Mastering Information Security Compliance Management

A comprehensive handbook on ISO/IEC 27001:2022 compliance

Product type: Paperback
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781803231174
Length: 236 pages
Edition: 1st Edition
Authors: Greeshma M. R., Adarsh Nair
Table of Contents

Preface
Part 1: Setting the Stage – Definitions, Concepts, Principles, Standards, and Certifications
  Chapter 1: Foundations, Standards, and Principles of Information Security
  Chapter 2: Introduction to ISO 27001
Part 2: The Protection Strategy – ISO/IEC 27001/02 Design and Implementation
  Chapter 3: ISMS Controls
  Chapter 4: Risk Management
  Chapter 5: ISMS – Phases of Implementation
  Chapter 6: Information Security Incident Management
  Chapter 7: Case Studies – Certification, SoA, and Incident Management
Part 3: How to Sustain – Monitoring and Measurement
  Chapter 8: Audit Principles, Concepts, and Planning
  Chapter 9: Performing an Audit
  Chapter 10: Audit Reporting, Follow-Up, and Strategies for Continual Improvement
  Chapter 11: Auditor Competence and Evaluation
  Chapter 12: Case Studies – Audit Planning, Reporting Nonconformities, and Audit Reporting
Index
Other Books You May Enjoy
Appendix – Terms and Definitions

The CIA triad

InfoSec, the shorthand for information security, refers to the practices and controls that protect information from unauthorized access, disclosure, or modification, whether the data is at rest or in transit. It covers a broad range of topics, including safeguarding the digital assets on which sensitive data is stored and processed.

Information security rests on three pillars known as the CIA triad: Confidentiality, Integrity, and Availability. ISO/IEC 27000 defines information security as the preservation of exactly these three properties. Figure 1.1 shows the three pillars, which are as follows:

  • Confidentiality – Providing access only to authorized personnel who need access
  • Integrity – Maintaining the information’s accuracy and completeness
  • Availability – Making sure the information is available to authorized users when they need it

Figure 1.1 – CIA triad

Let’s see what each of the pillars in the triad means for information security.

Confidentiality

Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes; it is what an organization preserves when it takes steps to keep its information private. In practice, this means limiting who can access data so that it is safe from unwanted disclosure. Confidentiality safeguards prevent both unauthorized disclosure of information and unauthorized access to the systems that hold it. For the principle to be effective, sensitive information must first be identified and classified, and only those who need it to carry out their job responsibilities (the need-to-know principle) should be able to see or access it.

Confidentiality is required to prevent sensitive information from leaking to the wrong people. It is enforced through access controls, that is, authentication (passwords and stronger factors that prove who a user is) combined with authorization rules that decide what each user may read, and through encryption of data in transit and at rest, so that the data stays confidential even if the underlying network or storage is exposed.
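The passwords behind the authentication control above are themselves confidential information and must never be stored in the clear. The following added example (written for this edit, not code from the book or its authors) shows the standard way to keep them: derive a slow, salted key with PBKDF2-HMAC-SHA256 from the Python standard library and compare it in constant time at login. The credential store and the user names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 parameters. The iteration count is a deliberate work
# factor that slows offline guessing; raise it as hardware gets faster
# (current guidance recommends a considerably higher count than used here,
# which is kept modest so the demo runs quickly).
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a storable record of the form scheme$iterations$salt_hex$key_hex.

    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table of hashes is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              ITERATIONS, KEY_BYTES)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the stored salt and parameters, then compare in
    constant time so the check leaks nothing about how many bytes matched."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        if scheme != SCHEME:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations),
                                        KEY_BYTES)
    except ValueError:
        # Malformed record: wrong field count, bad hex, or a non-integer count.
        return False
    return hmac.compare_digest(candidate.hex(), key_hex)


def demo() -> dict:
    """Constructed credential store (hypothetical users, not from the page)."""
    store = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),  # same password as alice
    }
    return {
        "alice_right_password": verify_password("correct horse battery staple", store["alice"]),
        "alice_wrong_password": verify_password("Correct horse battery staple", store["alice"]),
        "same_password_same_record": store["alice"] == store["bob"],
        "malformed_record": verify_password("anything", "not-a-record"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Even if the credential store leaks, an attacker is left with a per-user salted, slow hash rather than the passwords themselves; the constant-time comparison closes the side channel that a plain `==` on the derived keys would open.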

Integrity

In everyday usage, integrity means wholeness or soundness: something that is complete and uncorrupted. In the same sense, integrity in information security means safeguarding data from uncontrolled or unauthorized additions, deletions, or modifications. Integrity rests on the idea that data can be trusted to be accurate and complete, and that it has not been improperly altered.

Closely linked to integrity is non-repudiation: a party cannot later deny having created, sent, or approved a piece of information, or having carried out an action on a system. Non-repudiation therefore provides traceability of the actions performed on information and services. Accuracy and consistency of data are vital at all times, and you must be prepared to show that a document's credibility has been maintained, particularly in legal proceedings. Hashing, digital signatures, and digital certificates are often employed to ensure integrity. Note the difference between them: a plain hash only detects accidental corruption, because anyone who changes the data can recompute the hash to match; detecting deliberate tampering requires a keyed message authentication code (MAC) or a digital signature, and only a digital signature, produced with a private key that the signer alone holds, also provides non-repudiation.
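To make the hash-versus-MAC distinction concrete, here is an added example (written for this edit, not code from the book or its authors) in which an on-path attacker changes the payee of a message that is protected first by a bare SHA-256 digest and then by an HMAC-SHA256 tag. The payment record, the attacker's rewrite, and the shared key are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the original page): a payment
# instruction whose accuracy and completeness must survive transit.
ORIGINAL = b"transfer;from=ACC-1001;to=ACC-2002;amount=100.00"
TAMPERED = b"transfer;from=ACC-1001;to=ACC-9999;amount=100.00"

# Hypothetical secret shared by sender and receiver. In a real system it
# lives in a key store; the attacker modelled below never sees it.
SHARED_KEY = secrets.token_bytes(32)


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256: catches accidental corruption, not deliberate change."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: a valid tag can only be produced by a holder of the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_plain(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(data), digest)


def verify_keyed(data: bytes, tag: str, key: bytes) -> bool:
    # compare_digest avoids leaking the position of the first mismatch via timing.
    return hmac.compare_digest(keyed_tag(data, key), tag)


def tamper_plain_hash():
    """On-path attacker swaps the payee and simply recomputes the unkeyed digest."""
    return TAMPERED, plain_digest(TAMPERED)


def tamper_hmac(old_tag: str):
    """Same attacker against an HMAC: without the key, the best available move
    is to forward the modified message with the original tag."""
    return TAMPERED, old_tag


def demo() -> dict:
    digest = plain_digest(ORIGINAL)
    tag = keyed_tag(ORIGINAL, SHARED_KEY)
    msg_h, digest_h = tamper_plain_hash()
    msg_m, tag_m = tamper_hmac(tag)
    return {
        "plain_hash_accepts_original": verify_plain(ORIGINAL, digest),       # True
        "plain_hash_accepts_tampered": verify_plain(msg_h, digest_h),        # True: undetected
        "hmac_accepts_original": verify_keyed(ORIGINAL, tag, SHARED_KEY),    # True
        "hmac_accepts_tampered": verify_keyed(msg_m, tag_m, SHARED_KEY),     # False: detected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The HMAC proves that the message was produced by a key holder and has not changed since, but it cannot give non-repudiation: the receiver holds the same key and could have produced the tag itself. A digital signature uses a private key that only the signer has, and a certificate binds the matching public key to an identity, which is why the chapter lists signatures and certificates alongside hashing.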

Availability

Valuable systems, applications, and data are useless to a business if the people who need them cannot access them. Availability means that systems and applications work as expected and that resources are accessible to authorized users in a timely and reliable manner. The goal of availability is to ensure that data and services are there whenever they are needed, including when decisions have to be made.

Availability is about whether a system and its services are accessible to authorized users at the moment they need them. Redundancy of important systems, hardware fault tolerance, regular backups (verified by actually restoring them), comprehensive disaster recovery plans, and similar measures are all ways to assure availability.

Accountability and cyber resilience

Accountability entails assigning explicit responsibilities for information assurance to each person who interacts with an information system. A manager responsible for information assurance can then readily define and measure each employee's obligations within the context of the organization's overall information security plan. A policy statement that no employee shall install third-party software on company-owned information infrastructure is one example; for such a policy to be enforceable, actions on systems must be logged and attributable to an identified individual.

To be resilient in the face of cyberattacks, a business must be able to anticipate them, prepare for them, withstand them, and respond to and recover from them appropriately. This helps an organization combat cyber threats, reduce the severity of attacks, and ensure that the company continues to operate even after an attack has taken place. This is cyber resilience.

The CIA triad forms the foundation of information security standards such as ISO/IEC 27001. Let’s now look at some of the standards that are available in the information security sector.
