Structured analysis of ISO 27001 by section

The aim of this page is for people to add comments on the relevance of specific sections of ISO 27001 to the general needs of digital repository audit and certification.

(Chris Rusbridge) A re-reading of ISO 27001 indicates that ALL of 27001 applies to an OAIS. The requirements of 27001 are NECESSARY, although not SUFFICIENT, for the operation of an OAIS. I was not able to find a single optional requirement. Some 27001 controls are better specified, and a close reading of 27001 points out weaknesses in the TRAC document; for example, there is in TRAC (extraordinarily!) no control or set of controls that adequately matches the controls in A.10.1 (although sections C1.7 to C1.10 of TRAC do address aspects). In effect I believe that TRAC specifies a set of additional controls that should be applied to a business claiming to be an OAIS. However, most of the controls in section C of TRAC are incomplete in comparison to those specified in 27001, and we would be better to completely remove them from any standard. The exceptions would include TRAC sections C1.3 and C1.4, for instance, which address specific controls that relate to the long term nature of an OAIS.

3.4 (Chris Rusbridge) Information Security definition. Long term understandability of information should be added. A corresponding definition of understandability should be added.

4. Information security management system

4.1 General requirements

(Barbara Sierman) reference to "Common Services" in OAIS terminology

(Barbara Sierman) business activities = mission statement? (Chris Rusbridge) It is surely clear that an OAIS is a business, with business planning etc; these terms even appear in the TRAC document. The business activities for an OAIS should mean the "business" of preserving information for the long term.

(Chris Rusbridge) The statement at the start of 4.1 applies exactly to an OAIS: "The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization's overall business activities and the risks it faces."

(Barbara Sierman) reference to internationally accepted standards, procedures and controls in long term preservation environments

4.2 Establishing and managing the ISMS

4.2.1 Establish the ISMS

(Barbara Sierman) (c & d) need some specification in regards of the risks of long term preservation

(Barbara Sierman) (f.4) not applicable? (Chris Rusbridge) Unless perfect certainty can be arrived at, then all options in the treatment of risk should be allowed, including transferring risk to other parties such as insurers, other archives, etc.

(Barbara Sierman) Annex A to be investigated

4.2.2 Implement and operate the ISMS

4.2.3 Monitor and review the ISMS

4.2.4 Maintain and improve the ISMS

4.3 Documentation requirements

4.3.1 General

(Barbara Sierman) Extra reference to the fact that this documentation also needs to be stored for the long term

(Barbara Sierman) Extra: documentation on error, incidents etc. that happened in the repository

4.3.2 Control of documents

4.3.3 Control of records

5. Management responsibility

5.1 Management commitment

5.2 Resource management

5.2.1 Provision of resources

5.2.2 Training, awareness and competence

6. Internal ISMS audits

7. Management and review of the ISMS

7.1 General

7.2 Review input

7.3 Review output

8. ISMS improvement

8.1 Continual improvement

8.2 Corrective action

8.3 Preventive action

A. Control objectives

(Chris Rusbridge) This section matches numbering from 17799. References to TRAC documentation will be preceded by T, eg TA1.1 refers to section A1.1 of TRAC. Matches are complex since terminology and granularity both differ between the two documents, and some judgement is required. Not all correspondences have been identified in what follows.

A.5 Security policy

A.5.1 Information security policy document

See TA1.1, TA3.1, TA3.2, TA3.3

A.5.2 Review of the information security policy

See TA3.2, TA3.4

A.6 Organisation of information security

A.6.1.1 Management commitment to information security
See TA2.1, TA2.2
A.6.1.4 Authorization process for information processing facilities
See TA3.3??
A.6.1.7 Contact with special interest groups
See TA3.5
A.6.1.8 Independent review of information security
See TA3.4, TA3.9

A.6.2 External parties

See TA5?

A.7 Asset management

A.7.1 Responsibility for assets

See TC3.1?

A.7.2 Information classification

See TB

A.8 Human resources security

See TC3.3, TA2
A.8.2.2 Information security awareness, education and training
See TA2.3

A.9 Physical and environmental security

A.10 Communications and operations management

A.10.1.1 Documented operating procedures
See TC1.7, TC1.9 but these are not complete in the sense meant by this control
A.10.1.2 Change management
See TC1.8, TC1.10
A.10.3.1 Capacity management (part of System planning and acceptance)
See TC2.1??
A.10.3.2 System acceptance
See TC1.9

A.10.4 Protection against malicious and mobile code

See TC1.10??? This issue and related ones not specifically addressed by TRAC!

A.10.5 Back-up

See TC1.2

A.10.7 Media Handling

See TC1.7
A.10.10.1 Audit logging
See TC1.5?

A.11 Access control

See TB6, but 27001 includes many more essential controls

A.11.5 Operating system access control

See TC1.1?

A.12 Information systems acquisition, development and maintenance

A.12.1 Security requirements of information systems

See TC1.1?
A.12.2.1 Input data validation
See TB1.4
A.12.2.2 Control of internal processing
See TB4.4, TB2.12
A.12.2.3 Message integrity
See TB2.12
A.12.2.4 Output data validation
See TB6.7

A.12.3 Cryptographic controls

(Chris Rusbridge) I did not notice any treatment of this incredibly important issue in TRAC, other than perhaps in "gain adequate control"!
A.12.5.1 Change control procedures
See TC1.8

A.13 Information security incident management

A.13.1.1 Reporting information security events
See TB6.6 (Chris Rusbridge) I'm sure I noticed others!

A.14 Business continuity management

See TC3.4

A.15 Compliance

-- SimonLambert - 04 Apr 2007 -- ChrisRusbridge - 11 Apr 2007

Topic revision: r2 - 2007-04-11 - ChrisRusbridge