In October 2005, the first version of the ISO 27001 was published and essentially replaced BS7799-2 as an audit standard for identifying the maturity and effectiveness of Information Management Systems. Over the years, the standard has matured and developed largely because of the growth in system complexity, the introduction of new technologies and the evolution of adversarial behaviours.
Although regarded as a universal and internationally accepted compliance audit standard, the ability to certify an organisation to ISO 27001 allows visible and tangible security control efforts. It also provides a “comfort level” among supply chain partners. As mentioned, one of the main reasons the standard undergoes revision is to increase its effectiveness as an audit standard. This is to ensure the ISO 27001 standard is responsive to identifying controls which are most effective against modern day threat actors and security risks. The general approach demanded by ISO 27001 is to reduce the risks associated with information security, such as making sure changes are security-tested prior to being put into production.
ISO 27001 has always been designed to be adopted by any organisation, small to global enterprise, in any industry sector to manage security controls effectively. It is generally a systematic approach which aligns employees’ activities, business processes and security control technology to maintain robust defences against threats to the organisation. This is achieved via the traditional view of the three pillars of security: confidentiality, integrity and availability.
Achieving full ISO 27001 certification every three years against a standard which comes under regular revision is no small exercise. A senior manager should own the effort and be resourced sufficiently to gain access to the evidence of security control compliance, maintaining standards. When a security control is found to be lacking or is absent, ISO 27002 provides detailed guidance on how to implement the necessary controls.
How will ISO 27001 change in the latest revision?
- Sections 4-10 have not changed and only the security controls listed in ISO 27001 will be updated.
- The controls have also been categorised into more useful groups, enabling streamlining as they are now organised into 4 sections (instead of 14) with 93 controls (instead of 114). These are Organisational Controls (clause 5), People Controls (clause 6), Physical Controls (clause 7) and Technological Controls (clause 8).
- 23 of the controls have been renamed to make them easier to understand.
- No controls have been deleted but 57 controls have been merged into 24.
- One control has been split, namely the 18.2.3 Technical compliance review. This has been split into 5.36 Conformance with policies, rules, and standard for information security and 8.8 Management of Technical Vulnerabilities
- In addition to the split control, 11 new controls were added. These are:
- 5.7 Threat Intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding.
Like all the new 11 controls, ISO 27001 5.7 will require an organisation to make an investment and address threat intelligence within their processes. This must be reflected in the organisation’s documentation and policies. As this control is designed to provide business risk reduction and governance support (GRC), it is highly unlikely that it can avoid being part of the statement of applicability. Therefore, all organisations will need to give this area careful consideration, not only to meet the standard, but for good practice and a recognition that it will assist with compliance with other regulations such as the General Data Protection Regulation (GDPR).
The fulfilment of threat intelligence control within the organisation will require both evidence of existence and measurement of effectiveness. The evidence of existence of the control is straight-forward and can include:
- Oversight of reports that detail current threats, the threat landscape and types of attacks, including those relevant to your industry.
- Identification of attacker methodologies, tools, tactics, indicators of compromise and the ability to monitor threats to your supply chain.
- The reports must be insightful, contextual, and actionable. The processes supporting threat intelligence should ensure intelligence reports are actioned and measures taken to mitigate the threats identified.
As an example, software vulnerabilities, vendor mitigations and vendor patches are constantly being released. It is important to be able to identify if the software vulnerability relevant to your organisation is exposed – especially in the case of a remote code execution vulnerability – and under active exploit by a threat actor. This information should be fed into a ticketing or tracking system, ensuring that teams can coordinate to address the issue as a priority.
Not only should the above be supported by a policy and a process/workflow, but the details of an intelligence report should also be captured in the ticketing or tracking system for later audit review. A threat intelligence capability that cannot influence organisational activity to mitigate a threat will not be deemed effective. Put another way, when it comes to threat intelligence “action speaks louder than words”.
Please visit cyjax.com or email firstname.lastname@example.org for details on how we can help your organisation deploy an effective threat intelligence capability to meet ISO 27001 control requirements.