Are You Familiar With the Most Recent ISO/IEC 17799 Changes?
Becoming familiar with the most recent edition of the ISO/IEC 17799 Standard will help internal auditors stay on top of new regulatory compliance requirements.
Mark T. Edmead, CISSP, CISA
The International Standardization Organization (ISO) and International Electrotechnical Commission (IEC) 17799 Standard is an information security management code of practice that provides a broad, nontechnical framework to establish effective IT controls. What is unique about this standard is that it provides a high-level view of information security from different angles — known as security clauses — and a comprehensive set of information security best practices.
In June 2005, the ISO/IEC 17799 standard was updated to reflect changes in the field of information security. These new developments should be of particular importance to ISO-certified organizations that wish to enhance their information security controls, policies, and procedures. In addition, because many internal auditors use this standard to perform a baseline audit of an organization's security environment, becoming familiar with the standard, its new changes, current security clauses, and alignment with other regulations and laws could enhance a company's ISO/IEC 17799 certification process and the effectiveness and efficiency of IT security controls.
OVERVIEW OF THE 17799 STANDARD
ISO/IEC 17799 is designed for companies that wish to develop effective information-security management practices and enhance their IT security efforts. Among other things, the standard provides valuable information to senior managers on security-related issues that can be used prior to conducting a risk assessment, including best practices on how to identify critical assets. The standard also provides information on the role organizational structures play as part of the company’s information security efforts, such as the various types of controls used to mitigate risk — administrative, technical, and physical controls. For example, background checks performed by human resources (HR) departments are one of many administrative controls used to mitigate risk, while network perimeter security activities performed by IT departments serve as a technical control. Therefore, the HR and IT departments are both responsible for a portion of the company's overall security objectives, even though they perform two distinct functions on a daily basis.
The new version of ISO/IEC 17799 consists of 11 clauses that are divided into one or more security categories — each with a clear control objective — for a total of 39 security categories. When examined from a control-level perspective, the standard's structure has been improved: Where the previous version provided a control with supporting text, guidelines, and more supporting text, the new version provides supporting text subdivided by definitions, implementation guidelines, and information on how the specific control interfaces with other controls within the standard. Table 1 compares the security clauses of the earlier version released in 2000 and the updated 2005 edition.
Table 1: Comparison of security clauses in the 2000 and 2005 versions of the ISO/IEC 17799 Standard.
Besides featuring a new clause — Information Security Incident Management — the new version has 133 controls, up from 125, and provides information on security of external service deliveries; vulnerability issues, including patch management; how to handle security prior to, during, and after employment termination; incident risk and handling; and mobile, remote, and distributed applications. Finally, the new version provides additional information on legal agreements, business processes and relationships, and risk.
SECURITY CLAUSES IN THE UPDATED STANDARD
Security clauses define an organization's posture toward security and identify key areas businesses must consider when implementing IT controls. ISO/IEC 17799's 11 security clauses can help companies accomplish both objectives by providing a comprehensive set of information security best practices organizations can use to enhance their IT infrastructure. Below is a brief description of the security clauses in the 2005 version.
Security Policy
Security policies are the foundation of the security framework and provide direction and information on the company's security posture. This clause states that support for information security should be done in accordance with the company's security policy. For instance, auditors should determine if the company has a security policy, how it is maintained, and whether it is disseminated to all employees.
Organizing Information Security
This clause addresses the establishment and organizational structure of the security program, including the appropriate management framework for security policy, how information assets should be secured from third parties, and how information security is maintained when processing is outsourced.
Asset Management
This clause describes best practices for classifying and protecting assets, including data, software, hardware, and utilities. The clause also provides information on how to classify data, how data should be handled, and how to protect data assets adequately.
Human Resources Security
This clause describes best practices for personnel management, including hiring practices, termination procedures, employee training on security controls, dissemination of security policies, and use of incident response procedures.
Physical and Environmental Security
As the name implies, this clause addresses the different physical and environmental aspects of security, including best practices organizations can use to mitigate service interruptions, prevent unauthorized physical access, or minimize theft of corporate resources.
Communications and Operations
This clause discusses the requirements pertaining to the management and operation of systems and electronic information. Examples of controls to audit in this area include system planning, network management, and e-mail and e-commerce security.
Access Control
This security clause describes how access to corporate assets should be managed, including access to digital and nondigital information, as well as network resources.
Information Systems Acquisitions, Development, and Maintenance
This section discusses the development of IT systems, including applications created by third parties, and how security should be incorporated during the development phase.
Information Security Incident Management
This clause identifies best practices for communicating information security issues and weaknesses, such as reporting and escalation procedures. Once established, auditors can review existing controls to determine if the company has adequate procedures in place to handle security incidents.
Business Continuity Management
The 10th security clause provides information on disaster recovery and business continuity planning. Actions auditors should review include how plans are developed, maintained, tested, and validated, and whether or not the plans address critical business operation components.
Compliance
The final clause provides valuable information auditors can use when identifying the compliance level of systems and controls with internal security policies, industry-specific regulations, and government legislation.
COMPATIBILITY WITH OTHER REGULATIONS
Senior managers working in organizations that are undertaking compliance efforts for the first time often wonder whether different compliance initiatives are compatible with one another. For instance, many companies have to adhere to more than one regulation, often spending a lot of money and time making sure they are compliant with each piece of legislation. The question senior managers often ask auditors is, "How does ISO/IEC 17799 relate to other regulations that address information security, such as the U.S. Sarbanes-Oxley Act of 2002 or U.S. Health Insurance Portability and Accountability Act of 1996?"
Standards in the ISO 27000 Series
Following is a description of current and future standards in the ISO 27000 series:
Therefore, if a company is compliant with the ISO/IEC 17799 Standard, it will most likely meet IT management requirements found in other laws and regulations. However, because different standards strive for different overall objectives, auditors should point out that compliance with 17799 alone will not meet all of the requirements needed for compliance with other laws and regulations.
Establishing an ISO/IEC 17799 compliance program could enhance a company's information security controls and IT environment greatly. Conducting an audit evaluation of the standard provides organizations with a quick snapshot of the security infrastructure. Based on this snapshot, senior managers can obtain a high-level view of how well information security is being implemented across the IT environment. In fact, the evaluation can highlight gaps present in security controls and identify areas for improvement.
In addition, organizations looking to enhance their IT and security controls could keep in mind other ISO standards, especially current and future standards from the 27000 series, which the ISO has set aside for guidance on security best practices (see "Standards in the ISO 27000 Series" above for additional information). To learn more about the recent changes to ISO/IEC 17799, auditors can visit the ISO Web site, www.iso.org, or the ISO Directory Web page, www.27000.mobi.
Mark T. Edmead, CISSP, CISA, is president of MTE Advisors and has more than 25 years' experience in the areas of computer systems architecture, information security, project management, and IT and application audits. In the past, Edmead worked as a consultant for Fortune 500 and 1000 companies in the areas of information, system, and Internet security, as well as regulatory compliance. In addition, he has worked for many auditing and computer security firms, such as KPMG Information Risk Management Group, IBM's Privacy and Security Group, and Protiviti.