
ISO-IEC-27001-Lead-Auditor-EN-v12.1-Day-1

Published by Lim Yoo Jin, 2023-10-16 21:44:15


Licensed to Kim Lyxen Ong ([email protected]) ©Copyrighted material PECB®. Single user license only, copying and networking prohibited. Downloaded: 2023-04-05 51/144

Other definitions related to information security:

ISO/IEC 27000, clause 3.27 Information processing facilities
Any information processing system, service or infrastructure, or the physical location housing it

ISO/IEC 27000, clause 3.30 Information security event
Identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that can be security relevant

ISO/IEC 27000, clause 3.31 Information security incident
Single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security

ISO/IEC 27000, clause 3.32 Information security incident management
Set of processes for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents

ISO/IEC 27000, clause 3.35 Information system
Set of applications, services, information technology assets, or other information-handling components

ISO/IEC 27000, clause 3.48 Non-repudiation
Ability to prove the occurrence of a claimed event or action and its originating entities

ISO/IEC 27000, clause 3.55 Reliability
Property of consistent intended behaviour and results

Annex A of ISO/IEC 27001 includes controls related to the classification of information:

ISO/IEC 27001, Annex A 5.12 Classification of information


Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.

ISO/IEC 27001, Annex A 5.13 Labelling of information
An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.




For example, the personal data of employee salaries must be accessible only by the authorized Human Resources Department personnel.

Several types of access controls can ensure the confidentiality of information. Encryption is an example of such an access control. Access controls can be applied at different levels of an information security management system:
- At the physical level (e.g., locks on doors, locking filing cabinets, safes, etc.)
- At the logical level (e.g., access controls to information)


For example: Accounting data must be authentic (complete and exact).

The accuracy of information is ensured by avoiding unjustified modifications of such information. Many devices manipulating data, including disk drives and other media, as well as telecommunications systems, contain mechanisms for automatic data integrity verification. Data integrity controls are essential in operating systems, software, and applications. They allow the avoidance of intentional or involuntary corruption of programs and data.

Integrity controls must be included in an organization’s procedures. These contribute to the reduction in the risk of error, theft, and fraud. Data validation controls, user training, as well as certain controls at the operational level, are good examples.

Integrity must be analyzed from three perspectives:
- Prevent someone with the authority to modify data from making an error in the data or changing it incorrectly
- Prevent someone without modification permission from making any changes
- Prevent any program or application that interacts directly with the “target” information from making any unauthorized changes

Data that was previously stored must remain unchanged during data transportation.


Availability implies that information must be easily accessible by individuals who need it and are authorized to access it. For example, data related to customers must be accessible in the Marketing Department.

In practice, the availability of information requires a control system, such as, for example, data backup, capacity planning, maintenance and testing of equipment, incident management procedures, information processing procedures, and procedures to control the usage of systems.


Each block on the left shows a factor that influences information availability.

Physical security
If physical security is not provided in an organization, unauthorized persons will gain access. This means that, if information is not protected through physical security, the organization would be subject to the threat of theft, natural disasters, or other incidents. On the other hand, the physical security of hardware and communication pathways is important to provide the availability of the system because persons that want to harm the safety of an organization’s information can also do it physically. Physical security addresses reliability and accessibility.

Auditing and system effectiveness evaluation
Auditing is a systematic and independent investigation of an organization’s processes to check if the existing controls are implemented successfully. A type of audit which is very important for availability is the system effectiveness evaluation, which shows to what extent the system meets the needs of the organization. Auditing and system effectiveness evaluation address reliability and timeliness.

Security policy
The security policy of a system should set the user privileges. Current and future decisions should be based on the organization’s security policy. Security policy addresses reliability, timeliness, and accessibility.

System monitoring and operational controls
Operational controls are the rules that should be implemented and regularly monitored in order to protect the information. They help in the implementation of the security policy and, in this way, provide a way to enforce it. This enforcement is only possible when system monitoring and operational controls work together. System monitoring and operational controls address reliability, timeliness, and accessibility.


Business continuity
Business continuity is a very important component in maintaining operations in cases of network attack or natural disasters. Without a tested business continuity plan, the organization cannot be sure that lost information will ever be restored. Business continuity addresses timeliness and accessibility.

Backups
A backup is a copy of all the information, applications, or operating system settings that are stored within a computer. Backups reduce the amount of loss and provide maximum restorable capability to the organization. Backups address timeliness and accessibility.

Reliability
Reliability is a software or hardware attribute that allows the components of the organization’s system to perform according to their specifications. Users cannot rely on a system that cannot be trusted to execute their requests. For example, an organization may address reliability by combining the system’s specifications, network planning, information security, and disaster recovery plans.

Accessibility
Accessibility is the degree to which a system is usable by as many people as possible without modification. For example, an organization may address accessibility by access controls (RBAC, role-based access control) and a leading information management system (IMS).

Timeliness
Timeliness refers to the responsiveness of a system or resource to a user request. For example, an organization may address timeliness by measuring the time between a user’s request for information or resources and the time when it is available for use.

Source: Martin, Andrew and Deepak Khazanchi. Information Availability and Security Policy. Omaha: University of Nebraska, 2006.


The assessment of vulnerabilities can be complicated by a common misperception that weaknesses or shortcomings are always associated with negative characteristics. Many vulnerabilities do indeed have negative characteristics, as in an information system where “patches” are not applied. We can accept certain vulnerabilities because of the positive outcomes associated with the risks we take. An example of this is purchasing laptop computers instead of desktop computers, which improves the mobility of workers but increases the chances of theft.

Vulnerabilities can be divided into two groups: extrinsic and intrinsic. Intrinsic vulnerabilities are related to the characteristics of the asset. Extrinsic vulnerabilities, on the other hand, are the external factors that might impact the asset.

Example:
- A server located in an area that is prone to seasonal flooding is considered an extrinsic vulnerability.
- The inability of a server to process data is considered an intrinsic vulnerability.


ISO/IEC 27005, Annex A.2.5.2 Examples of vulnerabilities
Table A.11 gives examples for vulnerabilities in various security areas, including examples of threats that can exploit these vulnerabilities. The lists can provide help during the assessment of threats and vulnerabilities, to determine relevant risk scenarios. In some cases, other threats can exploit these vulnerabilities as well.


ISO/IEC 27005, Annex A.2.5.3 Methods for assessment of technical vulnerabilities
Security testing and evaluation (STE) is another technique that can be used in identifying ICT system vulnerabilities during the risk assessment process. It includes the development and execution of a test plan (e.g. test script, test procedures, and expected test results). The purpose of system security testing is to test the effectiveness of the security controls of an ICT system as they have been applied in an operational environment. The objective is to ensure that the applied controls meet the approved security specification for the software and hardware and implement the organization’s security policy or meet industry standards.


ISO/IEC 27005, Annex A.2.5.3 Methods for assessment of technical vulnerabilities
Penetration testing can be used to complement the review of security controls and ensure that different facets of the ICT system are secured. Penetration testing, when used in the risk assessment process, can be used to assess an ICT system’s ability to withstand intentional attempts to circumvent system security. Its objective is to test the ICT system from the viewpoint of a threat source and to identify potential failures in the ICT system protection schemes.


By definition, a threat has the potential to harm assets, such as information, processes, and systems, and consequently harm the organization. Threats are associated with the negative aspect of risk, and as such refer to undesirable occurrences.

In interviews, simple language should be used to facilitate the discussion on threats. For example, one can ask the interested parties against which events they wish to protect the resources of the organization and provide a list of examples for this purpose.


ISO/IEC 27005, Annex A.2.5.1 Examples of threats
Table A.10 gives examples of typical threats. The list can be used during the threat assessment process. Threats considered as risk sources can be deliberate, accidental or environmental (natural) and can result, for example, in damage or loss of essential services. The list indicates for each threat type where D (deliberate), A (accidental), E (environmental) is relevant. D is used for all deliberate actions aimed at information and assets related to information, A is used for all human actions that can accidentally damage information and assets related to information, and E is used for all incidents that are not based on human actions. The groups of threats are not in priority order.


The presence of a vulnerability itself does not produce damage; a threat must exist to exploit it. A vulnerability that does not correspond to a threat may not require the implementation of a control, but it must be identified and monitored in case of changes.

Note that the incorrect implementation, inappropriate use, or malfunction of a control could, in itself, represent a threat. A control can be effective or ineffective based on the environment in which it operates.


The following is a list of potential impacts that can affect availability, integrity, or confidentiality, or a combination of them:
1. Financial losses
2. Loss of assets or their value
3. Loss of customers and suppliers
4. Lawsuits and penalties
5. Loss of competitive advantage
6. Loss of technological advantage
7. Loss of efficiency or effectiveness
8. Violation of the privacy of users or customers
9. Service interruption
10. Inability to provide service
11. Loss of reputation
12. Disruption of operations
13. Disruption of third party operations (suppliers, customers, etc.)
14. Inability to fulfill legal obligations
15. Inability to fulfill contractual obligations
16. Endangering safety of personnel or users




ISO/IEC 27000, clause 3.57 Residual risk
Risk remaining after risk treatment
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risk can also be referred to as “retained risk”.

ISO/IEC 27000, clause 3.61 Risk (cont’d)
Effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential “events” and “consequences” or a combination of these.

ISO/IEC 27000, clause 3.62 Risk acceptance
Informed decision to take a particular risk
Note 1 to entry: Risk acceptance can occur without risk treatment or during the process of risk treatment.
Note 2 to entry: Accepted risks are subject to monitoring and review.

ISO/IEC 27000, clause 3.63 Risk analysis
Process to comprehend the nature of risk and to determine the level of risk
Note 1 to entry: Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
Note 2 to entry: Risk analysis includes risk estimation.


ISO/IEC 27000, clause 3.64 Risk assessment
Overall process of risk identification, risk analysis and risk evaluation


ISO/IEC 27000, clause 3.66 Risk criteria
Terms of reference against which the significance of risk is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives, and external context and internal context.
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.

ISO/IEC 27000, clause 3.67 Risk evaluation
Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
Note 1 to entry: Risk evaluation assists in the decision about risk treatment.

ISO/IEC 27000, clause 3.68 Risk identification
Process of finding, recognizing and describing risks
Note 1 to entry: Risk identification involves the identification of risk sources, events, their causes and their potential consequences.
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders’ needs.

ISO/IEC 27000, clause 3.69 Risk management
Coordinated activities to direct and control an organization with regard to risk

ISO/IEC 27000, clause 3.70 Risk management process
Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risk
Note 1 to entry: ISO/IEC 27005 uses the term “process” to describe risk management overall. The elements within the risk management process are referred to as “activities.”


ISO/IEC 27000, clause 3.71 Risk owner
Person or entity with the accountability and authority to manage a risk

ISO/IEC 27000, clause 3.72 Risk treatment
Process to modify risk
Note 1 to entry: Risk treatment can involve:
- avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
- taking or increasing risk in order to pursue an opportunity;
- removing the risk source;
- changing the likelihood;
- changing the consequences;
- sharing the risk with another party or parties (including contracts and risk financing);
- retaining the risk by informed choice.


Exercise 1: Identification of threats, vulnerabilities, and impacts

Upon reading the sections in the case study called “Company background” and “Recent facts and events,” determine the threats and vulnerabilities associated with the following scenarios and indicate the possible impacts. Then, indicate if the impacts would affect the confidentiality, integrity, or availability of the organization’s data.

1. Ian Kovalev and Katie Harper were hired by BankIT’s competitor, EverNet.
2. The software delivered to BankIT’s clients in Brazil had some serious flaws and made the clients vulnerable to external attacks.
3. Julia Robinson, the website designer, was ill for one month.
4. Customer information (names, addresses, and credit card numbers) is kept in a database that does not have proper encryption or access control in place.

Complete the matrix below and prepare to discuss your answers.
Duration of the exercise: 20 minutes
Comments: 20 minutes


ISO/IEC 27000, clause 3.14 Control
Measure that is modifying risk

ISO/IEC 27000, clause 3.15 Control objective
Statement describing what is to be achieved as a result of implementing controls

Controls for information security include any process, policy, procedure, guideline, practice, or organizational structure that can be administrative, technical, management, or legal in nature, and that can modify information security risk.

Note: An administrative control is more related to the structure of the organization as a whole without being applied by a particular person, while a managerial control is to be applied by managers. The differences between the types of security controls are explained only for understanding. An organization does not need to determine the nature of the security controls it implements.


Security controls can be classified into preventive, detective, and corrective. Several information security reference frameworks use classifications with more categories.

Important note: These different types of controls are connected with one another. For example, the implementation of an antivirus program is a preventive control because it provides protection against malware. At the same time, the antivirus serves as a detective measure when it detects a potential virus. Simultaneously, it provides a corrective measure when a suspicious file is quarantined or deleted.


1. Preventive control
Goal: avoid or prevent the occurrence of incidents
- Detect incidents before they occur
- Control operations
- Prevent errors, omissions, or malicious acts

Examples:
- Separate the development, testing, and operating equipment
- Secure offices, rooms, and equipment
- Use clearly defined procedures (to prevent errors and mistakes)
- Use cryptography
- Use access control software that only allows authorized personnel to access sensitive files


2. Detective controls aim at searching for and identifying problems and incidents by:
- Using controls that detect and report the occurrence of an error, omission, or malicious act

Examples:
- Integration of checkpoints in production applications
- Echo control in telecommunications
- Alarms to detect heat, smoke, fire, or risks related to water
- Verification of duplicate calculations in data processing
- Detection of break-ins with video cameras
- Detection of potential intrusions on networks with an intrusion detection system (IDS)
- Review of user access rights
- Technical review of applications after a modification of the operating system

3. Corrective controls aim at overcoming the problems discovered and preventing their recurrence by:
- Minimizing the impact of a threat
- Overcoming problems discovered by detective controls
- Identifying the causes of the problem
- Correcting errors arising from a problem
- Modifying the processing system to reduce the presence of future problems to a minimum

Examples:
- Review of the security policy after the integration of a new division into the organization
- Appeal to authorities to report a computer crime
- Change of all passwords on all systems when a successful computer network intrusion has been detected
- Recovery of the transactions with the backup procedure after the discovery that some data has been corrupted
- Implementation of patches following the identification of technical vulnerabilities


1. Assets and controls can present vulnerabilities that can be exploited by threats.
2. It is the combination of threats and vulnerabilities that can increase the potential effect of the risk.
3. Controls allow the reduction of vulnerabilities.

An organization has a few alternatives to act against threats. For example, controls can be implemented to provide protection against system intrusions, but it is difficult for an organization to take action to reduce the number of hackers on the internet.

Note: The relation descriptors are valid for the two components which they interconnect — they are not intended to be read as a “story” from end to end or through a sequence of components and relationships.


1. According to ISO 9000, what is an asset?
A. Item or entity that has potential or actual value to an organization
B. Meaningful data for an organization
C. Document which states requirements for an organization

2. What is the difference between specifications and records?
A. Specifications are documents that state requirements, whereas records are documents that state achieved results
B. Specifications refer to information and the medium on which it is contained, whereas records are documents that state requirements
C. Specifications and records are both forms of documents, so they can be used interchangeably

3. A former employee of Company A has gained unauthorized access to the company’s sensitive information. What does this present?
A. A threat that has the potential to harm the assets of the organization, such as information or systems
B. A vulnerability in the monitoring system of the organization that does not have corresponding threats
C. A security control incorrectly implemented by the organization that is not vulnerable

4. With which of the following principles does an organization comply if it ensures that only authorized users have access to their sensitive data?
A. Confidentiality
B. Integrity
C. Availability

5. What does the integrity principle entail?
A. That information is available to authorized individuals
B. That information is accurate and safe from unauthorized access
C. That information is accessible when needed


6. Which of the options below represents an example of a vulnerability?
A. Unencrypted data
B. Unauthorized access by persons who have left the organization
C. Data input error by personnel

7. What can have an impact on the availability of information?
A. Incorrect results
B. Deliberate change of information
C. Performance degradation

8. An organization has clearly defined the security procedures and uses an access control software to avoid unauthorized access of the personnel to its confidential data. What is the function of these security controls?
A. To prevent the occurrence of incidents
B. To correct errors arising from a problem
C. To report the occurrence of a malicious act

9. To which classification of security controls does the implementation of patches after the identification of system vulnerabilities belong?
A. Preventive by function and managerial by type
B. Corrective by function and technical by type
C. Detective by function and administrative by type


Section summary:
- ISO/IEC 27000, clause 3.77 defines vulnerability as the “weakness of an asset or control that can be exploited by one or more threats.”
- Classification by type of security controls includes technical controls, legal controls, administrative controls, and managerial controls.
- Classification by function of security controls includes preventive controls, detective controls, and corrective controls.


This section will elaborate on the main steps in implementing an information security management system (ISMS) and the mandatory clauses tied to these steps. An ISMS aims to ensure the adequate and balanced selection of security controls that protect assets and reduce vulnerabilities. An auditor must have general knowledge of the functioning of a management system, as well as the process approach, to be able to effectively perform an ISO/IEC 27001 audit.


Organizations implement management systems to improve their operations and enhance their business performance, while also increasing customer satisfaction. An organization may have several management systems in place, such as a quality management system, information security management system, business continuity management system, etc.

Note: What is implemented must be controlled and measured, and what is controlled and measured must be managed. The “Performance evaluation” clause is an essential component of any management system because without the evaluation of the effectiveness of processes and controls in place, it is impossible to check if the organization has reached its objectives.

ISO/IEC Directives, Part 1, Annex L.2.2 Management system standard
MSS
Standard for management systems
Note 1 to entry: For the purposes of this document, this definition also applies to other ISO and IEC deliverables (e.g. TS, PAS).


ISO publications range from traditional activities, such as agriculture and construction, to the most recent developments in information technologies, such as the digital coding of audiovisual signals for multimedia applications. ISO 9000 and ISO 14000 families of standards are among the best known. ISO 9001 has become an international reference with regard to quality. ISO 14001, on the other hand, helps organizations enhance their environmental performance. Both standards are generic and applicable to any organization, regardless of size or complexity of processes.

For detailed information on each relevant standard, please visit www.pecb.com or www.iso.org. If you would like to purchase any of the standards, PECB offers discounted prices to all trainees that purchase them via PECB Store.


As organizations manage several compliance frameworks simultaneously, it is recommended to implement an integrated management system (IMS). An IMS is a management system that integrates all the components of a business into one coherent system so as to enable the achievement of its purpose and mission. The table on the slide presents the requirements that are common to all management systems and that allow for integration.

There are several good reasons for integration, including to:
- Harmonize and optimize practices
- Formalize informal systems
- Reduce duplication and therefore costs
- Reduce risks and increase profitability
- Shift focus toward achieving business goals
- Create and maintain consistency
- Improve communication




As defined in ISO/IEC 27001, the establishment and implementation of an organization's ISMS is influenced by the organization's needs and objectives, its security requirements, the organizational processes used, and the size and structure of the organization.




Controls are used to ensure that business processes are conducted in a secure manner in terms of information processing. These security processes and controls depend on the business processes because they are part of them. For example, security measures relating to human resources should be integrated into the organization's existing human resources management processes. This makes those processes more secure by ensuring that:
- The organization has clearly defined everyone's responsibilities in terms of information security.
- Background checks of applicants are performed according to the criticality of the information they will have to process.
- The organization has a formal disciplinary process in case of information security breaches.
- The organization has a formalized process to remove the access rights of employees leaving the organization.

ISO 19011, Annex A.2 Process approach to auditing
The use of a "process approach" is a requirement for all ISO management system standards in accordance with ISO/IEC Directives, Part 1, Annex SL. Auditors should understand that auditing a management system is auditing an organization's processes and their interactions in relation to one or more management system standard(s). Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.


An organization seeking certification against ISO/IEC 27001 must comply with the requirements set out in clauses 4 to 10 of the standard.


ISO/IEC 27001, clause 4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.4.1 of ISO 31000:2018.

ISO/IEC 27001, clause 4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a. interested parties that are relevant to the information security management system;
b. the relevant requirements of these interested parties;
c. which of these requirements will be addressed through the information security management system.
NOTE The requirements of interested parties can include legal and regulatory requirements and contractual obligations.

ISO/IEC 27001, clause 4.3 Determining the scope of the information security management system
The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organization shall consider:
a. the external and internal issues referred to in 4.1;
b. the requirements referred to in 4.2;
c. interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.
The scope shall be available as documented information.


ISO/IEC 27001, clause 4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.


The information security risk management process can be applied to the whole organization or to a subset defined in terms of:
1. Organizational units: department, office, project, branch, etc.
2. Processes: sales management, procurement, hiring process, etc.
3. Location: headquarters, server room, or any place geographically defined by a specific perimeter
4. Assets: customer file, database, payroll, trademark, furniture, etc.
5. Technologies: server, application, network, wireless internet, etc.


ISO/IEC 27001, clause 5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a. ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b. ensuring the integration of the information security management system requirements into the organization's processes;
c. ensuring that the resources needed for the information security management system are available;
d. communicating the importance of effective information security management and of conforming to the information security management system requirements;
e. ensuring that the information security management system achieves its intended outcome(s);
f. directing and supporting persons to contribute to the effectiveness of the information security management system;
g. promoting continual improvement; and
h. supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
NOTE Reference to "business" in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization's existence.


Through its leadership and actions, the organization's top management can create an environment in which all actors are fully involved and the management system can operate effectively in synergy with the objectives of the organization. Top management can demonstrate leadership through the following:
a. Establishment of guidelines and of the organization's objectives
b. Promotion of policies and objectives at all levels of the organization to increase awareness, motivation, and involvement
c. Assurance that the requirements of interested parties (customers, partners, shareholders, legislators, etc.) are a priority at all levels of the organization
d. Implementation of the appropriate processes and controls to comply with requirements
e. Establishment, implementation, and maintenance of an efficient and effective management system
f. Provision of the necessary resources
g. Assurance that internal audits are being conducted
h. Establishment of management reviews at least once a year
i. Decisions on actions concerning the policy and objectives
j. Decisions on actions to improve the management system


ISO/IEC 27001, clause 5.3 Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization. Top management shall assign the responsibility and authority for:
a. ensuring that the information security management system conforms to the requirements of this document;
b. reporting on the performance of the information security management system to top management.
NOTE Top management can also assign responsibilities and authorities for reporting performance of the information security management system within the organization.


ISO/IEC 27001, clause 6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a. ensure the information security management system can achieve its intended outcome(s);
b. prevent, or reduce, undesired effects;
c. achieve continual improvement.
The organization shall plan:
d. actions to address these risks and opportunities; and
e. how to
   1. integrate and implement the actions into its information security management system processes; and
   2. evaluate the effectiveness of these actions.


ISO/IEC 27005, clause 7 Information security risk assessment process
7.1 General (cont'd)
Risk assessment consists of the following activities:
a. risk identification, which is a process to find, recognize and describe risks (further details on risk identification are provided in 7.2);
b. risk analysis, which is a process to comprehend the types of risk and to determine the level of risk. Risk analysis involves consideration of the causes and sources of risk, the likelihood that a specific event occurs, the likelihood that this event has consequences and the severity of those consequences (further details on risk analysis are provided in 7.3);
c. risk evaluation, which is a process to compare the results of risk analysis with risk criteria to determine whether the risk and/or its significance is acceptable and to prioritize the analysed risks for risk treatment. Based on this comparison, the need for treatment can be considered (further details on risk evaluation are provided in 7.4).
The risk assessment process should be based on methods (see 6.5) and tools designed in sufficient detail to ensure, as far as is possible, consistent, valid and reproducible results. Furthermore, the outcome should be comparable, e.g. to determine whether the level of risk increased or decreased. The organization should ensure that its information security risk management approach aligns with the organizational risk management approach, so that any information security risks can be compared with other organizational risks and not only considered in isolation.
ISO/IEC 27001 does not mandate a particular approach to be used to fulfil the requirements in ISO/IEC 27001:2022, 6.1.2. Nevertheless, there are two main approaches for assessment: an event-based approach and an asset-based approach. They are discussed in more detail in 7.2.1.


ISO/IEC 27001, clause 6.1.2 Information security risk assessment
The organization shall define and apply an information security risk assessment process that:
a. establishes and maintains information security risk criteria that include:
   1. the risk acceptance criteria; and
   2. criteria for performing information security risk assessments;
b. ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c. identifies the information security risks:
   1. apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
   2. identify the risk owners;
d. analyses the information security risks:
   1. assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
   2. assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
   3. determine the levels of risk;
e. evaluates the information security risks:
   1. compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
   2. prioritize the analysed risks for risk treatment.
The organization shall retain documented information about the information security risk assessment process.
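The following is an added worked example, not part of the PECB course material or of the standard, showing the risk assessment activities that ISO/IEC 27005 clause 7.1 and ISO/IEC 27001 clause 6.1.2 c) to e) describe: identify risks with their owners, analyse consequence and likelihood on fixed scales, determine the level of risk, compare it with the risk acceptance criterion and prioritize for treatment. The five-point scales, the multiplication rule, the acceptance threshold of 6 and the four risks in the sample register are constructed assumptions; an auditor would expect the real criteria to be documented by the organization.

```python
"""Added example (not PECB or ISO text): one pass of an information security risk
assessment. Scales, scoring rule, threshold and sample register are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Risk criteria (ISO/IEC 27001 6.1.2 a). Fixed ordinal scales make repeated
# assessments consistent and comparable (6.1.2 b). Values are assumptions.
CONSEQUENCE: Dict[str, int] = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
ACCEPTANCE_THRESHOLD = 6  # risk acceptance criterion (assumed): level <= 6 needs no treatment
SECURITY_PROPERTIES = {"confidentiality", "integrity", "availability"}


@dataclass(frozen=True)
class Risk:
    """One identified risk (6.1.2 c): loss of C, I or A for in-scope information, with its owner."""
    risk_id: str
    description: str
    owner: str
    property_lost: str
    consequence: str
    likelihood: str


def level_of_risk(consequence: str, likelihood: str) -> int:
    """Risk analysis (6.1.2 d): consequence and likelihood on the agreed scales give the level."""
    if consequence not in CONSEQUENCE:
        raise ValueError(f"consequence {consequence!r} is not on the agreed scale")
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"likelihood {likelihood!r} is not on the agreed scale")
    return CONSEQUENCE[consequence] * LIKELIHOOD[likelihood]


def assess(register: List[Risk]) -> List[dict]:
    """Analyse and evaluate every risk (6.1.2 d and e) and return them prioritized for treatment."""
    results = []
    for risk in register:
        if not risk.owner.strip():
            raise ValueError(f"{risk.risk_id}: a risk owner must be identified (6.1.2 c 2)")
        if risk.property_lost not in SECURITY_PROPERTIES:
            raise ValueError(f"{risk.risk_id}: unknown security property {risk.property_lost!r}")
        level = level_of_risk(risk.consequence, risk.likelihood)
        results.append({
            "risk_id": risk.risk_id,
            "owner": risk.owner,
            "level": level,
            "consequence": CONSEQUENCE[risk.consequence],
            # Risk evaluation (6.1.2 e 1): compare the level with the acceptance criterion.
            "acceptable": level <= ACCEPTANCE_THRESHOLD,
        })
    # Prioritize for treatment (6.1.2 e 2): highest level first, ties broken by
    # consequence and then by id so two runs over the same register agree.
    results.sort(key=lambda r: (-r["level"], -r["consequence"], r["risk_id"]))
    return results


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Risk("R-01", "Backup tapes with customer data lost in transit", "Head of IT",
         "confidentiality", "major", "unlikely"),
    Risk("R-02", "Payroll database corrupted through an unpatched DBMS", "HR Director",
         "integrity", "severe", "possible"),
    Risk("R-03", "Web shop unavailable after a power failure", "COO",
         "availability", "moderate", "rare"),
    Risk("R-04", "Shared administrator password on the file server", "Head of IT",
         "confidentiality", "major", "likely"),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        action = "accept" if r["acceptable"] else "treat"
        print(f'{r["risk_id"]} level={r["level"]:2d} owner={r["owner"]} -> {action}')
```

Running the block prints the register in treatment priority: R-04 (16) and R-02 (15) and R-01 (8) exceed the assumed acceptance threshold and go to risk treatment, while R-03 (3) is accepted. Because the scales and the tie-breaking rule are fixed, assessing the same register in a different order yields the identical prioritized list, which is the "consistent, valid and comparable results" property an auditor checks under 6.1.2 b).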


Any risk assessment methodology that complies with the minimum ISO/IEC 27001 criteria is acceptable, even a methodology developed internally. The following is a list of several recognized risk assessment methodologies:

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) allows evaluation of the assets under threat, the most serious risks, and the vulnerability of the defences, based on a standardized knowledge base (a standard catalogue of information) included in the method. From these results, the method supports the development and implementation of a risk reduction strategy. OCTAVE is structured in three phases: a profile of the security needs for the organization's assets, a vulnerability study, and development of the strategy and security plan.

CRAMM (CCTA Risk Analysis and Management Method) was created in 1987 by the Central Computing and Telecommunications Agency (CCTA) of the United Kingdom government. CRAMM has a three-phase structure: definition of the assets under threat, risk and vulnerability analysis, and definition and selection of security measures.

MICROSOFT also released a guide for managing security risks, based on several industry-recognized standards and accompanied by tools for performing a comprehensive risk assessment. Its overall risk management process has four main phases: risk assessment, decision support, implementation of security controls, and measuring program effectiveness.

TRA (Harmonized Threat and Risk Assessment Methodology) is a publication issued under the authority of the Chief, Communications Security Establishment Canada (CSEC) and the Commissioner, Royal Canadian Mounted Police (RCMP). This methodology has four steps:
1. Establish the scope of the assessment and identify the employees and assets to be safeguarded
2. Determine the threats to employees and assets and assess the likelihood and impact of their occurrence
3. Assess vulnerabilities based on the adequacy of safeguards and compute the risk
4. Implement additional safeguards, if necessary, to reduce risk to an acceptable level


EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité) allows an organization to evaluate and act on risks related to information systems security and proposes a security policy adapted to its needs. The method was created by ANSSI (Agence nationale de la sécurité des systèmes d'information, formerly DCSSI). This agency is placed under the authority of the Prime Minister and attached to the Secretary General for National Defense. The five steps of the EBIOS method are: context study, security requirements, risk study, identification of security objectives, and determination of security requirements.

MEHARI (Méthode Harmonisée d'Analyse des Risques, "Harmonized method of risk analysis") was developed by CLUSIF in 1995 and derives from the Melissa and Marion methods. The MEHARI global approach consists of an analysis of the security issues and a preliminary classification of the information security entities based on three basic security criteria (confidentiality, integrity, and availability). These issues express the dysfunctions that have a direct impact on the activity of the organization. Audits then identify the information security vulnerabilities, and the risk analysis is conducted subsequently.

Note: ENISA (European Network and Information Security Agency, now the European Union Agency for Cybersecurity) has established an inventory of several risk management/risk assessment methods available on the market, including a comparison by 22 attributes. See http://rm-inv.enisa.europa.eu/rm_ra_tools.html

