ISO27002 explained, part 4

| Joost Krapels | Security

The article is part four of a series of four articles explaining ISO 27002 and the ISO 27001 statement of applicability. The article series briefly explain each control that is mentioned in these standards. The explanation is based on ISO 27002.

—————–Article 1—————–

  • Information Security Policies  A5
  • Organization of Information Security A6
  • Human Resource Security A7
  • Asset Management A8

—————–Article 2—————-

  • Access Control A9
  • Cryptography A10
  • Physical and environmental security A11

—————–Article 3—————–

  • Operation Security A12
  • Communication security A13
  • System aquisition, development and maintenance A14

—————–Article 4—————– (this article)

  • Supplier relationships A15
  • Information security incident management A16
  • Information security aspects of business continuity management A17
  • Compliance A18

Should these articles pique your interest in ISO27001 then it might be good to know that ICT Institute also provides both an ISO27001 introduction course and a full ISO27001 Lead Auditor course.

Supplier relationships

Information security policy for supplier relationships
Since suppliers have access to certain assets, organizations need to establish a policy stating requirements for risk mitigation. This policy needs to be communicated to suppliers and agreed upon. Examples of such requirements are pre-determined logistic processes, obligations for both sides, NDA’s, and documentation of the supplying process.

Addressing security within supplier agreements
Every supplier that in any way, directly or indirectly, comes in contact with the organization’s information must follow the set information security requirements and agree to them. An easily forgotten aspect of an agreement is what to do when the supplier cannot and will not supply anymore. It is important to implement a clause on that.

Information and communication technology supply chain
The agreements should also state the information security requirements and agreements on ICT services and supply chain. Examples of included requirements are the need to be able to follow items through the supply chain, and that a certain minimal level of security is maintained.

Monitoring and review of supplier services
Everyone makes mistakes, and so do suppliers. Whether the mistake did indeed happen on accident or was a deliberate action, the result is the same: the organization does not exactly receive what has been agreed upon and trust may decrease. For this reason, organizations should keep a good eye on suppliers, and audit them when the need is felt. This way, an organization is aware when a supplier does something out of the ordinary.

Managing changes to supplier services
Just like with system changes, management needs to control any changes in supplier services. They need to make sure that information security policies are up to date and any changes in the provision of the service itself is managed. A small change in the provided service combined with an outdated information security policy might result in a large new risk.

We offer a free excel template to create a register of your suppliers and you security requirements. Download it here.

Information security incident management

Responsibilities and procedures
Organizations need to create and document procedures for information security incidents, and which manager is responsible for what. Should an information security incident occur, it can be handled effectively and quickly. Security incident happen unexpected and can cause quite some chaos, which can be mitigated by having a protocol to follow.

Reporting information security events
As soon as an information security incident occurs, it needs to be reported to the right people in management in the right way. This only works when all involved personnel know their position and role in the chain. It is advised to instruct personnel to err on the side of caution, and explain to them why false positives are better than false negatives in the case of information security.

Reporting information security weaknesses
The difference between an information security incident and weakness is small, but vital. An incident has happened, but a weakness may lead to an incident happening. Since in the latter case the incident can still be prevented, employees should learn to recognize weaknesses and report them immediately. It is best not to let them try to prove the weakness, as this may result in an actual incident and/or legal issues.

Assessment of and decision on information security events
Organizations should have a well document assessment method for security incident. When a suspected event occurs, the responsible person is to test the incident against the requirements and determine whether there was an actual information security incident. The results of this assessment should be documented, so that they can be used for future reference.

Response to information security incidents
This point seems straight forward, but is still important to mention. Once an information security incident occurs, it needs to be responded to following the set-up procedures. The pre-determined measures should be taken, and the whole process accurately document.

Learning from information security incidents
Even though incidents are unwanted, they still possess great value. The knowledge gained from solving an incident should be used to prevent similar incidents in the future, and can help identify a possible systematic problem.

