11

*Edit - Replies so far are re-stating what ISO 27K is and is not. We are aware of this; however, the perception of ISO 27K is different. We do not have infosec professionals, so we just want to know what other options are out there, regardless of subjective opinion.

Example: (UK) Cyber Essentials Scheme. This requires implementing basic essential IT security controls, self-assessment and external review.

A similar question has been asked but without satisfactory reply. Full background:

  • We are a business of around 100 people in a few global locations.
  • We have been externally certified for ISO 27001; we have excluded only one item from the statement of applicability.
  • We do not have a dedicated Information Security professional.

We have become quite dissatisfied with the ISO 27K Standard for the following reasons:

  • Assessors are too focused on procedure and documentation rather than actual security.
  • At no point during any external visits has any assessor even asked about actual web and IT security.
  • Infractions in documentation generate far too much paperwork in addition to fixing any issues.
  • Inconsistency in approach by assessors in different countries.
  • The amount of time required for maintaining the standard detracts from working on actual cyber security that is not required by the standard, such as vulnerability scanning, port scanning, encryption, etc.

We are mainly a UK/US business. We would like a more IT-focused security standard that is recognised in those locations. The only real driver for our ISO standard is its appeal and recognition to our customers. All opinions welcome.

user2514224
    Sounds like you're expecting an apple tree to give you oranges. To me, it looks like you want a vulnerability assessment/pentest, which is a different scope and purpose from 27001. Have you checked [Offensive Security](https://www.offensive-security.com/offensive-security-solutions/penetration-testing-services/) ? – Purefan Mar 07 '17 at 12:33
  • 1
    You don't explain what you want the standard to do for you. Do you want a set of guides that you can use as a replacement for a qualified InfoSec professional? Are you asking for a set of action items to *do* to secure your company? Do you want a vanity plate to post on your website to attract customers? – schroeder Mar 07 '17 at 16:26
  • 1
    @schroeder "The only real driver for our ISO standard is its appeal and recognition to our customers". Our ideal would be a security standard that has some industry recognition that includes actual basic cyber security recommendations and is less bureaucratic than ISO 27K. – user2514224 Mar 07 '17 at 18:07
  • 1
    @user2514224 then you might need to survey your customers for which standards they A) recognise and value, and B) which of those provide actionable guidelines. Most standards, though, are about helping the business align security to the business goals, and do not dictate what needs to be done. Hence the need for at least a consultant to marry the goals with the guidelines of the standard to create something actionable. – schroeder Mar 07 '17 at 21:03
  • 3
    Have you looked into the ISF standard of good practice? Or the NIST guidelines? – Rory Alsop Mar 08 '17 at 11:59

4 Answers

17

ISO27k is about the 'management of security', not about security itself. Auditors will be concerned with what you are doing to respond to the risks you have identified, whether you are really doing what you say you are doing, what you do when something deviates from what has been specified or when new risks appear, and how you evaluate the efficiency of your measures.

So basically, they don't care what you are doing to stop DDoS attacks (if this is one of the risks you're exposed to), as long as you are doing something, and it is deemed efficient enough by a correct indicator.

ISO27k will never say 'this entity is secured', but 'this entity does manage its security well'.

You're not really looking for alternatives to ISO27k, but for something entirely different. There are plenty of standards you can comply with, depending on what your business is.

M'vy
  • 2
    Thank you. I more or less understood that. The problem is that the standard is perceived in a different way to what it actually covers, including by customers. Purchasers see ISO 27K and think "great, they have security". We would prefer a standard that works with us rather than against us, or else to massively reduce the scope of applicability of 27K. – user2514224 Mar 07 '17 at 15:00
  • 1
    ISO27k is based on continuous improvement, so while you comply with it, your security should always be improving. There is a baseline under which you can't possibly get certified, though, so there kinda is a sort of 'security level' certification, but it's not well defined nor recognised as such. – M'vy Mar 07 '17 at 15:03
1

PCI-DSS springs to mind as being more focused on practical measures. See https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard for an overview and some links.

I would qualify that suggestion by mentioning that I would consider PCI-DSS a good framework to use as a checklist of things you should think about putting in place. I have no experience with PCI-DSS certification, and I don't know whether it would apply, or be desirable, in your situation.

If certification is a requirement/desire, I am not entirely sure I would focus on PCI-DSS.

As mentioned by @Purefan, focusing on vulnerability management is also a good area.

iwaseatenbyagrue
  • PCI-DSS is really only focused on one tiny subset of controls, and even within the PCI scope it is very limited. I would not use it as a good standard for anything outside protecting card data, and even then it is not ideal. – Rory Alsop Mar 08 '17 at 11:58
  • I had offered it up because it does have a reasonable amount of recognition, and does focus on measures rather than processes. Generally, too, it isn't a massive stretch to `s/credit card data/data/`, and in that respect it offers a pragmatic base (isolate sensitive systems, understand inter-system/inter-zone flows, beware wifi, and firewalls everywhere). It was the infrastructure aspects I had in mind when suggesting it (and maybe ease-of-convincing-the-suits). I do agree PCI-DSS is not going to solve your security woes; I think it does help as a checklist of things you should be doing. – iwaseatenbyagrue Mar 08 '17 at 13:04
1

Part of security as a whole is organizational security (having documented policies, processes, and procedures reduces the bus factor) and auditability (being able to show evidence that the security measures work as intended). Security that focuses only on technical security but ignores the procedures is not a complete security exercise.

ISO 2700x itself doesn't tell you what security measures you must take, because every organization has unique needs and requirements, while mitigation techniques are constantly evolving. The ISO 2700x framework is intended to guide an organization to figure out its security requirements and its risk appetite, and then develop a security plan that is consistent with the stated security requirements and risk appetite.

Being ISO 2700x compliant does not mean that you've got good security measures in place. All that ISO 2700x compliance tells you is that the organization has made a conscious and informed decision on what measures to take or not to take to satisfy its own requirements. An ISO 2700x compliant organization can still be the most insecure company, if in the self-assessments the organization decides to accept huge risks and decides not to implement controls.

If you're looking for more technical security guidelines, you'd probably want to look into publications from the OWASP project. If you handle credit cards, you'd want to look into PCI-DSS. You'd also want to evaluate security requirements from your local laws, and any foreign laws or industry standards bodies you expect to need to deal with. They might have requirements regarding record keeping, handling PII, etc. that you'd have to comply with, and sometimes they require specific mitigation techniques that you have to implement. You'd also want to keep up with security blogs and journals. You'd also want to play with automated penetration testing tools, and make friends with pentesters.

Be aware that these security guides are not a complete organizational security assessment. Those technical guides complement ISO 2700x; they do not replace it.

Lie Ryan
-1

There is very good work from the BSI, called "BSI 100-1". Look here.

It is developed by the German Federal Office for Information Security.

Felix
    Can you explain *why* this is better than the ISO standard and why it might meet the OP's requirements? – schroeder Mar 07 '17 at 16:23
  • 2
    "Since 2006 the BSI has regularly aligned its standards with international norms such as ISO/IEC 27001." This standard has been regularly aligned with ISO 27001 since 2006. – M'vy Mar 07 '17 at 16:39
  • I agree with the answer, although it's incomplete. BSI 100 includes (more or less) the ISO 2700x standards. However, the BSI is way more strict and specific on the concrete security measures a company needs to take to be compliant with the standard. It provides a whole technical manual on the specific technical security controls, not only the organisational ones. – vinkomlacic Feb 20 '22 at 10:56