Welcome to the SecAware blog

I spy with my beady eye ...

3 Sept 2019

NBlog Sept 3 - principles, axioms and policies

ISO/IEC 27001:2013 section 5.2 is normally interpreted as requiring the top layer of the classical ‘policy pyramid’. 

As with all the main body text in ‘27001, the wording of clause 5.2 is largely determined by:
(a) ISO/IEC JTC1 insisting on commonality between all the management systems standards, hence you’ll find much the same mandated wording in ISO 9000 and the others; and
(b) the need to spell out reasonably explicit, unambiguous ‘requirements’ against which certification auditors can objectively assess conformity.

Personally, when reading and interpreting clause 5.2, I have in mind something closer to “strategy” than what information security pro's would normally call “policy” - in other words a visionary grand plan for information risk and security that aligns with, supports and enables the achievement of the organization’s overall business objectives. That business drive is crucial and yet is too often overlooked by those implementing Information Security Management Systems, partly because '27001 doesn't really explain it. The phrase "internal and external context" is not exactly crystal clear ... but that's what the JTC 1 directive demands.

In our generic (model, template) corporate information security policy, we lay out a set of principles and axioms for information risk and security such as:
Principle 1. Our Information Security Management System conforms to generally accepted good security practices as described in the ISO/IEC 27000-series information security standards.
Principle 2.   Information is a valuable business asset that must be protected against inappropriate activities or harm, yet exploited appropriately for the benefit of the organization.  This includes our own information and that made available to us or placed in our care by third parties.
... and ...
Axiom 1: This policy establishes a comprehensive approach to managing information security risks.  Its purpose is to communicate management’s position on the protection of information assets and to promote the consistent application of appropriate information security controls throughout the organization.  [A.5.1]

Axiom 2: An Information Security Management System is necessary to direct, monitor and control the implementation, operation and management of information security as a whole within the organization, in accordance with the policies and other requirements.  [A.6.1]
As you might have guessed from those [A. …] references, the axioms are based on the controls in Annex A of ISO/IEC 27001:2013. We have simply rephrased the control objectives from ISO/IEC 27002:2013 to suit the style of a corporate policy, such that the policy is strongly linked to and aligned with ISO27k. Those reading and implementing the policy are encouraged to refer to the ISO27k standards for further details and explanation if needed. 

There is a downside to this approach however since there are 35 axioms to lay out, making the whole generic policy 5½ pages long. I'd be happier with half that length. Customers may not need all 35 axioms and might review and maybe reword, revise and combine them, hopefully without adding yet more. That's something I plan to have a go at when the generic policy is next revised.

The principles take things up closer to strategy. This could be seen as a governance layer, hence our first principle concerns structuring the ISMS around ISO27k. It could equally have referred to NIST's Cyber Security Framework, COBIT, BMIS or whatever: the point is to make use of one or more generally accepted standards, adapting them to suit the organization's needs rather than reinventing the wheel.

I find the concept of information risk and security principles fascinating. There are in fact several different sets of principles Out There, often incomplete and imprecisely stated, sometimes only vaguely implied. Different authors take different perspectives to emphasize different aspects, hence it was an interesting exercise to find and elaborate on a succinct, coherent, comprehensive set of generally-applicable principles. I'm pleased to have settled on just 7 principles, and these too will be reviewed at some point, partly because the field is moving on. 

Meanwhile, further down the policy pyramid, a set of classical security policies covers a wide range of topics in more detail, supporting and expanding on those high-level axioms in the overall context of the principles. '27001, refers to such policies in A.5.1.1:
"A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties."
ISO/IEC 27002 section 5 expands on that succinct guidance with more than a page of advice. ISO/IEC 27003 is not terribly helpful in respect of the topic-specific policies but does a reasonable job of explaining how the high level/corporate security policy aligns with business objectives.

No comments:

Post a Comment