Foundations of Information Security based on ISO27001 and ISO27002 – 4th revised edition
About this ebook
All information security concepts in this revised edition are based on the ISO/IEC 27001:2013 and ISO/IEC 27002:2022 standards. A realistic case study running throughout the book usefully demonstrates how theory translates into an operating environment. In all these cases, knowledge about information security is important and this book therefore provides insight and background information about the measures that an organization could take to protect information appropriately. Sometimes security measures are enforced by laws and regulations.
This practical and easy-to-read book clearly explains the approaches or policy for information security management that most organizations can consider and implement. It covers:
The quality requirements an organization may have for information
The risks associated with these quality requirements
The countermeasures that are necessary to mitigate these risks
How to ensure business continuity in the event of a disaster
When and whether to report incidents outside the organization.
Foundations of Information Security based on ISO27001 and ISO27002 – 4th revised edition - Hans Baars
This book is intended for everyone in an organization who wishes to have a basic understanding of information security. Knowledge about information security is important to all employees. It makes no difference if you work in a profit or non-profit organization because the risks that organizations face are similar for all.
Employees need to know why they have to adhere to security rules on a day-to-day basis. Line managers need to have this understanding as they are responsible for the security of information in their department. This basic knowledge is also important for all businesspeople, including those self-employed without employees, as they are responsible for protecting their own information. A certain degree of knowledge is also necessary at home. And of course, this knowledge forms a good basis for those who may be considering a career as an information security specialist, whether as an IT professional or a process manager.
Everyone is involved in information security, often via security countermeasures. These countermeasures are sometimes enforced by regulatory rules and sometimes they are implemented by means of internal rules. Consider, for example, the use of a password on a computer. We often view such measures as a nuisance as these can take up our time and we do not always understand what the measures are protecting us against.
In information security the goal is to find the right balance between a number of aspects:
• the quality requirements an organization may have for its information;
• the risks associated with these quality requirements;
• the countermeasures that are necessary to mitigate these risks;
• ensuring business continuity in the event of a disaster;
• establishing when and whether to report incidents outside the organization.
■ 1.1 MAJOR CHANGES IN THE ISO/IEC 27002:2022
1.1.1 ISO/IEC 27002: 2013 Control layout
The 2013 version of ISO/IEC 27002, and the updates in the years up to 2020, had four introductory chapters and 13 chapters containing security guidelines: chapters 5 through 18. Each chapter contains sections, each with a purpose and one or more subsections comprising a control and an implementation guideline.
The Annex Table B2 of ISO/IEC 27002:2022 is a comparison table and gives a complete overview of the changes that took place between the 2013 version and the 2022 version.
1.1.2 ISO/IEC 27002: 2022 Control layout
The new version of ISO 27002 has a different format. Where the old 2013 version consisted of 14 categories, the new 2022 version has only 4 categories left. In addition, these are grouped more logically, based on the department or area of responsibility in an organization to which the controls most naturally belong.
In addition, five security aspects were added per control: Control type, Information security properties, Cybersecurity concepts, Operational capabilities and Security domains.
Organizations that have set up their ISMS based on the old ISO numbering will have serious work changing their documentation wherever the old ISO numbering is used as a reference.
Table 1.1 Security aspects
The goal of this division is for the company’s security manager to start thinking about CIA (Confidentiality, Integrity, Availability) classifications: will these remain leading? Or are we going to group the security measures around the five cybersecurity aspects? This division is intended to prevent the ISO 27002 from becoming a checklist. The security manager is now forced to make choices and have them substantiated in the event of certification. Section 3.5 explains these concepts in more detail.
As can be seen in Table 1.1, each of the aspects is preceded by a #. This is meant to allow a quick search on such an aspect. If you search on ‘integrity’, 214 results come up. However, if you search on #Integrity, 177 results remain, which are directly linked to a security measure.
■ 1.2 WHAT IS QUALITY?
