ISO/IEC 27001:2013 Domains
Upon passing the audit process, an organization can have its information security management system (ISMS) certified against ISO/IEC 27001:2013. An ISMS ensures that a structured, measured, and ongoing view of security is taken across the organization, so that security impacts and risk-based decisions are managed consistently rather than ad hoc. Of crucial importance is top-down sponsorship and endorsement of information security across the business, which signals its overall value and necessity.
NOTE: ISO/IEC 27001:2013 results in a "certification" of the ISMS, whereas SOC 1, 2, and 3 are "audit reports" (attestation reports issued by an independent CPA firm); an organization is certified to ISO/IEC 27001, but it does not become "SOC 2 certified." The 14 domains below are the control areas of Annex A (A.5 through A.18) of ISO/IEC 27001:2013, which mirror the main clauses of ISO/IEC 27002:2013:
- Information Security Policies
- Organization of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operations Security
- Communications Security
- System Acquisition, Development, and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity Management
- Compliance
ISO/IEC 27002:2013
ISO/IEC 27002:2013 provides guidelines for organizational information security standards, including the selection, implementation, and management of controls, taking into consideration the organization’s information security risk environments. It is designed to be used by organizations that intend to select controls within the process of implementing an ISMS based on ISO/IEC 27001:2013. It can also be used by organizations to implement commonly accepted information security controls and develop their own information security management guidelines.
Unlike ISO/IEC 27001:2013, ISO/IEC 27002:2013 is not a certifiable standard; it is a code of practice ("Code of Practice for Information Security Controls") that lists security control objectives and recommends a range of specific controls drawn from industry best practice. It leaves it to the organization to decide what level of control is appropriate, given the risk tolerance of the specific environment within the scope of the ISMS. In practice, the Annex A control in 27001 states what must be addressed (and must be justified in the Statement of Applicability if excluded), while the corresponding clause in 27002 explains how to implement it.
NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations
The primary goal and objective of the NIST SP 800-53 standard is to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems.
It requires that risk be assessed, and the determination made if additional controls are needed to protect organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the United States.
The current version, NIST SP 800-53 Revision 5 (Security and Privacy Controls for Information Systems and Organizations), was published in September 2020; the word "Federal" was dropped from the title to reflect its intended use by non-federal organizations as well.
The earlier fourth revision (2013) had itself introduced the following updates and amendments relative to the third revision:
- Assumptions relating to security control baseline development
- Expanded, updated, and streamlined tailoring guidance
- Additional assignment and selection statement options for security and privacy controls
- Descriptive names for security and privacy control enhancements
- Consolidated security controls and control enhancements by family with baseline allocations
- Tables for security controls that support development, evaluation, and operational assurance
- Mapping tables for the international security standard ISO/IEC 15408 (Common Criteria)
The NIST Risk Management Framework (SP 800-37) provides the process for building an effective security program, while NIST SP 800-53r4 supplies the control catalogue and the selection guidance that federal agencies apply within that process. It focuses on the following key components:
- Multitiered Risk Management
- Security Control Structure
- Security Control Baselines
- Security Control Designations
- External Service Partners
- Assurance and Trustworthiness
- Revisions and Extensions
- Selecting Security Control Baselines
- Tailoring Security Control Baselines
- Creating Overlays
- Documenting the Control Selection Process
- New Development and Legacy Systems
The updated NIST SP 800-53r5, Security and Privacy Controls for Information Systems and Organizations, takes a proactive and systemic approach: it develops, and makes available to a broad base of public and private sector organizations, a comprehensive set of safeguarding measures for all types of computing platforms, including general-purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices. Those safeguarding measures comprise security and privacy controls that protect the critical and essential operations and assets of organizations and the personal privacy of individuals. The ultimate objective is to make the information systems we depend on more resistant to penetration, to limit the damage from attacks when they do occur, and to make those systems resilient and survivable.
The major changes in Revision 5 relative to Revision 4 include:
- Making the security and privacy controls more outcome-based by changing the structure of the controls (for example, removing the "the organization" or "the information system" subject so that a control statement describes the required outcome rather than who must achieve it)
- Fully integrating the privacy controls into the security control catalogue, creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls
- Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects, and mission/business owners
- Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework
- Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks
- Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability