO/IEC 17799 PROVIDES EXPANDED GUIDANCE FOR INFORMATION SECURITY
ISO/IEC 17799 has gained broad international acceptance and recognition across industries as a framework for managing information security. However, it has not been without its issues and controversies.
The Standard Has Been Mired In Turmoil
ISO 17799 originated from BSI (British Standards Institute) 7799: Part One, Code of Practice for Information Security Management. (2) It has had a contentious history as it:
- Morphed from BSI to ISO . . . BS 7799:1 became an ISO standard in 2000 as ISO/IEC 17799:2000. The original British standard went through a fast-track approval process to expedite its standardization within ISO as part of the ISO/IEC Joint Technology Committee (JTC) 1/SC 27. Its approval stemmed primarily from overwhelming support from the UK and a number of smaller countries that did not have their own standard.
- . . . became bogged down in a revision process . . . Immediately after becoming an ISO standard, it received strong scrutiny from large countries that had competing guidance (primarily the US and Canada). In fact, six of the G7 nations voted against it (the exception being the UK). It still passed because of the support from smaller nations; thus it immediately went into a five-year revision process after the first version was accepted. (3)
- . . . but it's the most widely understood and adopted framework today. In the meantime, despite the issues identified by the large nations with competing standards, ISO/IEC 17799:2000 has received broad popularity and support from organizations and industries across the world.
Revisions Strengthen The Standard, Making It More Relevant
On June 20, 2005, ISO/IEC released the long-awaited second version of the standard, ISO/IEC 17799:2005. The revised version keeps the majority of the structure and content of the previous version but significantly expands information security guidance to provide a much more complete and well-rounded standard. The expanded guidance of ISO/IEC 17799:2005:
- Supersedes commentary with control and implementation guidance. The revised standard changed the structure of how it discusses information security guidance. While it still keeps much of the vague language, such as "should" as opposed to "thou shalt," it changes the formatting context from one of commentary to one of control and implementation. Each detailed section has a control statement followed by implementation guidance. This makes the standard more actionable, as well as relevant to today's environment focused on controls for regulatory compliance. (4)
- Pays specific attention to risk assessment. The first version of ISO/IEC 17799 left you hanging: It asserted that a risk assessment was needed to identify what portions of the standard apply to an organization but gave no guidance on how to complete one. The revised version gives more detailed guidance on risk assessment, breaks risk assessment into its own section, and references other ISO risk assessment standards. (5)
- Provides incident management guidance details. The creation of a whole new section for incident management was the biggest change in the revised standard. Previously, incident management was inadequately addressed as a section under personnel security; the revised standard has a complete section dedicated to information security incident management. It details the reporting of information security events and weaknesses; the management of information security incidents, improvements, responsibilities, and procedures; lessons learned; and the collection of evidence.
- Integrates other ISO standards. The first version of ISO/IEC 17799 was an island unto itself. It operated independently of other ISO standards that focused on security. The revised standard addresses this deficiency by mapping to other ISO/IEC security standards for more detailed guidance. In addition, the revised standard has provided consistency in the use of terms and definitions between these standards.
- Addresses security in business partner relationships. Security has changed over the past several years. While security used to be focused on perimeters and borders, security now requires paying greater attention to internal systems and business partners. The 2005 version of 17799 addresses this shift by broadening its guidance for the security of information and systems in business partner relationships. The first version covered this in a basic fashion, but the second significantly expands on guidance in this area. (6)
- Expands asset classification guidance. The revised standard significantly expands its guidance on asset management to give more detailed control and implementation guidance on the inventory, ownership, classification, labeling, handling, and acceptable use of information assets. This is critical for organizations trying to protect regulated information and intellectual property.
- Repositions personnel security as human resources security. The section on personnel security in the first version has been completely overhauled in the new version and retitled human resources security. It now provides detailed guidance on control prior to employment (e.g., screening, roles and responsibilities, terms and conditions of employment, management responsibilities, security awareness and training, disciplinary process, and termination or change in employment).
- Expands security guidance to address increased mobility. When technology changes, the information security implications must also change. When the original version of 17799 was published in 2000, the issue of mobile technology and information was just becoming a challenge, one that has grown much stronger over the past five years. The revised version addresses this by adding depth to the guidance for dealing with mobile information and technology security.
- Adds depth to audit trail and log file monitoring. Facing complex regulatory requirements, as well as legal requirements to disclose incidents involving personal information, organizations have felt the mandate for regular monitoring of audit trails and log files. Monitoring controls and implementation guidance are expanded to confront these issues in the revised standard.
