The security controls in operation today typically only address certain aspects of IT or data security, leaving non-IT information assets like paperwork and proprietary knowledge less protected and vulnerable.
Security controls should not be chosen or implemented arbitrarily. They should flow out of an organisation’s risk management process, which begins with defining an overall IT security strategy, then its goals. This should be followed by defining specific control objectives - practical ways the organisation plans to effectively manage this risk. This is where ISO 27001 comes in.
Unfortunately, the security controls in operation today typically only address certain aspects of IT or data security, leaving non-IT information assets like paperwork and proprietary knowledge less protected and vulnerable. Sometimes business continuity planning and physical security might be managed independently of IT or information security, whilst Human Resources practices may not recognise the need to define and assign information security roles and responsibilities throughout the organisation. The ISO 27001 standard was introduced to address these issues.
The basic bones of ISO 27001 requires that you:
Systematically examine your organisation’s information security risks, taking account of the threats, vulnerabilities, and impacts.
Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
Adopt an overarching management process to ensure that the information security controls continue to meet your organisation’s information security needs on an on-going basis.
Yes, there is a lot of detail around the standard, but its essence is actually as simple as this.
What you’ll be doing when implementing ISO 27001
There are a series of core requirements in the standard, then the actual controls are detailed in an annex at the back of the standard, called Annex A. The idea with these controls is that you choose to implement them subject to the risk assessments and risk treatment work that you’ll have done in the first part of the standard.
So one of the fundamental core requirements in the main body of ISO 27001 is to identify, assess, evaluate and treat information security risks. Doing this risk management process will help determine which of the ISO 27001 Annex A controls may need to be applied in the management of those security-oriented risks:
Going back to the beginning of the process, you need to identify your control objectives as an organisation - what are the goals of your information security strategy?
Once you identify your control objectives, you can assess the risk to individual assets and business processes.
Finally, you then choose the most appropriate security controls to put in place.
One of the easiest and most straightforward models for classifying controls is by type: physical, technical, or administrative; and by function: preventative, detective, and corrective. Control Types Physical controls describe anything tangible that’s used to prevent or detect unauthorised access to physical areas, systems, or assets. This includes things like fences, gates, guards, security badges and access cards, biometric access controls, security lighting, CCTV, surveillance cameras, motion sensors, fire suppression, as well as environmental controls like HVAC and humidity controls. Technical controls (also known as logical controls) include hardware or software mechanisms used to protect assets. Some common examples are authentication solutions, firewalls, antivirus software, intrusion detection systems (IDSs), intrusion protection systems (IPSs), constrained interfaces, as well as access control lists (ACLs) and encryption measures. Administrative controls refer to policies, procedures, or guidelines that define personnel or business practices in accordance with the organisation’s security goals. These can apply to employee hiring and termination, equipment and internet usage, physical access to facilities, separation of duties, data classification, and auditing. Security awareness training for employees also falls under the umbrella of administrative controls. Control Functions Preventative controls describe any security measure that’s designed to stop unwanted or unauthorised activity from occurring. Examples include physical controls such as fences, locks, and alarm systems; technical controls such as antivirus software, firewalls, and IPSs; and administrative controls like separation of duties, data classification, and auditing. Detective controls describe any security measure taken or solution that’s implemented to detect and alert to unwanted or unauthorised activity in progress or after it has occurred. Physical examples include alarms or notifications from physical sensor (door alarms, fire alarms) that alert guards, police, or system administrators. Honeypots and IDSs are examples of technical detective controls. Corrective controls include any measures taken to repair damage or restore resources and capabilities to their prior state following an unauthorised or unwanted activity. Examples of technical corrective controls include patching a system, quarantining a virus, terminating a process, or rebooting a system. Putting an incident response plan into action is an example of an administrative corrective control. The table below shows how just a few of the examples mentioned above would be classified by control type and control function:
The idea is that you implement a combination of security controls based on stated control objectives tailored to your organisation’s needs and regulatory requirements. Ultimately, the goal of both control objectives and controls is to uphold the three foundational principles of security: confidentiality, integrity, and availability - also known as the ‘CIA Triad’. This Triad of confidentiality, integrity and availability is considered the core underpinning of information security. Every security control and every security vulnerability can be viewed in light of one or more of these key concepts. For a security programme to be considered comprehensive and complete, it must adequately address the entire CIA Triad. Put simply, confidentiality means that data, objects and resources are protected from unauthorised viewing and other access. Integrity means that data is protected from unauthorised changes to ensure that it is reliable and correct. Availability means that authorised users have access to the systems and the resources they need when they need them - there’s no point in having a system so secure that the people who need the information can’t get at it. If you would like to look at how to implement an ISO 27001 information security management system, then simply contact us. Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).
Article originated in The Ideas Distillery blog
ISO News is an aggregator of global media. All the content is available free on the internet, we have just arranged it in one platform for educational purposes only. In each article, the hyperlink to the primary source is included. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – ISOnews713@gmail.com and the content will be deleted within 24 hours.
