June 2006

Are You Familiar With the Most Recent ISO/IEC 17799 Changes?

Becoming familiar with the most recent edition of the ISO/IEC 17799 Standard will help internal auditors stay on top of new regulatory compliance requirements.

Mark T. Edmead, CISSP, CISA
President
MTE Advisors

The International Standardization Organization (ISO) and International Electrotechnical Commission (IEC) 17799 Standard is an information security management code of practice that provides a broad, nontechnical framework to establish effective IT controls. What is unique about this standard is that it provides a high-level view of information security from different angles — known as security clauses — and a comprehensive set of information security best practices.

In June 2005, the ISO/IEC 17799 standard was updated to reflect changes in the field of information security. These new developments should be of particular importance to ISO-certified organizations that wish to enhance their information security controls, policies, and procedures. In addition, because many internal auditors use this standard to perform a baseline audit of an organization's security environment, becoming familiar with the standard, its new changes, current security clauses, and alignment with other regulations and laws could enhance a company's ISO/IEC 17799 certification process and the effectiveness and efficiency of IT security controls.

OVERVIEW OF THE 17799 STANDARD

ISO/IEC 17799 is designed for companies that wish to develop effective information-security management practices and enhance their IT security efforts. Among other things, the standard provides valuable information to senior managers on security-related issues that can be used prior to conducting a risk assessment, including best practices on how to identify critical assets. The standard also provides information on the role organizational structures play as part of the company’s information security efforts, such as the various types of controls used to mitigate risk — administrative, technical, and physical controls. For example, background checks performed by human resources (HR) departments are one of many administrative controls used to mitigate risk, while network perimeter security activities performed by IT departments serve as a technical control. Therefore, the HR and IT departments are both responsible for a portion of the company's overall security objectives, even though they perform two distinct functions on a daily basis.

Key Changes
The new version of ISO/IEC 17799 consists of 11 clauses that are divided into one or more security categories — each with a clear control objective — for a total of 39 security categories. When examined from a control-level perspective, the standard's structure has been improved: Where the previous version provided a control with supporting text, guidelines, and more supporting text, the new version provides supporting text subdivided by definitions, implementation guidelines, and information on how the specific control interfaces with other controls within the standard. Table 1 compares the security clauses of the earlier version released in 2000 and the updated 2005 edition.

2000 Version

2005 Version

  • Security
  • Organizational Security
  • Asset Classification and Control
  • Personnel Security
  • Physical and Environmental Security
  • Communications and Operations
  • Access Control
  • Systems Development and Maintenance
  • Business Continuity Management
  • Compliance
  • Security
  • Organizing Information Security
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications and Operations
  • Access Control
  • Information Systems Acquisition, Development, and Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance

Table 1: Comparison of security clauses in the 2000 and 2005 versions of the ISO/IEC 17799 Standard.

Besides featuring a new clause — Information Security Incident Management — the new version has 133 controls, up from 125, and provides information on security of external service deliveries; vulnerability issues, including patch management; how to handle security prior to, during, and after employment termination; incident risk and handling; and mobile, remote, and distributed applications. Finally, the new version provides additional information on legal agreements, business processes and relationships, and risk.

SECURITY CLAUSES IN THE UPDATED STANDARD

Security clauses define an organization's posture toward security and identify key areas businesses must consider when implementing IT controls. ISO/IEC 17799's 11 security clauses can help companies accomplish both objectives by providing a comprehensive set of information security best practices organizations can use to enhance their IT infrastructure. Below is a brief description of the security clauses in the 2005 version.

Security Policy
Security policies are the foundation of the security framework and provide direction and information on the company's security posture. This clause states that support for information security should be done in accordance with the company's security policy. For instance, auditors should determine if the company has a security policy, how it is maintained, and whether it is disseminated to all employees.

Organizing Information Security
This clause addresses the establishment and organizational structure of the security program, including the appropriate management framework for security policy, how information assets should be secured from third parties, and how information security is maintained when processing is outsourced.

Asset Management
This clause describes best practices for classifying and protecting assets, including data, software, hardware, and utilities. The clause also provides information on how to classify data, how data should be handled, and how to protect data assets adequately.

Human Resources Security
This clause describes best practices for personnel management, including hiring practices, termination procedures, employee training on security controls, dissemination of security policies, and use of incident response procedures.

Physical and Environmental Security
As the name implies, this clause addresses the different physical and environmental aspects of security, including best practices organizations can use to mitigate service interruptions, prevent unauthorized physical access, or minimize theft of corporate resources.

Communications and Operations
This clause discusses the requirements pertaining to the management and operation of systems and electronic information. Examples of controls to audit in this area include system planning, network management, and e-mail and e-commerce security.

