5/23/2006
06:45 AM

Users Line Up Behind Audit Standard

ISO 27001 poised to fill the void in security audit standards and become a global benchmark

If audits are about as much fun as dental fillings, then security audits are like root canals. Small wonder, then, that security professionals don't want to have to conduct separate audits for Sarbanes-Oxley, HIPAA, and a growing pile of new state and federal regulations for data handling and privacy.

And while it may never be the perfect catch-all, ISO 27001:2005, "Information Security Management Systems – Requirements," may be the closest thing enterprises can get to an Underwriters Laboratory seal for security audits.

ISO 27001 has also recently won some important buy-in from a couple of big users. Vendor sources said a few weeks ago that the Federal Reserve Bank of New York has recently achieved ISO 27001 registration. And other companies have been marching down the ISO 27001 path since before the standard was approved.

ISO 27001, ratified in November 2005, defines the implementation requirements based on ISO 17799 and can be used by companies to build a security plan. More importantly, "ISO 27001 contains verifiable implementation language spelling out procedures and practices that an auditor can use to determine if your organization is compliant," explains Ken Peterson, president of consultancy Churchill & Harriman.

ISO 17799:2005, "Code of Practice for Information Security Management," is used as a framework for building a security plan. It lays out 11 control categories, ranging from policy and organizational requirements, through asset, communications, and human resources management, to access control and business continuity. Think of ISO 17799 as a guidebook for implementing security initiatives.

Contrast the ISO approaches with the American Institute of Certified Public Accountants Statement of Auditing Standard 70 (SAS70) audits, which are conducted by CPA firms. The auditor issues a statement of opinion based on what the client company wants assessed. There are no standard criteria to measure the effectiveness of a security control. A SAS70 report really boils down to "this is the stated control, this is how the subject implements the control, and this is our opinion of whether the subject does what they say they do." Type II audits include testing of the controls by the auditor.

Companies can be audited against ISO 17799, but until ISO 27001 came along, there wasn't a certification path. Companies seeking an audit using ISO 17799 criteria would hire an auditor to perform the assessment and would be issued a letter of opinion, which Jon Gossels, president of consultancy System Experts, describes as "analogous to accounting firms issuing opinions to companies on their financial systems and reports." Letters of opinion are just that: qualified opinions about a company at a point in time. Finding a qualified auditor for an assessment based on ISO 17799 is not a simple task. Gossels recommends seeking advice from peers, interviewing potential auditors' reference clients, and examining the qualifications of the auditors.

Companies seeking ISO 27001 registration have to be audited by a certified body or registrar. Certified bodies have to go through extensive training and testing and are accredited by the International Register for Certified Auditors, according to Peterson. He points to these three phases of an audit:

  • Map the company's policies and procedures to 27001.

  • Audit the company's processes against the stated policies and procedures.

  • A registered audit is valid for three years with interim audits taking place every six to nine months. After three years, the whole process starts again.

Gossels urges companies not to confuse an audit with a security assessment. "An audit documents the current state of an organization focusing on instances of non-compliance," he says. "In contrast, a security assessment is looking for problems and root causes or classes of problems -- not every instance of a problem. These standards are useful for both purposes."


The business case
Many compare ISO 27001 to ISO 9001:2000, "Quality Management System," which shows the company has gone through a rigorous audit of its manufacturing processes, and also submits to interim checkups to ensure that the QMS is enforced. Some experts are confident that ISO 27001 will have a similar impact on security practices. "Similar to when BS5750 became standardized as ISO 9001, the world, including the U.S., took notice and flocked to it," Peterson asserts.

Others are not sure ISO 27001 will have wide appeal. Gossels thinks unless there is a clear business reason -- such as customers or partners demanding certification to do business -- there is no reason to get registered. "We would not advise a company to get registered [for ISO 27001] unless there is a clear business driver, because of the expense. There is no incremental value in spending those dollars. Having a reputable security firm say they are substantially compliant is good enough." Audit costs can easily run to five figures or higher, depending on the scope.

Gossels does point out that "in some vertical markets, like financials and healthcare, or markets where there are supply chains in place like aerospace, registrations may become a fact of life."

Rick Hargraves, CIO of United Recovery Systems LP, a Houston-based collections firm, had a sound business reason. "A few years ago, our clients started asking us questions about our security processes that came straight from ISO 17799, so we knew they were leaning that direction. We made a decision to align with ISO 17799. When we found that ISO 27001 was being ratified, we decided to achieve registration."

The registration process went smoothly for URS. The first part of the audit compared URS's policies and procedures to ISO 27001, and the second part ensured that stated business processes were being carried out. "We didn't have to make major changes to map our processes to ISO 27001 because being a financial company, we already had them in place to begin with. Companies starting from the ground up will have a more difficult time adjusting."

The key to undergoing an ISO 27001 registration, and to getting value from it, lies in the scope. Peterson recommends "starting with a narrow scope based on critical business process and then expanding it when needed, because an ISO 27001 audit is a difficult process; a large part of auditing is defining asset identification, risk assessment, and ownership. Failures happen when the scope is too large."

Hargraves agrees. "Just because you're 27001 [registered] doesn't mean your company is doing the best thing. For example, our company included processes under GLBA, networking, handling consumer information, complying with our clients' data security standards, and how we developed our own software within our ISO 27001 audit, because those are critical processes for our customer. If we didn't include how we protect consumer information, our certification would be lacking."

The International Register of ISMS Certificates maintains a list of registered companies, their certificate numbers, and a statement of scope. As of this writing, there are 2,625 organizations registered either to BS 7799 part II or ISO 27001. The bulk of the registrations are in Japan.

— Mike Fratto, Editor at Large, Dark Reading

Organizations mentioned in this story

  • American Institute of Certified Public Accountants
  • Churchill & Harriman
  • International Organization for Standardization (ISO)
  • United Recovery Systems, LP
  • System Experts

Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics ...
