Just what exactly is ISO27001? As someone who has been interested in security and, in my opinion, doing a lot to know the different aspects of cyber security, this standard is an area I knew surprisingly little about. ISO27001 is often listed as a requirement in security job postings and as something to know if you “know” security. With that in mind I set out to better understand ISO27001 as well as the NIST CyberSecurity Framework.
ISO27001 is an international standard that defines the requirements for an Information Security Management System. [1] This standard is not specific to any industry and can be used by any organization. What is an Information Security Management System (ISMS)? An ISMS is simply the collection of policies, procedures, guidelines, and pretty much everything else you can think of that a company does to protect its information assets.
ISO27001 defines the requirements for an ISMS and lists 93 controls in an annex to the standard. ISO27001 is an international standard, here in the US the National Institute of Standards and Technology (NIST) has also published a Cyber Security Framework (CSF) as well as policies on Risk Management. Most of the international and national standards and frameworks are designed to be suitable for any organization to use and can be used with each other.
In my quest to understand ISO27001 and NIST CSF it makes sense to start with some basics. What is a successful ISMS, how is ISO27001 structured, how can ISO27001 be applied? For starters ISO27001 is just one of a series of standards on Information Security Management Systems! There are in fact no less than 5 standards that complement each other.
ISO27001 - The main requirements for an ISMS and my focus
ISO27000 - an overview of ISMS plus terms and definitions
ISO27002 - Security controls and implementation guidance. These controls are listed in an Annex of ISO27001 but detailed here
ISO27003 - Explanation and guidance on the requirements in ISO27001
ISO27005 - Guidance on Information security risk management
These are just the high-level standards, in the Deep Dive section there may be more that are mentioned as they apply to specific areas such as Assessing controls or monitoring.
A successful ISMS takes a few principles into consideration. It will have an awareness on the need for information security and assign responsibility for information security. This will require commitment from management and consideration of the interests of stakeholders. A successful ISMS implementation will perform risk assessments to determine what controls are appropriate to apply and incorporate security into the information networks and systems, working to actively prevent and detect security incidents. Taking a comprehensive approach to information security management a successful ISMS will also look to continually reassess and improve. [1]
Knowing now what an ISMS is and what makes it successful, where does ISO27001 fit, how is it laid out and how can it be applied? ISO27001 consists of 10 chapters and an Annex. The Annex is a reference to the 93 security controls that are detailed in ISO27002, I’ll take an overview look at these controls in the Deep Dive. The 10 chapters of ISO27001 cover all of the requirements for an ISMS. The chapters are: Scope, Normative references, Terms and definitions, Context of the Organization, Leadership, Planning, Support, Operation, Performance Evaluation, and Improvement. The first three chapters are what I’m going to call administrative, they help set the context for the rest of the standard. Chapters 4 through 10 outline different requirements for the ISMS covering everything from understanding the interested parties to assigning sufficient resources to support the ISMS to making continual incremental improvements. All of these requirements are intentionally broad to allow room for the implementing company to determine exactly how to comply within the context of their organization.
Applying ISO27001 to an organization is about understanding risks and taking appropriate measures to control those risks. As mentioned earlier an ISMS is about protecting Information assets, understanding the risks these assets face is a large part of implementing ISO27001. ISO27001 requires documentation around some of the activities that one needs to do in implementation, such as a Risk Assessment and Statement of applicability. Other documentation is not required but helpful to maintain. When implementing ISO27001 it is important to support not only the implementation but the ISMS with enough people, time and money. An organization can leverage ISO27001 to identify risks, opportunities for improvement and what controls are needed to protect its information assets.
ISO27001 articulates controls that are preventative, corrective, and detective in Annex A, however ISO27001 is largely about implementing a system to identify risks. The NIST Cybersecurity Framework is a tool that also lists controls. While ISO27001 is the standard for an ISMS, NIST CSF is a framework that assists in ensuring sufficient controls are in place. NIST CSF is broken into 6 different functions - Govern, Identify, Protect, Detect, Respond, and Recover. These functions outline different areas of cyber security. Each function of NIST is broken down into Categories and SubCategories.
The NIST CSF is designed to help an organization manage its cyber security risk, much like ISO27001 it is designed to be understood by a broad audience and applicable to any sector, country, or technology. The NIST CSF outlines what desirable outcomes are without touching on how or prescribing a method. NIST CSF refers to these 6 Functions and their categories and subcategories as “CSF Core”. In addition to this core they provide Organizational profiles to help an organization identify its current and target posture as it relates to the Core outcomes, and CSF Tiers that can be applied to the profiles to “characterize the rigor of an organization’s cybersecurity risk governance and management practices” [3]. While NIST is often used by companies to gauge security maturity, NIST does not provide a Maturity Model with NIST CSF. The NIST CSF is designed to be used by all organizations and should be used “in conjunction with other resources (e.g., frameworks, standards, guidelines, leading practices) to better manage cybersecurity risks” [3].
