Gary Hinson on ISO/IEC 27000

Few doubt that a major consequence of the current economic meltdown will be more regulations for the private sector to follow. New regulations almost always mean more spending on security and privacy controls. For a glimpse of what to expect, CSO turned to Gary Hinson, a New Zealand-based IT governance specialist and CEO of IsecT Ltd.

Hinson says to expect changes in the coming year, but they won’t necessarily be tied to new regulations born of the financial crisis. Instead, his focus is on changes for the ISO/IEC 27000 family of standards. His efforts to help security pros understand the standards include a regularly-updated website: ISO27001security.com. Hinson spoke with CSOonline.com Senior Editor Bill Brenner about the nature and timing of updates to these important standards.

Where do you see the most significant regulatory changes in 2009?

There are a number of planned changes to the ISO/IEC 27000 family of Information Security Management System (ISMS) standards (collectively “ISO27k”) over the next year or so, with several additional standards currently under development, several standards about to be released and earlier releases undergoing planned revision.

Let’s start with the planned revisions.

Work is under way within JTC1/SC27, the ISO/IEC committee responsible for ISO27k, to review and where necessary adapt ISO/IEC 27001 and 27002. Both standards are being actively used around the world of course, making it likely that changes will be relatively limited in order to avoid disrupting the existing implementations and particularly the certification processes. I believe that in Japan, for instance, ISO/IEC 27002 is specifically recommended if not required to satisfy the Japanese privacy/data protection laws, with organizations being compliance-assessed against the code of practice although it was not originally intended by ISO/IEC to be used in that manner. No one really knows how many organizations have adopted ISO/IEC 27002 globally but I would guess it must be in the hundreds of thousands by now.

In revising ISO/IEC 27002, what are you pressing the committee to focus on?

1. Address and resolve the confusion around “information security policy” versus “ISMS policy” — the latter being closer to strategy, as far as I can see.
2. Expand on the concept of personal accountability versus responsibility and clarify what is meant by “information asset.”
3. Expand on typical computer room controls, for example environmental monitoring with local and remote alarms for fire, water, intrusion, power problems etc.
4. Update section 10.8 “Exchange of information” to improve coverage of mobile code, Web 2.0/Software As A Service etc. Technical advances are a tricky area for ISO27k since publication of the standards is such a long, slow process They try as far as possible to keep the standards technology-neutral but this can result in them lacking guidance in some areas].
5. Expand section 11.2 on “User access management” to include more on identification and especially authentication of remote users.
6. Provide pragmatic guidance on security testing of new/changed application systems in section 12.
7. Expand section 14 on “Business continuity management” to cover resilience as well as disaster recovery. This section would also benefit from more explanation of “contingency.”
8. Update section 15 to reflect legal and regulatory changes such as the rise of e-discovery, document/e-mail retention and increasing use of computer data as evidence in court.
9. Emphasize the value of IT auditing processes in section 15.3.

With around 4 or 5,000 organizations having been certified compliant with ISO/IEC 27001, the official ISMS certification standard, changes there seem likely to be restricted to relatively minor editorial updates. I do not anticipate major revision.

What’s the timetable for some of these changes?

I believe publication of ISO/IEC 27000 is imminent. It will help bind ISO27k together by explaining the structure and purpose of the standards, and providing a glossary of common terms. A lot of painstaking work has gone into this standard, wherever possible re-using definitions from existing standards and clarifying or changing things only where necessary. The recently-released risk management standard ISO/IEC 27005 will helpfully bring some commonality to the way various organizations assess their information security risks, prior to selecting and implementing suitable security controls. Risk assessment was arguably the weakest area of ISO/IEC 27002 with very limited guidance provided in section 4. The new standard does not mandate a particular risk assessment method or approach, in fact suggesting that organizations should choose methods that suit their purposes. There is no shortage of methods from which to choose, and it is implied that organizations may need several for different situations.

New ISO27k standards will hopefully emerge over the next year or two providing pragmatic ISMS implementation advice, both generic and tailored to specific market segments (such as governments) and aspects of information security (such as application security and IT forensics). A metrics standard, ISO/IEC 27004, is edging closer to release [although personally I have serious misgivings about that particular one, it being too academic and complex for my liking.

What are your specific concerns?

I feel if released in its present form it will actually be a retrograde step – a license to print money for consultants but with little prospect of achieving the goal of helping management understand, manage and improve their ISMS. Worse still, there is a risk that botched metrics implementations will discredit the value of security metrics as a whole and set the field back 10 years.

You’ve suggested some changes are also afoot regarding the auditing process. Please explain.

There is work under way on ISO27k auditing standards with an interesting divergence of opinion over the need for guidance on auditing information security controls. At present, certification audits (covered by ISO/IEC 27006) focus on the management system elements of ISMS and, to a large extent, ignore the information security aspects. An organization that has a marvelous management framework and associated management processes but has made little real effort to implement information security controls could potentially still be certified compliant with ISO/IEC 27001 yet be patently insecure. This places great faith in management’s ability to complete continuous security improvements that will – eventually, hopefully – bring things up to par. As a pragmatic IT auditor, I would place far more confidence in an organization’s ISO/IEC 27001 certificate if I knew their information security controls had been independently reviewed against both the requirements specified by their risk assessment and the guidance in ISO/IEC 27002.

The problem with going down this route is that there appears to be a global shortage of certification auditors with sufficient experience and expertise to assess information security controls. The certification bodies are cross-training auditors familiar with quality assurance and environmental management to perform ISMS audits, but I doubt they are all sufficiently competent to probe information security controls in depth. However, ISACA is now involved in this work and the substantial body of CISA and CISM-qualified ISACA members presents a significant pool of competent resources. There’s hope!