Collection of evidence
Once an accident occurs, the cause is usually not immediately clear. When the cause is an individual or organization, they should be disciplined based on the intention and effect. To link an incident to a cause, evidence needs to be collected. In case of a malicious action, this evidence might be used in legal actions. To prevent accidental or deliberate destruction of evidence, there should be a clear and safe evidence identification procedure.

We offer a free excel template for registering and recording security incidents. Download it here.

Information security aspects of business continuity management

Planning information security continuity
Organizations should determine their requirements for information security continuity in case of a crisis. The easiest choice is to resume standard information security activities as best as possible in an adverse situation.

Implementing information security continuity
Once the requirements of the previous subchapter have been determined and agreed upon in management, procedure, plans, and controls should be put in place to resume with an acceptable level of information security in case of a crisis.

Verify, review and evaluate information security continuity
As organizations change, the best way to respond to a crisis changes as well. An organization that, for example, doubled in size within a years’ time will most likely benefit from a different response than a year ago. For this reason, the information security continuity controls on a regular basis.

Availability of information processing facilities
Sharply planning the availability of information processing facilities might be cost efficient in optimal situations, it is most definitely not in abnormal situations. Information processing facilities should, therefore, be designed with a certain margin of redundancy, so that extra unexpected capacity does not exceed the maximal capacity.


Identification of applicable legislation and contractual requirements
Requirements come from all places, and are there to be met. Organizations should therefore have an overview of all requirements they need to comply to, and how this is done. Since requirements can change or get added, the requirement compliance overview needs to be kept up to date.

Intellectual property rights
Intellectual property rights, also a part of legal compliance, is an area that deserves special attention. Intellectual property can be of great value, so it is important to document one’s own intellectual property and the use of other’s intellectual property well. (Accidental) wrong use of other’s IP may result in large lawsuits, and should be prevented at all costs.

Protection of records
Any records, be it accounting records or audit logs, should be protected. Records are at the risk of being lost, compromised, or accessed unauthorized. The requirements for the protection of record might come from the organization itself or from other sources such as legislation or insurance companies. For this, strict guidelines should be created and followed.

Privacy and protection of personally identifiable information
Depending on the country or economic space an organization is located in, different legislation on the protection of personal data might apply. To organizations situated in the EU and/or processing personal data of EU citizens, the General Data Protection Regulation applies. Organizations need to make sure to be aware of the requirements set by such legislation and follow it religiously.

We offer free templates to help you meet GDPR requirements, including a template for a processing register and a data protection impact assessment (DPIA) template. You can find our templates here.

Regulation of cryptographic controls
Just like the previous subchapter, different parts of the world have different legislation regarding cryptographic controls. Organizations need to be aware of the rules and follow them.

Independent review of information security
It is impossible for organizations to objectively review their own information security system. For this reason, organizations should have their information security audited by an independent party on a regular basis, or when large changes occur. This keeps an organization’s view of their information security correct and transparent.

Compliance with security policies and standards
With all these security policies, standards and procedures, it is important for managers to regularly review whether the activities and/or processes they are responsible for are fully compliant. For this to be done correctly, they should be aware exactly which rules and requirement they need to comply with and check this manually or with an automatic reporting tool.

Technical compliance review
Information systems need to be regularly reviewed on compliance as well. The easiest and usually most cost-effective way to do this is by means of automated tooling. This tooling can quickly check all nooks and crannies of a system and report exactly what went/could go wrong. Vulnerability tests such as penetration tests can effectively show any weaknesses, but might actually harm the system when done without caution.


Image credit: @kellybrito via Unsplash

Author: Joost Krapels
Joost Krapels has completed his BSc. Artificial Intelligence and MSc. Information Sciences at the VU Amsterdam. Within ICT Institute, Joost provides IT advice to clients, advises clients on Security and Privacy, and further develops our internal tools and templates.