Cybersecurity and Privacy Law Handbook

By: Walter Rocchi

Overview of this book

Cybercriminals are incessantly coming up with new ways to compromise online systems and wreak havoc, creating an ever-growing need for cybersecurity practitioners in every organization across the globe who understand international security standards, such as the ISO27k family of standards. If you’re looking to ensure that your company's data conforms to these standards, Cybersecurity and Privacy Law Handbook has got you covered. It'll not only equip you with the rudiments of cybersecurity but also guide you through privacy laws and explain how you can ensure compliance to protect yourself from cybercrime and avoid the hefty fines imposed for non-compliance with standards. Assuming that you're new to the field, this book starts by introducing cybersecurity frameworks and concepts used throughout the chapters. You'll understand why privacy is paramount and how to find the security gaps in your company's systems. There's a practical element to the book as well—you'll prepare policies and procedures to prevent your company from being breached. You’ll complete your learning journey by exploring cloud security and the complex nature of privacy laws in the US. By the end of this cybersecurity book, you'll be well-placed to protect your company's data and comply with the relevant standards.
Table of Contents (18 chapters)

  • Part 1: Start From the Basics
  • Part 2: Into the Wild
  • Part 3: Escape from Chaos

The 27k family of standards

There is more to protect in your company than its walls and fences, if it has any. Let’s suppose your company has developed a new product. This product can guarantee a nine-figure income for at least the next decade. So, what’s the most important asset of your company?

One of your company’s most significant assets is information.

As you continue to read this book, this sentence will soon become your mantra. Ensuring the confidentiality, integrity, and availability of information is the goal of information security. These fundamental information security factors aid in ensuring that an entity’s data is secure. So, getting back to your product, what does your company need to defend itself from?

The main pain points are the following:

  • The leakage or disclosure of sensitive or confidential information, exposed either by accident or design
  • The compromise of personally identifiable information
  • Critical information being tampered with, either by mistake or on purpose, without the knowledge of the entity
  • Critical corporate data disappearing without a trace or the possibility of recovery
  • The unavailability of critical business information when it is required

The preceding statements lead us to a couple of valuable mantras about information:

Everyone within the company should be responsible for the information system, and they must do their best to ensure that their information is secure.

A human being is always the weakest link of the security chain.

Let’s put it simply: everyone within the company needs to understand the security posture and help improve it, and often just following the company policies and procedures (or even using common sense) will vastly improve baseline security. For instance, simply adopting and respecting a clean desk policy may prevent the cleaning staff from viewing documents they are not authorized to see (and we don’t know whether someone on the cleaning staff is ready to sell our company and/or private information – insiders can wear any kind of hat).

Let’s see another example: your company spends thousands of dollars implementing privacy screens (privacy filters designed to keep a computer user’s private and confidential information away from onlookers). But if you leave your laptop unattended, they are completely useless.

Information is adequately maintained and safeguarded against several threats.

Every entity can be at risk of data leakage by different means, and a company that wants to raise its security standards needs a structured way to do so. The vast majority of companies (at least in Europe) use so-called frameworks (such as ISO 27001/27002, NIST, etc.) simply because they’re ready to apply and use. More specifically, for European entities, implementing ISO 27001 also covers much of what the General Data Protection Regulation (GDPR, aka the European privacy law) requires, as well as security over the cloud. Basically, you’re killing three birds with one stone.

The following ISOs give us a foundation to establish an effective information management system:

  • ISO/IEC 27001:2017 – Information security management systems – Requirements
  • ISO/IEC 27002:2022 – Security approaches (information security controls)

While ISO 27001 has been prepared to provide requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), ISO 27002 is designed for organizations of all types and sizes. It is to be used as a reference for determining and implementing controls for information security risk treatment in an ISMS based on ISO/IEC 27001.

Born as an independent, non-governmental entity, the International Organization for Standardization (ISO) comprises the national standards bodies from the 165 countries that make up its membership. There are more than 1,500 voluntary international standards developed by ISO.

According to Wikipedia:

More than 20,000 standards have been established, encompassing everything from manufactured goods and technology to food safety, agriculture, and healthcare services. ISO is a voluntary entity whose members are recognized authorities on standards, each one representing one country. Members meet annually at a General Assembly to discuss the strategic objectives of ISO. The entity is coordinated by a central secretariat based in Geneva.

A council with a rotating membership of 20 member bodies provides guidance and governance, including setting the annual budget of the central secretariat.

The technical management board is responsible for more than 250 technical committees, who develop the ISO standards.

Products and services of high quality can be produced by adhering to the standards. Using the standards, businesses can boost productivity while reducing waste and errors. Because standards make products from different markets comparable, they make it easier for businesses to expand into new markets and help global trade develop on an equal footing. The standards also protect consumers and end users of products and services by ensuring that certified products meet international minimum standards.

Since we are interested in the information security side of ISO, let’s set aside what’s irrelevant to our scope.

ISO/IEC 27001 sets out the requirements against which an Information Security Management System (ISMS) can be certified by an approved third party. ISMS audits are conducted by accredited certification bodies as part of the certification process. With the help of ISO/IEC 27001, certified entities can be confident that their management systems and procedures comply with the standard.

ISO/IEC 27002, a guidance document, provides information security best practices and implementation guidance. As part of the risk management process, ISO/IEC 27001-compliant entities can use these controls to protect their information assets.