Posts with label: IT risk management

Friday, 4 April 2014

Has 'Plan-Do-Check-Act' disappeared in the new ISO 27001?

The Plan-Do-Check-Act (PDCA) process originates from quality assurance in production environments, but has for some years also been a requirement in the ISMS standard ISO 27001 (ISMS = Information Security Management System). If you look at the new ISO 27001 that was published in late 2013, you may notice that it no longer contains a specific requirement for a PDCA process. Although it does contain headlines such as Planning, Operation, Performance Evaluation and Improvement, which admittedly are very close to PDCA, your company can now follow the new ISO 27001 without having an actual PDCA process. But there is a clear requirement that you continuously improve your ISMS, formally phrased as "the organization shall establish, implement, maintain and continually improve the ISMS".

In general the new ISO 27001 introduces more flexibility in terms of selecting method and form than the previous version. A good example of this flexibility is the requirement for continuous improvement. You can choose to use PDCA - or another method - as your way of continuously improving your ISMS. My recommendation is that you only use PDCA to the extent that it makes sense to you. There are many other ways of ensuring ongoing improvement.

Start with something as simple as having (or getting) an overview of your ISMS tasks. Since information security applies to most, if not all, of your business processes, information security also involves a number of people. If you want to improve your information security you need to maintain a continuous overview of the security and compliance tasks people are assigned to, and you need to monitor whether or not the tasks are carried out. Strengthening information security by getting a grip on all security and compliance tasks is one of the main features in Workflow TNG, a new SecureAware module, which we are proud to announce. Read the news here.

We have a number of resources and offers for you:



Thursday, 13 February 2014

Do you need to explain what ISO 27001 is?

We've produced this short clip to help you communicate the main components of an Information Security Management System (ISMS), as described in ISO 27001.

Friday, 11 October 2013

The new ISO 27001 is out!
How to develop a Statement of Applicability

The 2013 editions of the widely used standards for information security management, ISO 27001 and 27002, were released a few weeks ago. It has been eight years since they were last updated, and the new versions contain a number of improvements that should be of interest to companies that lean towards ISO 27001 or comply with it.

ISO 27001 describes the requirements for an Information Security Management System (ISMS). The requirements address the same topics as the previous version. The good news is that companies now have more freedom to choose how they will comply with the requirements. More functionality, less form, as one of my colleagues put it.


Risk Management = Risk Assessment + Risk Treatment

Risk management is now an even more central part of your ISMS. Risk management consists of a process of risk assessment and a process of risk treatment.

Road to SoA - and beyond

In the new ISO 27001 (and in the old standard as well), a key document is the Statement of Applicability, the SoA. It's new that your SoA is so closely aligned with your risk treatment process. It's also new that your organisation is to appoint Risk Managers. The responsibility of a Risk Manager is to approve your risk treatment plan and your risk tolerance - sometimes referred to as risk appetite.

Your SoA describes what controls are part of your ISMS. It is new that you have to justify both control inclusions and exclusions; that's a nice improvement to the standard. As the SoA is or becomes such a central document in your ISMS, Neupart has produced a free guide on how to prepare and maintain your SoA most effectively.

DOWNLOAD How to develop an ISO 27001 Statement of Applicability. Registration is not needed.


PS! I have a few more ISO 27001 resources for you:

SecureAware ISMS-tool
Webinar on how to develop a SoA
Blog Post about how the new ISO 27001 affects your risk management

About the Author: Lars Neupart is founder of Neupart and wants you to know that SecureAware = efficient information security management. Get more of him on Twitter.

PS: Click here to follow us on LinkedIn.

Sunday, 11 August 2013

How to assess your business risks when going cloud


Cloud computing promises many benefits. Cost reductions, improved efficiency and improved security are what many companies can gain from moving into the cloud.

As with a traditional IT outsourcing venture, there are also many threats, so you might want to perform an IT risk assessment before you go cloud. You'll need to decide what data and applications to move to the cloud, what type of cloud service fits your purpose, and of course assess the vendor you are considering.

Cloud security differs depending on whether you want to jump into the cloud with a Software as a Service, Platform as a Service or Infrastructure as a Service solution (SaaS, PaaS, IaaS). As an IaaS customer, you will often have more operational security responsibilities, compared to SaaS, where you basically subscribe to the security services offered by your cloud provider.




Use a threat-based methodology

Regardless of which type of cloud service you choose, you'll need to have an information security risk management process in place. This process should be based on a best practice methodology. I recommend you check out the ISO 27005 standard; it is a threat-based methodology that provides guidelines for information security risk management.

An alternative to the threat-based approach is the control-based approach. The risk management professionals in the Neupart team find that the threat-based approach offers a more accurate risk picture, as you decide in the assessment process which threats cause business risks that need to be managed. In contrast, the control-based approach can result in a list of controls that may or may not offer business value.

ISO 27001 and ISO 27005 alignment

As an added bonus of following the ISO 27005 methodology, you will be on your way to compliance with the risk management requirements of ISO 27001.

The Cloud Security Alliance has compiled a list of the biggest threats to cloud security, which will help you assess potential cloud service providers.


Assess the potential impact to your business

ISO 27005 suggests you perform a Business Impact Analysis (BIA), and that's also good advice before moving to the cloud. You will have to identify your critical and non-critical business processes. 'Critical processes' can be defined as those whose disruption would be unacceptable to your business.

Assess vulnerability or incident likelihood

Vulnerability assessments are also an ISO 27005 recommendation. These can be time-consuming to conduct, but luckily there are resources that can help. The Cloud Security Alliance (again) has a STAR registry that documents the security controls provided by various cloud-computing providers. All the providers in the registry have carried out self-assessments based on a control matrix from CSA. You can find the Cloud Security Alliance STAR Registry here.

Instead of vulnerability assessments, you may find it faster to assess how likely it is that security incidents will happen at your provider. Some organizations use the provider's past performance as an indicator when assessing incident likelihood.


Combining BIA and likelihood into risks

When you know the business impact of an incident, and you know incident likelihood, you can calculate your risk level, and then decide if it's acceptable to your business or not. The risk treatment process of ISO 27005 suggests four treatment options:

  1. Accept Risk
  2. Avoid Risk
  3. Reduce Risk
  4. Share Risk (in the past referred to as "Transfer Risk")
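As an added example that is not part of the post (and not SecureAware's code), here is the calculation sketched above carried through in Python: a constructed cloud risk register is scored as business impact times incident likelihood on assumed 1-5 scales, each risk is compared with an assumed risk tolerance, and the residual risk after the chosen ISO 27005 treatment option is checked against that tolerance. The scales, the tolerance value and the register entries are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Ordinal scales for the BIA result (impact) and the incident likelihood.
# ISO 27005 leaves the scales to the organisation; these 1-5 scales and the
# tolerance below are assumptions made for this example.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
TREATMENTS = ("accept", "avoid", "reduce", "share")   # the four ISO 27005 options

@dataclass
class CloudRisk:
    ref: str
    threat: str
    impact: str                                  # from the business impact analysis
    likelihood: str                              # e.g. based on the provider's track record
    treatment: str                               # option chosen by the risk owner
    residual_likelihood: Optional[str] = None    # "reduce": a control lowers likelihood
    residual_impact: Optional[str] = None        # "share": a contract/insurance lowers impact

def risk_level(impact: str, likelihood: str) -> int:
    """Risk level = business impact x incident likelihood."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]

def residual_level(risk: CloudRisk) -> int:
    """Risk level remaining after the chosen treatment has been applied."""
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.ref}: unknown treatment {risk.treatment!r}")
    if risk.treatment == "avoid":        # the activity is not carried out, nothing remains
        return 0
    if risk.treatment == "reduce":       # control lowers likelihood, impact unchanged
        return risk_level(risk.impact, risk.residual_likelihood or risk.likelihood)
    if risk.treatment == "share":        # third party carries part of the impact
        return risk_level(risk.residual_impact or risk.impact, risk.likelihood)
    return risk_level(risk.impact, risk.likelihood)   # accept: unchanged

def treatment_plan(register, tolerance: int):
    """One row per risk: inherent level, residual level, and whether it is within tolerance."""
    return [{"ref": r.ref, "treatment": r.treatment,
             "inherent": risk_level(r.impact, r.likelihood),
             "residual": residual_level(r),
             "within_tolerance": residual_level(r) <= tolerance} for r in register]

def needs_attention(register, tolerance: int):
    """Refs whose residual risk still exceeds the risk owner's tolerance."""
    return [row["ref"] for row in treatment_plan(register, tolerance) if not row["within_tolerance"]]

# Constructed sample register (not data from the post).
REGISTER = [
    CloudRisk("R1", "data breach at the provider", "major", "possible", "reduce", residual_likelihood="unlikely"),
    CloudRisk("R2", "provider outage", "moderate", "unlikely", "accept"),
    CloudRisk("R3", "regulated data in a disallowed jurisdiction", "critical", "possible", "avoid"),
    CloudRisk("R4", "admin console account hijacking", "major", "likely", "reduce", residual_likelihood="rare"),
    CloudRisk("R5", "provider insolvency", "major", "possible", "share", residual_impact="minor"),
]
RISK_TOLERANCE = 6   # assumed risk appetite approved by the risk owner

if __name__ == "__main__":
    for row in treatment_plan(REGISTER, RISK_TOLERANCE):
        print(row)
    print("still above tolerance:", needs_attention(REGISTER, RISK_TOLERANCE))
```

In the sample data R1's planned reduction only brings the residual down to 8, so it is the one risk the plan flags for further treatment.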

Are these tips useful in the assessment of your security? Do you have any experience in this field? Feel free to share your comments here on the blog.


Best regards
Lars Neupart

About the Author: Lars Neupart is founder of Neupart A/S. Follow Lars on Twitter.

---------------------------------
PS! The ISO 2700x standards are recognized and widely implemented in many organizations worldwide for good reasons. That is why we at Neupart designed SecureAware Risk TNG to provide you with risk management tools – based on the ISO 27005 and ISO 27001 standards. Here's how SecureAware can help your cloud security risk management:
  • It helps you manage your business impact assessments
  • It helps you manage vulnerability or probability assessments in relation to your cloud provider
  • It helps you calculate, evaluate and report your risks
  • It helps you treat your risks.
Learn more about ISO 27005 implementation in the tool SecureAware Risk TNG  - delivered to you as a cloud service or on-premise installation.

You might also be interested in reading: IT Risk Management increases your IT outsourcing success

Monday, 29 July 2013

How does the ISO 27001:2013 affect your risk management process?

ISO / IEC 27001 was introduced in 2005 and has become a very popular international standard. Now ISO 27001 is being revised and a new version is due later in 2013. I’ve looked at the changes before and outlined the main differences between the old and the new version.
  
One central topic of the new ISO 27001 is the risk management processes. So our team here at Neupart has prepared a white paper to let you know how ISO 27001:2013 will impact your risk management processes.

Here’s a little teaser: One of the changes in the new ISO 27001 is that it only requires that you identify risks in relation to confidentiality, integrity and availability. This gives you greater flexibility in your choice of risk method.

You don’t have to provide an email address or any other information to get the PDF. If you have a moment, all I ask is that you let me know what you think about the changes in ISO / IEC 27001 or the whitepaper in the comments below.

Grab your copy of “How the ISO 27001 revision affects your risk management process” here.

Or view a webcast on the same topic here.

About the Author: Lars Neupart is founder of Neupart A/S and wants you to know that SecureAware = efficient information security. Get more of him on Twitter.

PS: Click here to follow us on LinkedIn.

Monday, 3 June 2013

IT Risk Management increases your IT outsourcing success

IT outsourcing can be a highly positive experience.

You outsource your IT operations to someone who has more experience and expertise and can do it more cost-efficiently.

However, for an outsourcing venture to succeed you will need to have a proper information security risk management process in place. One of the better methodologies you can use, to prevent unnecessary risks, is the information security risk management standard ISO 27005.

If your methodology is in place and a security strategy has been laid out and communicated to both your organisation and your outsourcing supplier, then you have nothing to fear. But when it isn't done properly it can have a negative impact on your organisation.

The 2013 Trustwave Global Security Report had less than positive news on outsourcing. The researchers discovered that of 450 global data breach investigations, 63% were linked to an outsourcing supplier.

The outsourcing supplier responsible for IT system support, development or maintenance had neglected or introduced security deficiencies that were easily exploitable.

The results are strikingly similar to a report from 2009, commissioned by VanDyke Software and carried out by Amplitude Research. They discovered that sixty-one percent of their 350 respondents, whose organisations outsourced IT jobs, had experienced an unauthorized intrusion between 2007 and 2009.

In comparison only thirty-five percent of the companies that did not outsource had dealt with unauthorized intrusions.

Don’t worry, take proper measures

Don’t let these numbers scare you. There are many highly professional outsourcing suppliers out there.

Most of the issues reported in the above studies are due to miscommunication between organisations and their outsourcing supplier. The blame can therefore not be placed solely with the supplier, but should instead be shared between both parties.

When IT outsourcing is done correctly it can be highly beneficial for both you and your outsourcing supplier. All you have to do is take the proper steps to ensure a secure and rewarding outsourcing experience.

Where to start?

Performing a proper risk assessment can inoculate you against a bad outsourcing decision.

First consider what areas you want to outsource. Then look into what the potential business impact would be if something went wrong, and whether outsourcing makes you more vulnerable.

The more risk involved, the more you need to vet the potential outsourcing supplier. SecureAware can help you with this by, among other things, supplying you with questions that you can present to your potential outsourcing partner.

A recognised security standard, such as ISO 27001 for information security, is a good indicator that the outsourcing supplier takes security seriously, but it is never a guarantee.

You’d also want to check who did the accreditation, as there are some “fast-track certifications.” You also want to check out what parts of the business the certification covers.

Next you’d want to check if they “practice what they preach”; if they don’t, your company name may end up all over the six o’clock news.

Building a trusting relationship

This process isn’t just a matter of inspecting their business once or twice. This can take weeks or months. You rely on them to manage risk aspects on your behalf. You need to be certain that they are up to the challenge, and that you understand each other.

Building a mutually understanding and trusting relationship can take time and requires a large amount of diligence on both sides. It is important that both parties take the time to fully cover exactly how this partnership is to go down.

That way you can minimize misunderstandings and potential security issues. Take the necessary steps and you will be on the road to a positive and beneficial outsourcing experience.

For inspiration you can use this list of questions that you can present to your potential outsourcing supplier:


Feel free to give us feedback if you found the list useful or not, or if you have any additions.

About the Author: Lars Neupart is founder of Neupart A/S and wants you to know that SecureAware = efficient information security. Get more of him on Twitter.


PS: Click here to follow us on LinkedIn.



Here's how SecureAware can help your IT outsourcing risk management:

- It can help you ask the right questions to your supplier and collect the responses.

- It can help assess your business risk in relation to your IT outsourcing provider.

- It can help manage and communicate your requirements to your supplier as an integrated part of your information security policies.

Click here to read more about how SecureAware can benefit your organisation.

Tuesday, 30 April 2013

Six questions about the ISO 27001 revision (with answers)

How does the ISO 27001 revision impact your risk management?

I recently held a presentation on this very topic in an attempt to address some of the questions, and if you haven't already, I strongly recommend you go watch it! You can watch it here.

I have since received a lot of feedback and more questions. Since many of these are relatively basic questions I thought it would be a good idea to share them and the answers here.

If you are looking for the presentation slides you can find them here.

Now on to the questions:

1. What else is new in ISO 27001, is it only about risk?
No, there are plenty of other changes. For example, management will have an increased responsibility for IT risk management. There will also be increased flexibility in your choice of risk method.

The revision is still only a draft so changes can still occur.

You can see a few of the possible changes here:


2. Will it take a great amount of effort to shift to the new ISO 27001?
No, quite the contrary. ISO 27001 is not filled with technical demands on your security, internal audit or otherwise. The 2013 draft has the same main content as the 2005 version: the purpose and many activities are the same.

The main difference is that the way it is presented has been altered, creating sharper formulations, and some areas are given more flexibility.

A transition would therefore not require lots of extra effort on your part.

Further, you have absolutely nothing to fear if your company is already ISO 27001 certified.

3. Are there any consequences for the management (risk owner) if you do not live up to the compliance?
There will only be consequences for the risk owner if your company has decided that such consequences should exist. It can, however, have consequences for your ISO 27001 certification and may result in a reprimand during an audit visit.

4. Is there a good mapping between NIST SP 800-53 controls and ISO 27001?
Yes, the National Institute of Standards and Technology has even released a paper regarding the issue. You can find it here.

5. When will SecureAware reflect the new ISO 27001 standard?
Shortly after the new ISO 27001 changes are finalised and made public.


6. Is there already a paper about risk management in the new ISO 27001?
There are currently, to my knowledge, no specific papers available on this topic.

However, Neupart will publish a paper on the topic. Once it is finished it will be available on our website and everyone on our mailing list will be informed.

If you have any questions not listed here then feel free to contact me and I'll do my best to answer them.

You might also be interested in some of Neupart's other webinars. We offer you a learning experience with hands-on approaches. Check them out here: http://www.neupart.com/events

About the Author: Lars Neupart is founder of Neupart A/S and wants you to know that SecureAware = efficient information security. Get more of him on Twitter.