ISO27002 and Statement of Applicability explained

| Joost Krapels | Security

The international information security standard ISO27001 is known by many. But what is the elusive ISO27002 that is so often mentioned alongside it? ICT Institute has created a series of articles to explain the lesser-known ISO27002 standard in more detail. You can use this overview to prepare for ISO27001 certification or simply to refresh your knowledge.

If these articles pique your interest in ISO27001, it may be good to know that ICT Institute also provides both an ISO27001 introduction course and a full ISO27001 Lead Auditor course. Online we also provide a summary of ISO 27001.

What is ISO27002?

One of the most important chapters of ISO27001 is risk treatment, which should be done methodically. To make the handling of risks transparent, ISO27001 requires a so-called Statement of Applicability. This statement lists a long set of best-practice information security controls. For each control the organization states Yes if the control is applicable to the organization and No if it is not, together with the reason for including or excluding it. Simply marking a control as not applicable without a justification is not sufficient for certification.

All controls of ISO 27002 are listed in Annex A of ISO 27001. The annex is called Reference control objectives and controls. In the annex the controls are numbered from A.5.1.1 to A.18.2.3. The ISO 27002 standard provides additional details for each control, called ‘implementation guidance’. This is guidance and therefore not mandatory; however, it is very helpful for understanding what each control is meant to achieve.

Article Structure

The norm is divided into 14 chapters, each discussing a different aspect of information security controls. We discuss the chapters in the following articles:

—————–Article 1—————– (this article)

  • Information Security Policies  A5
  • Organization of Information Security A6
  • Human Resource Security A7
  • Asset Management A8

—————–Article 2—————–

  • Access Control A9
  • Cryptography A10
  • Physical and environmental security A11

—————–Article 3—————–

  • Operations security A12
  • Communications security A13
  • System acquisition, development and maintenance A14

—————–Article 4—————–

  • Supplier relationships A15
  • Information security incident management A16
  • Information security aspects of business continuity management A17
  • Compliance A18

Information Security policies

Having an Information Security Policy
A document needs to be created that describes how the organization manages information security and what its information security objectives are. This document needs to be approved by management, and needs to contain both a high-level policy and the topic-specific, lower-level policies that support it.

Reviewing the Information Security policy on a regular basis
Once the policies are in place, they need to be reviewed at planned intervals and whenever significant changes occur. The best approach is to schedule a regular review meeting, and to plan an extra meeting in between should the situation require it. Any changes that are made need to be approved by management.

Organization of information security

Information security roles and responsibilities
The policy needs to define who is responsible for which asset, process, or information security risk activity. It is important that these assignments are made clearly and that no asset, process or activity is left without an assigned responsible person.

Segregation of duties
To prevent misuse of company assets, the “power” to fully control a sensitive activity should never lie with a single person. The best way to implement this is to log all activities and to split important tasks into doing and checking, or into initiating and approving. This prevents both fraud and error; think of the case where one person writes and signs all company checks.

Contact with authorities
It should be clear who is responsible for contacting authorities (e.g. law enforcement, regulatory bodies, supervisory authorities), which authorities should be contacted (e.g. in which region or country), and in which cases this needs to happen. A quick and adequate response to incidents can greatly decrease their impact, and reporting may even be required by law.

Contact with special interest groups
To keep up with the latest information security trends and best practices, good contact with special interest groups should be maintained. They can even, under appropriate controls such as confidentiality agreements, be asked for expert advice. Examples of such groups are: Information Security NL, PVIB, NGFG, and the IAPP.

Information security in project management
To ensure a successful organization-wide ISMS implementation, information security should be considered and documented in all projects, regardless of their type. If you have project management handbooks or templates, an information security chapter should be included in them.

Mobile device policy
The use of mobile devices can be risky, especially the use of personally owned devices. Keeping the device updated, protected, and in the user's possession depends largely on the user. Organizations need to have a policy regarding the use of (personally owned) mobile devices, and on how the risks attached to them are managed.

Teleworking / working from home policy
There should be a policy for teleworking. The policy should state whether teleworking is allowed and under what conditions. Examples of such conditions or constraints are the physical security of the location, the allowed devices, the allowed network types, software requirements, and which parts of the organization's systems are remotely accessible.

Human resource security

Pre-employment screening
There should be a policy for the screening of future employees. The screening should be proportionate to the sensitivity of the information the future employee will handle, and relevant laws, regulations and ethics should be respected while doing so. For information security roles, competence and trustworthiness should be determined and documented.

