Month: April 2020

ISO/IEC 27001: Everything That You Need To Know

Just like any other important business asset, information is an asset that has value to an organization and consequently needs to be protected. An Information Security Management System [ISMS] is the part of the overall management system that is built on a business risk approach and helps establish, implement, operate, monitor, review, maintain and improve information security.

ISO/IEC 27001 specifies an ISMS: an overarching management framework and a suite of activities concerning the management of information risks. Through this framework, the organization identifies, analyzes and addresses its information risks. It ensures that the security arrangements are kept up-to-date as security threats, vulnerabilities and business impacts change. This is a crucial aspect in a dynamic field, and also a major advantage of ISO27k’s flexible risk-driven approach. ISO/IEC 27001 is the only auditable international standard that defines the requirements for an ISMS.

The Plan-Do-Check-Act Methodology

An ISMS should follow the Plan-Do-Check-Act methodology.

  1. The Plan phase includes designing the ISMS, assessing information security risks and selecting suitable controls that should be implemented.
  2. The Do phase is about implementing and operating the controls.
  3. The Check phase involves reviewing and evaluating the performance of the ISMS.
  4. During the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

History of ISO 27001

ISO 27001 derives from BS 7799 Part 2, first published by the British Standards Institute in 1999. BS 7799 Part 2 was revised in 2002, incorporating the Deming Cycle, also known as the Plan-Do-Check-Act [PDCA] Cycle. In 2005, it was adopted as ISO 27001 with various changes to reflect its new custodians. After being extensively revised, the second edition was published in 2013, which brought it into line with other ISO management systems standards and dropped the explicit reference to the PDCA Cycle.

The Structure of the ISO 27001 Standard

ISO/IEC 27001: 2013 contains the following Sections:

  • Introduction: It explains a process for systematically managing information risks.
  • Scope: It specifies general ISMS requirements that are suitable for organizations of any type, nature or size.
  • Normative References: Only ISO/IEC 27000 is considered essential to users of 27001, while the other Standards in the ISO27000 Series are optional.
  • Context of the Organization: This includes understanding the organizational context, the expectations and needs of Interested Parties, and defining the scope of the ISMS. Section 4.4 states that the “Organization should establish, implement, maintain and continually improve” the ISMS.
  • Leadership: Top Management should demonstrate leadership and commitment to the ISMS, mandate applicable & relevant Policies, and assign information security roles, authorities and responsibilities.
  • Planning: This includes outlining the processes to identify, analyze and plan the treatment of information risks, and clarifying the objectives of information security.
  • Support: Competent and adequate resources must be assigned, awareness about information security should be raised, and appropriate documentation must be prepared and controlled.
  • Operation: This section gives more detail about assessing and treating information risks, managing changes, and documenting things so that they can be audited by the certification auditors.
  • Performance Evaluation: This section includes monitoring, measuring, analyzing and evaluating the information security controls, processes and management system, so as to systematically improve things where required.
  • Improvement: This section is about addressing the findings of Audits and Reviews and making continual refinements to the ISMS.


Apart from this, there is Annex A, Reference Control Objectives and Controls, which certified organizations are expected to use. The main body of the Standard states, however, that organizations are free to deviate from or supplement it in order to address their particular information risks.

What are the expected features of an ISMS?

An ISMS should do all of the following:

  1. Adopt the PDCA Model.
  2. Adopt a Process-based Approach, instead of a People-based Approach.
  3. Identify & manage Activities and Functions effectively.
  4. Stress continual improvement of Processes.
  5. Cover Information Security in its scope, and not just IT Security.
  6. Focus on People, Process & Technology.
  7. Provide resistance to intentional acts designed to cause damage to the Organization.
  8. Be a blend of Management Control, Technical Control and Operational Control.
  9. Become an overall management system to establish, implement, operate, analyze, review, maintain and improve Information Security.

What are the Benefits of ISO 27001 Certification?

Certifying the ISMS against ISO 27001 is beneficial to an organization in the following ways:

  1. It is an independent framework that accounts for all legal and regulatory requirements.
  2. It provides the ability to demonstrate and independently assure the internal controls of the organization.
  3. It helps in providing a competitive edge to the organization.
  4. It proves Senior Management commitment to the security of business and customer information.
  5. It formalizes and independently verifies the Information Security processes, documentation and procedures.
  6. It independently verifies that risks to the organization are properly identified and managed.
  7. It validates to Clients & Customers that the security of their information is taken seriously.
  8. It helps identify and meet contractual and regulatory requirements.

Neumetric, a cyber security services, consulting & products company based in Bangalore, notes that certified compliance with ISO 27001 by an accredited and respected Certification Body is entirely optional. However, it is increasingly being demanded by Clients, Business Partners and Organizations that are concerned about the security of their information, and about information security throughout the supply chain.

ISO 27001 Certification brings many benefits above and beyond mere compliance, and it says more than just “We are a Quality organization”. It has marketing potential that strongly demonstrates that the organization takes information security management seriously.

Information Security Effectiveness through ISO 27004 Standard

When it comes to information security, being careful is not enough. Protecting commercially sensitive information and personal records is quite critical. But how can you tell that your Information Security Management System [ISMS] is being effective & making a difference?

Guidance from ISO 27004

The goal of a security process is to minimize exposure to risk, so it is crucial to determine the efficiency of the implemented controls. 

  • How do you justify & explain the budget to improve your existing controls? 
  • How do you measure whether the implemented security controls are effective or not? 

It is important to demonstrate to your Senior Management & to your organization that the funds meant for implementing security controls will be invested in controls that adequately mitigate & reduce information risk to the core business processes.

ISO 27004 can provide guidance on how to evaluate the information security performance and the effectiveness of your ISMS. It explains how to assess and report the results of a set of information security metrics and how to develop and operate measurement processes. ISO 27004 is valid for & applicable to organizations of all types & sizes. It helps establish the following important aspects:

  1. monitoring and measurement of information security performance;
  2. monitoring the effectiveness of an ISMS including its processes and controls;
  3. scrutinizing and evaluating the results of monitoring and measurement.

The value of ISO 27004 in mitigating Cyber Attacks

Cyber attacks are one of the greatest risks that a business can face and that is why the enhanced version of ISO 27004 is trusted the most as a reliable mechanism to manage them. It gives the necessary fundamental and practical support to organizations that have already implemented the ISO 27001 Standard to safeguard themselves from the growing diversity of cyberattacks that they face.

Cyber security metrics can provide insights about the effectiveness of an ISMS and hence have taken center stage in an effective information security program. Whether you are a Professional, Consultant, or Engineer responsible for cybersecurity and for reporting to the Management, security metrics have become a crucial way to communicate the state of your organization’s cyber security risk posture.

Making the most out of your Cyber Security Investment

Organizations need help in addressing the question of whether their investment in information security management is effective or not. They need to know whether it is fit for purpose: able to react, defend and respond to the continually changing cyber-risk environment. This is where ISO 27004 can provide multiple advantages to your organization.

ISO 27004 can help organizations construct an information security measurement program, make selections as to what needs to be measured, and operate the necessary measurement processes. This includes different types of measures and how the effectiveness of these measures can be assessed.

Benefits of using ISO 27004

Using ISO 27004 provides many benefits to organizations:

  1. Improved accountability.
  2. Enhanced ISMS processes and information security performance.
  3. Evidence of meeting requirements of ISO 27001.
  4. Adherence to applicable Laws, Rules, and Regulations.

Neumetric, a cyber security services, consulting & products organization, can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security for organizations of all sizes & in multiple industries make it easier for us to quickly identify and cut the activities that do not bring value to you, while you continue focusing on the business objectives of the Organization.

Get in touch with us if you wish to implement the ISO 27001 Series of information security standards in your organization.


How PCI DSS Compliance can help meet EU GDPR mandates?

For storage, processing, and transmission of personal data, both PCI DSS and EU GDPR base an Organization’s compliance on its risk management efforts.
Developing strong Information Security & Data Security Policies helps offset these risks and provides an opportunity for an Organization to efficiently address PCI DSS and EU GDPR compliance simultaneously. Although EU GDPR includes all Personal Data and Cardholders’ details, applying the latest version of PCI DSS strategies can help with Personal Data Protection that is required for EU GDPR compliance.

By achieving PCI DSS compliance, Organizations can meet the baseline security control standards that are required under EU GDPR.


Top 10 Basic Defenses against Security Breach

According to security experts, private and public sector organizations are usually an easy target for cyber attacks (Security Breaches). And unless organizations get the basics right, they will keep falling prey to fraudsters, ransomware rings, or nation-state hackers. In times like these, it is crucial to make sure that organizations shore up their basic defenses, like using Multi-Factor Authentication [MFA], and as soon as they suspect an incident, they must take it seriously and act quickly.

Why is there a need to prioritize the basics?

Several Organizations have long since implemented Multi-Factor Authentication [MFA] and a Security Incident Response Plan. They have also continued to actively shore up any defenses that may have been lagging. And yet, organizations that support critical infrastructure still lag behind when it comes to the security basics.

Even before the advent of Artificial Intelligence [AI] and Machine Learning [ML], security experts were warning that the basics too often get overlooked. But still, cybersecurity has remained partly a story of organizations continually tackling new problems, only to leave them half-finished and move on to the next one. Usually, organizations are hyper-obsessed with the latest technology and get caught up in just about whatever the industry is selling. But the truth is that organizations are still failing to get the basics right.

Information Security Mitigation Strategies

In 2011, the Australian Signals Directorate published its top four (4) information security mitigation strategies, which many experts consider the best place to start.

  1. Whitelist Applications
  2. Patch Applications & Operating Systems
  3. Update to the latest versions of Applications & Operating Systems
  4. Minimize Administrative Privileges

Who is at risk?

Organizations in the financial, defense, government, and oil & gas sectors are the most likely targets for cyber attacks.

Even the best prevention in the world cannot guarantee that an organization will not get breached. To know exactly what they should be doing to survive a data breach, organizations should learn how to build a Data Breach Response Playbook or a Security Incident Response Plan. The single most important factor is to set everything up ahead of time, get buy-in from all levels of the Organization, including the Board, and then practice the Playbook.

Data Breach Response Playbook or Security Incident Response Plan

Chief Information Security Officers (CISOs), especially in government agencies and the aerospace and defense sectors, should conduct a 4-week review to shore up defenses and resilience, and must ensure that they can get back up and running after a successful attack.

Here’s a four-week “Cyber Sprint” or top 10 items that organizations can focus on.

  1. Board: The Board and Executive leadership team should be briefed on the need for dedicated resources to ensure that the organization is prepared and is able to do a 4-week cyber-sprint, including securing people and obtaining extra funding and support.
  2. Keys: All encryption keys and privileged administrative passwords should be rotated regularly, as a standard practice.
  3. Passwords: A password reset for all Users and external login access should be mandated at a fixed frequency.
  4. Multifactor: Every system must use Multi-Factor Authentication [MFA].
  5. Endpoints: Every endpoint should have active, working and updated protection. All nodes that do not have any protection should be decommissioned; if that is not possible, they should be isolated on a separate network.
  6. Patching: Every critical vulnerability should be patched. Organizations should apply the latest patches to all workstation computers.
  7. Disaster Recovery: Availability of all necessary backups and the ability to work with warm or hot replication sites should be confirmed.
  8. Hygiene: All accounts should be closed for those who are no longer employed by the Organization.
  9. Phishing: A message along with a 60-second educational piece on phishing should be pushed out to every User.
  10. Monitoring: Turn up controls for IPS, email monitoring, web traffic monitoring and IDS, Gateway Firewall and Web Application Firewall (WAF) protection to a higher level.

These are some of the low-hanging-fruit items that can help prevent a hack, without introducing too much friction. Most organizations can achieve them in four weeks and successfully create a better balance between protection and recovery. But this 4-week target cannot begin counting down until organizations have put a Plan in place!
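The sprint checklist above and the ISO 27004 measurement guidance earlier on this page come down to the same idea: each control becomes a measurable quantity with a target, so that Management can see where the sprint stands rather than take it on trust. The Python below is an added example, not code from the article or from Neumetric. The inventory records, the 90-day rotation and password-reset threshold, and the metric targets are all constructed assumptions; a real run would draw the same fields from the identity provider, the endpoint protection console, the vulnerability scanner and the secrets store.

```python
"""Cyber-sprint readiness metrics computed over a constructed inventory (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Reporting date assumed for the sample run (constructed).
TODAY = date(2020, 4, 30)
# Assumed policy: keys, admin passwords and user passwords older than this are overdue.
MAX_AGE_DAYS = 90


@dataclass(frozen=True)
class Account:
    user: str
    employed: bool            # False once the person has left the Organization
    mfa_enabled: bool
    last_password_reset: date


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    protection_active: bool   # endpoint protection installed, running and updated
    open_critical_vulns: int  # critical findings still unpatched


@dataclass(frozen=True)
class Secret:
    name: str                 # encryption key or privileged administrative credential
    last_rotated: date


# Constructed sample inventory, not real data.
ACCOUNTS = [
    Account("alice", True, True, date(2020, 4, 1)),
    Account("bob", True, False, date(2019, 11, 15)),
    Account("carol", False, True, date(2020, 2, 20)),   # left the company, account still open
    Account("dave", True, True, date(2020, 3, 10)),
]
ENDPOINTS = [
    Endpoint("ws-01", True, 0),
    Endpoint("ws-02", False, 2),
    Endpoint("srv-db", True, 1),
]
SECRETS = [
    Secret("backup-encryption-key", date(2019, 9, 1)),
    Secret("domain-admin", date(2020, 4, 10)),
]


def mfa_coverage(accounts) -> float:
    """Multifactor item: share of still-employed users who have MFA enabled."""
    active = [a for a in accounts if a.employed]
    return sum(a.mfa_enabled for a in active) / len(active) if active else 1.0


def stale_accounts(accounts) -> list:
    """Hygiene item: accounts of people no longer employed by the Organization."""
    return [a.user for a in accounts if not a.employed]


def overdue_password_resets(accounts, today, max_age_days=MAX_AGE_DAYS) -> list:
    """Passwords item: employed users whose last reset is older than the fixed frequency."""
    cutoff = today - timedelta(days=max_age_days)
    return [a.user for a in accounts if a.employed and a.last_password_reset < cutoff]


def unprotected_endpoints(endpoints) -> list:
    """Endpoints item: nodes without active, updated protection (isolate or decommission)."""
    return [e.hostname for e in endpoints if not e.protection_active]


def unpatched_critical(endpoints) -> int:
    """Patching item: total number of open critical vulnerabilities across the estate."""
    return sum(e.open_critical_vulns for e in endpoints)


def overdue_secrets(secrets, today, max_age_days=MAX_AGE_DAYS) -> list:
    """Keys item: keys and privileged credentials not rotated within the policy window."""
    cutoff = today - timedelta(days=max_age_days)
    return [s.name for s in secrets if s.last_rotated < cutoff]


def sprint_report(accounts, endpoints, secrets, today, max_age_days=MAX_AGE_DAYS) -> dict:
    """Measurement results in the ISO 27004 spirit: each metric with its target and a pass flag."""
    metrics = {
        "mfa_coverage": (mfa_coverage(accounts), 1.0),
        "stale_accounts": (len(stale_accounts(accounts)), 0),
        "overdue_password_resets": (len(overdue_password_resets(accounts, today, max_age_days)), 0),
        "unprotected_endpoints": (len(unprotected_endpoints(endpoints)), 0),
        "unpatched_critical_vulns": (unpatched_critical(endpoints), 0),
        "overdue_secret_rotations": (len(overdue_secrets(secrets, today, max_age_days)), 0),
    }
    report = {}
    for name, (value, target) in metrics.items():
        # coverage metrics must reach their target; count metrics must not exceed it
        ok = value >= target if name.endswith("coverage") else value <= target
        report[name] = {"value": value, "target": target, "ok": ok}
    return report


def sprint_passed(report) -> bool:
    """True only when every metric meets its target."""
    return all(m["ok"] for m in report.values())


if __name__ == "__main__":
    result = sprint_report(ACCOUNTS, ENDPOINTS, SECRETS, TODAY)
    for name, m in result.items():
        status = "OK" if m["ok"] else "ACTION"
        print(f"{name:26s} value={m['value']:<8.4g} target={m['target']:<5} {status}")
    print("sprint complete" if sprint_passed(result) else "sprint incomplete")
```

Each metric maps to one checklist item, so the report tells the Board which items are done and which still need resources. The pass flags deliberately use strict targets (100% MFA, zero stale accounts, zero unpatched criticals); if an organization accepts a risk on one of them, the right place to record that is the target, not a quiet relaxation of the check.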


What is PCI DSS Certification and Why is it so Crucial?

The Payment Card Industry Data Security Standard [PCI DSS] is an information security standard for organizations that handle financial cards in some manner. These include Credit Cards and Debit Cards, and now increasingly include Digital Currency such as Wallets as well.

PCI DSS Standard is mandated by the Card provider organizations (such as MasterCard, VISA, American Express) but it is administered & managed by the Payment Card Industry Security Standards Council, which is also known as the “PCI Council”.

The standard was created to increase controls around Cardholder Data [CHD] in order to reduce card fraud. Validation of compliance is typically performed annually or quarterly, by a method suited to the volume of transactions handled:

  • A Self-Assessment Questionnaire [SAQ] for smaller volumes.
  • An external Qualified Security Assessor [QSA] for moderate volumes.
  • An organization-specific Internal Security Assessor [ISA] for larger volumes, which also involves issuing a Report on Compliance.
