Standards

Various standards exist for the issues around Information Security, including:

    The ISO 27000 series of Standards
    BSI Baselines
    COBIT
    GASSP
    MICTS
    ITIL

The ISO 27000 Standards

ISO/IEC 27002 is a code of practice for information security management. It is designed to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used. This code of practice started life as the UK standard BS 7799-1 in 1995 and was then released as an international standard (ISO 17799) in 2000 and revised in 2005 in line with normal ISO procedures. It was renumbered as ISO/IEC 27002 in July 2007.

ISO/IEC 27001 (previously BS 7799-2) provides a specification for an information security management system (ISMS). This includes a number of processes for designing, implementing, maintaining and updating an ISMS. ISO/IEC 27001 can be used for ISMS certification according to the European standard EN45012 and the accreditation guidelines standard ISO 27006 (previously EA 7/03). Further developments in information security standards are ongoing (some are mentioned later in this text) and a "family" of such standards now features in the ISO 27000 series.

Both ISO/IEC 27001 and ISO/IEC 27002 are based on an ISO/IEC risk management model from ISO Guide 72 and ISO/IEC 13335 Management of IT Security Parts 1 and 2. There are also useful guidelines from BSI, the British Standards Institution (called the BIP 70 series of four ISO/IEC 27001 guides - previously the PD 3000 series), which provide help and advice on the implementation and auditing aspects of ISO/IEC 27001 and ISO/IEC 27002.

They also include 'gap analysis' templates for ISO/IEC 27002. ISO/IEC 13335 is a set of guidelines for the management of IT security. It covers aspects of policy, planning, risk assessment, risk reduction and control. ISO/IEC 13335 is being revised within ISO and will result in two new standards - ISO/IEC 27005 Information Security Risk Management (published June 2008) and ISO/IEC 27000 Overview and Vocabulary (under development).

Further information about the 27000 standards, as well as the worldwide register of organisations which have gained accredited certification to ISO 27001, can be found at: http://www.iso27001certificates.com/

The UK ISO/IEC 27001 User Group exists to promote awareness of, and share good practice in relation to, ISO/IEC 27001 and information security management systems. Membership is free, and benefits include workshops and newsletters. The Group's website provides further information.

Where can I get a copy of the ISO Standards?

The standards are available from BSI and ISO for a small fee. You can obtain copies from:

    www.bsi-global.com
    www.iso.org

BSI IT Security Baselines

Bundesamt für Sicherheit in der Informationstechnik (BSI) is the German federal office tasked with producing standards for IT security. It publishes an English version of the BSI Baselines, which are designed to:

    Help solve common security problems rapidly
    Raise the security level of IT systems
    Simplify the creation of IT security policies

The document provides in-depth guidance and baseline controls (extending over 1600 pages). The baselines have a strong technical bias and are aimed at IT security professionals, but they remain a good source of sound practice for a wider audience.

Baselines are regularly updated, and are available in many formats (download, hard copy, CD). Most are free, but check the website at www.bsi.de for details.

COBIT

The Control Objectives for IT (COBIT) were designed to act as a control framework that works with widely accepted control objectives and a supporting toolset.

COBIT has a range of products, including a Management Guide, Control Objectives and related support material.

COBIT was assembled by ISACA (the professional body representing information systems audit practitioners) and, although aimed at audit professionals, provides a robust framework for larger organisations.

Most of the document set is freely available on the Internet in English.

There is no proposed certification process for COBIT itself; ISACA and its certified auditors (those holding the appropriate qualification) act as the main controlling body.

For further information visit www.isaca.org.

GASSP

The Generally Accepted System Security Principles (GASSP) were assembled by the Computer Security Institute to meet US Government needs.

They are based on multiple sources, including OECD guidelines and BS 7799. They are aimed at general management as well as more specialist people, and are freely available in English on the Internet.

For further information visit:

    www.gocsi.com
    http://web.mit.edu/ist/topics/security/

MICTS

The ISO/IEC 13335 series, Management of ICT Security (MICTS, previously known as GMITS), was designed to provide comprehensive guidance on information security management. It is a series of technical reports covering:

    Concepts
    Managing and planning
    Techniques
    Selection of safeguards

The guidelines are aimed at information security professionals and were assembled using the normal ISO committee structures. There is no current process for certification related to MICTS. As noted earlier in the text, these guidelines are currently being revised within ISO, and parts of the ISO 13335 series (ISO/IEC 13335-3 and ISO/IEC 13335-4) have now been withdrawn and replaced by ISO 27005.

Guidelines can be purchased from the ISO website (www.iso.org).

Information Technology Infrastructure Library (ITIL)

ITIL was assembled and is promoted by the Central Computer & Telecommunications Agency (CCTA).

It provides a foundation for the management of IT infrastructure and for the management of information security.

It describes best practice in information security management and related disciplines. The CCTA is an executive agency of the UK Office of Public Service.

The standard provides a cohesive set of best practices, drawn from the public and private sectors internationally, supported by a comprehensive qualification scheme and accredited training organisations.

For further information visit www.itil.co.uk