ISO27002 explained, part 2
Joost Krapels
This article is part two of a series of four. The series briefly explains each control mentioned in the ISO 27001 Statement of Applicability; the explanations are based on ISO 27002.
- Information Security Policies A5
- Organization of Information Security A6
- Human Resource Security A7
- Asset Management A8
Article 2 (this article):
- Access Control A9
- Cryptography A10
- Physical and environmental security A11
- Operation Security A12
- Communication security A13
- System acquisition, development and maintenance A14
- Supplier relationships A15
- Information security incident management A16
- Information security aspects of business continuity management A17
- Compliance A18
Access control policy
An access control policy should be in place to define how access is managed and who is allowed to access what. The rules per asset lie with the asset owner, who sets the requirements, restrictions and rights for access to "their" asset. Two terms often seen in an access control policy are need-to-know and need-to-use: the former restricts access rights to the information an employee needs to perform their task, the latter restricts access rights to the information processing facilities needed to perform that task.
Access to networks and network services
Limiting someone's access to only the networks they need to perform their task reduces the risk of (deliberate) disruption of important business processes. Ordinary employees would, for example, never need access to the network that specialised machinery runs on, and could only cause intentional or unintentional harm there. Another reason for managing network access is that not all networks are run by, or from within, the organisation, and so cannot be protected by it.
User registration and deregistration
To assign access rights to assets and networks and keep track of who actually does the accessing, users need to be registered under a unique ID. When an employee leaves the organisation, the ID and the access attached to it should be removed. When an employee only needs to be denied certain access, the rights of the ID can be limited instead. Even though it might be quicker and easier to access something under another employee's ID, management should not allow this in most cases. Sharing IDs removes the link between an access right and a person, and makes it nearly impossible to hold the right person accountable for their actions.
User access provisioning
Management should have a formal process for provisioning and revoking access rights. It is advisable to define roles based on the activities certain types of employees perform, and to grant the same basic access rights to everyone in a role. Part of having such a process is having consequences for attempted unauthorised access: employees have no legitimate reason to try to reach places they should not, since missing access rights can simply be requested from the asset owner and/or management.
Management of privileged access rights
Some employees need special access rights to an asset or system, known as privileged access rights. An example is the system administrator, who can reach any part of a system and override its controls. These rights should be formally managed with extra care, since the consequences of misuse can be severe.
Management of secret authentication information of users
Secret authentication information, such as passwords and access cards, must be managed through a formal process. Other important activities that should be stated in the policy are, for example, forbidding users to share secret authentication information, giving new users an initial password that has to be changed on first use, and having every system authenticate a user by requiring that user's secret authentication information (a password on the PC, swiping an access card at a door).
Review of user access rights
Organizations and their employees are not static. Roles change or employees leave the company, changing access needs constantly. Asset owners should regularly review who may access their asset, while role changing or leaving should trigger an access rights review by management. Since privileged access rights are more sensitive, they should be reviewed more often.
Removal or adjustment of access rights
Once a contract or agreement has been terminated, the access rights of the other party should be removed. If complete removal is not appropriate because the relationship continues in some form, the rights may be adjusted instead of removed. This should be a policy, since unauthorised access by a former employee or partner can be quick and impactful. If the departing party knows the log-in details of a shared account on a system or service, that password should be changed immediately after termination.
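The registration, role-based provisioning, review and revocation steps described in the sections above, as an added example in Python that is not part of the original article. The role catalogue, the permission names, the user IDs and the review intervals (365 days for ordinary accounts, 90 for privileged ones) are all assumptions constructed for the example; the point is that access is denied by default, every decision is logged against a personal ID, and privileged accounts come up for review sooner.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical role catalogue, constructed for this example: each role carries
# only the permissions its activities need (need-to-know / need-to-use).
ROLE_PERMISSIONS = {
    "helpdesk": {"ticketing:read", "ticketing:write"},
    "finance": {"ledger:read", "ledger:write"},
    "sysadmin": {"server:root", "ledger:read"},
}
# Permissions that count as privileged access and get a shorter review cycle.
PRIVILEGED_PERMISSIONS = {"server:root"}


@dataclass
class Account:
    user_id: str                      # one ID per person, never shared
    roles: set = field(default_factory=set)
    active: bool = True
    last_review: date = date.min


class AccessRegistry:
    """User registration, provisioning, revocation, review and an audit trail."""

    def __init__(self):
        self.accounts = {}
        self.audit_log = []           # (user_id, permission, decision)

    def register(self, user_id, roles, today):
        if user_id in self.accounts:
            raise ValueError(f"user ID {user_id!r} already exists")
        self._check_roles(roles)
        self.accounts[user_id] = Account(user_id, set(roles), True, today)

    def change_roles(self, user_id, roles, today):
        """Role change: replace the role set and reset the review clock."""
        self._check_roles(roles)
        account = self._get(user_id)
        account.roles = set(roles)
        account.last_review = today

    def deregister(self, user_id):
        """Leaver: disable the ID and strip all rights; keep the record for accountability."""
        account = self._get(user_id)
        account.active = False
        account.roles.clear()

    def permitted(self, user_id, permission):
        """Enforce need-to-know: deny by default, log every decision."""
        account = self.accounts.get(user_id)
        allowed = (
            account is not None
            and account.active
            and any(permission in ROLE_PERMISSIONS[r] for r in account.roles)
        )
        self.audit_log.append((user_id, permission, "allowed" if allowed else "denied"))
        return allowed

    def is_privileged(self, user_id):
        account = self._get(user_id)
        return any(ROLE_PERMISSIONS[r] & PRIVILEGED_PERMISSIONS for r in account.roles)

    def due_for_review(self, today, normal_days=365, privileged_days=90):
        """Asset-owner review list: privileged accounts are reviewed more often."""
        due = []
        for account in self.accounts.values():
            if not account.active:
                continue
            interval = privileged_days if self.is_privileged(account.user_id) else normal_days
            if today - account.last_review >= timedelta(days=interval):
                due.append(account.user_id)
        return due

    def _get(self, user_id):
        if user_id not in self.accounts:
            raise KeyError(f"unknown user ID {user_id!r}")
        return self.accounts[user_id]

    @staticmethod
    def _check_roles(roles):
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")


if __name__ == "__main__":
    reg = AccessRegistry()
    reg.register("alice", {"helpdesk"}, date(2024, 1, 10))
    reg.register("bob", {"sysadmin"}, date(2024, 1, 10))
    print(reg.permitted("alice", "ticketing:read"))   # allowed by her role
    print(reg.permitted("alice", "server:root"))      # denied: outside her role, but logged
    print(reg.due_for_review(date(2024, 5, 1)))       # bob only: privileged, 90-day cycle
    reg.deregister("bob")
    print(reg.permitted("bob", "server:root"))        # denied after leaving
```

The audit log keeps denied attempts as well as allowed ones, which is what makes the "consequences for attempted unauthorised access" in the provisioning section enforceable. Deregistering keeps the account record in place but inactive, so old log entries still resolve to a person.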
Use of secret authentication information
No matter how perfect a policy is, management should make sure all employees actually follow it. In the case of secret authentication information, there should be a set of mandatory rules of which the adherence is checked. Examples of such rules are password requirements, prohibiting the sharing of passwords, and prohibiting the use of a personal password for business use.
Information access restriction
When the access rights policy states that the access to certain systems, assets or information should be limited, those access rights should in practice be restricted in exactly that way.
Secure log-on procedures
When the access control policy states that the access to certain systems, assets or information should be controlled by a log in procedure, this procedure needs to be in place in practice.
Password management system
If password management systems are used, they need to enforce good passwords and strictly follow the organisation's policy on secret authentication information. The passwords themselves should be stored and transmitted securely by the password management system.
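What "stored securely", "changed on first use" and "mandatory password rules" amount to in code, as an added Python example that is not part of the original article. The policy values (a 12-character minimum, a tiny deny list) and the scrypt cost parameters are assumptions chosen for the example. Only a per-user random salt and a memory-hard hash are stored; the plaintext never is.

```python
import hashlib
import hmac
import secrets

# Policy parameters: assumed values for this example, not taken from the article.
MIN_LENGTH = 12
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB per hash; slows offline guessing
DENY_LIST = {"password", "welcome1", "changeme"}


def check_policy(password):
    """Return the list of policy violations (empty means the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in DENY_LIST:
        problems.append("on the deny list")
    return problems


def hash_password(password, salt=None):
    """Salted, memory-hard hash; the record holds the salt and hash, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record, password):
    candidate = hash_password(password, bytes.fromhex(record["salt"]))["hash"]
    return hmac.compare_digest(candidate, record["hash"])   # constant-time comparison


# Hashed at start-up so a login for an unknown user costs the same as a real one
# (no timing difference that reveals which user IDs exist).
DUMMY_RECORD = hash_password(secrets.token_urlsafe(32))


class PasswordStore:
    def __init__(self):
        self.users = {}   # user_id -> {"salt", "hash", "must_change"}

    def create_user(self, user_id):
        """Issue a random one-time password that must be changed on first use."""
        temp = secrets.token_urlsafe(12)
        self.users[user_id] = {**hash_password(temp), "must_change": True}
        return temp   # handed to the user out of band; not kept anywhere

    def login(self, user_id, password):
        record = self.users.get(user_id)
        ok = verify_password(record or DUMMY_RECORD, password)
        if record is None or not ok:
            return "denied"
        return "change_required" if record["must_change"] else "ok"

    def change_password(self, user_id, old_password, new_password):
        """Returns the list of problems; an empty list means the change was made."""
        if self.login(user_id, old_password) == "denied":
            return ["current password incorrect"]
        problems = check_policy(new_password)
        if verify_password(self.users[user_id], new_password):
            problems.append("new password must differ from the current one")
        if not problems:
            self.users[user_id] = {**hash_password(new_password), "must_change": False}
        return problems


if __name__ == "__main__":
    store = PasswordStore()
    temp = store.create_user("alice")
    print(store.login("alice", temp))                              # change_required
    print(store.change_password("alice", temp, "short"))           # policy violation listed
    print(store.change_password("alice", temp, "Correct Horse Battery 42"))   # [] on success
    print(store.login("alice", "Correct Horse Battery 42"))        # ok
```

In a real deployment the transport side of the control (the article's "transmitted securely") is TLS between client and service; nothing in the store itself should ever see a password in the clear beyond the moment of verification.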
Use of privileged utility programs
Utility programs that can override system and application controls, or reach parts of a system that affect its integrity and performance, must be tightly controlled. Their use should be limited to as few people and occasions as possible.
Access control to program source code
Source code is often the most valuable part of a system or program. Even source code that does not run any internal application has great value, which can be monetary in the case of intellectual property. Source code of internal applications should by no means be accessible to unauthorised personnel, and the access of authorised personnel should be controlled and reviewed regularly.
Policy on the use of cryptographic controls
Some information has to remain confidential to those not entrusted with it, and its integrity and authenticity have to be protected. Cryptographic controls serve those goals: encryption for confidentiality, and hashes, message authentication codes and digital signatures for integrity and authenticity. For these situations a policy on the use of cryptographic controls has to be in place, stating when cryptographic controls are needed and what types fit which situations.
Key management
Just as the cryptographic controls need to be securely managed, so do the cryptographic keys, perhaps even more so. Cryptographic keys have, like information assets, a lifecycle: generating, storing, archiving, retrieving, distributing, retiring and destroying keys. A policy on the management of keys throughout this whole lifecycle should be in place. For the creation of keys, this could, for example, prescribe the required length, the algorithm used, and how the key will be stored.
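The key lifecycle from the paragraph above, turned into an added Python example that is not part of the original article: a state machine whose allowed transitions follow the lifecycle, a generation policy (approved algorithm, minimum length), and a key ring that rotates versions so retired keys can still decrypt old data but never encrypt new data. The algorithm names, the 256-bit minimum and the in-memory storage are assumptions for the example; in production the material would sit in an HSM or a key management service.

```python
import secrets

# Approved algorithms and minimum key lengths in bits: assumed policy values
# for this example, not taken from the article.
KEY_POLICY = {"AES": 256, "HMAC-SHA256": 256}

# The lifecycle stages the article lists, expressed as the allowed transitions.
TRANSITIONS = {
    "generated": {"active"},
    "active": {"retired"},
    "retired": {"archived", "destroyed"},
    "archived": {"destroyed"},
    "destroyed": set(),
}

# What each state may do: only an active key protects new data; retired and
# archived keys may still decrypt what they protected; a destroyed key does nothing.
USAGE = {
    "encrypt": {"active"},
    "decrypt": {"active", "retired", "archived"},
}


class ManagedKey:
    def __init__(self, name, algorithm, bits):
        if algorithm not in KEY_POLICY:
            raise ValueError(f"{algorithm} is not an approved algorithm")
        if bits < KEY_POLICY[algorithm]:
            raise ValueError(f"{algorithm} keys must be at least {KEY_POLICY[algorithm]} bits")
        self.name, self.algorithm, self.bits = name, algorithm, bits
        self.state = "generated"
        # bytearray so the material can be overwritten on destruction. This is
        # best effort in Python (the bytes object from token_bytes lingers until
        # collected); real storage belongs in an HSM or KMS.
        self.material = bytearray(secrets.token_bytes(bits // 8))
        self.history = ["generated"]

    def transition(self, new_state):
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.name}: cannot go from {self.state} to {new_state}")
        if new_state == "destroyed":
            self.material[:] = bytes(len(self.material))   # zeroise before forgetting the key
        self.state = new_state
        self.history.append(new_state)

    def may(self, purpose):
        return self.state in USAGE[purpose]


class KeyRing:
    """Holds every version of a named key so retired versions can still decrypt."""

    def __init__(self):
        self.versions = {}   # name -> list of ManagedKey, newest last

    def generate(self, name, algorithm, bits):
        key = ManagedKey(name, algorithm, bits)
        self.versions.setdefault(name, []).append(key)
        return key

    def rotate(self, name, algorithm, bits):
        """Retire the active version and activate a fresh one in a single step."""
        for old in self.versions.get(name, []):
            if old.state == "active":
                old.transition("retired")
        key = self.generate(name, algorithm, bits)
        key.transition("active")
        return key

    def current(self, name):
        return next(k for k in self.versions[name] if k.state == "active")


if __name__ == "__main__":
    ring = KeyRing()
    k1 = ring.rotate("db-backups", "AES", 256)      # first version, active
    k2 = ring.rotate("db-backups", "AES", 256)      # k1 retired, k2 active
    print(k1.state, k1.may("encrypt"), k1.may("decrypt"))   # retired False True
    print(k2.state, k2.may("encrypt"))                       # active True
    k1.transition("destroyed")
    print(k1.history)   # ['generated', 'active', 'retired', 'destroyed']
```

The transition table is the policy: a key cannot be reactivated after retirement, and destruction is terminal. Anything the policy should additionally require (rotation interval, who may approve a transition, dual control for destruction) is an extra check inside `transition`, not a new code path around it.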
Physical and environmental security
Physical security perimeter
The protection of information should take place at the physical level as well, as attempts at unauthorised access are not always made remotely. Physical barriers should be in place both inside and around the organisation's workspace, such as an access gate, locked offices, and a staffed reception area that controls who gets in and who does not.
Physical entry controls
Secure areas need to be locked off from common areas, and access to them should be authorised and documented. Non-personnel such as visitors should be accompanied, and their identity should be verified.
Securing offices, rooms and facilities
In order to remain secure, key offices, rooms and facilities should be made inaccessible to the public. The public should not be aware of their purpose, of whether and what information processing takes place in them, and ideally not even of their location.
Protecting against external and environmental threats
This one sounds extreme, but the organisation should take measures against natural and man-made threats from outside. Natural threats can be (partially) mitigated by being situated in a strong and secure building; man-made threats such as civil unrest or break-ins can be mitigated by multiple physical barriers.
Working in secure areas
Procedures for working in secure areas should be documented. Areas might be secure because of their classified or hazardous nature, and may only be accessed by authorised personnel. To protect the contents of secure areas, the organisation might want to consider prohibiting any visual and audio recording equipment.
Delivery and loading areas
As goods do not always arrive at and leave the premises through the organisation's own personnel, delivery and loading areas on the premises should be well controlled. To avoid any (accidental) unauthorised access to other parts of the organisation, delivery and loading areas can be situated in a remote and controlled part of the building. Incoming and outgoing goods should be kept separate and inspected before entering or leaving.
Equipment siting and protection
Equipment should be located and protected in proportion to its classification. By controlling all types of access, equipment can be protected from (accidental) damage, tampering and any form of unauthorised access.
Supporting utilities
Supporting utilities, such as a network connection, water, air and gas supply, and ventilation, may at some point fail. To prevent negative consequences, this risk should be anticipated. Utilities should be inspected on a regular basis, automatic failure detection can be implemented, and for key facilities backup utilities such as an alternative emergency network or water supply can be put in place.
Cabling security
Cables carrying either power or telecommunications should be protected against damage, interference and interception. To prevent easy access, they should be routed out of sight below floors or in or behind walls. For particularly important systems, the cabling can even be electromagnetically shielded.
Equipment maintenance
Equipment should be maintained well to prevent damage or tampering. Manufacturers usually recommend a maintenance interval and insurance companies might have their own requirements; both should be respected. Any faults should be documented, and maintenance may only be carried out by authorised personnel.
Removal of assets
Assets are sometimes taken off-site, which poses many risks. Outside the organisation's control they can more easily be tampered with, accessed without authorisation, or damaged. Any removal of assets off-site should be documented, registering by whom, to where, why, and for how long the asset will be off-site.
Security of equipment and assets off-premises
As described in the previous section, bringing an asset or equipment off-site poses many risks. Off-site assets should be properly secured, looked after and protected. To reduce these risks, an organisation might choose to prohibit ordinary personnel from taking assets off-site at all.
Secure disposal or re-use of equipment
Storage media might be re-used at some point, but it is important to control this process properly. The medium could have contained classified content, which should be made non-retrievable by securely overwriting it. When overwriting cannot be done securely (for example because the device may remap or retain old data), the medium should not be re-used and should be physically destroyed instead.
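An in-place overwrite of a file before its medium is re-used, as an added Python example that is not part of the original article. The file name and the "customer list" content in the demonstration are constructed. The caveat from the paragraph above applies in full: this only reaches the original storage blocks on a conventional disk with an in-place filesystem. SSD wear levelling, copy-on-write filesystems, snapshots and journals can all keep earlier copies, and in those cases the device's own secure-erase or physical destruction is the correct control.

```python
import os
import secrets
import tempfile


def _fill(fh, size, pattern, chunk_size):
    """Write `size` bytes produced by `pattern(n)` over the file and force them to disk."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(chunk_size, remaining)
        fh.write(pattern(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())   # each pass must reach the device before the next starts


def overwrite_file(path, passes=1, remove=True, chunk_size=1024 * 1024):
    """Overwrite a file in place with random data, then zeros, and optionally unlink it.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:          # r+b keeps the same inode: no new copy is created
        for _ in range(passes):
            _fill(fh, size, secrets.token_bytes, chunk_size)
        _fill(fh, size, bytes, chunk_size)   # final zero pass: the file is recognisably sanitised
    if remove:
        os.remove(path)
    return size


def contains(path, needle):
    """Helper for checking whether recognisable content survived."""
    with open(path, "rb") as fh:
        return needle in fh.read()


if __name__ == "__main__":
    # Constructed sample: a file with recognisable confidential content.
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "customer-list.txt")
    marker = b"ACME CONFIDENTIAL customer list\n"
    with open(target, "wb") as fh:
        fh.write(marker * 2000)
    print(contains(target, marker))                  # True before sanitising
    print(overwrite_file(target, passes=2, remove=False), "bytes overwritten")
    print(contains(target, marker))                  # False afterwards
    overwrite_file(target)                           # final pass and unlink
    print(os.path.exists(target))                    # False
```

Whole-device sanitisation is the usual case for re-use rather than single files; there the same loop runs over the block device (which also needs root and must not be the device the system is running from), or better, the drive's built-in erase command, whose effect covers remapped and over-provisioned blocks that a file-level overwrite cannot reach.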
Unattended user equipment
Equipment is not always in use, and should be properly protected when it is not. Log-in sessions should be terminated automatically after a short period of inactivity, and personnel should log out manually at the end of a session.
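Automatic termination after inactivity and explicit logout, as an added Python example that is not part of the original article. Besides the idle timeout the article asks for, the example enforces an absolute session lifetime that activity does not extend, which is the usual companion control. The timeouts (15 minutes idle, 8 hours absolute) are assumed values, and time is passed in explicitly so the behaviour is deterministic.

```python
import secrets


class SessionManager:
    """Server-side sessions with an idle timeout (refreshed by activity) and an
    absolute lifetime (never refreshed). All times are seconds, supplied by the caller."""

    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 60 * 60):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.sessions = {}   # session id -> {"user", "created", "last_seen"}

    def create(self, user_id, now):
        sid = secrets.token_urlsafe(32)   # unguessable identifier, never derived from the user
        self.sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def _expired(self, s, now):
        return (now - s["last_seen"] > self.idle_timeout
                or now - s["created"] > self.absolute_timeout)

    def touch(self, sid, now):
        """Called on every request. Returns the user if the session is still valid and
        refreshes the idle clock; otherwise drops the session and returns None."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self._expired(s, now):
            del self.sessions[sid]   # terminate on the server, not only in the client
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Explicit logout must invalidate the session server-side; True if one was removed."""
        return self.sessions.pop(sid, None) is not None

    def sweep(self, now):
        """Housekeeping: remove expired sessions that no request has touched since."""
        dead = [sid for sid, s in self.sessions.items() if self._expired(s, now)]
        for sid in dead:
            del self.sessions[sid]
        return len(dead)


if __name__ == "__main__":
    m = SessionManager(idle_timeout=900, absolute_timeout=3600)
    sid = m.create("alice", 0)
    print(m.touch(sid, 800))    # alice: 800 s idle is within the limit
    print(m.touch(sid, 2600))   # None: 1800 s since the last request
    print(m.sweep(2600))        # 0: the expired session was already dropped
```

The sweep matters because an idle session that receives no further requests never hits `touch`; without periodic cleanup it would stay valid in storage (and usable by anyone who obtains the identifier) until something else removes it.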
Clear desk and clear screen policy
To make sure no information on a desk or screen can be accessed without authorisation, the desk should hold no physical information assets or storage media and the computer should be locked or logged off when the employee is not present. Information left exposed while an employee is away can be read, stolen, tampered with or destroyed very easily.
Image credit: @kellybrito via Unsplash
Joost Krapels has completed his BSc Lifestyle Informatics (Artificial Intelligence) and MSc Information Sciences at the VU Amsterdam. During his Master's study he evaluated several compliance tools for GDPR compliance and interviewed many business owners about the impact of the GDPR. Within ICT Institute, Joost Krapels helps develop the Security Verified standard, improves our GDPR tools and templates and provides IT advice to clients.