Despite the excellent work done to restructure and update the standard, I still feel that some commonplace 'good practice' information security controls are either Missing In Action or inadequately covered by ISO/IEC 27002:2022. These nine, for example:
- Business continuity controls, covering resilience, recovery and contingency aspects in general, not just in the IT security or IT domains. ISO 22301 is an excellent reference here, enabling organisations to identify, rationally evaluate and sensibly treat both high-probability x low-impact and low-probability x high-impact information risks (the orange zone on probability-impact graphics), not just the obvious double-highs (the reds and flashing crimsons!). Therefore, '27002 could usefully introduce/summarise the approach and refer readers to '22301 and other sources for the details.
- Availability and integrity controls supporting/enabling the exploitation of high-quality, up-to-date, trustworthy business information and opportunities for legitimate purposes within the constraints of applicable policies, laws, regulations etc., even when this means deliberately taking chances (accepting risks!) to secure business opportunities. Also, I'd like to see, somewhere in the ISO27k series, clearer advice on how to tackle the trade-off between control and utility: information that is too tightly secured loses its value, just as it does if inadequately secured ... and that in turn leads to the idea of at least mentioning financial and general business controls relating to information risk and security (e.g. budgeting, project investments, resourcing, cost accounting, incident and impact costing, valuing intangible assets, directing and motivating specialists: these are all important but tricky areas to address, so advice would help improve the effectiveness and efficiency of information security). [Some of this is covered, albeit quite academically rather than pragmatically, in ISO/IEC 27014 and '27016, and outside the ISO27k realm.]
- Health and safety controls protecting 'our most valuable assets', providing a supportive work environment that is conducive to getting the most out of our people, and ensuring the safety of our customers using our products. As with business continuity, H&S is pretty well covered by other standards plus laws and regs ... although, arguably, there's much more left to say, yet, on mental health (e.g. the long-term adverse health effects of excessive stress, both on and off the job), with significant implications for information risks (e.g. managers making inappropriate decisions, or delaying/refusing/being unable to decide at all) and security controls (e.g. the importance of workload and stress management).
- Controls against fraud perpetrated by insiders (managers or staff), partners, outsiders/unknown parties, and potentially several of these in collusion, are another weak area in the standard. I have in mind controls such as 'trust but verify'; discreet monitoring/surveillance, both general and targeted at fraud-prone groups, roles, individuals or situations; explicitly designing business processes and information systems to deter, avoid, detect and alert on, or at the very least securely log, fraudulent activities; identifying, reporting and following up on various fraud indicators; encouraging and facilitating whistleblowers etc.
- Ethics in general - another human issue inadequately covered by the controls in the standard, despite the opportunity offered by section 6.
- Assurance controls in general: although there are some assurance controls in the ISO27k standards, they are mostly constrained to compliance auditing for accredited certification purposes. Oversight, for instance, is a valuable control (or rather, a cloud of related controls) that is almost universally applicable.
- Security architecture plus security engineering: once more, there are already useful standards and methods in this area, so '27002 need not reinvent the wheel - rather I feel it should introduce the concepts (perhaps with some version of the diagram above, or any of the many excellent alternatives documented in various other framework standards and methods), explaining their value as an integral part of information risk and security management, and cite the appropriate reference sources.
- Professional services other than the provision of IT/networks/cloud: many organisations rely on third parties for strategic, legal, accounting, HR, marketing and/or other specialist services (advice or full outsourcing), hence they are giving, receiving and using very valuable and sensitive information. [This is such a significant omission from the current ISO27k suite that it deserves its own ISO27k standard, in my opinion.]
- Information security controls mitigating information risks affecting the Information Security Management System itself, plus other 'management systems' and in fact management information in general, e.g.:
  - Governance arrangements such as structures, roles and responsibilities, reporting lines, delegation and oversight;
  - Change controls for policies and procedures;
  - Access controls for sensitive ISMS-related information such as risk registers, logs, incident reports, strategies, budgets and plans.