Terms of employment and information security
The employees' contracts should refer to the organization's information security policy, and state what role the employee fulfils in it. Future employees need to be made aware of the policy, and commit to complying with it by signing their contract.

Management responsibility
Management needs to make sure that all employees and contractors are aware of and follow the organization's information security policy. They should lead by example and show that information security is both useful and necessary.

Security awareness training
All employees should have followed information security awareness training. Since not all personnel handle the same type of information, the level of training should be appropriate for the target audience. To keep awareness top of mind and the level of knowledge appropriate, it is important to repeat the training regularly and to give it to personnel moving to a position that requires a higher level of information security.

Disciplinary process
There should be a formal disciplinary process for employees who have committed a security breach. While this sounds harsh, it is vital to document the reason and source of a security breach to prevent repetition, and to make clear to all personnel that information security is something to take seriously.

End or change of employment responsibilities
Some information security duties and responsibilities do not immediately end when an employee leaves a position or when an agreement with a contractor ends. Such responsibilities and duties should be stated in a policy, communicated to those involved, and enforced. Most importantly, make sure it is clearly stated that the non-disclosure clause continues for a defined period after employment, for example one to two years.

Asset management

Inventory of assets
The organization should have identified all information assets and information processing assets. All these assets must be recorded in an inventory, which should be properly maintained. Knowing which assets there are, how important they are, where they are, and how they are handled is essential for identifying and predicting risks. It may even be mandatory for legal obligations or insurance purposes.

Ownership of assets assigned
All assets in the inventory, and therefore all assets of the whole company if the inventory is complete, must have an owner. Thanks to asset ownership, assets are watched over and taken care of throughout their whole lifecycle. Similar assets may be grouped, and the day-to-day supervision of an asset may be left to a so-called custodian, but the owner remains responsible. Asset ownership must be approved by management.

Acceptable use of assets
There should be well-documented rules for the acceptable use of information and of the assets that process it. Users of an asset should be aware of the information security requirements regarding its use, and follow them.

Return of assets
When an employee or external party may no longer access an asset due to, for example, the end of employment or of an agreement, they must return the asset to the organization. There should be a clear policy for this, which has to be known by all involved. Non-tangible assets that are important to current operations, such as specific knowledge that has not yet been documented, should be documented and returned in that form.

Classification of assets
Certain information is considered sensitive because of, for example, its monetary or legal value, and has to remain confidential, while other information is less crucial. The organization should have a policy in place on how to handle classified information. The accountability for classifying an information asset lies with its owner. To distinguish between the importance of different classified assets, it is useful to implement several levels of confidentiality, ranging from no impact when disclosed to a severe impact on the organization's survival.

Labelling of information
As discussed in the previous subchapter, not all information falls into the same category. It is, therefore, important to label all information in accordance with its classification. When information is handled, stored, or exchanged it is useful to know the classification of the object. Unfortunately, a label also tells a malicious individual which information is the most valuable, so it is important to be aware of this risk.

Handling of assets
There should be procedures in place for the handling of assets. Personnel need to understand the labelling of assets, and know how to handle the different classification levels. Since there is no universal classification scheme, it is also important to know how the classification levels of other parties map onto your own, since they will most likely differ.

Removable media management
Even in this day and age of The Cloud, removable media is still used quite a lot. Management should set up a procedure for the use of removable media such as USB sticks, external hard drives, and CDs. Examples of such procedures are restrictions on where these devices are kept, whether they are encrypted, what type of assets may be stored on them, or, in more sensitive environments, how the use of removable media is monitored.

Disposal of media
When media is no longer needed, it should be properly disposed of to prevent leakage. To make sure nothing gets lost, it is important to document the disposal of media. Sensitive media should be disposed of with extra care, which is best done under the organization's own control. A procedure describing how classified and non-classified media are disposed of minimizes the risk of leakage and of accidental destruction of information assets.

Physical transport of media
Sometimes, information assets need to be transported physically. Hard drives or documents need to be sent by courier or post, which creates a risk of unauthorized access or corruption. To minimize this risk, guidelines for the physical protection of media in transit should be in place. It is wise to have a list of verified reliable transport methods, to ask couriers for identification, and to document which media has been sent, which information it contained, and how it was secured.



Image credit: @kellybrito via Unsplash


Author: Joost Krapels
Joost Krapels has completed his BSc. Artificial Intelligence and MSc. Information Sciences at the VU Amsterdam. Within ICT Institute, Joost provides IT advice to clients, advises clients on Security and Privacy, and further develops our internal tools and templates.