Category Archives: Thoughts

ISO 27001 Why Bother?

It’s a right royal pain to get audited.  So why bother?

Here are some reasons why your business should invest:

  • Certificate on the wall.  Certification is bid candy and supports the bid process.  It gives stakeholders confidence in the company.
  • Customer perception.  Some customers audit the company; having a set of policies and formal certification helps the audit process.
  • Raise the bar internally.  Forcing external certification helps to ensure that some of the basic information security controls are present.  While a 27001-compliant framework could be followed, having an external audit helps to encourage senior management support.
  • Raise the bar with suppliers. Formal certification is a useful lever to ensure that suppliers comply with good security practice, particularly where the contract is weak in this area.
  • Reputation protection. If something goes wrong and information is inappropriately compromised, ISO 27001 certification can be one of the mitigating factors that demonstrates proper governance was in place.

All parties recognise that compliance is not security and that simply obtaining certification does not mean that all risks are managed or that information systems are secure.  The position taken is that certification is a small step in the overall information security strategy.

The costs

The company does not have a dedicated budget to secure information systems; its business priorities are not to secure information systems and senior management do not see information security as a top business risk.  The company management has agreed to this certification budget:

  • Annual external audit: £5,000
  • Internal resource: half an FTE
  • Management time: one meeting every two months

ISO 27001 The Horror Show

Lots of movement in the ISO 27001:2013 controls, with some new ones.

Fortunately, most of the changes don’t require anyone to actually do anything.

Unfortunately some work is required and some policies will need to be changed.

Here is a list of horrors in the show.

| Section | Title | Text | Old Reference | Change |
|---|---|---|---|---|
| 5 | Information security policies | | 5 | Policy singular |
| 5.1 | Management direction for information security | Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. | 5.1 | |
| 5.1.1 | Policies for information security | Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. | 5.1.1 | |
| 5.1.2 | Review of the policies for information security | Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. | 5.1.2 | |
| 6 | Organization of information security | | 6 | |
| 6.1 | Internal organization | Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization. | 6.1 | |
| 6.1.1 | Information security roles and responsibilities | Control: All information security responsibilities shall be defined and allocated. | 8.1.1 | |
| 6.1.2 | Segregation of duties | Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. | 10.1.3 | |
| 6.1.3 | Contact with authorities | Control: Appropriate contacts with relevant authorities shall be maintained. | 6.1.6 | |
| 6.1.4 | Contact with special interest groups | Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. | 6.1.7 | |
| 6.1.5 | Information security in project management | Control: Information security shall be addressed in project management, regardless of the type of the project. | | New |
| 6.2 | Mobile devices and teleworking | Objective: To ensure the security of teleworking and use of mobile devices. | 11.7 | |
| 6.2.1 | Mobile device policy | Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. | 11.7.1 | |
| 6.2.2 | Teleworking | Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. | 11.7.2 | |
| 7 | Human resource security | | 8 | |
| 7.1 | Prior to employment | Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. | 8.1 | |
| 7.1.1 | Screening | Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. | 8.1.2 | |
| 7.1.2 | Terms and conditions of employment | Control: The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security. | 8.1.3 | |
| 7.2 | During employment | Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities. | 8.2 | |
| 7.2.1 | Management responsibilities | Control: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. | 8.2.1 | |
| 7.2.2 | Information security awareness, education and training | Control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. | 8.2.2 | |
| 7.2.3 | Disciplinary process | Control: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. | 8.2.3 | |
| 7.3 | Termination and change of employment | Objective: To protect the organization’s interests as part of the process of changing or terminating employment. | 8.3 | |
| 7.3.1 | Termination or change of employment responsibilities | Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. | | |
| 8 | Asset management | | 7 | |
| 8.1 | Responsibility for assets | Objective: To identify organizational assets and define appropriate protection responsibilities. | 7.1 | |
| 8.1.1 | Inventory of assets | Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. | 7.1.1 | |
| 8.1.2 | Ownership of assets | Control: Assets maintained in the inventory shall be owned. | 7.1.2 | |
| 8.1.3 | Acceptable use of assets | Control: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. | 7.1.3 | |
| 8.1.4 | Return of assets | Control: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement. | 8.3.2 | |
| 8.2 | Information classification | Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. | 7.2 | |
| 8.2.1 | Classification of information | Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. | 7.2.1 | |
| 8.2.2 | Labelling of information | Control: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | 7.2.2 | Separated |
| 8.2.3 | Handling of assets | Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | 7.2.2 | Separated |
| 8.3 | Media handling | Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. | 10.7 | |
| 8.3.1 | Management of removable media | Control: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. | 10.7.1 | |
| 8.3.2 | Disposal of media | Control: Media shall be disposed of securely when no longer required, using formal procedures. | 10.7.2 | |
| 8.3.3 | Physical media transfer | Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. | 10.8.3 | |
| 9 | Access control | | 11 | |
| 9.1 | Business requirements of access control | Objective: To limit access to information and information processing facilities. | 11.1 | |
| 9.1.1 | Access control policy | Control: An access control policy shall be established, documented and reviewed based on business and information security requirements. | 11.1.1 | |
| 9.1.2 | Access to networks and network services | Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use. | 11.4.1 | |
| 9.2 | User access management | Objective: To ensure authorized user access and to prevent unauthorized access to systems and services. | 11.2 | |
| 9.2.1 | User registration and de-registration | Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights. | 11.2.1 | Expanded |
| 9.2.2 | User access provisioning | Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. | 11.2.1 | Expanded |
| 9.2.3 | Management of privileged access rights | Control: The allocation and use of privileged access rights shall be restricted and controlled. | 11.2.2 | |
| 9.2.4 | Management of secret authentication information of users | Control: The allocation of secret authentication information shall be controlled through a formal management process. | 11.2.3 | |
| 9.2.5 | Review of user access rights | Control: Asset owners shall review users’ access rights at regular intervals. | 11.2.4 | |
| 9.2.6 | Removal or adjustment of access rights | Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. | 8.3.3 | |
| 9.3 | User responsibilities | Objective: To make users accountable for safeguarding their authentication information. | 11.3 | |
| 9.3.1 | Use of secret authentication information | Control: Users shall be required to follow the organization’s practices in the use of secret authentication information. | 11.3.1 | |
| 9.4 | System and application access control | Objective: To prevent unauthorized access to systems and applications. | 11.5 | |
| 9.4.1 | Information access restriction | Control: Access to information and application system functions shall be restricted in accordance with the access control policy. | 11.6 | |
| 9.4.2 | Secure log-on procedures | Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. | 11.5.1 | |
| 9.4.3 | Password management system | Control: Password management systems shall be interactive and shall ensure quality passwords. | 11.5.3 | |
| 9.4.4 | Use of privileged utility programs | Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. | 11.5.4 | |
| 9.4.5 | Access control to program source code | Control: Access to program source code shall be restricted. | 12.4.3 | |
| 10 | Cryptography | | 12.3 | New level 1 control |
| 10.1 | Cryptographic controls | Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. | 12.3 | |
| 10.1.1 | Policy on the use of cryptographic controls | Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented. | 12.3.1 | |
| 10.1.2 | Key management | Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. | 12.3.2 | |
| 11 | Physical and environmental security | | 9 | |
| 11.1 | Secure areas | Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. | 9.1 | |
| 11.1.1 | Physical security perimeter | Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. | 9.1.1 | |
| 11.1.2 | Physical entry controls | Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | 9.1.2 | |
| 11.1.3 | Securing offices, rooms and facilities | Control: Physical security for offices, rooms and facilities shall be designed and applied. | 9.1.3 | |
| 11.1.4 | Protecting against external and environmental threats | Control: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. | 9.1.4 | |
| 11.1.5 | Working in secure areas | Control: Procedures for working in secure areas shall be designed and applied. | 9.1.5 | |
| 11.1.6 | Delivery and loading areas | Control: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. | 9.1.6 | |
| 11.2 | Equipment | Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. | 9.2 | |
| 11.2.1 | Equipment siting and protection | Control: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. | 9.2.1 | |
| 11.2.2 | Supporting utilities | Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. | 9.2.2 | |
| 11.2.3 | Cabling security | Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. | 9.2.3 | |
| 11.2.4 | Equipment maintenance | Control: Equipment shall be correctly maintained to ensure its continued availability and integrity. | 9.2.4 | |
| 11.2.5 | Removal of assets | Control: Equipment, information or software shall not be taken off-site without prior authorization. | 9.2.7 | |
| 11.2.6 | Security of equipment and assets off-premises | Control: Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises. | 9.2.5 | |
| 11.2.7 | Secure disposal or reuse of equipment | Control: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. | 9.2.6 | |
| 11.2.8 | Unattended user equipment | Control: Users shall ensure that unattended equipment has appropriate protection. | 11.3.2 | |
| 11.2.9 | Clear desk and clear screen policy | Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. | 11.3.3 | |
| 12 | Operations security | | 10 | |
| 12.1 | Operational procedures and responsibilities | Objective: To ensure correct and secure operations of information processing facilities. | 10.1 | |
| 12.1.1 | Documented operating procedures | Control: Operating procedures shall be documented and made available to all users who need them. | 10.1.1 | |
| 12.1.2 | Change management | Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled. | 10.1.2 | |
| 12.1.3 | Capacity management | Control: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. | 10.3.1 | |
| 12.1.4 | Separation of development, testing and operational environments | Control: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. | 10.1.4 | |
| 12.2 | Protection from malware | Objective: To ensure that information and information processing facilities are protected against malware. | 10.4 | |
| 12.2.1 | Controls against malware | Control: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. | 10.4.1 | |
| 12.3 | Backup | Objective: To protect against loss of data. | 10.5 | |
| 12.3.1 | Information backup | Control: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. | 10.5.1 | |
| 12.4 | Logging and monitoring | Objective: To record events and generate evidence. | 10.1 | |
| 12.4.1 | Event logging | Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. | 10.10.1 | |
| 12.4.2 | Protection of log information | Control: Logging facilities and log information shall be protected against tampering and unauthorized access. | 10.10.3 | |
| 12.4.3 | Administrator and operator logs | Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. | 10.10.4 | |
| 12.4.4 | Clock synchronisation | Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source. | 10.10.6 | |
| 12.5 | Control of operational software | Objective: To ensure the integrity of operational systems. | 12.4 | New level 2 |
| 12.5.1 | Installation of software on operational systems | Control: Procedures shall be implemented to control the installation of software on operational systems. | 10.4.1 | |
| 12.6 | Technical vulnerability management | Objective: To prevent exploitation of technical vulnerabilities. | 12.6 | |
| 12.6.1 | Management of technical vulnerabilities | Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. | 12.6.1 | |
| 12.6.2 | Restrictions on software installation | Control: Rules governing the installation of software by users shall be established and implemented. | 12.5.3 | New control |
| 12.7 | Information systems audit considerations | Objective: To minimise the impact of audit activities on operational systems. | 15.3 | |
| 12.7.1 | Information systems audit controls | Control: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes. | 15.3.1 | |
| 13 | Communications security | | | New level 1 control |
| 13.1 | Network security management | Objective: To ensure the protection of information in networks and its supporting information processing facilities. | 10.6 | |
| 13.1.1 | Network controls | Control: Networks shall be managed and controlled to protect information in systems and applications. | 10.6.1 | |
| 13.1.2 | Security of network services | Control: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. | 10.6.2 | |
| 13.1.3 | Segregation in networks | Control: Groups of information services, users and information systems shall be segregated on networks. | 11.4.5 | |
| 13.2 | Information transfer | Objective: To maintain the security of information transferred within an organization and with any external entity. | 10.8 | |
| 13.2.1 | Information transfer policies and procedures | Control: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. | 10.8.1 | |
| 13.2.2 | Agreements on information transfer | Control: Agreements shall address the secure transfer of business information between the organization and external parties. | 10.8.2 | |
| 13.2.3 | Electronic messaging | Control: Information involved in electronic messaging shall be appropriately protected. | 10.8.4 | |
| 13.2.4 | Confidentiality or nondisclosure agreements | Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented. | 6.1.5 | |
| 14 | System acquisition, development and maintenance | | 12 | |
| 14.1 | Security requirements of information systems | Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. | 12.1 | |
| 14.1.1 | Information security requirements analysis and specification | Control: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. | 12.1.1 | |
| 14.1.2 | Securing application services on public networks | Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. | | New |
| 14.1.3 | Protecting application services transactions | Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. | | New |
| 14.2 | Security in development and support processes | Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems. | 12.5 | |
| 14.2.1 | Secure development policy | Control: Rules for the development of software and systems shall be established and applied to developments within the organization. | | New |
| 14.2.2 | System change control procedures | Control: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. | 12.5.1 | |
| 14.2.3 | Technical review of applications after operating platform changes | Control: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. | 12.5.2 | |
| 14.2.4 | Restrictions on changes to software packages | Control: Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. | 12.5.3 | |
| 14.2.5 | Secure system engineering principles | Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. | | New |
| 14.2.6 | Secure development environment | Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. | | New |
| 14.2.7 | Outsourced development | Control: The organization shall supervise and monitor the activity of outsourced system development. | 12.5.5 | |
| 14.2.8 | System security testing | Control: Testing of security functionality shall be carried out during development. | | New |
| 14.2.9 | System acceptance testing | Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. | | New |
| 14.3 | Test data | Objective: To ensure the protection of data used for testing. | | New |
| 14.3.1 | Protection of test data | Control: Test data shall be selected carefully, protected and controlled. | 12.4.2 | |
| 15 | Supplier relationships | | | |
| 15.1 | Information security in supplier relationships | Objective: To ensure protection of the organization’s assets that is accessible by suppliers. | | New |
| 15.1.1 | Information security policy for supplier relationships | Control: Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented. | | New |
| 15.1.2 | Addressing security within supplier agreements | Control: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. | | New |
| 15.1.3 | Information and communication technology supply chain | Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. | | New |
| 15.2 | Supplier service delivery management | Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements. | 10.2 | |
| 15.2.1 | Monitoring and review of supplier services | Control: Organizations shall regularly monitor, review and audit supplier service delivery. | 10.2.2 | |
| 15.2.2 | Managing changes to supplier services | Control: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. | 10.2.3 | |
| 16 | Information security incident management | | 13 | |
| 16.1 | Management of information security incidents and improvements | Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. | 13.2 | |
| 16.1.1 | Responsibilities and procedures | Control: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. | 13.2.1 | |
| 16.1.2 | Reporting information security events | Control: Information security events shall be reported through appropriate management channels as quickly as possible. | 13.1.1 | |
| 16.1.3 | Reporting information security weaknesses | Control: Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services. | 13.1.2 | |
| 16.1.4 | Assessment of and decision on information security events | Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. | | New |
| 16.1.5 | Response to information security incidents | Control: Information security incidents shall be responded to in accordance with the documented procedures. | | New |
| 16.1.6 | Learning from information security incidents | Control: Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. | 13.2.2 | |
| 16.1.7 | Collection of evidence | Control: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. | 13.2.3 | |
| 17 | Information security aspects of business continuity management | | 14 | |
| 17.1 | Information security continuity | Objective: Information security continuity shall be embedded in the organization’s business continuity management systems. | 14.1 | |
| 17.1.1 | Planning information security continuity | Control: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. | | New |
| 17.1.2 | Implementing information security continuity | Control: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. | 14.1.3 | |
| 17.1.3 | Verify, review and evaluate information security continuity | Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. | 14.1.5 | |
| 17.2 | Redundancies | Objective: To ensure availability of information processing facilities. | | New |
| 17.2.1 | Availability of information processing facilities | Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. | | New |
| 18 | Compliance | | 15 | |
| 18.1 | Compliance with legal and contractual requirements | Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. | 15.1 | |
| 18.1.1 | Identification of applicable legislation and contractual requirements | Control: All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. | 15.1.1 | |
| 18.1.2 | Intellectual property rights | Control: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. | 15.1.2 | |
| 18.1.3 | Protection of records | Control: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. | 15.1.3 | |
| 18.1.4 | Privacy and protection of personally identifiable information | Control: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. | 15.1.4 | |
| 18.1.5 | Regulation of cryptographic controls | Control: Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations. | 15.1.6 | |
| 18.2 | Information security reviews | Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. | | New |
| 18.2.1 | Independent review of information security | Control: The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. | 6.1.8 | |
| 18.2.2 | Compliance with security policies and standards | Control: Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. | 15.2.1 | |
| 18.2.3 | Technical compliance review | Control: Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards. | 15.2.2 | |

ISO 27001 For the New Year

They’ve gone and changed ISO 27001.  Normally, if it ain’t broke, don’t fix it, but the ISO team obviously thought differently and here we have a whole new version.  What does it mean?  And more importantly, what do we need to do to comply?  Or, more accurately:

What is the minimum we need to do in order to get the certificate?

We know that compliance is not security, but we also know that there are a couple of reasons to chase formal certification:

  • It ticks the box and puts the certificate on the wall;
  • It’s bid candy;
  • It gives us a stick to beat our suppliers; and
  • It might just help us to improve our game.

So we do the minimum and then focus on the real-world need of INSTALLING THE NEXT GEN FIREWALL.

In our shiny new version, the sections have been moved around and the controls have been shifted.  But there are some real changes around system security and managing risk.

Here is a breakdown.

First, the table of contents.

| Clause | What’s New |
|---|---|
| 0 Introduction | |
| Process approach | |
| Compatibility with other management systems | |
| 1 Scope | |
| 2 Normative references | As 2005 |
| 3 Terms and definitions | As 2005 |
| 4 Context of the organization | New for 2013 |
| 4-1 Understanding the organization and its context | New for 2013 |
| 4-2 Understanding the needs and expectations of interested parties | New for 2013 |
| 4-3 Determining the scope of the information security management system | New for 2013 |
| 4-4 Information security management system | Previously section 4 |
| 5 Leadership | New for 2013 |
| 5-1 Leadership and commitment | New for 2013 |
| 5-2 Policy | New for 2013 |
| 5-3 Organizational roles, responsibilities and authorities | New for 2013 |
| 6 Planning | New for 2013 |
| 6-1 Actions to address risks and opportunities | New for 2013 |
| 6-2 Information security objectives and planning to achieve them | New for 2013 |
| 7 Support | New for 2013 |
| 7-1 Resources | New for 2013 |
| 7-2 Competence | Previously section 5-2-2 |
| 7-3 Awareness | Previously section 5-2-2 |
| 7-4 Communication | New for 2013 |
| 7-5 Documented information | New for 2013 |
| 8 Operation | New for 2013 |
| 8-1 Operational planning and control | New for 2013 |
| 8-2 Information security risk assessment | New for 2013 |
| 8-3 Information security risk treatment | New for 2013 |
| 9 Performance evaluation | New for 2013 |
| 9-1 Monitoring, measurement, analysis and evaluation | New for 2013 |
| 9-2 Internal audit | Previously section 6 |
| 9-3 Management review | Previously section 7 |
| 10 Improvement | New for 2013 |
| 10-1 Nonconformity and corrective action | Previously section 8.1 |
| 10-2 Continual improvement | Previously section 8.1 |
| Annex A (normative) Reference control objectives and controls | New for 2013 |

The detailed walk-through of the standard, excluding the controls

0 Introduction
0-1   General
Slightly longer pre-amble.  No material additions.

This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

It is important that the information security management system is part of and integrated with the organization’s processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization.

This International Standard can be used by internal and external parties to assess the organization’s ability to meet the organization’s own information security requirements.

The order in which requirements are presented in this International Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purpose only.

ISO/IEC 27000 describes the overview and the vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 27003[2], ISO/IEC 27004[3] and ISO/IEC 27005[4]), with related terms and definitions.

0-2   Compatibility with other management system standards
No material requirements.

1         Scope
No material requirements

2         Normative References
No material requirements

3         Terms and definitions
No material requirements

4         Context of the organisation
4-1 Understanding the organisation and its context
Fortunately this requirement

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

is too vague.

4-2 Understanding the needs and expectations of interested parties

Determine interested parties relevant to the information security management system and their requirements.  Vague.

4-3 Determining the scope of the ISMS

The requirement is

The organization shall determine the boundaries and applicability of the information security management system to establish its scope.

So the scope document needs to be changed to specifically show, in the pre-amble:

a) the external and internal issues referred to in 4.1;

b) the requirements referred to in 4.2; and

c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

Which probably means that the existing scope can stay as it is and we need a couple of hours to write some more introduction.  Net effect: no material change.

4.4 ISMS

We need one.  Same as before.  No material change.

5         Leadership
5-1   Leadership and commitment

“Leadership” is a new word.  But fortunately the actual requirements of “top management” are pretty much the same as before and sufficiently vague to mean No material change.

5-2   Policy
A policy is required.  Pretty straightforward, but it needs to include two sentences:

c) includes a commitment to satisfy applicable requirements related to information security; and

d) includes a commitment to continual improvement of the information security management system.

And we also need to make the policy

available as documented information

Which means No material change.

5-3   Organizational roles, responsibilities and authorities
Make sure that people are available.  No material change.

6         Planning
6.1 Actions to address risks and opportunities

6.1.1 General
Plan stuff.  No material change.

6.1.2 Information security risk assessment
Requires the same criteria as in 2005. A new requirement:

ensures that repeated information security risk assessments produce consistent, valid and comparable results;

So, no material change.  But also requires these

c) identifies the information security risks:

1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and

2) identify the risk owners;

d) analyses the information security risks:

1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;

2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and

3) determine the levels of risk;

e) evaluates the information security risks:

1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and

2) prioritize the analysed risks for risk treatment.

Looks like the risk assessment process needs to include some words about these specific requirements.  A couple of hours to update the document, but No material change.

6.1.3 Information security risk treatment
This now requires

The organization shall define and apply an information security risk treatment process to:

Which implies a specific document titled “risk treatment process”.  It also requires

produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;

This could be interpreted as a SOA for every system, which could be a considerable effort.  It also requires

obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.

This is new and could require actually changing a real process and involving real people.
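The 6.1.2 c) to e) steps and the 6.1.3 risk-owner sign-off described above, worked through as an added example (my code, not the post’s and not the standard’s); the scoring scales, acceptance threshold, asset names and owners are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 6.1.2 a): risk criteria fixed up front so that repeated assessments give
# comparable results (6.1.2 b)). Scales and threshold are constructed for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}
ACCEPT_AT_OR_BELOW = 6            # highest risk level the organisation will accept
ATTRIBUTES = ("confidentiality", "integrity", "availability")


@dataclass
class Risk:
    asset: str
    attribute: str                # which of C, I or A would be lost (6.1.2 c) 1))
    owner: str                    # the risk owner (6.1.2 c) 2))
    likelihood: str
    consequence: str
    treatment: Optional[str] = None
    residual_level: Optional[int] = None
    accepted_by: Optional[str] = None


def analyse(risk: Risk) -> int:
    """6.1.2 d): score consequence and likelihood on the agreed scales and
    return the level. Off-scale values are rejected rather than guessed,
    which is what keeps one assessment comparable with the next."""
    if risk.attribute not in ATTRIBUTES:
        raise ValueError(f"{risk.asset}: unknown attribute {risk.attribute!r}")
    if risk.likelihood not in LIKELIHOOD or risk.consequence not in CONSEQUENCE:
        raise ValueError(f"{risk.asset}: likelihood/consequence not on the agreed scale")
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def evaluate(risks: List[Risk]) -> List[Tuple[int, bool, Risk]]:
    """6.1.2 e): compare each level with the acceptance criterion and return
    (level, needs_treatment, risk) tuples, highest level first."""
    scored = []
    for risk in risks:
        level = analyse(risk)
        scored.append((level, level > ACCEPT_AT_OR_BELOW, risk))
    return sorted(scored, key=lambda t: t[0], reverse=True)


def accept_residual(risk: Risk, approver: str, treatment: str, residual_level: int) -> bool:
    """6.1.3: only the named risk owner may approve the treatment and accept the
    residual risk, and only if the residual level meets the acceptance criterion."""
    if approver != risk.owner or residual_level > ACCEPT_AT_OR_BELOW:
        return False
    risk.treatment, risk.residual_level, risk.accepted_by = treatment, residual_level, approver
    return True


# Constructed sample register.
REGISTER = [
    Risk("customer database", "confidentiality", "head of sales", "possible", "severe"),
    Risk("payroll system", "availability", "finance director", "unlikely", "moderate"),
    Risk("build server", "integrity", "head of engineering", "likely", "major"),
]

if __name__ == "__main__":
    for level, treat, r in evaluate(REGISTER):
        print(f"{level:2d} {'TREAT ' if treat else 'ACCEPT'} {r.asset} ({r.attribute}, owner: {r.owner})")
    # The risk owner, not the security team, signs off the residual risk.
    print(accept_residual(REGISTER[0], "head of sales", "column-level encryption", 4))
    print(accept_residual(REGISTER[2], "security manager", "signed builds", 4))
```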

6.2 Information security objectives and planning to achieve them
A requirement that

The organization shall establish information security objectives at relevant functions and levels.

Which is all very well, but they must also be

Measurable […] communicated

Which sounds like a fag to do well.

7         Support
7.1 Resources
No material change

7.2 Competence
Staff need to be competent.  A new requirement, but No material change.

7.3 Awareness
Staff are now required to be aware of:

a) the information security policy;

b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and

c) the implications of not conforming with the information security management system requirements.

This might mean an hour adding in these three lines into the awareness pack.  No material change.

7.4 Communication
No material requirements

7.5 Documented information
7.5.1 General
Documentation in the ISMS now includes

documented information determined by the organization as being necessary for the effectiveness of the information security management system

Which could be interpreted as including all the HR documentation too.  This could be a major effort to update and maintain as part of the ISMS.

7.5.2 Creating and updating
No material change

7.5.3 Control of documented information
No material change

8         Operation
8.1 Operational planning and control
Change control needed.  No material change.

8.2 Information security risk assessment
No material change

8.3 Information security risk treatment
No material change

9         Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
Specifically asks for monitoring, but no material change

9.2 Internal audit
Internal audits now specifically requested, but no material change

9.3 Management review
No material changes

10     Improvement
10.1 Nonconformity and corrective action
No material changes

BYOD: Bring your own distraction

It’s all the rage.  There’s not much to add.  Everyone has a solution to it, even Novell.  So, what is there useful to say?

Only this.  Think about BYOD policies and be consistent.  Do you ban people from browsing porn on their own tablet?  Do you pay people for the hardware? Or do you expect people to fund their own IT? Who provides insurance?

Run a pilot.  Here are some requirements to think about.

  • Container for corporate data
  • Control of password complexity
  • Encrypt whole device
  • Enforce policies
  • Full alerting
  • Full logging
  • Full reporting
  • Hierarchical administration
  • Limit to OS version
  • Locate device
  • Log web sites visited
  • Login time out
  • No jail breaks
  • Remote control of device
  • Remote wipe of device or data
  • Screen clear timeout
  • Separate administration by business units

Cyber Security Internship

This new information security intern programme looks just the ticket. I do hope that the bright-young-things are not put off by the amount of pure drudgery that one finds in real-world infosec.

Security Consultant: The Best of Times

It’s no accident that being a consultant is often the goal for many a worker; it is perceived as a cushy number, a well paid sinecure solving other people’s problems and not living with the consequences.  So, what are the best bits about being a con(slut)ant?

You are handsomely rewarded.  Not in the league of a premier league footballer, or possibly even an IT contractor, but well enough for the work required: more than a teacher but slightly less than a headmaster (ish).  Likely to be slightly more than you’d get in the equivalent industry position.  Don’t forget your car allowance too.  It’s the way the employers give their staff another £6K per year without having to pay National Insurance or pension on it, and without it being bonusable.  All of this and the other cash benefits below add a good 20% to 60% onto your base salary.

Culture of expenses. Everyone claims expenses, it’s expected.  Expenses for expensive coffee.  Taking a client to lunch.  Taking your team to lunch.  It’s just so much easier in a consultancy where the expectation is that there are expenses and usually approvals are delegated from the budget holder to their PA who may query a high-value item but it usually goes through.

Cash benefits.  Consultancies usually have great benefits: healthcare; gym; pension; lunch allowance; concierge service; wellbeing; expenses for everything as noted; fully expensed mobile telephone.

More cash benefits.  With all these expenses the consultant would be daft not to push them through a credit card that gives them points/cash/miles.  When you are in a hotel, booking flights and racking up £1,000 of expenses every single week the points add up.

And more.  If you are in a hotel, all your meals are provided for.  Some consultants without families will not have a permanent home but may rent out their flat or use a relative’s address.  They then effectively live free of charge at the client’s expense.  What they do is have a big breakfast at the Hilton and squirrel away a bit into a doggy bag which they have for lunch. They then get their £30 per diem which they spend at Tesco and scoff in their room.

And more. The cash benefits really do go on.  The consultant gets an annual bonus.  This is usually in the range of 10% for the worker consultant, to 15% for the team leader.  Up to 50% for the principal or director.  Of course, for equity partners the sky is the proverbial limit. They may get their broadband at home paid for, and unused laptops will find their way into the consultant’s own home (for return when they resign).

And more and more. Yes, even more.  The consultancy realises that its only asset is the CV of its staff, so they will pay for: exams (though often only if passed); courses (though these tend to be frowned on if too expensive); professional body membership (the consultant may well be a member of half a dozen organisations costing a grand a year); attendance at conferences provided the utilisation remains high.

And more, here is the big one.  If they are smart they get their travel paid for. As the typical consultant will usually work on a client site, the engagement letter will specify that expenses are paid so the consultancy does not care that the individual’s travel from home is paid for.  In the case where the consultant is based in an office that isn’t the office they are working in, it becomes easier to get this through.  This is particularly useful where the consultant does not live in London as most consultancies tend to do much of their work there.  The numbers on this really can be staggering.  Consultants will happily live in, say, Manchester and be based there but work in London and travel every day (see the hotel …). Or they will live within two hours commute which may cost say £8K per year, but they’d have to earn £16K to take home the £8K to pay for the season ticket.  Meaning the consultant’s effective pay is increased by a whopping £16K.  Though this does make it harder to find the next industry role.

It’s easy work. The actual work is easy, although admittedly the client may well expect you to be on site all day and you may have to live out of a hotel.  A typical consultant doesn’t have to live with or implement the consequences of their actions.  The tasks are usually within their skill set; if they are not, then your employer will pay for you to read a book.  The good consultant only needs to be one chapter ahead of the client.

Someone else gets the work for you.  Resource management exist to match your CV with the new opportunities. Often with no interview or competency test.

Varied work.  When you get into the office on a Monday morning you’ve no idea where they will send you on Monday afternoon.

Easy entry to new clients.  Resource management or the client lead partner wants an analyst for Barclays, Shell, MoD, Sainsbury’s or any other client for which the consultant has zero industry expertise.  It’s easier to get a role with no industry expertise and therefore increase your skillset.  You might be a government expert, with experience only with MoD:  in open competition, you’d never get a role with a bank either as a permie or a contractor because they would simply look at your experience and that of the next person.  However, the consultancy will happily place you because they understand that sometimes subject matter trumps industry.  Now you’ve got banking expertise, which you can spin into SOX, BASEL, PCI DSS or whatever you want.  So now you can get that contract role with the bank and the transition is complete.

Flexible working.  As long as you are earning a fee, no one back on the mother ship cares where you are.  You could be on the moon.  More likely you are working from home.  Unless the client wants to see bums on seats of course.  Just make sure you send emails in the evening.

Team around you. As a consultant you’ll have a team of like-minded subject matter experts around you.  If the client asks you to do something you’ve not done before, just ask on the mailing list and someone will help. This is possibly one of the major advantages for clients where typically the entire functional team may be one person and if there are others, they won’t often be as trained or skilled as the consultancy team.

Open neckwear. Many men in many consultancies don’t wear a tie.  They are expected to wear a suit.  Women are expected to dress up, but not too tarty.  You can usually spot the consultant in a room full of clients, especially where the client staff are female civil servants or female council workers.  It’s harder with male council workers, but their suits tend to have ties and the shirts don’t come from Thomas Pink.

Promotion. The consultancy is oriented on consultant grades.  The expectation is that the individual will apply for promotion and move up the ranks.  That client team in industry may well have been at the same pay grade and position for the past ten years.  How depressing is that?

Great CV.  If the consultant has to find a new job, the CV will usually be pretty good as there will be many varied clients; varied projects; and opportunities to demonstrate functional and behavioural excellence.

Always learning. The constant churn of new projects means that the consultant always has opportunities to learn new best practice and improve those skills.

Respected views.  While the client won’t respect the individual in a corporate sense, the views will be respected, not least because that report cost them £30K.  The report may well be filed and never read, but it will at least be there.  The client may well believe that the consultant is a god-on-earth and possess a unique insight.  Which is all very flattering.

Vendors love you. And will buy you lunch.

Just a few of the reasons to be cheerful when working as a consultant.  Might explain why the competition is quite high.

A bit like monkeys having a poo

This twitter twaddle and blagging is a little bit like a monkey having a poo.

What does a monkey do after it has had a poo?

That’s right, it turns around and has a good look.