ISO27001 and NIST CSF are probably the two standards/frameworks that are most common and well known. They are not the only standards though. Both ISO27001 and NIST CSF are focused on covering the full range of risks and the outcomes a business should aim to achieve. There are additional frameworks that focus on more technical aspects of security. The most well known is likely the Open Web Application Security Project (OWASP) Top Ten List of application vulnerabilities. OWASP is an open source organization that collects the most impactful application vulnerabilities (as rated by industry professionals) roughly every three to four years. OWASP also provides a myriad of other top ten lists and some tools to help security professionals [4]. The final framework I’m going to mention is the Supply-chain Levels for Software Artifacts (SLSA). This framework is a relatively new one that has been created to help reduce the impact of supply chain attacks by providing a list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure [5].
ISO27001 and NIST CSF are both extremely comprehensive documents. In this section I hope to provide a brief outline of the definition of threat vs vulnerability, some of the controls listed in Annex A of ISO27001, a high-level overview of the NIST CSF Functions, and a brief comparison of ISO27001’s requirements for changes to an ISMS and the Software Development Lifecycle (SDLC).
Threat and Vulnerability are often used interchangeably however they are not the same thing. A Threat is “a harmful act that has the intent of causing harm to an organization” [6]. An example of a threat is ransomware. This is something that could happen that would cause financial, legal, and/or reputational damage to a company. A Vulnerability is “a medium that threats use to access a system” [6]. This is the flaw in design or “open-door” that attackers take advantage of. As a bonus a Risk is the potential of a threat to exploit a vulnerability to cause harm. Risks are measured as the likelihood of a threat and the magnitude of damage it might cause.
ISO27001 Annex A lists out 93 controls for mitigating Risks. These controls are categorized as Organizations, People, Process, or Technology controls as well as Preventative, Corrective, or Detective. NIST has a similar break out by sorting the outcomes into the Govern, Identify, Detect, Protect, Recover, and Respond functions. I’m not going to regurgitate the 93 controls here as they can be found online, they touch on many of the areas you may already be familiar with Segregation of duties, Classification of informations, Access Control, Information Security Incident Management Planning and Preparation, Protection of Records, privacy and protection of PII, Responsibilities after termination or change of employment, confidentiality or nondisclosure agreements, physical entry controls, protection against physical and environmental threats, Access to source code, Logging, Segregation of networks and many others. As you can see these controls cover a wide range of scenarios. One of the aspects of ISO27001 is the statement of applicability where companies need to record which of the 93 controls are applicable to their business, for example a company that does not develop any applications probably does not need the “Access to source code” control.
The NIST CSF functions organize the outcomes at their highest level [3].
Govern - The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
Identify - The organization’s current cybersecurity risks are understood.
Protect - Safeguards to manage the organization’s cybersecurity risks are used.
Detect - Possible cybersecurity attacks and compromises are found and analyzed.
Respond - Actions regarding a detected cybersecurity incident are taken.
Recover - Assets and operations affected by a cybersecurity incident are restored.
These six areas encompass the lifecycle of security from defining policies, to identifying assets and the risks, through restoring operation after an incident has occurred and everywhere in between. These six areas should not occur in a linear fashion though, each function supports the others and they should all be addressed at the same time.
ISO27001 chapter 6.3 outlines the requirements of planning for changes to the ISMS. The steps called out here mention planning to avoid unwanted consequences and while it does not give direct examples it can be inferred it includes changes to tech, controls, or personnel. It requires planning not only what the change is, but who is responsible for the different portions of the change, what the consequences of the change are, and to test the change before making it if possible. It also calls for a strategy to revert the change. This process closely aligns with an ideal SDLC. Before making changes to an application planning out what the changes are and assigning responsibility to make the changes is important. The changes should also be tracked in a change management system so the impact can be seen and if needed changes can be reverted.
All articles I either directly reference or found useful in my pursuit of understanding NIST CSF and ISO27001!
[1] https://www.udemy.com/course/isoiec-27001-information-security-management-system/
[2] https://www.nist.gov/cyberframework
[3] https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
[6] https://www.clouddefense.ai/risk-vs-threat-vs-vulnerability/