First you have to decide what you think quality is. At its simplest level, quality answers two questions: ‘What is wanted?’ and ‘How do we do it?’ Accordingly, quality’s stomping ground has always been the area of processes. From the ISO 9000 standard, to the heady heights of Total Quality Management (TQM), quality professionals specify, measure, improve and re-engineer processes to ensure that people get what they want. So where are we now?
There are as many definitions of quality as there are quality consultants, but commonly accepted variations include:
• ‘Conformance to requirements’ - P.B. (Phil) Crosby (1926-2001);
• ‘Fitness for use’ - Joseph Juran (1904-2008);
• ‘The totality of characteristics of an entity that bear on its ability to satisfy stated and implied need’ - ISO 9001:2015;
• Quality models for business, including the Deming Prize, the EFQM excellence model and the Baldrige award.
The primary objective of this book is to provide awareness for students who want to apply for a basic security examination. This book is based on the international standard ISO 27002:2022. This book is also a source of information for the lecturer or trainer who wants to question information security students about their knowledge. Many of the chapters include a case study. In order to help with the understanding and coherence of each subject, these case studies include questions relating to the areas covered in the relevant chapters. Examples of recent events that illustrate the vulnerability of information are also included.
The case study Springbooks starts at a very basic level and grows during the chapters of the book. The starting point is a small bookstore with few employees and few risks. During the chapters this business grows and grows and, at the end, it is a large firm with 120 bookstores and a large web shop. The business risks faced by this bookshop run like a thread through this book.
This book is intended to explain the differences between risks and vulnerabilities and to identify how countermeasures can help to mitigate most risks. Due to its general character, this book is also suitable for awareness training or as a reference book in an awareness campaign. This book is primarily aimed at profit and non-profit organizations, but the subjects covered are also applicable to the daily home environment as well to companies that do not have dedicated information security personnel. In those situations, the various information security activities would be carried out by a single person. After reading the book you will have a general understanding of the subjects that encompass information security. You will also know why these subjects are important and will gain an appreciation of the most common concepts of information security.
■ 2.1 INTRODUCTION
To understand the theory in this book, it will be helpful to translate it to a practical situation. In most situations the reader gets a better understanding of the theory when it is illustrated by a practical case study.
In this case study, used throughout all chapters of this book, questions are included that relate to lessons learned in each chapter.
Figure 2.1 Springbooks’ London headquarters
This chapter gives an explanatory introduction to the case study. The establishment of the bookstore, the history and the years of growing into an international company are all described.
Springbooks was founded in 1901. During its expansion into an international organization operating within Europe the company had to change and to adjust to its environment. A major part of this is the huge change over the last 50 years in supplying information. As one might imagine there is a big difference in process control between the time Springbooks was founded in 1901, with the emergence of Information and Communication Techniques (ICT) during the 1960s and 1970s, through to the ever-increasing dependence on ICT nowadays. ICT has become one of the most important tools for Springbooks.
Now, in the 2020s, Springbooks’ IT is in the Cloud and the web shops’ turnover is greater than that of the physical shops. The board of directors is aiming for ISO 27001 certification by the end of this year.
■ 2.2 SPRINGBOOKS
Springbooks Ltd. (SB) is a European operating bookstore. SB is an organization with 120 bookshops, most of which are run on a franchise basis. In total, 50 of the shops are owned by SB itself.
Figure 2.2 Organizational chart Springbooks 1901-1931
SB was founded in 1901 when Henry Spring opened a small shop in Bedrock-on-Thames, UK.
Figure 2.3 Organization of Springbooks 1938
Over time 36 shops were established in all major cities in the UK. Immediately after the end of World War 2 SB established bookshops in Amsterdam, Copenhagen, Stockholm, Bonn, Berlin and Paris.
Nowadays SB has shops in all major cities in the EU. The Board of Directors is based at offices in London. Because of Brexit, an independent European headquarters has been established in Amsterdam. Every country has a central office. All bookstores are accountable to their national office.
