Name/Title: ISO27001 Analysis

Reviewer: DavidGiaretta

Editor(s)/Preparing Organization: JTC 1/SC27

Registration ID (optional): ISO/IEC 27001:2005

Scope:

Quoting the document scope:

"specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof."

ISMS stands for Information Security Management System.

Applicability:

Claims to cover all types of organisations, e.g. commercial enterprises, government agencies, non-profit organizations.

Proposed Relevance Level to this RAC effort:

(1 = Lowest, 5 = Highest) 3 - but limited to short-term, more or less bit-level, preservation.

Organisation of document:

Foreword
0 Introduction
0.1 General
0.2 Process approach
0.3 Compatibility with other management systems
1 Scope
1.1 General
1.2 Application
2 Normative references
3 Terms and definitions
4 Information security management system
4.1 General requirements
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
4.2.2 Implement and operate the ISMS
4.2.3 Monitor and review the ISMS
4.2.4 Maintain and improve the ISMS
4.3 Documentation requirements
4.3.1 General
4.3.2 Control of documents
4.3.3 Control of records
5 Management responsibility
5.1 Management commitment
5.2 Resource management
5.2.1 Provision of resources
5.2.2 Training, awareness and competence
6 Internal ISMS audits
7 Management review of the ISMS
7.1 General
7.2 Review input
7.3 Review output
8 ISMS improvement
8.1 Continual improvement
8.2 Corrective action
8.3 Preventive action
Annex A (normative) Control objectives and controls
Annex B (informative) OECD principles and this International Standard
Annex C (informative) Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard
Bibliography

Summary Description:

From our point of view the stress of ISO27001 is the impact on the business, rather than the impact on the usability and understandability of the information held in trust as part of long-term preservation.

Information security is defined as "preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved".

"business" in this International Standard should be interpreted broadly to mean "those activities that are core to the purposes for the organization's existence".

The risks that are identified include:

  • Identify the impacts that losses of confidentiality, integrity and availability may have on the assets

which are then analysed/assessed in terms of:

  • the business impacts upon the organization that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets

Annex A (which is normative) is entitled "Control objectives and controls" and is directly derived from and aligned with ISO 17799:2005.

Looking in detail at the topics, there is nothing to do with understandability by external users.

Other comments:

It is stated that ISO 27001 is "aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation with related management standards. One suitably designed management system can thus satisfy the requirements of all these standards".

It may be that we could include this type of statement in our document.

Thinking again about the "information" vs "bits" issue, ISO27001 refers to "information", and this can be understood in terms of the Designated Community being the organisation itself. The organisation has its own Representation Information associated with the bits - embodied in the various pieces of software employed by the organisation. Taking this interpretation one can then see that ISO 27001 is very restricted in terms of long-term preservation of digitally encoded information, and indeed covers just section D of the draft RLG/NARA document - sections A, B and C are not covered by ISO 27001. More importantly, although the standard talks in terms of "information" security, it is, in the broader sense, really concerned with "bit" preservation within the organisation.

My conclusion is that what we are seeking is NOT a minor addition to ISO 27001, but rather a fundamental change in its direction, and so what we seek to do cannot be done by a small addition to ISO 27001 audits.

-- DavidGiaretta - 06 Mar 2007

Topic revision: r3 - 2007-03-08 - DavidGiaretta