FAQ: About ISO27k



This section of the ISO27k FAQ addresses the following general/basic questions relating to the ISO/IEC standards:

 

 

FAQ: “The titles of many ISO27k standards mention ‘Information Technology -- Security Techniques’. Does this mean they are IT-specific?”

 

A: No, certainly not! The formal titles simply reflect the original name of the joint ISO + IEC committee that oversees their production, namely SC 27 “Information Technology -- Security Techniques”, itself a subcommittee of JTC 1 “Information Technology”.

ISO/IEC JTC 1/SC 27 adopted a new name in 2019 becoming “Information security, cybersecurity and privacy protection”.  The new name will gradually find its way into the standards as they are revised and published.

The scope of the ISO27k standards naturally includes many aspects of IT but does not stop there. The introduction to ISO/IEC 27002:2013 states explicitly:

    “The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and related processes, systems, network and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organization’s business and consequently deserve or require protection against various hazards.”

Generally speaking, an organization’s most valuable information assets belong to business units, departments or functions other than the IT Department. IT typically owns, manages and is accountable for protecting the shared IT infrastructure (i.e. the main corporate IT systems and networks providing shared IT services to the business), which is a substantial information asset in its own right. However, in information security terms IT typically acts as a custodian (but not owner) for most business data on the systems and networks, including content belonging to other parts of the organization or to suppliers, customers, business partners, sales prospects, stakeholders and other third parties.

This distinction has important implications. Information asset owners are accountable for ensuring that their information assets are adequately protected, just like other corporate assets. While information asset owners generally delegate key responsibilities for information security to Information Security and/or IT, they remain accountable and must ensure that information security is adequately funded, directed and supported to achieve the necessary level of protection. Likewise, Information Security and IT generally act as advisors and custodians with a duty to protect the information/data placed in their care, but they are not ultimately accountable for most information security incidents, breaches and impacts that occur as a result of unwise risk management decisions (such as under-funding security or accepting risks) made by the actual information asset owners.

 

Implementation tip: when assessing and treating information risks, focus primarily on critical business processes and valuable business information rather than the supporting IT systems and data. The modern approach to corporate governance means that naive or duplicitous business managers can no longer blame and cower behind IT if they make inappropriate decisions or fail to act in order to identify and protect vital information assets. However, they often need help to appreciate and fulfil their security obligations.


 

 

FAQ: “Where can I obtain [insert name of any ISO27k standard here]?”

 

A: ISO/IEC 27000, ISO/IEC 27001, ISO/IEC 27002 and all the other published ISO27k standards may be purchased directly from the ISO store or from the various national standards bodies and commercial organizations. Shop around for the best deal.

It is worth checking for localized/national versions of the standards. Several national standards bodies release translated versions of the standards in their local languages. They go to great lengths to ensure that the translations remain true to the originals, although naturally this takes time.

ISO27k standards can be purchased as electronic documents or printed hardcopies. In addition to single-user PDFs, standards bodies may license electronic versions of the standards for multi-user internal corporate use - handy to make the definitive standards available on your intranet.

 

Implementation tip: Google!


 

 

FAQ: “I want to become an ISO27k consultant. I’m looking for books or courses that teach ISO27k. Is there an exam? ... ”

 

A: The best reference sources on the ISO27k standards are the standards themselves - in other words, you should buy and read the standards (see above). Being standards, they are quite formal in style but readable and useful. If you are going to implement them, write policies based upon them, consult around them etc. you will inevitably have to become very familiar with them so buy your copies and start reading!