The national office is accountable to the European Headquarters in Amsterdam.
The European headquarters are ultimately accountable to the Board of Directors in London.
In 2020 plans were made to expand the international business into the USA and Canada. New branches however have been canceled due to the Corona crisis. The board expects to be able to implement the plans in the near future.
Figure 2.4 Organization of Springbooks 1946-2022
The board of directors has adopted an old-fashioned approach to business for a long time. The Internet was not their way of doing business.
In 2013 an independent consultancy group advised that SB should launch stores in Australia and New Zealand to expand in combination with the very successful ‘local’ Internet stores which were opened in Australia and New Zealand in 2014. Because of this success SB now has one of the world’s most successful internet stores, where the 2020 turnover consists of 60% eBooks and 40% physical books, in addition to magazines.
■ 2.3 ORGANIZATION
London UK:
The London headquarters houses the Board of Directors and the overall Chief Information Officer (CIO), Chief Financial Officer (CFO), Chief Procurement Officer (CPO) and Chief Executive Officer (CEO).
Each country has a central office which is responsible for the business in that specific country. The Country Director is responsible to the Unit Director for their particular region.
Bedrock-on-Thames UK:
UK Director (the UK is not in the EU), responsible for the UK bookstores. There is also a UK CIO, CEO, CFO and a Local Information Security Officer (LISO).
Amsterdam, the Netherlands:
EU director (EU without UK), EU CIO, CEO, CFO, CPO, LISO and the Corporate Information Security Officer (CISO).
IT is centrally organized. All IT is outsourced to a large, worldwide operating, US-based IT Cloud Service Provider. The web shops, which are often focused on the local market, as well as the physical shops, are directly connected to the Cloud Service Provider.
The local area networks (LANs) in the bookstores have been discontinued in 2020, when the last transition from local network to the Cloud environment took place.
Every article that is sold is scanned at the cash desk and registered in a central database. This makes it possible to have a live overview of items in stock. By updating stocks based on sales, Springbooks can ensure that the popular items are always in stock. The speed of restocking depends on the popularity of the item, of course.
Every employee has their own ID that is used to log in to the cash desk system. Every item sold is connected to the employee who produced the invoice. In the same database a lot of customer information is stored, such as names, addresses and credit card information.
All customer-related information stored in Springbooks’ Cloud environment makes information security and compliance with (national) privacy laws very important. Unexpected and unauthorized disclosure of the customer database can have huge consequences for the trustworthiness of Springbooks.
■ 2.4 SECURITY ORGANIZATION
Springbooks has a partly decentralized information security organization. For the UK, London is responsible for information security, for the rest of the world the Amsterdam Office is responsible. London and Amsterdam work closely together and pursue the same policy. ISO/IEC 27001 and ISO/IEC 27002 are the standards to be used in all countries.
Every bookstore has an information security focal point. This is an employee who is responsible for information security in the store and the contact point to the ‘national’ LISO.
Chapter 3 in the ISO 27001:2022 standard states that all terms and definitions used are explained in the ISO/IEC 27000:2020.
The definitions in Section 3.1 below are explained in the ISO/IEC 27000:2020 standard. The goal of this approach is to create a common understanding on terms and definitions. The goal of ISO is to avoid confusion on terms and definitions. For instance, an asset is any item that has value to the organization. This means that in every ISO standard, whatever the subject of the standard is, the same definition on asset is used.
In this chapter we give definitions for the key concepts used in this book. At the end of this book there is also an extensive glossary.
Before we get into definitions and security concepts, there is a brief introduction to the latest ISO management standards, together with some information about the major changes which have taken place in them. In 2018, ISO/IEC 27103, Cybersecurity and ISO and IEC Standards, was published. The ISO/IEC 27103 standard is the ISO equivalent of the NIST Framework for Improving Critical Infrastructure Cybersecurity (version 1.1, 2018). ISO 27103 is also based on the five principles: Identify, Protect, Detect, Respond and Recover. These five principles are now part of ISO 27002. See also Section 1.1.2.
