Name/Title: ISO 27000 information security series analysis (2nd draft)

Reviewer: ChrisRusbridge

Editor(s)/Preparing Organization: JTC 1/SC27

Registration ID (optional): ISO/IEC 27001:2005

ISO 27001 links to parts of ISO 17799, and both grew out of different parts of British Standard BS 7799, plus other work. In particular, ISO 27001:2005 replaces BS 7799-2:2002, which was the basis of information security auditing and certification. Apparently, to audit against ISO 27001 you still need to use ISO 17799:2005, the Code of Practice, which expands the list of security controls in 27001. ISO 17799 may become ISO 27002, but is not expected to change much in doing so. Additional 27000 series standards are expected, including ISO 27000 Principles and vocabulary, 27003 Implementation Guidelines, 27004 Metrics and Measurements, 27005 Risk Management, and 27006 Accreditation requirements for certification bodies.

The remainder of this page is mostly about ISO 27001:2005.

Scope:

Information security is defined in this standard as "preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved." The definition does NOT refer only to the bits, but talks about information; it is never explicit, but it seems likely that the "understandability" of a digital object over the long term would be seen as a part of the integrity and availability of that information.

There's quite a readable introduction to ISO 27001 at http://www.praxiom.com/iso-27001-intro.htm; Google will find you other documents no doubt (for example at http://www.itgovernance.co.uk/page.bs7799). The standard itself is of course copyright, which some may see as a problem (but we are involved in an ISO process, so we can't really complain!).

Applicability:

(describe where and/or to whom the document is applicable, such as types of systems or organizations; may be multiple)

Broadly applicable to all types of organisations that seek to improve their information security and/or demonstrate to others that they have done so. Some organisations (for example universities) may find its controls hard to implement, but this is likely to be less of an issue for repositories and archives. For example, I suspect that the physical controls in BS 5454 (physical archives of documents) would find matches in 27001's physical controls [check?].

Proposed Relevance Level to this RAC effort: 5

(1 = Lowest, 5=Highest)

Organisation of document: ISO/IEC 27001:2005

(e.g. table of Contents)

Section 4: Information Security Management System (ISMS; this section describes the Plan-Do-Check-Act approach)

Section 5: Management Responsibilities

Section 6: Internal ISMS auditing

Section 7: Management Review of the ISMS

Section 8: ISMS improvement

Appendix A (normative): Control objectives and controls (expanded in 17799).

Summary Description:

(text describing summary of important points to justify proposed relevance)

One interesting feature of ISO 27001 (which it shares with ISO 9001, the quality standard) is that it is based around a continuous quality improvement model, referred to as PDCA (for Plan-Do-Check-Act). So to get conformance with the standard you not only have to meet the controls, but must have in place a quality improvement system along the lines mentioned.

A second interesting feature is that it is fundamentally based around a risk assessment approach. It's not just a question of unthinkingly implementing security controls: you have to perform a risk assessment, identifying your assets and the risks to those assets, their vulnerabilities and impacts, and the options for treating those risks, which include applying security controls, accepting the risks, avoiding them, or transferring them to some other party (e.g. finding a trusted digital repository to look after your stuff for you!). With the ability to indicate that you are accepting certain risks and therefore not applying certain controls, the standard becomes applicable to a wider range of audiences than just the heavyweight institutions (which may opt out of none and apply them all). In the US, I believe the Federal Information Security Act requires a risk-based approach to information security.

A third interesting feature is that the standard comes with a ready-made system of accredited auditors in place. They would not be fully equipped to audit trusted digital repositories, but they would already be equipped to audit some of the required elements. A member has reported that ISO 27001-accredited auditors feel the standard equips them to do most of the auditing required for the TDR case; yet to be proven, perhaps. (Note: some other security standards also have established audit and certification systems in place.)

For digital preservation (careful choice of term, rather than TDR) confidentiality, integrity and availability over the long term are among the key requirements. Information security should be seen as a required subset of digital preservation. These standards are the ISO standards for information security, so there is a prima facie case for them being extremely relevant, if not required elements for that part of our standard that refers to information security. The alternatives are to find an alternative information security standard to refer to, or to hand-stitch our own information security requirements into our standard.

Are there alternatives? One which has the advantage of being free is the Information Security Forum's standard, see http://www.isfsecuritystandard.com/index_ns.htm. It is perhaps more explicitly IT-based rather than information-based (a critical difference). The NIST page at http://csrc.nist.gov/ lists some requirements placed by the US Government; as far as I can tell, their Special Publication 800-100 (Information Security Handbook: A Guide for Managers) at http://csrc.nist.gov/publications/nistpubs/800-100/sp800-100.pdf at least uses the ISO standards as part of its sources, though it may add other requirements. There is also version 4 of Cobit, at http://www.isaca.org/cobit/; registration is needed to get a copy. From some of the freely accessible documents, it looks as if Cobit may also be more IT security than information security. Others may have a clearer view on this. Other alternatives may be listed at http://www.infosyssec.org/infosyssec/security/secpol1.htm.

However, if this group is primarily aiming at ISO standardisation, it is hard to recommend anything other than the ISO information security standard. The fact that it is charged for is insufficient argument against the ISO standard (if we don't accept their policy we should not aim for ISO standardisation in the first place).

Other comments:

The draft RLG/NARA/TRAC document has several references to ISO 17799, including this quote: "In fact, it is all but ensured that if an organisation is ISO 17799 certified, it will completely meet all the criteria found in section D of the Audit and Certification Criteria...".

Looking more at the detail, some further work will be needed to match the TDR, RLG/NARA or nestor requirements against those of ISO 27001/17799. More analysis is needed to see how good a fit it might be; it's tricky since we don't know which of these is the best benchmark to compare against.

What does seem clear is that there are important information security controls MISSING from RLG/NARA/TRAC section D; we could work to add them, i.e. duplicate the 27001 effort, or we could find a way to subsume that effort. The former is wasteful and a perpetual catch-up game.

A tabular cross-walk between the 27001 Appendix A security controls and the Draft RLG/NARA/TRAC section D controls will be added to (or linked from) these pages; from existing reading, it is clear that this is not a 1:1 matching, and that there will be ambiguity and interpolations both ways. It is also clear that ISO 27001 specifies a framework in which controls are selected through a risk-based analysis. We may be suggesting that in the particular case of digital preservation, these other issues need to be taken into account.

The following suggested approach was largely agreed at the meeting on 21 February 2007:

a) the proposed standard should use a continuous quality improvement model

b) the quality improvement model should be based on the PDCA approach used in ISO 27001 and 9001

c) the proposed standard should use a risk assessment approach rather than a fully mandated approach

d) the information security elements of the proposed standard should link to the ISO information security standards, rather than any other non-ISO information security standard, and rather than attempting to build our own information security controls (perhaps this one did not get full agreement at this stage).

-- ChrisRusbridge - 15 Feb 2007

-- ChrisRusbridge - 21 Feb 2007

Topic revision: r2 - 2007-02-21 - ChrisRusbridge