The following ISO27k standards are well worth studying:

  • ISO/IEC 27000 introduces and gives an overview of the whole suite of ISO27k standards, and provides a glossary defining various information security terms specifically as they are used in the context of the standards.
  • ISO/IEC 27001 formally specifies the system for managing information security. Along with ISO/IEC 27006, it is essential if you intend to become an ISMS certification auditor by taking a “ISO/IEC 27001 Lead Auditor” training course offered by various training, consultancy and certification companies, and completing the requisite number of compliance audits under the wing of a fully-qualified ISMS certification auditor. If you are looking to implement rather than certify compliance with the standard, you should also study ISO/IEC 27002 and others.
  • ISO/IEC 27002 is the ‘Code of Practice’, a practical standard offering oodles of advice for those choosing/designing and implementing information security controls. The best way to learn ISO/IEC 27002 inside-out is to use it for real, which means going all the way through one or more ISMS implementations from planning to operations, auditing and maintenance. If you have no prior experience in information security, you should try to find an experienced mentor or guide, or take an “ISO/IEC 27001 Lead Implementer” course. Professional organizations such as ISSA, ISF and ISACA can help, along with the ISO27k Forum.
  • ISO/IEC 27003 explains the process for implementing ISO27k.
  • ISO/IEC 27004 concerns metrics - an advanced topic that will become more important as your experience builds.
  • ISO/IEC 27005 concerns the management (analysis, evaluation and treatment) of information risks and as such underpins all the ISO27k standards.

You should also be aware of the remaining ISO27k standards and have some familiarity with other similar/related standards, methods, laws etc. (such as PCI-DSS, COBIT and various privacy laws).

As to becoming a consultant, you are well advised to start by building a solid technical understanding of governance, risk and control concepts, and establishing your own expertise, experience, competence and hence credibility.

 

Implementation tip: don’t forget to join the ISO27k Forum. If you are struggling with particular ISMS-related issues, the archive of Forum messages is well worth browsing or searching (it’s a Google group so the search function works well), and members can always seek fresh answers to current issues and challenges.


 

 

FAQ: “Are there any qualifications for ISO27k professionals?”

 

A: Kind of. Other than the ISO and national standards bodies’ processes for checking and accrediting organizations who wish to offer ‘official’ compliance certification services, there is currently no equivalent of, say, ISACA or (ISC)2 overseeing the ISO27k courses and qualifications in order to set and maintain professional standards, insist on continuous professional development and so forth. At present there is nothing to stop anyone offering “ISO27k Lead Implementer” training courses and issuing certificates like confetti. This unfortunate situation casts doubt on the validity of Lead Implementer certificates in particular, and potentially discredits both the organizations currently offering them and the candidates who obtain them, even though they may be truly excellent. It’s a question of assurance not quality.

There are a number of ISMS-related training courses that hand out certificates of completion but I would not necessarily call them ‘qualifications’ on that basis alone. ‘Designations’ may be a better term. This is still a relatively new field so it will inevitably take time for the training and qualification practices to settle down and for the most worthwhile and meaningful certification schemes to become universally accepted. Meanwhile, read on.

The two most common types of ISMS-related designations are as follows.

ISO/IEC 27001 Lead Auditor (LA)

The term “Lead Auditor” was coined by training schemes that were initially designed and run internally by accredited ISO/IEC 27001 certification bodies in order to train up their own staff to perform certification audits. Subsequently, various public/commercial LA training courses have emerged. There are at least four possible routes to someone calling themselves an ISO/IEC 27001 LA:

  1. The highway: spend 5 straight days on a suitable officially-recognised training course run by an officially-recognised training body, pass the end of course exam, then undertake a further 35 days of third party certification audits under the guidance of a registered ISO/IEC 27001 LA. This route is preferred by the International Register of Certification Auditors and, in Japan, JRCA. The highway naturally suits students who are employed by the accredited certification bodies, since they can get both the classroom training and on-site experience from their employers.
  2. The country route: complete some other form of ISMS/audit related training (for example modular courses comprising a day or two’s training on ISMS plus 3 days on auditing), then undertake further ISMS assignments such as internal ISMS audits, ISMS-related consultancy gigs or third party certification audits, and finally pass some form of “on-site skills examination”. The country route may be the best option for students not working for accredited certification bodies, but may not deliver as much assurance.
  3. The cross-country 4x4 route: become a qualified and experienced information security professional and a qualified and experienced IT audit professional and gain lots of real-world experience of designing, building, implementing, managing, maintaining and advising on ISO27k ISMSs. Most professionals with more than, say, a decade or two’s work experience crossing these three areas have amassed valuable expertise, knowledge and battle scars, having faced many situations in the field. Some of them go on to take the highway or the country route, while others are too busy working for their clients or sharing their expertise with their employers to worry about certificates per se.
  4. The back alleys: a few students and consultants allegedly don’t bother with the hardship of actual training, exams and/or on-the-job experience, simply adding “ISO/IEC 27001 LA” (or similar) to their CVs and email signatures and carrying on regardless ...

