The ISO/IEC 2700x series of standards deals with information security management. It is composed of a set of standards providing information for setting up an Information Security Management System (ISMS).
Introduction to ISO management systems
2.4 Security risk management standards 31
The ISO standards providing requirements and guidance about best management practices are among the most well-known standards. The most popular management system series of standards are the ISO 900x series about quality management systems [ISO00] and the ISO 1400x series about environmental management systems [ISO04a]. Many other domains have followed this initiative and have proposed an adapted management system based on the same generic model (Table 2.1).
Table 2.1: Management standards and related sectors

Sector                   Standard or series of standards
Automotive               ISO/TS 16949:2002
Education                IWA 2:2007
Environment              ISO 14001:2004
Food safety              ISO 22000:2005
Health care              IWA 1:2005
Information security     ISO/IEC 27001:2005
IT service management    ISO/IEC 20000:2005
Local government         IWA 4:2005
Quality                  ISO 9001:2000
Medical devices          ISO 13485:2003
Petroleum and gas        ISO 29001:2003
Ship recycling           ISO 30000
Supply chain security    ISO 28000:2007
A management system is defined as the framework of processes and procedures used to ensure that an organisation can fulfill all tasks required to achieve its objectives [Wik08b]. Within the set of common principles shared by the management systems, the main one is the application of the Plan-Do-Check-Act paradigm, also called Deming wheel or PDCA cycle [LNN+96]. This cycle is composed of the four following steps, to be performed iteratively [ISO05b, ISO00, ISO04a]:
• PLAN
Establish the objectives and processes necessary to deliver results in accordance with the specifications.
• DO
Implement the processes.
• CHECK
Monitor and evaluate the processes and results against objectives and specifications.
• ACT
Apply actions to the outcome for necessary improvement.
The main purpose of a management system is always to keep the organisation in a continuous improvement loop for the domain concerned.
Overview of the ISO/IEC 2700x series of standards
The ISO/IEC 2700x series of standards is currently expected to be composed of 8 main standards (Figure 2.4), dedicated to information security. Some other standards, numbered ISO/IEC 27001x, are reserved for sector-specific requirements or guidelines standards. The following are expected: Information security management guidelines for telecommunications based on ISO/IEC 27002, and Sector-Specific ISMS Standards for the World Lottery Association and for the Automotive Industry based on ISO/IEC 27001.
Figure 2.4: The ISO/IEC 2700x series of standards
ISO/IEC 27000: Overview and vocabulary. This first standard defines the basic principles and the terminology concerning an ISMS. It will supersede the first part of ISO/IEC 13335 [ISO04b]. Publication is expected for 2009.
ISO/IEC 27001: ISMS Requirements. The ISO/IEC 27001 standard [ISO05b] provides the requirements necessary to establish and manage an ISMS. It was the first standard of the ISO/IEC 2700x series to be published (October 2005) and the whole series is built around this standard. Organisations can obtain an ISO/IEC 27001 certification with regard to their compliance with the requirements of this standard. The standard comes from a British Standard (BS 7799-2) that is now obsolete.
ISO/IEC 27002: Code of Practice for Information Security Management. The ISO/IEC 27002 [ISO05c] standard is only the renaming (in April 2007) of the already existing ISO/IEC 17799 standard. ISO/IEC 17799 was the first ISO standard dealing with information security and its objective was to define a set of good practices for ensuring information security management. This standard, published in 2000, was then reviewed in 2002 and 2005. The content of ISO/IEC 27002 is currently similar to that of ISO/IEC 17799:2005, and the security controls it proposes are part of the ISO/IEC 27001 requirements.
ISO/IEC 27003: ISMS implementation guidance. The ISO/IEC 27003 standard aims at providing implementation guidelines for establishing and implementing an ISMS. It is focused on how to effectively perform the PDCA cycle and complete the requirements of an ISMS. Publication is expected for 2009.
ISO/IEC 27004: Information security management measurements. Amongst the ISO/IEC 27001 requirements, some require measuring the efficiency of the ISMS. The ISO/IEC 27004 standard provides guidelines for helping organisations to observe and measure the efficiency of their ISMS implementation. Publication is expected for 2009.
ISO/IEC 27005: Information security risk management. The ISO/IEC 27005 standard [ISO08] proposes a process to follow for performing security risk management, as required by ISO/IEC 27001. It was published in June 2008. It is an evolution of ISO/IEC 13335 parts 3 and 4.
ISO/IEC 27006: Requirements for bodies providing audit and certification of ISMS. The ISO/IEC 27006 standard specifies requirements and provides guidance for bodies providing audit and certification of an ISMS. It is primarily intended to support the accreditation of certification bodies providing ISMS certification. It was published in February 2007.
ISO/IEC 27007: ISMS Auditor Guidelines. The ISO/IEC 27007 standard provides guidance on conducting ISMS audits. A part is dedicated to the competences needed by ISMS auditors. This guide will be complementary to the ISO 19011 [ISO02a] standard, which provides guidelines for quality and environmental management systems audit (and is generic enough to be used as a reference for an ISMS audit). No publication date has currently been suggested.
ISO/IEC 27005: Information security risk management
The objective of the ISO/IEC 27005 standard is to describe the information security risk management process and its tasks. As mentioned in the scope of the standard, it supports the general concepts specified in ISO/IEC 27001 and is designed to satisfy the requirement of having information security based on a risk management approach. Indeed, ISO/IEC 27001 requires a systematic approach to information security risk management. For each task of the process, the inputs and outputs are given by the standard. Then, the action describing the task is defined and some implementation guidance is provided. The process proposed is an evolution of the one proposed in the AS/NZS 4360 standard (Figure 2.2).
The ISO/IEC 27005 information security risk management process consists of context establishment, risk assessment, risk treatment, risk acceptance, risk communication, and risk monitoring and review. This process should be iterative and continuous.
Figure 2.5: The ISO/IEC 27005 information security risk management process (as appears in [ISO08])
Once context establishment and risk assessment have been conducted, it is necessary to evaluate whether sufficient information is available to take a decision about risk treatment. If not, a new iteration (possibly partial) with updated context and risk assessment is conducted. Otherwise, the risk treatment task is performed (cf. Figure 2.5, Risk Decision Point 1).
Several iterations of the risk treatment task could be needed to reach the best state in terms of residual risk and ROSI. Moreover, since the effectiveness of the risk treatment depends on the results of the risk assessment, it is possible that no acceptable level of residual risk can be reached. In this case, a revision of the process starting from the context establishment can be necessary to update the different parameters (cf. Figure 2.5, Risk Decision Point 2).
After risk treatment, the risk acceptance task aims to ensure that residual risks are explicitly accepted by the managers of the organisation. Finally, risk communication is a task to be performed throughout the process, so that all of the relevant information is available at each task of the process. Thereby, the whole process should be clearly documented.
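The two decision points described above can be made concrete with a small model of the loop: risk assessment produces a level per risk, Risk Decision Point 1 sends the process back to assessment when information is missing, risk treatment applies controls in rounds until every residual risk is at or below the acceptance threshold, and Risk Decision Point 2 either leads to acceptance or to a revision from context establishment when no acceptable residual level is reachable. This is an added illustration, not code from the standard or from the thesis; the 1-to-5 likelihood and impact scales, the likelihood × impact risk level, the monetary loss per risk level, the sample risks and controls, and the ROSI formula (risk reduction in money minus control cost, divided by control cost) are all assumptions chosen for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Constructed model of the ISO/IEC 27005-style loop. Scales, formulas and
# sample values are assumptions for illustration, not taken from the standard.


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: Optional[int]  # assumed 1 (rare) .. 5 (almost certain); None = not yet assessed
    impact: Optional[int]      # assumed 1 (negligible) .. 5 (severe); None = not yet assessed

    def level(self) -> Optional[int]:
        """Assumed risk level: likelihood x impact, or None when assessment is incomplete."""
        if self.likelihood is None or self.impact is None:
            return None
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: int = 0
    impact_reduction: int = 0


def apply_control(risk: Risk, control: Control) -> Risk:
    """Risk treatment step: a control lowers likelihood and/or impact, never below 1."""
    return replace(
        risk,
        likelihood=max(1, risk.likelihood - control.likelihood_reduction),
        impact=max(1, risk.impact - control.impact_reduction),
    )


def rosi(before: int, after: int, cost: float, loss_per_level: float) -> float:
    """Assumed ROSI formula: (monetary risk reduction - control cost) / control cost."""
    reduction = (before - after) * loss_per_level
    return (reduction - cost) / cost


def run_cycle(risks: List[Risk], treatments: Dict[str, List[Control]],
              acceptance_threshold: int, loss_per_level: float = 1000.0,
              max_rounds: int = 3) -> dict:
    """One pass through assessment, the two decision points and risk treatment.

    treatments maps a risk name to the controls to apply, one per treatment round.
    """
    # Risk Decision Point 1: is there enough information to decide on treatment?
    unassessed = [r.name for r in risks if r.level() is None]
    if unassessed:
        return {"decision_point": 1, "outcome": "reassess", "unassessed": unassessed}

    queue = {name: list(ctrls) for name, ctrls in treatments.items()}  # do not mutate caller's lists
    initial = {r.name: r.level() for r in risks}
    spent = {r.name: 0.0 for r in risks}
    residual = {r.name: r for r in risks}
    rounds = 0

    # Risk treatment, iterated until residual risk is acceptable or no control is left.
    while rounds < max_rounds:
        open_risks = [n for n, r in residual.items() if r.level() > acceptance_threshold]
        if not open_risks:
            break
        applied = False
        for name in open_risks:
            if queue.get(name):
                ctrl = queue[name].pop(0)
                residual[name] = apply_control(residual[name], ctrl)
                spent[name] += ctrl.annual_cost
                applied = True
        if not applied:
            break  # no further treatment available: residual risk cannot be lowered
        rounds += 1

    # Risk Decision Point 2: accept the residual risk, or revise from context establishment.
    accepted = all(r.level() <= acceptance_threshold for r in residual.values())
    return {
        "decision_point": 2,
        "outcome": "accept" if accepted else "revise_context",
        "rounds": rounds,
        "residual": {n: r.level() for n, r in residual.items()},
        "rosi": {n: rosi(initial[n], residual[n].level(), spent[n], loss_per_level)
                 for n in residual if spent[n] > 0},
    }


# Constructed sample input: two assessed risks and the controls planned for them.
SAMPLE_RISKS = [Risk("laptop theft", 4, 3), Risk("web application injection", 3, 5)]
SAMPLE_TREATMENTS = {
    "laptop theft": [Control("full-disk encryption", 2000.0, impact_reduction=2)],
    "web application injection": [
        Control("input validation review", 5000.0, likelihood_reduction=1),
        Control("web application firewall", 3000.0, likelihood_reduction=1),
    ],
}

if __name__ == "__main__":
    print(run_cycle(SAMPLE_RISKS, SAMPLE_TREATMENTS, acceptance_threshold=6))
```

With the sample input the loop needs two treatment rounds before both residual risks fall to or below the threshold of 6, and the result records the ROSI of each treated risk so that the figures presented to management at the risk acceptance step are traceable to the assessment that produced them.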