
www.jmeds.eu

Information Security Standards


Dan Constantin Tofan
Academy of Economic Studies Bucharest
Romana Square, district 1, Bucharest 010374,
ROMANIA
[email protected]

Abstract: The use of standards is unanimously accepted and gives the possibility of comparing one's own security system with a given frame of reference adopted at an international level. A good example is the ISO 9000 set of standards regarding the quality management system, which is a common reference regardless of the industry in which a given company operates. Just like quality control standards for other industrial processes such as manufacturing and customer service, information security standards demonstrate in a methodical and certifiable manner that an organization conforms to industry best practices and procedures. This article offers a review of the world's most used information security standards.

Key-Words: Information Security Standards, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 17799, COBIT, NIST SP-800 series, Federal Office for Information Security (BSI), ISF – Standard of Good Practice for Information Security.

This is a post-conference paper. Parts of this paper have been published in the Proceedings of the 3rd International Conference on Security for Information Technology and Communications, SECITC 2010 Conference (printed version).
Journal of Mobile, Embedded and Distributed Systems, vol. III, no. 3, 2011
ISSN 2067 – 4074

1. What is an information security standard?

Generally speaking, a standard, whether it is an accountability standard, a technical standard or an information security standard, represents a set of requirements that a product or a system must meet. Conformity of a product or system with a certain standard demonstrates that it fulfils all of the standard's specifications.

There are currently several primary standards in place governing information security.

The first of them is the ISO/IEC 27000 series of standards. It is the most recognizable standard, as it bears the internationally prestigious names of the International Organization for Standardization and the International Electrotechnical Commission. It was initiated by the British Standard Institute in 1995 through BS7799 (Information Security Management System), was later taken over by the ISO (International Organization for Standardization) and was released under the name of the ISO/IEC 27000 series (ISMS Family of Standards) and ISO/IEC 17799:2005 "Information Technology – Code of practice for information security management". Secondly, there is the NIST SP800 group of standards, published by the National Institute of Standards and Technology (NIST) of the USA. Another information security standard is the Information Security Forum's Standard of Good Practice for Information Security. This document also includes a description of COBIT and of the BSI Standards 100 series. Due to lack of space, other international security standards such as ITIL could not be presented.

2. Why do we need an information security standard?

The use of standards is unanimously accepted and gives the possibility of comparing one's own security system with a given frame of reference adopted at an international level. A good example is the ISO 9000 set of standards regarding the quality management system, which is a common reference regardless of the industry in which a given company operates.

Standards ensure desirable characteristics of products and services such as quality, safety, reliability, efficiency and
interchangeability, and at an economical cost.

We need information security standards in order to implement information security controls that meet an organization's requirements, as well as a set of controls for business relationships with other organizations, and the most effective way to do this is to have a common standard on best practice for information security management such as ISO/IEC 17799:2005. Organizations can then benefit from common best practice at an international level, and can prove the protection of their business processes and activities in order to satisfy business needs.

Anyone responsible for designing or implementing information security systems knows that it can sometimes be difficult to demonstrate the effectiveness of their solutions, either to their organization's decision makers or to its clients. Decision makers need to know that the budgets they assign are being directed at worthwhile targets, while clients demand the sense of confidence that comes with knowing their sensitive data and confidential details are in safe hands.

This is where the role of information security standards becomes essential. Similarly to quality control standards for other industrial branches such as customer service, information security standards demonstrate in a methodical and certifiable manner that an organization conforms to industry best practices and procedures.

3. The ISO/IEC 27000 standards series

The International Organization for Standardization (Organisation internationale de normalisation), known as ISO, is an international standard-setting body composed of representatives from various national standards organizations. Founded on 23 February 1947, the organization promulgates world-wide proprietary industrial and commercial standards. ISO's headquarters are in Geneva, Switzerland. ISO is defined as a non-governmental organization, but its ability to set standards that often become law, either through treaties or national standards, makes it more powerful than most non-governmental organizations.

The ISO International Standards are published in accordance with the following format: ISO[/IEC][/ASTM] [IS] nnnnn[:yyyy] Title, where nnnnn is the number of the standard, yyyy is the year published, and Title describes the subject. IEC stands for International Electrotechnical Commission and is included if the standard results from the work of ISO/IEC JTC1 (the ISO/IEC Joint Technical Committee). For standards developed in cooperation with ASTM International, ASTM is used.

ISO has 157 national members, out of the 195 total countries in the world. ISO has three membership categories:
- Member bodies are national bodies that are considered to be the most representative standards body in each country. These are the only members of ISO that have voting rights.
- Correspondent members are countries that do not have their own standards organization. These members are informed about ISO's work, but do not participate in standards promulgation.
- Subscriber members are countries with small economies. They pay reduced membership fees, but can follow the development of standards.

The ISO/IEC 27000 series (also known as the 'ISMS Family of Standards' or 'ISO27k' for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The series provides recommendations on information security management, risk handling and controls implementation within the context of an overall Information Security Management System (ISMS). Management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series) are similar in design to the ISO/IEC 27000 series of standards. The series is applicable to organizations of all shapes and sizes, covering more than just privacy, confidentiality and IT or technical security issues.

The first of the 27000 series of standards (27001) was published in 2005.
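
The designation format described in section 3 and the renumberings the paper reports (17799 to 27002, 18028 to 27033) can be turned into a small reference checker for policy documents. The Python below is an added example, not code from the paper or from any standards body: parse_designation, isms_status and audit_references are names chosen here, the published and draft sets are transcribed from the paper's section 3 lists, the policy excerpt is constructed, and the part suffix (as in 27033-1) is an assumption that goes beyond the paper's format string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Transcribed from section 3 of the paper (status as reported there, 2011).
ISMS_PUBLISHED = {27001, 27002, 27005, 27006}
ISMS_DRAFT = {27000, 27003, 27004, 27007, 27008, 27011,
              27031, 27032, 27033, 27034}
# Earlier numbers the paper says were renumbered into the ISO27k family.
RENUMBERED = {17799: 27002, 18028: 27033}

# ISO[/IEC][/ASTM] [IS] nnnnn[:yyyy] Title, as given in section 3.
# The "-p" part suffix is an assumption for multi-part standards such as
# ISO/IEC 27033; the paper's format string does not include it.
_DESIGNATION = re.compile(
    r"""^ISO
        (?P<orgs>(?:/(?:IEC|ASTM))*)    # optional /IEC and/or /ASTM
        (?:\s+(?P<is>IS))?               # optional "IS" marker
        \s+(?P<number>\d{1,5})           # nnnnn
        (?:-(?P<part>\d+))?              # assumed part suffix
        (?::(?P<year>\d{4}))?            # optional :yyyy
        (?:\s+(?P<title>\S.*?))?         # optional Title
        \s*$""",
    re.VERBOSE,
)
# Same shape without the title, for locating designations inside free text.
_SCAN = re.compile(r"\bISO(?:/(?:IEC|ASTM))*(?:\s+IS)?\s+\d{1,5}(?:-\d+)?(?::\d{4})?")


@dataclass(frozen=True)
class Designation:
    organizations: Tuple[str, ...]
    number: int
    year: Optional[int]
    title: Optional[str]
    is_marker: bool = False
    part: Optional[int] = None


def parse_designation(text: str) -> Designation:
    """Split one designation into its fields; raise ValueError if malformed."""
    m = _DESIGNATION.match(text.strip())
    if not m:
        raise ValueError(f"not an ISO designation: {text!r}")
    extra = [org for org in m.group("orgs").split("/") if org]
    return Designation(
        organizations=("ISO", *extra),
        number=int(m.group("number")),
        year=int(m.group("year")) if m.group("year") else None,
        title=m.group("title"),
        is_marker=m.group("is") is not None,
        part=int(m.group("part")) if m.group("part") else None,
    )


def is_designation(text: str) -> bool:
    return _DESIGNATION.match(text.strip()) is not None


def isms_status(d: Designation) -> Tuple[str, Optional[int]]:
    """Return (status, current ISO27k number or None) for a designation,
    using the published/draft lists and renumberings the paper reports."""
    if "IEC" not in d.organizations:
        # ISO27k is ISO/IEC JTC1 work, so a bare "ISO nnnnn" is never a member.
        return ("not ISO/IEC JTC1 work", None)
    current = RENUMBERED.get(d.number, d.number)
    if current in ISMS_PUBLISHED:
        status = "published"
    elif current in ISMS_DRAFT:
        status = "draft"
    else:
        return ("outside the ISO27k family", None)
    if current != d.number:
        status += f" (renumbered from {d.number})"
    return (status, current)


def audit_references(text: str) -> List[Tuple[str, str, Optional[int]]]:
    """Find every designation in free text and report its ISO27k status."""
    rows = []
    for m in _SCAN.finditer(text):
        status, current = isms_status(parse_designation(m.group(0)))
        rows.append((m.group(0), status, current))
    return rows


# Constructed sample policy excerpt (not taken from the paper).
SAMPLE_POLICY = (
    "Our ISMS is certified against ISO/IEC 27001:2005. Controls are selected "
    "from ISO/IEC 17799:2005, network security follows ISO/IEC 18028:2006 and "
    "quality is managed under ISO 9001:2008; ISO/IEC 13335 is used for guidance."
)

if __name__ == "__main__":
    for designation, status, current in audit_references(SAMPLE_POLICY):
        target = f" -> ISO/IEC {current}" if current else ""
        print(f"{designation:22} {status}{target}")
```

Running the file prints one line per designation found in the sample excerpt, flagging references that still use a pre-renumbering designation.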

Its predecessor, ISO/IEC 17799, however, dates back to 2000, a time when the growth of the Internet caused a rapidly increasing awareness of the importance of security in the IT industry.

There are currently four published standards in the series: 27001, 27002, 27005 and 27006. Ten more are at various draft stages.

3.1. ISO/IEC 27001

The 27001 standard sets out the steps required for an organization's Information Security Management System (ISMS) to achieve certification. The standard specifies seven key elements in the creation of a certified ISMS. These are to establish, implement, operate, monitor, review, maintain and improve the system. As a management standard it does not mandate the use of specific controls so much as specify the management processes required to identify controls that are appropriate to the organization.

It is intended to be used along with ISO/IEC 27002 (formerly ISO/IEC 17799), the Code of Practice for Information Security Management, which lists security control objectives and recommends a range of specific security controls. Organizations that implement an ISMS in accordance with ISO/IEC 27002 are likely to simultaneously meet the requirements of ISO/IEC 27001, but certification is entirely optional.

3.2. ISO/IEC 27002

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled Information technology - Security techniques - Code of practice for information security management. The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.

The purpose of the 27002 standard is to set out a structured set of literally hundreds of information security controls, the use of which will help to achieve conformity with 27001. However, it is not a compulsory list: organizations are free to implement controls not specifically listed, so long as they are effective and conform to the requirements outlined in 27001.

ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad: the preservation of confidentiality (ensuring that information is accessible only to those authorised to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorised users have access to information and associated assets when required).

ISO/IEC 27002 contains best practices and security controls in the following areas of information security management:
- security policy;
- organization of information security;
- asset management;
- human resources security;
- physical and environmental security;
- communications and operations management;
- access control;
- information systems acquisition, development and maintenance;
- information security incident management;
- business continuity management;
- compliance.

3.3. ISO/IEC 27005

ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the implementation of information security based on a risk management approach. Knowledge of the concepts and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is very important for a
complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.

3.4. ISO/IEC 27006

The 27006 standard outlines the certification and registration processes that must be followed by certifying bodies. Its chief purpose is to guide accredited certification bodies on the formal processes for certifying or registering other organizations' information security management systems.

The scope of ISO/IEC 27006 is "to specify general requirements a third-party body operating ISMS certification/registration has to meet, if it is to be recognized as competent and reliable in the operation of ISMS certification/registration."

The following standards are under development by the ISO/IEC JTC1:
- ISO/IEC 27000 - an introduction and overview for the ISMS Family of Standards, plus a glossary of common terms
- ISO/IEC 27003 - an ISMS implementation guide
- ISO/IEC 27004 - a standard for information security management measurements
- ISO/IEC 27007 - a guideline for ISMS auditing (focusing on the management system)
- ISO/IEC 27008 - a guideline for Information Security Management auditing (focusing on the security controls)
- ISO/IEC 27011 - an ISMS implementation guideline for the telecommunications industry (also known as X.1051)
- ISO/IEC 27031 - a specification for ICT readiness for business continuity
- ISO/IEC 27032 - a guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)
- ISO/IEC 27033 - IT network security, a multi-part standard currently known as ISO/IEC 18028:2006
- ISO/IEC 27034 - a guideline for application security

4. The SP800 standard series

Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve the quality of life. NIST has a total budget of $931.5 million and employs about 2,900 scientists, engineers, technicians, and support and administrative personnel.

NIST Laboratories provide measurements and standards for U.S. industry:
- Building and fire research
- Chemical science and technology
- Electronics and electrical engineering
- Information technology
- Manufacturing engineering
- Materials science and engineering
- Nanoscale science and technology
- Neutron research
- Physics
- Technology services

Established in 1990, the NIST Special Publications 800 group of documents is the oldest of all the information security standards. It consists of over a hundred documents covering almost every aspect of information security. The most representative among all these documents is the computer security handbook SP800-12, which provides a good idea of the NIST approach.

4.1. SP800-12

The core document of the series, SP800-12, is a handbook that covers the central principles of information security in detail. It summarizes NIST's approach to the subject, identifying the following eight major guiding elements:
1. Computer security should support the organization's mission
2. Computer security is a central element of sound management
3. Computer security should be cost effective
4. Computer security responsibilities and accountability should be made explicit
5. System owners have security responsibilities outside their own organizations
6. Computer security requires a comprehensive and integrated approach
7. Computer security should be periodically reassessed
8. Computer security is constrained by societal factors

The document, along with the rest of the series, goes on to outline in detail the specific strategies, procedures and controls by which security issues can be addressed in compliance with these principles. They cover areas such as Guidelines on Electronic Mail Security (SP800-45), Building an Information Technology Security Awareness and Training Program (SP800-50), Electronic Authentication Guidelines (SP800-63) and Guidelines for Secure Web Services (SP800-95), to mention just a few. By explaining important concepts, cost considerations, and interrelationships of security controls, the handbook provides assistance in securing computer-based resources (including hardware, software, and information).

Although NIST does not itself provide a certification program, it provides support for a range of initiatives in the areas of awareness, training and education.

5. ISF Standard of Good Practice for Information Security

The Information Security Forum (ISF) is an international, independent, non-profit organization dedicated to benchmarking and best practices in information security. It was established in 1989 as the European Security Forum but expanded its mission and membership in the 1990s, so that it now includes hundreds of members, including a large number of Fortune 500 companies, from North America, Asia, and other locations around the world. Groups of members are organized as chapters throughout Europe, Africa, Asia, the Middle East, and North America. The ISF is headquartered in London, England, but also has staff based in New York City.

The membership of the ISF is international and includes large organizations in transportation, financial services, chemical/pharmaceutical, manufacturing, government, retail, media, telecommunications, energy, professional services, and other sectors.

The Standard of Good Practice (SoGP) was first released in 1996 by the Information Security Forum (ISF) and represents a detailed documentation of best practice for information security. The Standard is published and revised biannually.

The Standard of Good Practice, which is freely available, derives from the ISO/IEC 27002 and COBIT v4.1 standards and outlines a functional information security methodology based on both research and real-world experience. The standard is centered around the following six key aspects:
1. Computer installations. This aspect is targeted chiefly at IT specialists, and addresses the hardware and software that supports the critical business applications.
2. Critical business applications. These are the applications on which the organization's activities depend. This aspect is primarily targeted at the CBA owners, the individuals in charge of business processes and systems integrators.
3. Security management. The security management aspect is targeted at security decision makers and auditors. It handles management-level decision making in relation to security implementations across the organization.
4. Networks. Networks form a special category due to their unique security vulnerabilities. Its target is typically
network managers, network service specialists and network service providers. The network aspect addresses the nature and implementation of an organization's networking requirements.
5. Systems development. This aspect is addressed to system developers and deals with the identification, design and implementation of system requirements.
6. End user environment. The end user environment is the point at which individuals are using the organization's systems and applications to support business processes. This aspect therefore tends to target business managers and individuals who work within such end user environments.

Computer Installations and Networks address the underlying IT infrastructure on which Critical Business Applications run. The End-User Environment covers the arrangements associated with protecting corporate and workstation applications at the endpoint in use by individuals. Systems Development deals with how new applications and systems are created, and Security Management addresses high-level direction and control.

The standard itself consists of a statement of principles and objectives, completed by extensive documentation covering implementation recommendations. In order to maintain currency in the fast-changing world of information security, the standard is reviewed and updated biannually. In addition to the Standard of Good Practice, the ISF also supervises a biannual benchmarking program known as the Information Security Status Survey. The participating organizations are examined on the effectiveness of their security systems and the results are measured against each other.

6. Control Objectives for Information and related Technology (COBIT)

The ISACA (Information Systems Audit and Control Association) was founded in the USA in 1967 by a group of individuals dealing with auditing controls in computer systems, when they realized the need for a standard in the field. In 1969, Stuart Tyrnauer founded an entity named the EDP Auditors Association. In 1976 the association developed into an education foundation with the aim of expanding the knowledge and value of the IT governance and control field.

Today, ISACA's membership is composed of more than 75,000 members worldwide. Members live and work in more than 160 countries and cover a variety of professional IT-related positions.

The Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for information technology management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).

COBIT was first released in 1996. Its mission is "to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors." COBIT helps managers, auditors, and other users to understand their IT systems and decide the level of security and control that is necessary to protect their companies' assets through the development of an IT governance model.

COBIT is an IT governance framework that allows managers to fill the gap between control requirements, technical issues and business risks. The latest update, COBIT 4.1, helps organizations to increase the value attained from IT, highlights links between business and IT goals, and simplifies implementation of the COBIT framework. COBIT 4.1 is a fine-tuning of the COBIT framework and can be used to enhance work already done based upon earlier versions of COBIT.

COBIT 4.1 has 34 high-level processes that cover 210 control objectives categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring and Evaluation:
1. Plan and Organize. The Plan and Organize domain describes how IT can
be used to help achieve the company's goals and objectives.
2. Acquire and Implement. This domain covers activities such as identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes.
3. Deliver and Support. It covers areas such as the execution of the applications within the IT system and its results, as well as the processes that enable the efficient execution of these IT systems.
4. Monitor and Evaluate. This domain deals with the strategy of assessing the needs of the company and establishes whether or not the current IT system still meets the objectives for which it was designed.

COBIT and ISO/IEC 27002 do not compete with each other and actually complement one another. COBIT typically covers a broader area than ISO/IEC 27002.

7. BSI IT-Grundschutz - IT baseline protection

The Bundesamt für Sicherheit in der Informationstechnik (abbreviated BSI; in English: Federal Office for Information Security) is the German government agency in charge of managing computer and communication security for the German government. Its areas of expertise and responsibility include the security of computer applications, critical infrastructure protection, Internet security, cryptography, counter-eavesdropping, certification of security products and the accreditation of security test laboratories. It is located in Bonn and has over 400 employees.

BSI's predecessor was the cryptographic department of Germany's foreign intelligence agency (BND). BSI still designs cryptographic algorithms such as the Libelle cipher.

The BSI Standards contain recommendations on methods, processes, procedures and approaches relating to information security. To accomplish that, the BSI standards cover the fundamentally important areas of information security for public authorities and companies, for which appropriate practical approaches have been established.

BSI Standard 100-1 is the first standard of the BSI IT-Grundschutz series and defines the general requirements for implementing an ISMS. It is completely compatible with ISO Standard 27001 and also takes into consideration the recommendations within ISO Standards 13335 and 27002.

BSI Standard 100-2, also known as the IT-Grundschutz Methodology, is a step-by-step description of how IT security management can be set up and operated in practice. The IT-Grundschutz Methodology provides a detailed description of how to select appropriate IT security measures, how to produce a practical IT security concept, and how to implement the IT security concept. IT-Grundschutz interprets the general requirements of the ISO Standards 27001, 27002 and 13335 and provides many notes, background expertise and examples in order to help users implement them in practice. The IT-Grundschutz Catalogues not only explain what has to be done, they also provide very specific information as to what implementation may look like.

BSI Standard 100-3, the third standard from the BSI series, deals with a method of risk analysis based on IT-Grundschutz. This approach can be used when organizations are already working successfully with the IT-Grundschutz Manual and would like to add an additional risk analysis to the IT-Grundschutz analysis.

8. Conclusions

Information security standards are needed in order to implement information security controls that meet an organization's requirements, as well as a set of controls for business relationships with other organizations. The most effective way to do this is to have a common standard on
best practice for information security management such as the standards described above. By implementing one of these standards, organizations can benefit from common best practice at an international level, and can prove the protection of their business processes and activities in order to satisfy business needs. The only problem is to choose which of the standards is appropriate for an organization, judging by its nature and field of activity. Although there are a number of information security standards available, an organization can only benefit if those standards are implemented properly. Security is something that all parties should be involved in. Senior management, information security practitioners, IT professionals and users all have a role to play in securing the assets of an organization. The success of information security can only be achieved by full cooperation at all levels of an organization, both inside and outside.