By the way, that’s lead as in dog, not the dense metal.

ISO/IEC 27001 Lead Implementer (LI)

In response to market demand for help with implementing the ISO27k standards rather than just auditing ISMSs against ISO/IEC 27001, a number of IT training companies offer commercial ISO/IEC 27001 LI courses. These aim to give students some familiarity with the ISO27k standards, and then presumably provide pragmatic guidance on how to apply them to the design and implementation of an ISMS.

As with ISO/IEC 27001 LAs, do not rely on a candidate’s claimed LI qualification alone if information security is important to you - and why else would you be employing them? Skills (both technical and social), expertise, competencies and experience all vary from person to person, as does trustworthiness.

Caveat emptor! If you are employing information security professionals on the basis of their competence and integrity (trustworthiness), it pays to check carefully into their backgrounds. Verify their claims. See ISO/IEC 27002 section 7.1.1 (screening) for sage advice on this very point.

Note: ISO/IEC 27021 lays out the skills and competencies expected of professionals in this field. Training providers will hopefully align their course curricula with the standard, hence the course-completion certificates will have more meaning and value.

Implementation tip: in our considered opinion, demonstrable hands-on ISO27k standards implementation and audit experience, ideally with more than one organization, is by far the best “qualification” in the field today. Next best would be demonstrable consultancy experience, helping a number of clients design, install and run their ISMSs, preferably again with a considerable amount of hands-on work and not merely advising at a distance. The LA and particularly the LI certifications vary in credibility but nevertheless the courses are a valuable introduction for beginners, although students who already have a reasonable understanding of information security management concepts are more likely to benefit from ISO27k-specific training, general information security and IT audit qualifications such as CISSP, CISM and CISA, and general business management qualifications such as MBAs.

Advice for people who want to become IT auditors in our IT audit FAQ is useful for those planning to become lead auditors and is also relevant to becoming an information security management specialist since the fields are very closely related.


 

 

FAQ: “Where else can I find answers on ISO27k and information security?”

 

A: Besides this FAQ and the ISO27k standards themselves, there are several professional/special interest groups and forums (fora?) worth considering:

  • ACM SIGSAC (Association for Computing Machinery - Special Interest Group - Security, Audit and Control). Mission: “to develop the information security profession by sponsoring high-quality research conferences and workshops.”
  • CSA (Cloud Security Alliance) is “the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud - from providers and customers, to governments, entrepreneurs and the assurance industry - and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.”
  • InfraGard: “InfraGard is a partnership between the FBI and members of the private sector. The InfraGard program provides a vehicle for seamless public-private collaboration with government that expedites the timely exchange of information and promotes mutual learning opportunities relevant to the protection of Critical Infrastructure. With thousands of vetted members nationally, InfraGard's membership includes business executives, entrepreneurs, military and government officials, computer professionals, academia and state and local law enforcement; each dedicated to contributing industry specific insight and advancing national security.”
  • ISACA (originally the Information Systems Audit and Control Association). “As a nonprofit, global membership association for IT and information systems professionals, ISACA is committed to providing its diverse constituency of more than 140,000 professionals worldwide with the tools they need to achieve individual and organizational success. The benefits offered through our globally accepted research, certifications and community collaboration result in greater trust in, and value from, information systems. Through more than 200 chapters established in more than 80 countries, ISACA provides its members with education, resource sharing, advocacy, professional networking, and a host of other benefits on a local level.”
  • (ISC)² (International Information Systems Security Certification Consortium) is “an international, nonprofit membership association for information security leaders like you. We’re committed to helping our members learn, grow and thrive. More than 140,000 certified members strong, we empower professionals who touch every aspect of information security.”
  • ISO27k Forum (ISO/IEC 27000-series standards discussion forum). “Since its launch back in 2006, the ISO27k Forum has grown steadily into a supportive and friendly global community of over 4,000 information security professionals, most of whom are actively using the ISO/IEC 27000-series standards and willing to share their queries, experience and expertise freely with others. This is a practitioner’s group with a practical focus, where (almost!) every contribution is treasured and every member valued. We mostly discuss matters of interest and concern to those interpreting and applying the ISO27k standards in real world situations.”
  • ISSA (Information Systems Security Association) is “a nonprofit organization for the information security profession committed to promoting effective cyber security on a global basis: Being a respected forum for networking and collaboration; Providing education and knowledge sharing at all career lifecycle stages; Being a highly regarded voice of information security that influences public opinion, government legislation, education and technology with objective expertise that supports sound decision-making.”
  • OWASP (Open Web Application Security Project) is a “worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible so that individuals and organizations are able to make informed decisions. OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies, and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.”