The good news, however, is that '27002 is a popular, generic, advisory standard that adequately catalogues and describes the basics. Users are free to interpret and apply the standard as they wish, even within the constraints of an ISO/IEC 27001-certified ISMS. The controls outlined in Annex A of '27001 are discretionary and not necessarily comprehensive. In other words, if you accept some or all of what I've said above, determine that various other valuable controls are MIA or weak in '27002, or decide that the suggested controls (as described) are inappropriate in your particular business situation, you are positively encouraged to use the specified information risk management process to select, use, manage and maintain whichever controls are most relevant and valuable to your organisation, so that they become integral parts of your unique ISMS.
Don't feel constrained by ISO/IEC 27001 Annex A and ISO/IEC 27002:2022. Do what's best for your organisation, for business, for Pete's sake!
With regards to (1) Business Continuity and (3) Health and safety, ISO has made some standards freely available on its Online Browsing Platform in response to the pandemic, including the following four.
ISO 31000:2018 - Risk management
ISO 22301:2019 - Business continuity
ISO 22316:2017 - Organizational resilience
ISO 45003:2021 - Psychological health and safety at work
Here are the links.
https://www.iso.org/obp/ui/#!iso:std:65694:en
https://www.iso.org/obp/ui/#!iso:std:75106:en
https://www.iso.org/obp/ui/#!iso:std:50053:en
https://www.iso.org/obp/ui/#!iso:std:64283:en
With regards to (4) Fraud and (5) Ethics it is said that for every instance of bribery there is an instance of money laundering (by definition). Therefore, in order to participate in bribery, you must, by definition, compromise integrity and availability of information, e.g. by raising a purchase order for ‘Consulting’, which is actually a bribe. To that end the standard “ISO 37001 - Anti-Bribery Management Systems” contains two requirements "8.3 Financial controls" and "8.4 Non-financial controls". Both of these simply specify that you must have the controls but do not contain specific requirements. Annex A of the standard provides guidance for both in Clauses "A.11 Financial controls" and "A.12 Non-financial controls". These could be applied as additional controls to supplement those in ISO/IEC 27002, similar to ISO/IEC 27017 and ISO/IEC 27018. The reason for not putting these in as detailed requirements in ISO 37001 is because of differences in bribery legislation. In the USA the Foreign Corrupt Practices Act (FCPA) contains both “Anti-Bribery” and “Books and Records” provisions. The UK Bribery Act only deals with bribery; the monetary aspects are covered by separate legislation such as the Criminal Finances Act and Sanctions and Anti-Money Laundering Act.
Thanks Anthony Mason, very useful comments.
I'll be studying ISO 45003 today!
Re all the standards and laws, I get the impression that you consciously take a wide-ranging view of 'integrated management system', an admirable and yet challenging approach: most of the organisations I come across are doing the opposite, consciously restricting the scope of their Information Security Management Systems to the bare minimum as specified in ISO/IEC 27001, and often further restricting it to particular business units or functions/departments (typically just IT).
Any tips on how to get them to broaden their perspectives, widen the scope and at least consider, if not adopt, the 'integrated management system' approach?
Maybe this is simply a maturity thing, i.e. once they have a narrow-scope but certified management system in place and operating routinely, expanding it to take in other aspects is a natural progression (for some organisations, anyway), building on the success of and learning from the first one.
Thanks for your kind comments Gary.
Originally, I managed a Quality Management System (QMS) to maintain certification to ISO 9001. We have many customers in the National Health Service (NHS) and in 2007 the NHS introduced a supplier check process named the Information Governance Statement of Compliance (IGSoC). This required me to augment our QMS to incorporate provisions to ensure compliance with the Data Protection Act and other requirements of the IGSoC process.
At around the same time Her Majesty's Revenue and Customs (HMRC) managed to lose two CDs in the ordinary post with the personal and financial details of 25 million recipients of child benefit and a Ministry of Defence (MoD) official lost a laptop with a load of personal data of MoD employees. This made me realise that in the future our NHS and public sector customers would start to ask for ISO/IEC 27001 certification. So, our QMS was further augmented to become an Integrated Management System, to also be certified to ISO/IEC 27001.
We are essentially an information services company so management of quality and information security are almost synonymous.
