The InfoSec Handbook

Information Security Management Systems Framework Provided by ISO/IEC 27001:2013

The framework suggested in this standard, ISO/IEC 27001:2013 (Information technology – Security techniques – Information security management systems – Requirements), is complemented by the guidance provided in the code of practice for information security controls (ISO/IEC 27002:2013). [2] This standard suggests that the security issues of an organization have to be understood in both their external and internal contexts, and in light of the needs and expectations of the interested parties. A risk assessment is necessary whereby the level of each risk is understood, the quantified risk is compared with the acceptable risk as per the organization's acceptance criteria, and, where appropriate, risk treatment options are identified, planned, and enacted. [2] The standard does not dictate any specific risk assessment methodology. Where risks need to be mitigated, additional controls can be identified from various sources or from the list of controls provided in the standard. [2]

ISO/IEC 27001:2013 does not prescribe specific layers or a layered approach, but through its control clauses it provides guidance on the structural elements of an effective information security implementation. The control clauses are: Information Security Policies; Organization of Information Security; Human Resources Security; Asset Management; Access Control; Cryptographic Controls; Physical and Environmental Security; Operations Security; Communications Security; System Acquisition, Development and Maintenance; Supplier Relationships; Information Security Incident Management; Information Security Aspects of Business Continuity Management; and Compliance. [2]

In addition, 35 control objectives and 114 controls are explicitly listed in this standard, and ISO/IEC 27002:2013 explains each of them clearly for effective guidance. If an organization applies risk management effectively and comprehensively at the organizational level (not in silos at the functional level) using this standard, there is a good chance that it will be able to face information security threats quite effectively.

NIST Special Publication 800-39 complemented by 800-53

The NIST special publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, provides guidance on integrated organization-wide risk management. [3] Chapter Two of this special publication describes:

• The components of risk management

• The multi-tiered risk management approach

• Risk management at the organization level (Tier 1)

• Risk management at the mission/business process level (Tier 2)

• Risk management at the information system level (Tier 3)

• Risk related to trust and trustworthiness

• The effects of organizational culture on risk

• Relationships among key risk management concepts

Chapter Three describes a life cycle-based process for managing information security risks, including: [3]

• A general overview of the risk management process

• How organizations establish the context for risk-based decisions

• How organizations assess risk

• How organizations respond to risk

• How organizations monitor risk over time

As you can see from the above, the risk management process is focused on three specific layers – the organization level (Tier 1), the mission/business process level (Tier 2) and the information system level (Tier 3).

The NIST special publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidance on assigning effective security controls within the multi-tiered risk management approach. [3]

Chapter Two describes the fundamental concepts associated with security control selection and specification, including:

• Multi-tiered risk management

• The structure of security controls and how the controls are organized into families

• Security control baselines as starting points for the tailoring process

• The use of common controls and inheritance of security capabilities

• External environments and service providers

• Assurance and trustworthiness

• Revisions and extensions to security controls and control baselines

Chapter Three describes the process of selecting and specifying security controls for organizational information systems, including: [3]

• Selecting the appropriate security control baselines

• Tailoring the baseline controls, including developing specialized overlays

• Documenting the security control selection process

• Applying the selection process to new and legacy systems

The application of SP 800-39, complemented by SP 800-53, provides a good foundation for any organization. Furthermore, other NIST special publications, such as SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, give detailed guidelines on each step of a risk assessment. [3]
