02.09.2019 | Daniel Felix Maurer
ISMS 2020 - A Tiger in Sheep's Clothing
Some people just want to run away when they read what is listed in Wikipedia under the keywords Information Security Management System and ISO/IEC 27001 and 27002. It talks about procedures and rules that need to be permanently maintained and continuously improved. What a boring thing to say! It smacks of hard work, effort and diligence - definitely not the kind of thing that knocks the modern nerd’s socks off!
But far from it: in all the years we’ve been hanging around in the IT world, we’ve learned one thing: the ISMS delivers! The ISMS is a great friend and loyal companion with whom you can successfully complete many an adventure without having to wake up the next morning with a terrible hangover.
And one more thing: Temet will of course be happy to show you how to make such a friend your own.
Brief history and meaning
The ISMS - in good German “Information Security Management System” - is something comparatively “old” in the still short history of information technology.
As early as the 80s and early 90s of the last century, there was a need to bring risk considerations in connection with the security of electronic data into a system that could be understood and implemented worldwide.
In 1995, the British Standards Institution (BSI) first published BS 7799, the precursor to ISO/IEC 27001 and 27002, which was developed by the Department of Trade and Industry (DTI) in conjunction with other parts of the UK government and published with the aim of providing managers and employees of a company with a model that would allow the introduction and operation of an effective ISMS.
Even then, the standard consisted of two parts: the so-called Code of Practice, in which technically oriented and differentiated security controls were listed, and a more general part, in which the principles of information security recognized as essential were formulated in a way that made them applicable in the day-to-day operations of a company.
The standard work enjoyed great popularity from the outset and was adopted almost unchanged by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2000 and republished with numerous clarifications and additions in two broadly supported rounds of consultations in 2005 and 2013.
Since then, the most recently valid standards ISO/IEC 27001:2013 and 27002:2013 have formed the basis for certification by state-accredited bodies and have been continuously developed further by the JCT1 (Joint Technical Committee 1) SC27 (Subcommittee 27) of the standardization organization, without this having led to a new edition to date.
However, the operation of an ISMS is supported by supplementary standards that focus on a sub-area of information security. Important recent standards include ISO/IEC 27017:2015 - Code of Practic for Cloud Services and - brand new from August 2019 - ISO/IEC 27701 Managing privacy with an ISMS.
ISMS as a core competence of Temet
From the very beginning, Temet has recognized the two standards ISO/IEC 27001 and 27002 as a blueprint for a well-functioning security-related management system and has promoted them to its customers. As members of ISO/IEC SC27, some of its consultants were able to represent the concerns of Swiss banks in the formulation of individual IT security controls and were able to push through one or two clarifications in the interests of the banks.
Temet therefore knows these standards inside out and is also aware of their sometimes controversial interpretation. We have deliberately decided against accreditation as an audit body for ISMS certification and concentrate on supporting our clients in the role of internal auditing and control of authority.
This means that we not only support our customers in setting up and implementing the ISMS, but also prepare them thoroughly for certification and re-certification by external auditors. It doesn’t hurt that we carry out audits ourselves and can therefore put ourselves in the shoes of an external auditor.
Without wanting to question the seriousness of the situation, we can assure you that certification can sometimes be a bit playful. It is not uncommon for auditors to take a sectarian approach to certain controversial inspections - with the hidden intention of challenging and testing the candidate without actually assessing them so harshly in the end. Those who know the critical points are less likely to be thrown off course. In the end, ISMS is less about perfect implementation and more about a control system that works effortlessly in stressful everyday life.
Unfortunately, “no goat licks it away” - without effective management, no technical security measure, no matter how excellent, is of any use. In fact, sometimes simple procedures, such as the withdrawal of rights in critical operational situations or the installation of a security control in the procurement process, are more useful than, for example, the introduction of complex technical monitoring systems. The ISMS standard is well suited to recognizing where one is more beneficial than the other and vice versa.
Outlook
The future holds many things that we know nothing about today. It is therefore better to remain open to new ideas without completely rejecting the tried and tested.
In some customer mandates, we have had to recognize that an old-school ISMS is no longer sufficient to meet the rapidly changing requirements.
This is particularly the case where software development and project plans are managed with agile processes and where artificial intelligence and Internet of Things are used intensively and “match-decisively”. In these situations, the hierarchically structured ISMS quickly reaches its limits in the peer-to-peer organized processes.
Nevertheless, the introduction and implementation of an ISMS should not be dispensed with in these situations either. Instead, the ISMS should be supplemented by other management tools. Ultimately, the greatest benefit of an ISMS is its ability to specify what should be done in terms of security in order to limit the risks. The biggest disadvantage of an ISMS, on the other hand, is that it contributes little to how something should be done in security. Other standards are better suited for this.
In our ISMS projects, we therefore supplement the ISO/IEC standards 27001 and 27002 with the NIST Cybersecurity Framework (v.1.1 https://www.nist.gov/cyberframework) and the Center of Internet Security Control (v.7.1; https://www.cisecurity.org/controls), depending on the focus of the project.
Where the ISMS standards indicate what is required and permitted, the technical security principles of the NIST Cybersecurity Framework describe the “how” in a fundamental way, e.g. through statements on access control and access management, through a UID concept or through the Least Privilege\ principle.
The Center of Internet Security’s controls go one step further and describe concrete measures from a bird’s eye view for better planning of the solution architecture. For example, they contain practical statements on entry services, security tokens, malware protection, connection protocols and application interfaces.
It is only in combination that the three frameworks really come into their own! Implementing such a protection system is challenging, but rewarding in the end. In this way, a _continuous ISMS improvement process really is introduced and enforced!
Information Security Management System (ISMS)
Daniel Felix Maurer is a cybersecurity expert with more than 30 years of experience as a consultant and manager. During this time, he has advised many companies and authorities on all aspects of information and IT security management and has written over a hundred security concepts, security architectures and risk analyses.
Daniel Felix Maurer, Managing Security Consultant