Security verified requirements 2016.10

These are the old, 2016.10 version, of the Security Verified requirements. These older requirements will remain available for reference. For new reviews you should use the latest version of the Security Verified requirements.  

Overall structure

The document consists of two parts.

  • Part 1 (General Requirements) consists of mandatory elements for a functioning ISMS and legal requirements. An organisation must address all these elements in order to have an effective ISMS.
  • Part 2 (Example controls) is a list of recommended or best practice controls for each area. An organisation should evaluate these controls and implement the controls that are relevant and valuable. ICT Institute wants to see evidence of implementation for more than 50% of these controls (at least 14 out of 27).

If an ISMS meets the requirements of both parts, it qualifies for a ‘Security Reviewed’ certificate.

The general requirements part consists of the following topics

  • Management requirements
  • Security team requirements
  • Staff involvement
  • Security Policy Documentation
  • Personal data protection
  • Final thoughts

These topics are in fact similar to ISO 27001, in that they describe a management system. By having all these elements in place, an organisation should be able to improve their informations security continuously. Eventually they should reach a very high level. The only difference in structure between ISO 27001 and this part is that there is an extra section for personal data  protection. Organisations are required by law to implement these, so it made sense to include them in the standard.

The example controls part consists of the following sections:

  • Human resource controls
  • Physical security controls
  • Backup plan
  • System access controls
  • Secure software development and acquisition
  • Technical security controls for systems
  • Technical security for devices
  • Recurring controls

This structure is somewhat similar to ISO 27002, a standard that also presents a set of controls. Like ISO 27002, not all of these controls are mandatory. The information security team should choose those controls that are most effective against the actual risks of an organisation. The controls that are included in the standard are however highly recommended for most organisations, and it would be very suspicious if an organisation claimed to have a good information security policy, but had determined that most of these controls would not be necessary. Such an organisation might be trying to get a security certificate without making any actual improvements. For this reason, it is mandatory to have more than half of the controls implemented. The organisation can determine by themselves which half is most suitable for their organisation.

Part 1: General requirements

management requirements

  • A permanent security team has been created by management
  • The security team has received enough time for quarterly reviews and improvement of information security
  • Top management itself has shown commitment and involvement in information security.

Security team requirements

  • The security team has created and maintains an inventory of information assets and risks.
  • The risks are continuously evaluated. A first evaluation has taken place and some controls have been defined in response
  • A regular (e.g. quarterly or semi-annually) meeting has been planned for reviewing risks, assets and choosing controls based on this analysis
  • The team has chosen a structured method like ‘plan-do-check-act’ for continuous improvement

Staff involvement

  • At least half the staff have attended a security awareness training
  • Randomly selected staff members know whom to contact and how to respond in case of incidents or questions.
  • The responsibility of each new and current staff member for information security is formally agreed (e.g. in staff policy or new contracts)

Security Policy Documentation

  • There is a document that describes the organisational scope of information security answering scope questions around legal entities, locations and personnel types
  • There is an up to date register of information security incidents (including staff questions, signals or other messages) available to the whole infosec team
  • Results and decisions from the risk assessment process are documented

Personal Data Protection

  • The management or security team has analysed whether and where the organisation is handling personal data and thus whether additional regulations apply to the organisation.
  • All staff handling personal data is aware of the existence of additional regulations for personal data. Specifically they understand the need to take additional care against improper use, improper storage and the need for proper security
  • It is clear which management team member is responsible for making sure all suppliers with access to personal data sign a data processing agreement. An actual example or template is available.
  • It is clear which management team member is responsible for keeping track of all data processing agreements signed by organisation. He or she must check if the infosec policy meets all requirements from these agreements.
  • There is a contact person and process for staff to report potential personal data breaches.
  • The information security team understands the actual rules for personal data protection and the importance of proper-use-only, limiting storage and distribution and the rights of subjects.

Final thoughts

  • The security team has defined actions to grow its own knowledge, e.g. through books, courses and involvement in the information security community.
  • A statement of applicability listing all controls chosen in the risk treatment process is maintained.
  • It is clear which metrics will be used by the management to evaluate the information security management system.

Part 2: Example controls

These controls are not all mandatory. Each organisation should select the most effective controls based on their risk analysis.

Human resource controls

  • Instructions on information security are included in the onboarding process for new employees.
  • A check is made when people leave the company whether assets are returned.
  • It is clear to all staff whether they can use their own devices (laptop and mobile) for company email and data
  • It is clear to all staff whether they are allowed to work from home or other locations, and what the requirements for these locations are
  • Candidates are screened by calling a reference or asking a VOG.

Physical security controls

  • Offices with IT infrastructure in it are locked or otherwise have access restrictions
  • Important documents such as contracts are stored out of sight and locked
  • All acceptance and production servers are hosted at secure, dedicated data centers

Backup plan

  • All production servers are backed up at least daily
  • There is a backup plan for office documents. The result must be that all office documents that users work on are either stored in the cloud or backed up on a daily basis

System access controls

  • All devices have a password or access code. Everyone is instructed on proper use of passwords
  • All IT systems have personal accounts with a password or access code
  • For all systems where possible, checks are in place to force people to choose strong passwords
  • All passwords are changed at least once a year or within 2 months after a technical member of staff with access leaves the company

Secure software development and acquisition

  • All software developers have working knowledge of OWASP and receive regular security awareness training
  • All product owners, designers and developers doing design work have been instructed to apply security by design and privacy by design.
  • Systems are regularly tested for security aspects, as part of the normal testing

Technical security controls for systems

  • Communication to and from servers is secured using https, SSL or other secure protocols
  • All production servers have a firewall installed
  • All production servers produce logs. This information is stored securely and monitored for important events using alerts or daily checks
  • There is a policy that forbids the use of default passwords and other weak passwords

Technical security for devices

  • PCs and laptops have a firewall enabled and antivirus software installed
  • Devices (PC laptop, tablet and smartphone) have an up to date, still supported OS version.
  • There is a backup or recovery plan for when devices go missing or are stolen. Possible elements include encryption, wiping and diabling accounts

Recurring controls

  • External ethical hackers are regularly (recurring PEN-test) or continuously (bug bounty program) invited to test security
  • Future security awareness trainings have been planned to keep new and current staff up to date. The dates for at least the next two trainings have been announced
  • There is a procedure for internal security audits, requested by management executed outside the information security team.