Several years later I was asked to add some anti-bribery provisions to our IMS, to satisfy a requirement for an important customer who was pursuing certification to ISO 37001 - Anti-Bribery Management System (ABMS). This raised my awareness of corruption, which unfortunately is very prevalent worldwide. Where it is widespread it increases costs, which have to be recouped, so end users pay more, which decreases customer satisfaction. So, there is a direct inverse correlation between corruption and quality. Similarly, there is a direct inverse correlation between corruption and information security. To pay a bribe someone may, for example, raise a purchase order for consulting, to pay a third party, a consultancy, which in reality is simply an intermediary to facilitate corruption. This, by definition, compromises integrity and availability of information.
I could go on with more examples, but in summary, I regard different aspects of operations as all interacting with one another, and improving management of one or more of them as contributing to good management overall.
Personally, I take an extreme view, which I hasten to add I do not foist upon others. There is no such thing as a QMS or an ISMS or a BCMS or an ABMS etc. An organisation simply has one Management System (MS), hopefully an IMS (Improvement Management System). If, for example, you implement ISO/IEC 27001 and ISO 22301 that will improve the effectiveness of how the MS manages information security and business continuity.
An ISMS Manager may manage a so-called ISMS with a restricted scope, to make it easier to get and keep an ISO/IEC 27001 certificate, and keep all the documentation in a folder named ISMS. However, that, in my view, almost defeats the point of doing it in the first place, which is to improve management. Also, it doesn't alter the reality that everything the organisation does with respect to information security (or business continuity or quality etc.) has an impact throughout the organisation.
Anthony Mason
aprmason@gmail.com
Thanks Anthony, fascinating.
I don't think your view is extreme: it makes good sense to me. As a big picture thinker with a strong business perspective, I completely agree!
I'm intrigued by the concept of 'a system of systems' - a governance perspective that seeks to integrate rather than isolate various parts of the organisation ('stove pipes') through common management approaches and information flows ... hinting at the possibility of extending the integration beyond the organisation to its first tier partners, then further still to integrated supply chains, then integrated supply networks on a global scale. Information is crucial to all of that, with complex, dynamic and challenging information risks to address as well as business opportunities to exploit.
Gary,
The following document describes something consistent with the concept you envisage and which you may find interesting.
https://instituteforcollaborativeworking.com/resources/Documents/iso_44001/insight_into_iso44001_new_final.pdf
The ISO 44000 series of standards have been created with primary input from the Institute for Collaborative Working (ICW). ISO 44001 is the auditable standard. ISO 44002 is analogous to ISO 27002 and ISO 27003. ISO 44000 specifies principles. ISO 44003 provides guidance to small and medium organisations, and ISO 44004 gives guidance to large organisations collaborating with small and medium organisations. The framework includes the sharing of information but in a wider concept of sharing of knowledge and information. Collaborative working is implemented in many industries such as construction, civil engineering, defence, health, so interpret knowledge broadly as also meaning know-how and experience.
Anthony Mason
aprmason@gmail.com
Thanks once again, Anthony, for sharing that info. Right on-the-button. You are a goldmine of useful info!
In my opinion, ISO/IEC JTC 1/SC 27 could really benefit from more collaborative approaches, particularly in the early stages of drafting standards. I appreciate the need to formalise the later standard finalisation and approval stages: gaining international consensus takes diplomacy and time. The problem (as I see it) is that the formalities slow things down and increase the costs in drafting, and worse still discourage innovation and frustrate creativity. Given that information security is a dynamic field, SC27 almost inevitably lags behind.
I can see opportunities for clients and contacts too, plus my own micro-business, so I shall continue studying. Thanks again for opening my eyes to this.
And always so many abstentions when various countries seemingly do not have enough coverage on particular subjects. ISO 27036-3, recently, is a good example of that. I've been trying to participate in its evolution, am unsure if my thoughts are rising beyond the Standards Council of Canada and then they abstain. Frustrating indeed.
Interesting that you mention the supply chain security standard ISO/IEC 27036-3, Pete. I was reading the latest DIS yesterday, noticing that although they removed "ICT" from the title, it is still heavily focused on IT. It barely mentions services, and then only in the IT context ... so I'm leaning towards proposing a new part of 27036 covering professional services (in general).
As to the national standards bodies and ISO, I share your frustrations. With so many parties and interests involved, everything becomes tough ... but at the end of the day, broad consensus (albeit on the 'least disagreeable options') moves things along. S l o w l y.