ISO/IEC 27017 is the standard for cloud computing, which is now also partly incorporated into the ISO/IEC 27002:2022 standard. As a result, these standards are growing towards each other.
Risk Management is described in the ISO/IEC 31000 standard and Business Continuity Management is described in the ISO/IEC 27031 and ISO/IEC 27301.
■ 3.1 DEFINITIONS
For the purposes of this document, the terms and definitions contained in the ISO/IEC 27000 standard as well as the terms and definitions below apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
• ISO Online browsing platform: to be reached at http://www.iso.org/obp
• IEC Electropedia: reachable at http://www.electropedia.org/
Applicable are the terms and definitions contained in the ISO/IEC 27000 standard, to which are added the following definitions specifically contained in the ISO 27002:
Access control
Means to ensure that access to assets is authorized and restricted based on business and security requirements.
Accountability
Assignment of actions and decisions to an entity.
Asset
Anything that has value to the organization. This is a broad definition: it covers premises, information, software, hardware, hard copies (paper) and services, but also people, skills and experience, and intangibles such as reputation and image.
Audit
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
Authentication
Provision of assurance that a claimed characteristic of an entity is correct.
Authenticity
Property that an entity is what it claims to be.
Attack
An attempt to destroy, expose, alter, disable, steal or gain unauthorized access to, or make unauthorized use of, an asset.
Availability
Property of being accessible and usable upon demand by an authorized entity.
The formal text above ensures the reliable and timely access to data or computing resources by the appropriate personnel. In other words, availability guarantees that the systems are up and running when needed. In addition, this concept guarantees that the security services which the security practitioner requires are in working order.
Business Asset
Anything that has value to the organization. Business assets can be divided into two types:
• Primary business assets:
  • business processes & activities;
  • information.
• Supporting assets (upon which the primary business assets rely), such as:
  • hardware;
  • software;
  • network;
  • personnel;
  • location;
  • the structure of the organization.
Confidentiality
Property that information is not made available or disclosed to unauthorized individuals, entities, or processes. The concept of confidentiality attempts to prevent the intentional or unintentional disclosure of a message’s content. Loss of confidentiality can occur in many ways, such as through the intentional release of private company information or through a misapplication of network rights.
Conformity
Fulfilment of a requirement.
Continual improvement
Recurring activity to enhance performance (see Sections 4.1 - 4.3).
Control
Means of managing risk, including policies, procedures, guidelines and practices or organizational structures, which can be of an administrative, technical, management, or legal nature, which modify information security risk.
Controls may not always exert the intended or assumed modifying effect and a control is also used as a synonym for safeguard or countermeasure.
Control objective
Statement describing what is to be achieved as a result of implementing controls.
Correction
Action to eliminate a detected nonconformity.
Corrective action
Action to eliminate the cause of a nonconformity and to prevent recurrence.
Exposure
An exposure is an instance of being exposed to losses from a threat agent.
Event
Occurrence or change of a particular set of circumstances.
Governance of information security
System by which an organization’s information security activities are directed and controlled.
Guideline
Description that clarifies what should be done and how, to achieve the objectives set out in policies.
Information
Information is data that has meaning in some context for its receiver. When information is entered into and stored on a computer, it is generally referred to as data. After processing (such as formatting and printing), output data can again be perceived as information.
Information analysis
Information analysis provides a clear picture of how an organization handles information and how the information ‘flows’ through the organization.
Information management
Information management describes the means by which an organization efficiently plans, collects, organizes, uses, controls, disseminates and disposes of its information, and through which it ensures that the value of that information is identified and exploited to the fullest extent.
Information processing facilities
Any information processing system, service or infrastructure, or the physical locations housing them.
Information security
Preservation of confidentiality, integrity and availability of information. In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
Translating this formal definition, we can say that information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.
Information security event
Identified occurrence of a system, service or network state indicating a possible breach of information security