 

Implementation tip: Questions are good. I learn a lot from questions. I also learn a lot from answering questions and from considering other people’s answers, further responses, corrections, clarifications, retrenchments and counterpoints. Despite the popular mantra, there are dumb questions ... but there are also deceptively simple questions that turn out to be extremely insightful and deep once we peel back the layers to respond. Whatever your initial state of knowledge, expertise and experience, actively engaging in the debate puts you on the fast track to further personal and professional development. Do join in. Remember: life is not a spectator sport.


 

 

FAQ: “What does ‘ISO’ mean? And what about ‘ISO/IEC’?”

 

A: ISO is the short or common name of the global standards body known in English as the International Organization for Standardization. “ISO” is not strictly an abbreviation since the long name varies in different languages - it is in fact derived from the Greek word isos meaning equal. At least, that’s what we’re told.

IEC is the International Electrotechnical Commission, another international standards body that cooperates closely with ISO on electrical, electronic and related technical standards. Standards developed jointly with ISO are prefixed “ISO/IEC”.

ISO/IEC also collaborate on some standards with other international organisations (both governmental and private sector) such as the International Telecommunication Union, a trade body coordinating telecomms organizations and practices to enable worldwide communications.

 

Implementation tip: we have tried to use “ISO/IEC” consistently throughout this site when referring to applicable standards, but we know it’s a mouthful. In casual conversation, management reports, security awareness materials, social media etc. “ISO” is good enough for most purposes. Don’t sweat the small stuff.


 

 

FAQ: “What do ‘WD’, ‘CD’, ‘FDIS’ and those other acronyms prepended to draft ISO standards really mean?”

 

A: The acronyms indicate the progress of International Standards sequentially through the drafting and approval stages:

  1. PWI = Preliminary Work Item - initial feasibility and outline scoping activities
  2. SP = Study Period - researching the area, hunting for other relevant standards and inputs, evaluating market demand, identifying stakeholders etc.
  3. NWIP or NP = New Work Item Proposal - preparing the scope and outline of a proposed standard, paving the way for a new standards development project *
  4. WD = Working Draft (1st WD, 2nd WD etc.) - standard content development (“preparatory”) phase, generating content
  5. CD = Committee Draft (1st CD, 2nd CD etc.) - quality control phase, addressing editorial matters and typoos *
  6. FCD = Final Committee Draft - getting ready for final approval (voting) *
  7. DIS = Draft International Standard - nearly there, hold your breath *
  8. DAM = Draft AMendment - as in “Damn it, we need to fix this”
  9. FDIS = Final Draft/Distribution International Standard - just about ready to publish, pinch your nose and count to 100 *
  10. FDAM = Final Draft AMendment - as in “Damn it, get this thing out”
  11. IS = International Standard - published! Yay!
  12. TR = Technical Report - published!   (see next Q&A)
  13. TS = Technical Specification - published!   (see next Q&A)
  14. COR = CORigendum - technically, a correction

* At several stages during the standards development process, national standards bodies that belong fully to ISO/IEC JTC 1/SC 27 are invited to vote formally on the standards and submit comments, particularly to explain why they disapprove of anything.