Access Control
This security clause describes how access to corporate assets should be managed, including access to digital and nondigital information, as well as network resources.

Information Systems Acquisitions, Development, and Maintenance
This section discusses the development of IT systems, including applications created by third-parties, and how security should be incorporated during the development phase.

Information Security Incident Management
This clause identifies best practices for communicating information security issues and weaknesses, such as reporting and escalation procedures. Once established, auditors can review existing controls to determine if the company has adequate procedures in place to handle security incidents.

Business Continuity Management
The 10th security clause provides information on disaster recovery and business continuity planning. Actions auditors should review include how plans are developed, maintained, tested, and validated, and whether or not the plans address critical business operation components.

Compliance
The final clause provides valuable information auditors can use when identifying the compliance level of systems and controls with internal security policies, industry-specific regulations, and government legislation.

COMPATIBILITY WITH OTHER REGULATIONS

Senior managers working in organizations that are undertaking compliance efforts for the first time often wonder whether different compliance initiatives are compatible with one another. For instance, many companies have to adhere to more than one regulation, often spending a lot of money and time making sure they are compliant with each piece of legislation. The question senior managers often ask auditors is, "How does ISO/IEC 17799 relate to other regulations that address information security, such as the U.S. Sarbanes-Oxley Act of 2002 or U.S. Health Insurance Portability and Accountability Act of 1996?"

Standards in the ISO 27000 Series

Following is a description of current and future standards in the ISO 27000 series:

  • ISO 27001. This standard is equivalent to the current 7799-2 standard from the British Standard Institute. Both state the requirements needed for an information security management system (ISMS). For more information on ISO 27001, auditors can read "Key Strategies for Implementing ISO 27001" by K.K. Mookhey and Khushbu Jithra.
  • ISO 27002. This number is being earmarked for the ISO 17799 Standard, which will be renamed in 2007.
  • ISO 27003. This number is set aside for a new standard that will provide guidance on implementing information security management systems. The standard is currently being prepared.
  • ISO 27004. This standard will provide best practices on information security management measurements (e.g., how, what, and when to measure ISMS processes and controls). The standard is not expected to be completed until 2007 and is linked to a new requirement in ISO 27001 that mandates the measurement of ISMS controls.
  • ISO 27005. This is the proposed standard for information security risk management. Once the standard is completed, it is expected that British Standard 7799-3 will evolve into ISO 27005.
Because ISO/IEC 17799 points the way to a strong security infrastructure, its best practices provide a basis organizations can use to implement a consistent approach for aligning all security initiatives and best practices. Implementing the standard's best practices also enables organizations to assure that established controls are meeting defined compliance objectives. For instance, ISO/IEC 17799 compliance covers areas much wider than similar Sarbanes-Oxley requirements. Companies that have to comply with both regulations could use ISO/IEC 17799 compliance requirements as the foundation for overlapping Sarbanes-Oxley mandates.

Therefore, if a company is compliant with the ISO/IEC 17799 Standard, it will most likely meet IT management requirements found in other laws and regulations. However, because different standards strive for different overall objectives, auditors should point out that compliance with 17799 alone will not meet all of the requirements needed for compliance with other laws and regulations.

LOOKING FORWARD

Establishing an ISO/IEC 17799 compliance program could enhance a company's information security controls and IT environment greatly. Conducting an audit evaluation of the standard provides organizations with a quick snapshot of the security infrastructure. Based on this snapshot, senior managers can obtain a high-level view of how well information security is being implemented across the IT environment. In fact, the evaluation can highlight gaps present in security controls and identify areas for improvement.

In addition, organizations looking to enhance their IT and security controls could keep in mind other ISO standards, especially current and future standards from the 27000 series, which the ISO has set aside for guidance on security best practices (see  "Standards in the ISO 27000 Series" above for additional information). To learn more about the recent changes to ISO/IEC 17799, auditors can visit the ISO Web site, www.iso.org or the ISO Directory Web page, www.27000.mobi.

Mark T. Edmead, CISSP, CISA, is president of MTE Advisors and has more than 25 years' experience in the areas of computer systems architecture, information security, project management, and IT and application audits. In the past, Edmead worked as a consultant for Fortune 500 and 1000 companies in the areas of information, system, and Internet security, as well as regulatory compliance. In addition, he has worked for many auditing and computer security firms, such as KPMG Information Risk Management Group, IBM's Privacy and Security Group, and Protiviti.


COMMENT ON THIS ARTICLE

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:


To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

 

Subscribe_June 2014 

IIA_AllStar_July2014

 IIA_AllStar_July2014

IIA Academic_Nov 2013

IIA SmartBrief

 IIA Vision University

 

 Twitter

facebook IAO 

IA APP