SecurityLah - the Asian Cyber Security Show

S3E02. ISO Series - Primer to the ISO 27000 series

January 06, 2023 SecurityLah Season 3 Episode 2

Team SecurityLAH introduces a series of podcasts on international standards around cyber security. This is a year-long series, with each episode airing at the beginning of the month.

We've looked at what standards and ISO are, and now we go into the 27k series. The team looks at the progression of the 27k series, the 7799 series, and how the standards have evolved to today's needs.

Hey Prof, how are you?

Hi, I'm good.

So you've had some time to think about our discussion about ISO and how standards work. Now, to be fair, we had a podcast that talks about cybersecurity, and we briefly touched on an ISO standard that even talks about brewing tea, so we're not gonna cover so much about how to brew tea. Those of you interested in brewing tea, ISO 3103: you can find a copy of the document and find out what the proper ISO way, or the British Standards way, of brewing tea is. This podcast is about cybersecurity, and we are going to be focused on what the ISO standards for cybersecurity are. Welcome, you are listening to the SecurityLah podcast, season 3. So Prof, what do you have in mind?

ISO 27000 series.

Okay, that's what we'll talk about, and we promise that we will go deeper in the coming episodes. So for now, to start, can you tell us what the ISO 27000 series documentation is?

Okay, so the ISO 27000 series, or the ISO 27k, is the standard family specifically for information security. Alright, so there are two committees who created, or who are working together to create, these standards. The first one is ISO; the second one is IEC, which is the International Electrotechnical Commission. That's why you will see that in any notation it's ISO/IEC 27000-whatever number that is, right. So these two organizations work together, and within ISO there's a specific committee called SC 27, or Subcommittee 27, that looks at this specific body of standards. So if you want to know anything and everything about information security, you zoom into the 27000 series.

Now besides that, there are also two others that I often hear people talk about, which are 17799 and BS 7799. What are they?

Okay, so the first standard that was produced by ISO/IEC was 17799, and this was in the year 2000.
Now what happened was that the original cybersecurity standard was fast-tracked from an existing British standard called BS 7799, which was produced in 1999. So what they did was: British Standards already had a standard on information security. ISO took the standard and said, okay, let's use this. So the first number that they came up with was 17799, so that it mirrors the existing British standard, BS 7799. Now what happened is, after that, they decided to renumber the ISO standard and gave it its own series, which is the 27000 series. So originally it was just one document, and eventually ISO decided that it's too big to be just a single document; there's a whole family of documents involved, and hence they gave it its own series.

So they're mutually complementary?

They are derived from British Standards. So British Standards was the one that actually came up with the original one, which is 7799. ISO took it up, fast-tracked it, created a single document called 17799, and they realized that this is too big, and hence they gave a family to it, which is the 27000 series. So some standards are standalone, some standards are a family, family meaning that they have corresponding standards that are related to that particular standard.

So these two are the only ones? Do we call them standards or families, or how?

So these are standards. 17799 no longer exists, because these documents have been taken over by the 27000 series; they've been deprecated, which means it's not in use anymore, so any reference would go back to the 27000 series, specifically 27001, and referring to the latest one, which was released in 2022.

Okay, so let's go back to 27000. How many documents are there in this series?
Oh wow, a lot, a lot. If you look at the last count, I'm talking about published documents, published documents are close to 60 plus. If I'm not mistaken, from my memory it should be about 63, and they have a lot more documents. And there are some documents that are not numbered under the 27000 series. So one of the documents that I personally worked on was on cryptography, and that was under a different number: that was under the 29000 series. So I was working on 29192 part 6, which is a subset of that particular document. And one of the things you may find interesting is that some ISO documents will be released part by part and not as a single large document. The reason is because every time you want to change a certain thing in that particular document, that section is very wide, and you may have different sub-working groups that are working on the contents. So to give the document a little bit more freedom, rather than modifying the document many times, you break it into parts. So ISO broke it into parts and they publish each of the parts independently. So one example would be ISO 27033, which is specifically on network security. You have 27033 part 4, which talks about securing communications between networks using security gateways, that's part 4, and you have part 5, which talks about securing communications across networks using virtual private networks, or VPNs. So if you notice, they are both part of network security, but they've been given different part numbers, so that when a change happens it doesn't affect the whole document, it only affects that particular section.

Okay, and within this series, what are the standards there?

Oh, that's a lot. I can sit down and talk about all of it, so let me go through a few which I find will be most relevant for most people to know, right. So the first one would be the most important one, which is 27001. This is a document that I recommend everyone to actually have a reference to,
because if you want to certify your organization to 27000, you will be certifying it against 27001, right. Now this has just been updated, so please make sure you get the right copy: it should be 27001:2022, not 2013 and not 2008; those are the older versions, right. Then the next one is: now you have this 27001 standard, and you're reading through the standard and you realize that, hey, these statements are so wide, how can I actually, what do I need to do? I mean, as the techies that we are, you give me a motherhood statement like "all policies must be updated frequently" and I'm like, I don't know what to do with this, right. So I need some prescriptive guidance as to what I need to do, right. Of course you have the option of hiring a consultant who will come and do everything for you, if you have that much money. Or if you're looking at being the consultant yourself, then the best way to do this is to look at the subsequent documents within ISO. So the next document I make reference to is 27002, which gives you a detailed catalog on how you could implement controls, right, on how you can implement controls. So there are so many topics that ISO has published under the 27000 series, let me give you a few examples. One that most people also refer to would be 27005, which is the guidance on managing information risks. Now, just to share with everyone, this standard, I'm not sure if it's already been deprecated, but this standard now refers to ISO 31000, which specifically talks about risk management. Now this document was created in tandem to manage risks related to information security, but since risk management is a generic methodology, ISO has decided that this document doesn't need to be here and makes reference to ISO 31000, right. So if you notice, there's a lot of ISO documents, right, so yeah, there's a lot. So there are even guidelines if you want to be an ISO auditor. That means you want to be one of the guys who's auditing an organization on
managing the controls. There's ISO/IEC 27008, which is guidance for auditors on ISMS controls. Now one of the things you will notice is that ISO 27001 refers to this word called ISMS, which stands for Information Security Management System. So there are two parts to this: one is information security, another one is the management system. So management system refers to how you manage and run the implementation of an ISO standard in an organization. So typically most organizations will follow the Deming model, which is Plan, Do, Check and Act. That is considered one cycle of an audit, and usually one cycle of audit takes about a year. So by the time you get into your audit and your findings and everything, usually it takes a year. No one does it more than that; it's too laborious to actually do that multiple times a year. All right, so we spoke about 27008, which is guidance for auditors on ISMS controls. There's also specific guidance on industries. So for example, there used to be a standard called 27015, which is the information security management guidelines for financial services, but unfortunately now this document has been pulled out, because they find that, well, you don't need something specifically for financial organizations anymore. There are other standards that you would refer to if you're specifically in financial organizations, not necessarily on information security, so 27001 still applies for that. You may also have, say, if you're from the energy industry, you want to know how to have information security for process control in the energy industry, you can look at 27019. So if you look at it, there are so many of these things that you can look at, right. If you're interested in cloud, right, I'm sure everybody's going into cloud right now, you can look at 27017, which talks about the code of practice for information security controls based on ISO 27002 for cloud services, and there's another one, 27018, which talks about protection of personally identifiable information in public clouds acting as PII
processors. These are organizations that act as data processors for other organizations: what are the controls you need to put into place for you to be able to use public clouds as a data processor, right. I just explained about 27033, which was about network security in general, where it has about seven parts. Now you can go a little bit deeper and also look at 27035, which talks about information security incident management. So if you want to know how to manage a security incident, well, there are four parts that you can refer to: what are the areas you need to look at from incident management, how do you manage the whole process end to end. So if you look at it, that's literally a document for anything and everything. And we can't just talk about information security without touching digital forensics. We spoke about incident response; there's also a number of standards on forensics. So for example, 27037 talks about guidelines for identification, collection, acquisition and preservation of digital evidence. So if you have digital evidence, how do you manage it, how do you collect it, how do you ensure that it meets your local legal requirements. You also have ISO 27042, which talks about analyzing digital evidence; you have ISO 27043, which talks about incident investigation; and one of the key things in digital forensics and acquisition is electronic discovery: ISO 27050 parts 1, 2, 3 and 4 all talk about electronic discovery. So if you look at it, I'm actually running out of breath right now, each one after another, man. That's why I said if you ever have a particular requirement, ISO would definitely have a document for it, right.

And with so many standards, you know, do you certify to all of them?

No, no, no. As I mentioned earlier, you only certify to 27001; that's the only document an organization will be looking at. But then you might ask me, hey Doc, I'm running a forensics lab, yeah, right? There are different standards beyond the 27000 series that you would use to certify your
forensics lab. That should give you an idea as to how detailed this whole topic is.

That's obviously a lot more to cover if you were to go into every single one of them, but from your experience, which sectors, you mentioned a field like energy and then also financial sectors, so from your experience, which sectors are more forthcoming when it comes to getting the ISO 27000 series?

Well, it really depends. So for example, some countries may mandate to say that, as part of information security assurance and infrastructure resilience, you must be able to demonstrate your compliance towards a particular ISO standard. But it's entirely up to an organization, or maybe their parent company, or maybe a country regulation, to determine that, right. But the other thing I must stress is that even though you are certified against the ISO 27000 series, it doesn't mean you're hacker-proof.

Yes, that actually leads me to another question that I wanted to ask you. I originally wanted to ask you how do you measure, or how do you know, that it's effective? You know, there's obviously a lot of standards, a lot of things, well, at the risk of being labeled as being cumbersome and tedious, how do we know that it's actually effective and it's doing what it's supposed to do, what it promises?

First things first, the standards give you a guide as to what are the things you should be doing. Like I mentioned in the first episode, if the board comes up to you, say, Prof, you're the CISO, and the board comes up to you: how do you know, how can you give me the assurance that you're doing everything necessary to protect our infrastructure? And the answer can be that we adopt the ISO 27000 series, we practice and we certify ourselves against the standard, and the certification is proof of how we are committed towards the ISO standards, or towards a standard that is globally recognized as a security standard.

But I still don't see the connection here. Just because there is a list of guidelines and you've done according to it,
that itself does not guarantee, and it's not proof, because it's on paper. How well you do it is another thing, and how effective it is, is yet another thing.

So the effectiveness is proven through the audit, because as part of your Deming model, the PDCA, Plan-Do-Check-Act, there are actually two stages of audit. The first stage of audit is your internal auditor, so you need to engage your internal auditors to do the first round of audit against the standards. And usually, the way that I've seen, after having certified a few organizations and running some of these audits myself, if the internal audit does a very thorough job of assessing all the controls, checking to make sure the controls are actually being done, then the external auditors may focus on areas which were not focused on by the internal auditors, and that would give you a comprehensive view of how well your organization does. So while you may say on paper, yes, I've certified myself, the proof of the pudding comes as how thorough the audit process is. So if you take the audit process very seriously and you really want to show your compliance, then you will have all the necessary records or details for you to show that this is what we've done for the past one year. And the auditor may say, okay, in the month of June, I'll give an example, in the month of June, can you give me a list of all your staff who have left the organization? Okay, so you get this list, and then you can say that in the month of July I want to see who has access cards into the building. Just comparing these two lists, you can easily see if anyone who's left the organization still has an access card. And the same thing can be replicated to an Active Directory list or anything else, a system list, a critical system, right. So you can generate the list of users in a critical system at this month, you can take a staff exit list at a particular month, and you can make a comparison, and you will know whether the process is actually working.

Enjoying the show so far?
Subscribe now so that you don't miss out on the latest episode. We are available on Spotify, Apple Podcasts, Google Podcasts and many other platforms. Visit podcast.securitylah.asia to get the links to subscribe.

Right, so with a thorough audit process you tend to mitigate a lot of these low-hanging security vulnerabilities, which would help to improve the posture of your organization.

So in the event of an audit, and after obtaining certification, would you say that it's actually a measure of how well the process has been followed, or is it how well the objectives are achieved?

Yes, provided that the audit process was done thoroughly. So I have to put a caveat there: if you have done it thoroughly, then yes. Now I mentioned earlier that you may still get hacked even though you follow ISO standards, so what did I mean by this? Now, ISO mandates that you manage your systems properly, systems are patched. There's a possibility that you may have a zero-day, right, in your system; that is beyond what ISO can actually tell you. Of course it'd be dumb enough to say you have to mitigate zero-day attacks, and yeah, a lot of security vendors would be happy to throw solutions and boxes and tell you, yeah, we mitigate zero-day attacks, but in reality some of these vendors themselves become part and parcel and victims of these kinds of zero-day attacks. So there's always a possibility of you being hacked. But where ISO comes in is that, like what I mentioned earlier, digital forensics and incident response, you have all these processes that give you guidance on what to do. So you know, okay, you believe there's an incident and there's a security breach, you have all these processes that tell you what you need to do: how do you call in a war room, how do you organize the situation, does this need to go to the board, does the CEO or the group managing director get involved. These questions are easily answered because you have all these processes in place and all you have to do is execute them,
versus an organization that has probably not done the ISO 27000 series, now encountering a breach: they have no clue what to do. So you know, in Asia we say you run around like a headless chicken; well, that's what's gonna happen. Whereas for an organization that actually has all these standards in practice, you have all these policies, you have all these procedures, you just need the right people to execute them.

So that means, with the ISO rigorous assessment, you may use the word, what happens is that the organizations would have an improved risk assessment and mitigation process?

Yes. So one of the things that ISO talks about, ISO 27000 talks about, is continuous improvement. Now it's not just, as I mentioned earlier, yes, that the whole Deming model takes about a year for you to actually complete, right. It doesn't mean that, yeah, I finished my audit, yeah, I just hang my laurels and, you know, I chill back until the next one-year audit. No, it doesn't work that way. It talks about continuous improvement: you find areas on how you could improve the process, and you do those improvements, because one of the things that you have to demonstrate to the auditors is how you are looking at continuous improvement, right.
It's not just to say, yes, these are the standards, today I met the standards, that's it, done, and, you know, I got my annual bonus, because now is the bonus season for everyone, I got my bonus and I'm very happy and I forget about it. It doesn't work that way, because continuous improvement is one of the areas of how ISO promotes you to move further ahead in cybersecurity.

That's true. And also, as you mentioned in the first episode, one of the reasons we are doing this is because we don't want to be too focused on talking about breaches and stuff like that. But with ISO, how do you connect having ISO certification with the legal consequences of a breach?

Well, the first thing is, yes, definitely. So the first thing is that you have proper processes for you to ensure that a breach is managed, contained or eradicated as per the process that you've defined. So number one is, you are giving an assurance that, yes, breaches may happen, but when it happens, we know how to deal with it effectively, right. There may be lessons learned from the breach, which can later be imported and embedded into the organization as part of the improvement process, and these are all put in as part of an implementation of the standards. So this can be done very easily for an organization that already uses the ISO standards.

I think from here we can see that it's not only an effective protection system, the management system, but it also can help in financial growth and benefits to business operations if implemented correctly.
Yes, you're absolutely right. Some organizations, before they engage or before doing business with another party, one of the questions they ask is, are you ISO 27000 certified, right. So one of the things that I mentioned in the previous episode is that ISO certifications can both help and can be misleading. Let me explain that statement. One of the requirements for an audit, or for you to certify an organization, is that you need to define a scope, and the first thing you define in the scope is which department or section is going to be audited. So for example, I might play cheeky and say, if I'm a vendor, I'm a system integrator, I just want to tell people I've got the ISO 27000 series, I'm secure, but my scope of audit is my admin department, not the delivery team. So yes, as an organization I am ISO certified, but, there's a big but there, the team that's actually certified is not the delivery team, it's the admin team. So maybe another parallel into ISO certifications, I mean, I'm not sure if you've heard of ISO 9001?

Yep.

Well, they use the term quality management system. What I find misleading is that someone says, oh, I'm ISO 9001 certified, I've got very good quality. Well, not necessarily. So the parallel about ISO 9001 is that if you produce bad products, ISO 9001 simply says that you produce bad products consistently; if you produce good products, you will produce good products consistently. So that "consistently" is what, for example, ISO 9001 is, right. Because we should be clear as to why we are promoting standards, and we should also give the right level of awareness to all our listeners so that you don't get sidetracked, because while, yes, we are talking a lot about good stuff about what ISO has, we've also seen in the market how it is used and how it is abused. So as someone who now knows something about ISO standards, you should also know what organizations do with it. So one of the things I do is I ask them for the certificate, and I ask them what the scope of the implementation is.
For example, if a data center provider says they are ISO 27001 certified, okay, well and good, can I know what your scope of certification is? Is it the data center, and if it's the data center, how many data centers are you certifying? So by the way, for ISO 27001 you can also certify locations, and if you're having data centers, it would be good for you to have, if you have multiple data centers, then you should have multiple locations, or your data center locations, as part of your certification scope. Of course some people would cheat and say, yeah, I've got three locations, I implement all my controls in one primary location, so I just, you know, certify this one location and it should be okay. Well, if you're selling services, then it's gonna look really misleading, because your data may be replicated across different locations which may have less controls compared to the primary one, where you have all of your controls. So that's why I said the scope, the coverage, how extensive your ISO implementation is, also makes a differentiating factor in how it can be used and abused.

Yes and no, in the sense that, because if you look at ISO 9001, one of the objectives is that it needs to be able to demonstrate that it's able to consistently provide that quality, that, yes, requirements. So therefore, you know, "consistently" is part of the objective of 9001.

You're absolutely right. That's why I said if you consistently make bad products, you still must, alright, then as part of the MS, that's the case, isn't it? You see, you might certify and say, I'm ISO 9001, and now we're deviating a little bit into quality management system 9001. You're just saying your parameter says that I must meet this benchmark requirement, and if your benchmark is low, you will definitely meet it, right. If your benchmark is higher, then you may not meet your requirements. And, you know, at the end of the day, who defines the numbers to say that, for example, your facial mask that you're making must have, you know, three
nanometers of filter and all that. You might say, okay, forget about three nanometers, make it five nanometers, we'll just market it as a KF94 mask, we don't have to tell people how detailed we do. As far as QMS is concerned, your parameter says five nanometers, you will still meet five nanometers, because your QMS is so. That's why I say you can meet consistently poor quality. That's why I say "consistently poor quality"; that's why I say "quality" doesn't say good quality or bad quality, right. So the point to say is that, I mean, I know we're deviating a bit into the 9000 series, but it is something that organizations, or people who understand ISO, need to know, because just because you have ISO certification, now what are the gotchas or the catch?

So now, Prof, you know, if you're looking at an organization that says they're ISO certified, you know what to look for?

Well, we have to do an audit to know. All right, well, technically you don't have to do an audit, but if you just look at their certification documents, their scope and all that, they'll give you a clear idea. It will tell you which section is being audited, you know, what is the certification scope, what is inclusive, what is exclusive, and from there you can identify, ah, this is okay, or this is not good.

You know, I think what's good about ISO is that they are usually generic, not vendor specific.

Exactly, you're absolutely right. You know, so that's one of the things I love about ISO standards. You just hit the nail right on the spot, which I forgot to cover, is that there is no specific technology that ISO says you must have. You decide. So you may have a chicken brand firewall or a duck brand firewall or a geese brand firewall, perfectly fine, as long as you can demonstrate.

Correct, so it's definitely a matter of poor decisions or poor choices, not so much the fault of the standard.

Yeah, the standards give you a reference point: what are the things I need to have. So for example, if a CISO goes into an organization and says, okay, I've got
to start cybersecurity, I've got to start this in this organization, this is a greenfield for me, where do I start, what do I do, what are the things I need to look at, right. So ISO gives you a guide as to where to start, what are the controls you need. You might be surprised to go into a greenfield and find that some of the controls may already be there as part of group practices. The network team may already have a firewall in there, great, but are the firewall rule sets managed properly? Well, maybe that's an area to improve, right. So you usually don't start from the ground, because a lot of organizations that you engage today have some level of cybersecurity built in, either in their product or in their services. All you need to do is find that delta, or what we call a gap, and work on those gaps, and maybe even prioritize if there are too many gaps: look at what the key burning issues are, prioritize, so put out the fire first, stem the bleed, and then look at how you can move forward and improve controls. So ISO gives you that catalog of controls, and just because there are about 90 plus or 60 plus controls doesn't mean that you have to follow everything, right. Let me check how many controls there are for the new, for this 2022 ISO: we have four sections with 93 controls. So while we may have 93 controls in ISO, it doesn't mean that you have to meet all the 93 controls; there may be controls which may not be relevant to you at all. And we'll go into more details when we talk about the audit process, how to build an ISO work program or a project on implementing ISO, what are the areas to look at, to give the listeners a clearer idea as to how you kick-start this initiative.

Right, right. And as you said, I think it is possible to still suffer from a breach or any other form of attack even though there is compliance to the ISO standards, because if the risk assessment is blocked then definitely there won't be sufficient security in the organization. But on top of that, I think we can also
look at the culture of understanding the value of this certification in the organization, and for that to happen it requires management commitment as well as individual responsibility throughout the entire organization. Otherwise, you know, having these standards alone will only give a best-practice framework, but it may not go very far in terms of achieving the objectives and effectiveness of what it's intended for.

Spoiler alert: you just mentioned one of the sections which is part of the ISO document, which highlights management commitment. Now we will go through the document in our subsequent episodes and we will cover this area. So ISO recognizes that you can't just simply say that, yeah, yeah, I meet these requirements; there's a requirement to have a management committee and all that. We will go through it in much greater depth when we get there in our subsequent episodes.

Yep, till then. All right, it's both me and Prof signing off. Bye bye.

Bye.

Thanks for joining us this week on SecurityLah. Make sure to visit our website at securitylah.asia, where you can subscribe to this show on iTunes, Spotify or RSS so you'll never miss a show.
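The leaver reconciliation Prof describes in the episode (a month's staff-exit list compared against a later snapshot of access cards, Active Directory or a critical system) as an added Python example; this is not code from the show or the SecurityLah project, and the staff ids, names, system names and dates are constructed sample data.

```python
"""Leaver reconciliation: flag ex-staff who still hold enabled access in a
snapshot taken after their exit date. Constructed example data only."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Leaver:
    staff_id: str
    name: str
    exit_date: date          # last working day from the HR exit list


@dataclass(frozen=True)
class AccessRecord:
    staff_id: str
    system: str              # e.g. "access-card", "active-directory"
    enabled: bool            # False = card/account already disabled
    snapshot_date: date      # when the access list was pulled


def reconcile(leavers, access_records, grace_days=0):
    """Return (staff_id, name, system) for every leaver whose access is still
    enabled more than grace_days after exit. Access records for staff who are
    not on the leaver list are ignored; disabled records are not findings.
    grace_days models the offboarding SLA the ISMS process promises."""
    by_id = {lv.staff_id: lv for lv in leavers}
    findings = []
    for rec in access_records:
        leaver = by_id.get(rec.staff_id)
        if leaver is None or not rec.enabled:
            continue
        overdue = (rec.snapshot_date - leaver.exit_date).days
        if overdue > grace_days:
            findings.append((leaver.staff_id, leaver.name, rec.system))
    return sorted(findings)


# Constructed June exit list (what HR hands the auditor).
LEAVERS = [
    Leaver("E001", "A. Tan", date(2022, 6, 3)),
    Leaver("E002", "B. Lim", date(2022, 6, 17)),
    Leaver("E003", "C. Wong", date(2022, 6, 28)),
]

# Constructed July snapshot of building access and system accounts.
SNAPSHOT = date(2022, 7, 15)
JULY_SNAPSHOT = [
    AccessRecord("E001", "access-card", True, SNAPSHOT),        # still live
    AccessRecord("E001", "active-directory", False, SNAPSHOT),  # disabled, OK
    AccessRecord("E002", "active-directory", True, SNAPSHOT),   # still live
    AccessRecord("E002", "access-card", False, SNAPSHOT),       # disabled, OK
    AccessRecord("E003", "core-banking", True, SNAPSHOT),       # 17 days over
    AccessRecord("E999", "access-card", True, SNAPSHOT),        # current staff
]


def main():
    for grace in (0, 30):
        print(f"grace_days={grace}:")
        for staff_id, name, system in reconcile(LEAVERS, JULY_SNAPSHOT, grace):
            print(f"  {staff_id} {name} still enabled on {system}")


if __name__ == "__main__":
    main()
```

Running it with a zero-day grace period flags all three leavers; with a 30-day offboarding SLA only E001 (42 days after exit) remains a finding.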