 

The process from PWI to IS normally takes between 2 and 4 years (average 2.8 years), given the attention to detail at every stage and the need for collaboration and consensus on a global scale. For example, when a WD is issued for comments, representatives of the national standards bodies that belong to ISO or IEC (known as “Member Bodies” MBs within ISO but “National Committees” NCs in IEC) typically have ~3 months to review the document, discuss it amongst themselves and submit formal votes and comments. If the comments are unfavourable or complex, an updated WD is normally released for a further round of comments. When documents have stabilised, they are circulated for voting. Any of you with experience of getting formal documents such as security policies prepared, reviewed and approved by your management will surely appreciate the ‘fun’ involved in doing this in an international arena!

A fast-track process is sometimes used to adopt an existing national standard as an ISO standard. Some 6 months is allowed for comments and no more than a quarter of the votes may be negative if the standard is to be approved. “Fast” is of course a relative term.

Published standards are reviewed every five years, or earlier if defect reports are submitted.


 

 

FAQ: “Aside from International Standards, what are TRs and PASs and ... ?”

 

A: ISO/IEC publishes a range of different types of standards, as well as covering a number of different subjects:

  • An International Standard (IS) is the most common form of ISO/IEC standard, including product/technical standards, test methods, ‘codes of practice’ (good practices) and management standards. An IS “provides rules, guidelines or characteristics for activities or for their results, aimed at the achievement of the optimum degree of order in a given context”. Most aim to describe the final objective without prescribing the method of getting there (although they don’t all meet that aim!). The review cycle is 5 years (maximum).
  • A Technical Specification (TS) is a standard on an immature subject that is still being developed, and is not quite ready to become a full IS. Feedback is encouraged in order to drive further development and lead, eventually, to the release of an IS. Internally within the committee, final drafts are called PDTS (Proposed Draft Technical Specifications).
  • A Technical Report (TR) is informational in style rather than providing firm guidance. It may draw on surveys and ‘informative reports’, and may attempt to describe the ‘state of the art’. Internally within the committee, final drafts are called PDTR (Proposed Draft Technical Reports).
  • A Publicly Available Specification (PAS) responds to an urgent need to drive consensus on some emerging topic. Alternative and perhaps incompatible views may be expressed by parallel PASs from different expert streams. A PAS is supposed to be replaced by a TS or IS, or withdrawn, within 6 years.
  • An International Workshop Agreement (IWA) is essentially an alien PAS produced outside of the ISO/IEC world - for example by some technical or industry body. It too has a maximum life of 6 years.


 

 

FAQ: “What is meant by ‘JTC 1/SC 27’ and what are ‘WG’s’?”

 

A: As you might expect, an international body developing and coordinating a vast range of technical standards on a global basis has evolved a correspondingly vast bureaucracy to manage and share the work. Member Bodies (that is, members of ISO, in other words national standards bodies) normally participate in the development of standards through Technical Committees established by the respective organisation to deal with particular fields of technical activity. The ISO and IEC Technical Committees often collaborate in fields of mutual interest. IT standardisation presents unique requirements and challenges given the pace of innovation; therefore, in 1987, ISO and IEC established a Joint Technical Committee, ISO/IEC JTC 1, with responsibility for IT standards.

JTC 1’s purpose is “Standardization in the field of Information Technology” which “includes the specification, design and development of systems and tools dealing with the capture, representation, processing, security, transfer, interchange, presentation, management, organization, storage and retrieval of information.” While there is general agreement that information security is a superset of IT security, the unfortunate fact that the ISO/IEC committee has IT in its official title means that the ISO27k information security standards are misleadingly labelled IT standards.

In ISO-speak, “SC” is a “Sub-Committee”. SC 27 is the main (but not the only!) ISO Sub-Committee responsible for numerous information security standards. SC 27 is a Sub-Committee of ISO/IEC JTC 1. SC 27’s “Standing Document 1” (SD1 - one of several) lays out its key processes in 50 pages of excruciating detail.

