Updates from August, 2013

  • Difference between ISO 27001: 2013 and ISO 27001:2005 

    ISO 27001: 2013 was released in September 2013

    Here are some of the high-impact changes:

    Change 1 – The standard is closer to enterprise risk management. The fact that information protection cannot remain aloof from organisational risk is well articulated in the new standard and is reflected in almost every management system clause.

    Change 2 – There is an insistence on understanding information from a business perspective. References to the enterprise ‘context’ in the new standard mean that you look at information in terms of business success or failure. Equally important is the identification of the external and internal issues that affect the success or failure of information security management.

    Change 3 – Scope definition is derived from the organisation's context rather than merely from a physical or logical boundary. In ISO 27001:2005 you could choose a subset of the organisation as the scope (such as the information technology team), but in the new standard merely picking a team as the scope may be difficult, since the scope has to be aligned with business strategy. Leaving out a strategic, customer-facing team may therefore not be easy, and such a team MUST be included in the scope statement.

    Change 4 – Replacement of ‘Management commitment’ with ‘Leadership’ – again an alignment with ISO 31000. In the past certain organizations have had CIOs signing the information security policy; this would be a thing of the past with the new standard.

    Change 5 – Risk assessment and risk treatment – the foundation of the subject – are clearer, more elaborate and more objective. The section on information security objectives is very specific:

    ‘When planning how to achieve its information security objectives, the organization shall determine:

    what will be done
    what resources will be required
    who will be responsible
    when it will be completed
    how the results will be evaluated’

    Change 6 – clause 9 – performance evaluation covers three essential topics, namely

    9.1 Monitoring, measurement, analysis and evaluation
    9.2 Internal audit
    9.3 Management review

    The alignment of these three issues is unique and gives more teeth to the implementation. For clause 9.1 the organisation needs to define what it needs to measure and monitor at the management system level. Clause 9.2 – internal audit then focuses on those specific measurements, and clause 9.3 – management review is further aligned to review performance based on the audit results.

    Change 7 – Changes in domains, control objectives and detail controls

    In Annex A there are 14 domains, 35 control objectives and 114 controls. The number of domains has increased but the total number of controls has been reduced; the latter is an optimisation effort. The grouping of the earlier clauses seems to make a lot more sense.

    Some of the main clauses that are either new or more specific in the new standard:

    A.6.1.4 Information security in project management – this is a new clause; consider security every time you run a project
    A.6.2.1 Mobile device policy – more specific in ISO 27001:2013 compared to ISO 27001:2005
    A.8.3.3 Physical media transfer – more specific in ISO 27001:2013 compared to ISO 27001:2005
    A.9.2.1 User registration and de-registration – more specific in ISO 27001:2013
    A.9.2.3 Management of secret authentication information of users – this focuses on handling sensitive authentication data such as passwords
    A.9.2.5 Removal or adjustment of access rights – now also considers ‘adjustment’ of access
    A.9.3.1 Use of secret authentication information – insistence on a procedure and on awareness
    A.9.4.4 Use of privileged utility programs – new name for the older clause ‘use of system utilities’ in the previous standard
    A.13.2.1 Information transfer policies and procedures – new name for the older clause ‘policy on exchange of information’
    A.14.1.1 Security requirements analysis and specification – more elaborate clause description compared to the previous standard
    A.14.1.2 Securing application services on public networks – more specific in ISO 27001:2013 compared to ISO 27001:2005
    A.14.1.3 Protecting application services transactions – more specific in ISO 27001:2013 compared to ISO 27001:2005
    A.14.2.1 Secure development policy – seeks to cover security in the entire development lifecycle; clearer and more specific
    A.14.2.6 Secure development environment – this is a new clause
    A.14.2.8 System security testing – this is a new clause
    A.15 Supplier relationships – this is a new domain
    A.15.1.1 Information security policy for supplier relationships – this is a new clause
    A.15.1.2 Addressing security within supplier agreements – this is a new clause
    A.15.1.3 ICT supply chain – this is a new clause
    A.16.1.4 Assessment of and decision on information security events – part of incident management; this section is clearer
    A.16.1.5 Response to information security incidents – part of incident management; this section is more specific about an escalation procedure
    A.17.1 Information security continuity – removes the ambiguity of the previous standard and clearly focuses on protection during continuity
    A.17.2.1 Availability of information processing facilities – part of the A.17.2 Redundancies clause; this is a new requirement


    Some of the major changes seem to be ‘alignment with business strategy’, a comprehensive ‘measurable framework’, ‘inclusion of supply chain management’, ‘secure development life cycle’ and a focused incident response process.

    ISO 27001:2013 is released in September 2013; consider migrating to implement its best practices. If you are currently certified to ISO 27001:2005 you have until September 2015 to migrate.

    Hope this helps!

    Considering migrating to ISO 27001:2013?

  • Thinking of BCP? Start with Business Impact Analysis (BIA)!

    Every organisation needs a business continuity plan. Very few go for a formal ISO 22301 implementation.

    How many times have you come across a statement like this – “we have a BCP but I am not sure whether it really covers every part of the business”? Well, if this is not an unfamiliar statement, the flaw lies in not having a good business impact analysis (BIA). A BIA is a comprehensive exercise that brings every part of your business together to establish what really is urgent to recover in case of an outage.

    Most organisations build their BCMS around IT. That is a good investment, but it does not guarantee a full return on investment. If you wish to get a good return on investment, consider business impact analysis. You will be surprised that a good BIA can reduce your overall budget and save costs.

    Business Impact Analysis (BIA) is the analysis that identifies and prioritizes an organization’s services (internal and external) that should be up and running in the event of a disaster. Combined with the maximum tolerable period of disruption (MTPOD), recovery time objective (RTO), recovery point objective (RPO) and minimum business continuity objectives (MBCO), it gives the CEO the ‘requirement’ for the business continuity plan. Note that this is not IT strategy; it is business strategy first.

    Here are the key steps:

    Take a look at your organization structure (some call it organogram) and identify the teams.

    For each team identify whether it is a revenue generating service (RGS) and/or a supporting team. Easier said than done: you need a specific questionnaire that helps you identify this. One way to identify an RGS is to ask – does your discontinuity result in cash loss? If the answer is yes, the team is an RGS. All other teams are supporting services.

    Assess how long the RGS team can afford to be ‘completely out of work’ without resulting in a loss – this gives the MTPOD value. A team which can afford to be out for 7 days cannot be (in my experience) an RGS.

    Assess how many resources – people, applications, information systems, internal support teams and external service providers – are needed to resume (not restore) operations. This gives you the RTO, RPO and MBCO. Note that this is a temporary readiness; you also need a questionnaire for ‘how long can you remain in MBCO?’.

    Now classify the remaining teams/services as either an essential infrastructure service (EIS) or a delayed start service (DSS). An EIS is a service that needs to be restored before an RGS team comes into play, whereas a DSS team is the last to be restored. I don’t wish to name any team as an example here as it is ‘unique in every organization’. Classifying a team such as Human Resources as DSS without knowing what they actually do will be a big mistake.

    Now you have a list for RGS, EIS and DSS in the organization.

    With this in place you can now design a risk assessment questionnaire which reveals single points of failure (SPOF) on one side, and readiness for different outage scenarios on the other.

    To identify single points of failure, you need to verify what within each of the listed services has no redundancy. This can be a role, network infrastructure, a physical location and/or an external service provider. What you derive is a list of weaknesses which, once addressed, makes your business inherently stronger and more resilient.

    To identify outage preparedness you then need to verify readiness. Site outage, people outage, network/IT infrastructure outage and external service provider outage are sample outages for which you need to check and verify readiness.

    This whole exercise can take anywhere between two weeks and two months depending on the scale and complexity of your organization.

    The ISO 22301 BIA is then formally closed when you have the following in place:

    1. Organisation list of services – internal and external
    2. Classification of organisation services as RGS, EIS and DSS
    3. Inherent vulnerabilities in the business processes, such as single points of failure
    4. Readiness against each identified outage.
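    The classification procedure above, worked through in code. This is an added example, not part of the original post: the teams, resources and MTPOD values are constructed, the "EIS = a supporting team an RGS depends on" rule and the 7-day MTPOD flag follow the text, and the questionnaire answers are assumed to have been collected already.

```python
"""BIA classification: RGS / EIS / DSS, MTPOD sanity check, SPOF list, restore order."""
from dataclasses import dataclass, field


@dataclass
class Team:
    name: str
    cash_loss_if_down: bool          # questionnaire: does discontinuity result in cash loss?
    mtpod_days: int                  # maximum tolerable period of disruption
    depends_on: tuple = ()           # supporting teams needed to *resume* operations
    # resource kind -> instances; a single instance means no redundancy
    resources: dict = field(default_factory=dict)


def classify(teams):
    """Return {team name: 'RGS' | 'EIS' | 'DSS'}."""
    by_name = {t.name: t for t in teams}
    rgs = {t.name for t in teams if t.cash_loss_if_down}
    # EIS: any non-RGS team that an RGS (transitively) depends on, so it must be restored first
    eis, stack = set(), list(rgs)
    while stack:
        for dep in by_name[stack.pop()].depends_on:
            if dep not in rgs and dep not in eis:
                eis.add(dep)
                stack.append(dep)
    return {t.name: "RGS" if t.name in rgs else "EIS" if t.name in eis else "DSS"
            for t in teams}


def review_flags(teams, classes, max_rgs_mtpod=7):
    """RGS teams claiming they can be out for >= max_rgs_mtpod days: re-check the answer."""
    return sorted(t.name for t in teams
                  if classes[t.name] == "RGS" and t.mtpod_days >= max_rgs_mtpod)


def single_points_of_failure(teams):
    """(team, resource kind, sole instance) for every resource with no redundancy."""
    return [(t.name, kind, inst[0]) for t in teams
            for kind, inst in t.resources.items() if len(inst) == 1]


def recovery_order(teams, classes):
    """EIS first, then RGS by shortest MTPOD, DSS last."""
    rank = {"EIS": 0, "RGS": 1, "DSS": 2}
    return [t.name for t in sorted(teams, key=lambda t: (rank[classes[t.name]], t.mtpod_days))]


# Constructed sample organisation (all names are placeholders)
TEAMS = [
    Team("online-sales", True, 1, ("payments", "network-ops"),
         {"site": ["HQ"], "provider": ["PSP-A", "PSP-B"]}),
    Team("payments", True, 2, ("network-ops",), {"role": ["treasury-approver"]}),
    Team("network-ops", False, 3, (), {"link": ["ISP-1", "ISP-2"]}),
    Team("training", False, 30, (), {"site": ["HQ"]}),
    Team("claims-fraud", True, 10, ("network-ops",), {}),   # 10 days: is it really an RGS?
]

if __name__ == "__main__":
    classes = classify(TEAMS)
    print("classification:", classes)
    print("re-check RGS answer for:", review_flags(TEAMS, classes))
    print("single points of failure:", single_points_of_failure(TEAMS))
    print("restore order:", recovery_order(TEAMS, classes))
```

    The four outputs map onto deliverables 1 to 4 above: the service list with its RGS/EIS/DSS class, the SPOF list, and an ordering that readiness checks per outage scenario can be run against.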

    Each of the above points should be summarised and presented to management for further action. These inputs will help management decide the scope of business continuity. Your business continuity strategy can be ‘let’s prepare for site outage’ across the organisation. Such decisions are taken because you have a limited budget.

    Whether you are seeking ISO 22301 compliance or not for your Business Continuity Management System (BCMS), business impact analysis (BIA) is the foundation of the BCMS.

    Next time someone says “we have a BCP but I am not sure whether it really covers every part of the business”, you now know what went wrong.

    Hope this helps!

  • Risk Assessment – What is the ‘ideal’ approach? 

    The benefit of performing risk assessment far outweighs the cost or impact that an organization may have to suffer in case an incident takes place.

    Thanks to the implementation of international standards such as ISO 27001, ISO 31000, ISO 22301, ISO 20000, SSAE 16, COBIT, PCI-DSS, HIPAA and DPA (not exhaustive), there is more and more interest in understanding risk assessment methodologies and how they can benefit an organization’s business.

    The need for understanding the finer nuances is increasing but is far from the maturity levels demanded by any of the international standards. If you ask auditors about the one common flaw they find in organizations certified to any of the management system standards, they will surely respond “I wish they had a better risk assessment..”.

    What is going wrong with risk assessments today?

    The absence or immaturity of formal risk assessment is contributed to by some of the following key factors:

    • International standards are sometimes confusing to the layman – if you search for the word ‘risk’ you will find several interpretations of the same keyword; ISO 31000 defines risk closer to a (positive) opportunity whereas ISO 22301/ISO 27001/ISO 20000 reflect a negative interpretation of the word.
    • Lack of management interest and understanding of what it can do for them – most management do not see it as a constructive activity; it is seen as tied to an event such as ISO 27001 (or any other) certification. Management says “get it somehow done, and we should be compliant..”. If implemented correctly, risk assessment can be part of each business activity, and it pays to be ‘risk-aware’.
    • Inability to correlate internal and external events with the risk assessment methodology – the owners of risk assessment, the people who perform it in the organization, are often at pains to relate internal and external events to their risk assessment. It is generally something that one person does, and only he knows how it is done. Ideally the response should be “we are all involved”.

    What can be done to ensure completeness?

    Consider the following key parameters (not exhaustive) for your risk assessment approach to make it successful and beneficial to the business.

    Agree on terms and definitions: Risk is a function of asset, business impact, threat, vulnerability and probability. Define each one of them, and explain how they combine in the risk valuation of the asset.

    Agree on rating methodology: Methodology includes valuation. Valuation can be quantitative as well as qualitative. When measuring, provide a range such as 1-4 or 1-10, 1 being the lowest and 4 (or 10) the highest. The rating should be based on your organization’s valuation, not someone else’s. If you rate Availability as 4 for an asset it needs to reflect that the asset’s unavailability can hinder continuity of the business; in other words, make it contextually relevant.

    Make it simple, provide guidance: Provide support to suggest how something is to be rated as 4 (Very High). An asset containing salary data may be rated as Very High, and that rating encompasses all forms of that asset and the teams that handle it.

    Agree on context: Context is the scope of risk that you wish to address. Is it service risk, information risk or business risk? Since most risk assessments are driven by compliance objectives, define the context in terms of the assets/services/functions that need to be covered. Once you see the value you can widen the context itself.

    Start from the top: Start from the CEO. We have found that those who started with the CEO were much more successful. If the CEO is not involved, it is a sure-shot failure; I doubt it will see the light of day.

    Involve department heads (if not everybody) and make them ‘own’ it: Explain and involve the heads of departments/business process owners; they will appreciate it and help you evolve. Again, this is not just IT or security teams; it involves everyone. If you explain to a team such as R&D how risk assessment helps reduce the risk to R&D’s assets, they will surely participate.

    Consider trigger points for reassessment/change: Once you decide the context, also decide the trigger points for change. Change can be in methodology, rating, new assets, new threats, new weaknesses, or new events – internal and external – to name a few.

    Consider a target and period of measurement: Management is interested in numbers, we all know that. Define a risk target. Also apply this by showing how your risks improved over a given period of time. Note the true objective is to reduce risk to an optimum level that supports the business.
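    The rating, guidance, target and period-of-measurement parameters above as one small asset-wise risk register. This is an added example, not the post’s own method: the scoring formula (asset value × threat likelihood × vulnerability, each on the 1-4 scale) is an assumption, since the post only says risk is a function of those factors, and the assets, threats, ratings and target value are constructed.

```python
"""Asset-wise risk register on a 1-4 scale, with an agreed target and period comparison."""
SCALE = (1, 2, 3, 4)          # 1 = lowest, 4 = highest (Very High)

GUIDANCE = {                  # "make it simple": what a rating of 4 means per dimension
    "confidentiality": "disclosure causes legal/regulatory or major financial impact",
    "integrity": "undetected modification causes wrong business decisions or fraud",
    "availability": "unavailability hinders continuity of the business",
}


def check_rating(value):
    """Reject anything outside the agreed scale so registers stay comparable."""
    if value not in SCALE:
        raise ValueError(f"rating {value!r} is outside the agreed scale 1-4")
    return value


def asset_value(cia):
    """Asset value = highest of C, I, A: the most demanding protection need wins."""
    return max(check_rating(v) for v in cia.values())


def risk_score(cia, threat_likelihood, vulnerability):
    """Assumed formula: asset value x threat likelihood x vulnerability (range 1..64)."""
    return asset_value(cia) * check_rating(threat_likelihood) * check_rating(vulnerability)


def build_register(assets, threats):
    """One row per (asset, threat) pair: the information risk register."""
    return [
        {"asset": a["name"], "owner": a["owner"], "threat": t["threat"],
         "risk": risk_score(a["cia"], t["likelihood"], t["vulnerability"])}
        for a in assets for t in threats if t["asset"] == a["name"]
    ]


def above_target(register, target):
    """Rows that breach the agreed risk target and therefore need a treatment plan."""
    return [r for r in register if r["risk"] > target]


def period_delta(previous, current):
    """Per-asset change in total risk between two periods (negative = improved)."""
    def totals(register):
        out = {}
        for r in register:
            out[r["asset"]] = out.get(r["asset"], 0) + r["risk"]
        return out
    prev, cur = totals(previous), totals(current)
    return {a: cur.get(a, 0) - prev.get(a, 0) for a in set(prev) | set(cur)}


# Constructed sample: assets owned by business heads, not by IT
ASSETS = [
    {"name": "payroll-db", "owner": "HR head",
     "cia": {"confidentiality": 4, "integrity": 4, "availability": 2}},
    {"name": "public-website", "owner": "Marketing head",
     "cia": {"confidentiality": 1, "integrity": 3, "availability": 3}},
]
THREATS_Q1 = [
    {"asset": "payroll-db", "threat": "unauthorised disclosure", "likelihood": 3, "vulnerability": 3},
    {"asset": "public-website", "threat": "defacement", "likelihood": 3, "vulnerability": 2},
]
THREATS_Q2 = [  # next period: the payroll access weakness was treated, likelihood unchanged
    {"asset": "payroll-db", "threat": "unauthorised disclosure", "likelihood": 3, "vulnerability": 1},
    {"asset": "public-website", "threat": "defacement", "likelihood": 3, "vulnerability": 2},
]
TARGET = 24   # agreed with management: anything above this needs a treatment plan

if __name__ == "__main__":
    q1, q2 = build_register(ASSETS, THREATS_Q1), build_register(ASSETS, THREATS_Q2)
    print("Q1 above target:", [r["asset"] for r in above_target(q1, TARGET)])
    print("Q2 above target:", [r["asset"] for r in above_target(q2, TARGET)])
    print("change per asset:", period_delta(q1, q2))
```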

    Consider the above as a guideline for your risk assessment process, and I am sure your risk assessment will improve manifold.

    Hope this helped; let me know your reactions!

  • Which international ‘risk’ standard is right for my organization? 

    Most organizations are flooded with international standards and it is often difficult to choose the right one. In most cases the standard selection is driven by customer and/or regulatory pressure.

    If you are not driven by any external pressures and your main question is “which one is right for us?”, here is an attempt to demystify the following four international standards.

    • ISO 31000:2009 – risk management – Principles and Guidelines
    • ISO/IEC 27001: 2013 – information security management system
    • ISO/IEC 20000-1: 2011 – (IT) service management system
    • ISO 22301: 2012 – ‘societal’ business continuity management system

    The aim of this article is to give you an independent perspective on why you should go for any one of them. (If you are already compliant to one of these, then your question may be “what more can we do?”, and the article may give you some direction.)

    Since each standard demands a formal risk assessment, let’s also note the name given to the risk register if you pursue each of them independently.

    For each standard: its coverage, why you should choose it, and the name of the risk register/record.

    ISO 31000 – risk management standard
    Coverage: This standard aims to cover almost all areas of organization risk: strategic, personnel, operations, information and financial. What is missing in this standard? Specifics! This is not a certification standard, and organizations use it to compare best practices. Unlike other standards, the degree of implementation and its interpretation is left to users and to the advisers/consultants/internal auditors used by the organization.
    Why should I choose this one? Choose this standard if you typically don’t have a certification requirement but wish to raise and build an organizational culture of ‘risk’ across all areas and all functions. Most organizations applying ISO 31000 have an inherent reason to bring a culture of risk into their business life cycle.
    Risk register/record: Enterprise risk register/record should be the name if you seek to implement ISO 31000.

    ISO 27001 – information security management system
    Coverage: ISO 27001 is focused on the keyword “information” protection. What is an information asset? The answer is ‘anything that has a business value’. In other words it is not just Information Technology (IT) infrastructure. So if your organization is seeking to protect all forms of information against unauthorized access (confidentiality), unauthorized modification (integrity), and loss and destruction (availability), the standard provides a series of controls that enables you to pick and choose those that are relevant to you based on a formal asset-wise risk assessment. ISO 27001 certification involves 114 controls which aim at a combined secure architecture of preventive and detective controls, and encompass procedural, physical, technical and, most importantly, personnel controls.
    Why should I choose this one? The most popular “risk” standard with the highest number of certifications; choose this one if you are concerned about the protection of your information. How is it different from ISO 31000? The difference lies in the specifics; you can pinpoint and measure how a specific control is working, unlike several other generic standards. As part of the analysis you would be required to perform an asset-wise risk valuation which should clearly articulate the state of an asset and its control environment.
    Risk register/record: Information risk register – where for every asset you can see the risk value.

    ISO 20000-1 – (IT) service management system
    Coverage: The latest in the standard family (in terms of inclusion of the word ‘risk’). ITSM – ISO 20000 certification is aimed at making the traditional IT organization/department free from service risk. Although it has been associated with IT ‘process’ best practices, inclusion of the words “service risk” gives you a different view of ISO 20000 now. Aimed at making IT a ‘service’ department, the standard has best practices aligned with ITIL.
    Why should I choose this one? You would choose this if you wish to make your IT a “service” organization. A “service” catalog is the starting point for this and aligns your organization with business objectives.
    Risk register/record: IT (service) risk register. In ISO 20000:2005 there was a reference to a service improvement plan, which indirectly focuses on all weaknesses.

    ISO 22301 – ‘societal’ business continuity management system
    Coverage: An upgraded version of BS 25999, the new ISO 22301 gives more meaning to the scope of business continuity. ISO 22301 certification is your ability to demonstrate that you can deliver in case of a disaster. In my view most organizations used ISO 27001 between 1993 and 2007 to show their continuity maturity. In 2007 BS 25999 came into existence. Words like maximum tolerable period of disruption (MTPOD), recovery time objective (RTO) and minimum service levels (MSL) forced the business to speak up, define their continuity strategies and prioritize the parts of the business that demand quick recovery.
    Why should I choose this one? Go for this if you need to demonstrate your maturity of continuity processes. One of the key features of this compliance is your demonstration of continuity through tests, and nothing pleases a continuity professional more than the range of tests available to demonstrate their continuity strategy.
    Risk register/record: Continuity risk register – a list of issues/items that are considered gaps in the continuity of the business.

    To summarize, the choice of a risk management standard is often driven by where you see most of the risk really lies. You choose ISO 31000 when each and every area of the organization should be covered under risk management, whereas your focus should be ISO 20000 when it is limited to IT service delivery.

    There is another risk management standard – ISO 28000 for supply chain management (Specification for security management systems for the supply chain); I will keep that for perhaps another day.

    Please do not hesitate to call us for an in house session to help understand the nuances of each of these standards.

    Did this help? Let me know your views!

    • Clynton 5:27 PM on August 7, 2012

      Another Good, Simple, Relevant, to the Point Article…. :-)

  • ISO 27001 certification – key business benefits 

    Implementation of an Information Security Management System (ISMS) in line with ISO 27001:2013 demonstrates management commitment to protecting information assets, and getting certified to ISO 27001:2013 is a third-party endorsement that an organisation has fulfilled the baseline requirements.

    Let’s analyze what an organisation that is not certified misses out on. These are my top 5; needless to say, there are many more:

    1) You will realise the true value of your own ‘information’ assets – Yes, this is true; in most organizations what truly is their OWN asset and its TRUE value is revealed as part of this initiative. When the CEO answers the question ‘what is the most important information asset?’, it reveals what is really most important. One of the key exercises in the assessment is the valuation of assets on pre-determined levels (such as a 3-point rating), which helps identify the assets that require protection and the assets that do not.

    2) You will know your vulnerabilities. Let’s put it this way – “Do you know exactly how many people can cause theft of your intellectual property, or how they can do it?” OR “Do you know how many security vulnerabilities you presently have?” Only a formal assessment will show what your real weaknesses are. In the absence of a formal assessment you are far from understanding your own information risks.

    3) You will know your security strengths – you may believe that your controls are working, but in most of our assessments we find that most controls are either non-existent or implemented so loosely that they do not work against a specific threat. ISO 27001 certification ensures that they are tested and measured.

    4) You will test accountability and coordination in incident response: Accountability is either not understood or not enforced, both leading to confusion in terms of completeness. So if you have an incident, personnel look at each other to establish who should act first. In a formal implementation the incident management process is well defined and tested.

    5) Management will have clear visibility of security operations and responsibility: Management plays a key role in information protection, as they sign policies at the apex level. They sign documents that show ‘information protection = business protection’. In the absence of ISO 27001 this generally falls within IT responsibility, where information protection is driven “by IT, for IT and of IT”, instead of “by the organization, for the organization, and of the organization”.

    Not sure where to start? Consider a quick ISO 27001 gap analysis to know where you are.

    Hope this helps!