- Provides guidance on technical vulnerability management. Organizations have been fighting the fires of security patch management for the past few years, so they need a defined process running from vulnerability and exposure identification to an established remediation workflow. The second version of 17799 now gives guidance on a process to help organizations reduce risks from technical vulnerabilities.
ISO/IEC Will Continue To Shore Up 17799
The ISO/IEC JTC 1/SC 27 committee that is responsible for 17799 is crafting further guidance for information security management system requirements, risk management, metrics and measurement, and implementation. These publications will be published under a new 27000 series of numbers. In 2007, what has been ISO/IEC 17799 will move to this scheme and be referred to as ISO/IEC 27002. The committee is also developing a certification standard, to be published in November 2005 under the title ISO/IEC 27001, Information Security Management System (ISMS) Requirements.
RECOMMENDATIONS
USE ISO/IEC 17799:2005: The Best Choice For A Security Framework
Information security management is moving from a reactive firefight to a collection of defined and measured processes. Faced with regulatory requirements, the challenges of securing information in a distributed environment, and complex business partner access, organizations need a security framework.
- ISO/IEC 17799:2005 is the best choice . . . Firms should use the standard for building an information security program because it provides a commonly accepted framework for security. The revisions have addressed critical areas of weakness and provided a solid standard for security, but most importantly, the new standard is the most widely understood and adopted framework. Using it will provide a consistent benchmark for an organization and its entities/business partners to communicate and establish information security controls and requirements.
- . . . but it is just a framework. The goal of ISO/IEC 17799:2005 is to provide a security architecture framework for information security management. ISO/IEC 17799:2005 provides the structure for a firm to build its program around, but firms must provide the depth of specific controls for their environments to fill in the framework. Consider 17799:2005 as the framing of a house: with it, you can see what the house looks like along with the rooms, but it is up to you to put in the drywall, carpeting, plumbing, and woodwork.
WHAT IT MEANS
Other Standards Are Going to Be Hard-Pressed to Find Supporters
Before the revision, 17799 was already the most common security framework in use across industries and geographies. While one may find other security standards (e.g., ISF Standard of Good Practice) that offer equally relevant or perhaps clearer guidance, they have not been as widely adopted or supported as 17799. With the revisions, many concerns about the standard have been laid to rest. While there is always room for improvement, Forrester fully expects 17799 to continue to be the clear leader in security standards/frameworks for information security management. Even BS 7799, the origin of 17799, will be hard-pressed to keep up, as the standards now differ with the second version. Many have also pursued certification under BS 7799:2, which will receive some significant competition when ISO/IEC releases its certification standard later this year. (7)
ENDNOTES
- Source: Improved ISO/IEC 17799 Makes Information Assets Even More Secure, International Organization for Standardization press release, June 20, 2005 (http://www.iso.org/iso/en/commcentre/pressreleases/2005/Ref963.html).
- The second part of the BSI certification standard never became part of the ISO standard.
- The controversies center on semantics, the standard's focus on large centralized organizations as opposed to small or decentralized organizations, the lack of guidance in risk management and analysis, and legislative incompatibilities in certain countries (e.g., privacy). See the July 19, 2002, IdeaByte ISO17799: Revisions Call For Adopters To Be Forward Looking.
- Regulatory compliance is driving many IT organizations to adopt frameworks to manage compliance and accompanying controls. Sarbanes-Oxley (SOX), along with a host of other regulations, has created increased awareness and interest in control frameworks from the business perspective down into IT and information security. See the February 24, 2005, Best Practices IT Frameworks For Control And Compliance. Good IT governance ensures that IT investments are optimized, aligned with business strategy, and delivering value within acceptable risk boundaries, taking into account culture, organizational structure, maturity, and strategy. See the March 29, 2005, Best Practices IT Governance Framework.
- While mandating risk assessment, neither BS 7799 nor ISO 17799 gives detailed guidance on how risk assessments are to be conducted. This is one of the issues driving the current changes in ISO 17799 this year as it works its way through the revision process. The revisions to ISO 17799 are clarifying guidance for risk assessment by pointing to ISO 13335 for detailed guidance. See the March 28, 2003, IdeaByte Approaching Risk Analysis In BS7799/ISO17799.
- Organizations face a complex web of business partner relationships. This may be good for streamlining business, but it is hard to secure. While organizations focus on the technical controls around network connections, they forget about the people, process, policy, and contractual controls necessary to secure these relationships. The impact of legislation and regulation adds to this confusion by putting further requirements on business partner relationships. See the September 7, 2004, Best Practices Managing Information Risk In Business Partner Relationships.
- The ISMS International User Group maintains a listing of companies that have received BS 7799:2 certification. Source: ISMS International User Group (http://www.xisec.com/).
Copyright © 2005 IDG Communications, Inc.