SC 27 owns and maintains more than 200 standards, of which around a quarter are actively progressing at any one time. SC 27, in turn, has carved up its workload across five WGs (Working Groups):

  • SC 27/WG1 - Information Security Management Systems: responsible for developing and maintaining ISMS standards and guidelines, identifying requirements for future ISMS standards and guidelines, maintaining the WG1 roadmap and liaising/collaborating with other organizations and committees in relation to ISMS;
  • SC 27/WG2 - Cryptography and Security Mechanisms: cryptography, cryptographic algorithms, encryption, authentication, key management, digital signatures and all that;
  • SC 27/WG3 - Security Evaluation, Testing and Specification: Common Criteria, evaluation methods, protection profiles, security capability maturity models etc.;
  • SC 27/WG4 - Security Controls and Services: responsible for a variety of standards covering intrusion detection, IT network security, incident management, ICT disaster recovery, use of trusted third parties, business continuity, application security, cybersecurity and outsourcing. Some of these also fall into ISO27k;
  • SC 27/WG5 - Identity Management and Privacy Technologies: does pretty much exactly ‘what it says on the tin’ (the title is self-explanatory). Includes biometrics.

 

[Figure: SC 27 scope diagram]

Find out more about the inner workings of SC 27 in the welcome package.

As if that wasn’t complicated enough, there are also Other Working Groups (OWGs), Special Working Groups (SWGs), Rapporteur Groups (RGs, advisors), Joint Working Groups (JWGs), Workshops and the IT Task Force (ITTF). [There is presumably also a secret CFA (Committee For Acronyms) somewhere in ISO/IEC land!].

Aside from SC 27, various other subcommittees are working on security-related matters, such as:

  • SC 6 - Telecommunications and information exchange between systems
  • SC 7 - Software and systems engineering
  • SC 17 - Cards and personal identification
  • SC 25 - Interconnection of information technology equipment
  • SC 29 - Coding of audio, picture, multimedia and hypermedia information
  • SC 31 - Automatic identification and data capture techniques
  • SC 32 - Data management and interchange
  • SC 36 - Information technology for learning, education and training
  • SC 37 - Biometrics

 

Implementation tip: once you have gained ISMS implementation experience, consider helping the continued development of the ISO27k standards by contacting your national standards body and volunteering your assistance (more advice follows ...).

 

Please note: this website is privately owned and is NOT an official organ of ISO/IEC. Please read our disclaimer for more.


 

 

FAQ: “How can I keep up with developments in ISO27k?”

 

A: An easy way to keep in touch with developments is to join the ISO27k Forum. Don’t forget to bookmark this website and call back every so often to check the news.

Another option is to Google ISO/IEC 27000 or related terms. Professional information security-related organizations such as ISSA and ISACA, and journals such as EDPACS, are increasingly discussing or publishing articles on ISO27k. There are a few ISO27k groups on Linkedin and other social media, of variable quality.

 

Implementation tip: if you discover some ISO27k news before it is published here, please tell us so we can share it with the user community via this website and/or via the ISO27k Forum.


 

 

FAQ: “How can I get involved in the development of security standards?”

 

A: Contact your local national standards body (e.g. BSI, NIST, SNZ) to find out about any special interest groups and committees working in the information security arena. If you can spare the time to get involved with standards specification, development and/or review, contact your local ISO/IEC JTC 1/SC 27 representative/s to volunteer your services.

There is a genuine chance for experienced professionals to influence the future directions of ISO27k if they are prepared to put in the effort and collaborate with colleagues around the world. Don’t wait for the published standard to raise your criticisms and improvement suggestions: get involved in the drafting and review process!

 

Implementation tip: the ISO/IEC security Sub-Committees and Working Groups are extremely busy and produce lots of paperwork. Committee work drafting and reviewing standards plus responding to queries from other interested parties has to be slotted-in with other duties including the day-job. If you get involved, be prepared to lose a substantial chunk of your free time reading, reviewing and contributing to draft standards. It’s fun though, a privilege to be able to collaborate with professional peers who are committed to ISO27k.


Copyright © 2019 IsecT Ltd.