ISO 27001 and ISO 27002 Newsletter: Issue 16 Published

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

The latest edition of the ISO 27000 information security newsletter
has been published today. A full copy is produced below:


THE ISO 27001 and ISO 27002 NEWSLETTER - ISSUE 16

Welcome to Issue 16 of The ISO 27000 Newsletter, designed to provide
news and background with respect to the ISO security standards. The
information provided is totally free to our subscribers and offers
guidance on practical issues and commentary on recent developments.

Covered in this issue are the following topics:

1)  ISO 27001 and ISO 27002 Standards
2)  Covering the Risks from Teleworking
3)  More ISO 17799/27001 Frequently Asked Questions
4)  Advising the Authorities following a Threat or an Incident
5)  Information Security News
6)  ISO 27000: The World Wide Phenomenon
7)  What should a Request for Proposal contain?
8)  ISO 27000 And BS25999 (Business Continuity)
9)  The Benefits of Adopting ISO 27001/2
10) Deciding how much Risk is Acceptable
11) ISO 27000 Related Definitions and Terms
12) It Couldn't Happen Here, Could It?

Appendix: Subscription Information


As we have received a number of emails regarding the current versions
of the standards, we will clarify these at the outset:

ISO 27001 was last published towards the end of 2005. This is the
current version of the 'Specification for an Information Security
Management System'.
ISO 27002 was published in July 2007, as a simple rename of ISO
17799:2005. This is the current version of the 'Code of Practice for
Information Security'.

ISO 27000 is the generic name for this series of information security

Both standards can be obtained:

1) Stand alone from Standards Direct:

2) As part of the starter and implementation kit for the standards,
the The ISO 27000 Toolkit ( ). This also
includes aligned security policies, a roadmap, checklists and a

Advice On Covering the Risks from Teleworking

In the light of several recent cases of security breaches via
teleworking exposures, it is worth reflecting that ISO 27002 provides
related guidance and support (Section 11.7.2).

Teleworking is the use of communications technology to enable remote
working from an external location. These activities can represent a
high risk area unless adequately protected with applicable controls
and follow-up.  Before allowing these activities, therefore,
organizations should ensure that suitable policies and procedures have
been implemented covering the information security aspects of
teleworking operations.

In particular the following should be taken into consideration:

=B7    Physical security of teleworking site/location
=B7    Suitability of teleworking environment
=B7    Security of communications
=B7    Threat of unauthorized access to information and resources
=B7    Protection of wireless systems
=B7    Protection of intellectual property rights
=B7    Compliance with software licensing requirements
=B7    Suitability of anti-virus and firewall arrangements

The bottom line is that teleworking should only be authorized where
appropriate security arrangements and controls are demonstrably in
place. These safeguards and controls should fully protect against
equipment and information theft; unauthorized access to confidential
data; unauthorized remote access to the organizations internal systems
and networks.

More ISO 17799/27001 Frequently Asked Questions

1) How does the ISO 27001 certification process work?

The process is much the same as for other ISO standards, such as ISO
9001. The clearest representation of this we have seen on the internet
is in the ISO 27001 section of (ISO 27001 Certification)

2) Is there actually an ISO 27000 standard?

No. Although one is proposed, ISO 27000 is currently just the generic
name covering the standards within the series.

3) Are all the controls in ISO 27002 mandatory?

No. The idea is that they should be selected based upon risk
assessment and the guidelines offered in ISO 27001.

4) Does BS7799 still exist?

BS7799 was the original standard upon which ISO 27002/17799 was based.
When the latter was published a different 7799 standard was developed,
known as BS7799-2. This eventually evolved to become ISO 27001. Last
year a third 7799 standard was produced: BS7799-3. This is a standard
covering risk analysis: "Guidelines for information security risk
management". This too may eventually evolve into an ISO standard.

Advising the Authorities following a Threat or an Incident

ISO 27002 requires that organizations maintain appropriate contacts
with relevant authorities following a threat or significant incident.
Although the standard does not attempt to define exactly what
"appropriate contact" represents, it does provide some assistance on
how such compliant contact could be achieved.  ISO 27002 recommends
that procedures are put in place that give clear guidance on when and
by whom authorities (including law enforcement, fire department,
supervisory authorities, government bodies) should be contacted.  Such
procedures should cover information security incidents, particularly
where danger exists to individuals or where it is possible that laws
may have been broken by the perpetrators.

Where the organization is under the specific or general supervision of
an outside regulatory body it is important that the regulatory body is
kept up to date on recent information security incidents affecting the
industry, as it can help them to alert other industry participants and
provide general guidance to the supervised entities on how to avoid
similar problems.

If any incidents have occurred that could have caused contamination,
affecting other premises or buildings, the residents need to be
informed as well as the authorities.  If an incident has occurred that
may have caused contamination of the water supply, the water suppliers
should be informed immediately together with the emergency services.
Where cyber-crime which affects website or broadband availability is
involved, the internet service provider should be informed so that
they can take appropriate action to try to avoid similar attacks in
the future and to minimize the potential impact on their other

Contacts with authorities following an incident could also include
health and safety authorities, telecommunication providers, other
emergency services, and other regulatory bodies.

This is one of those issues that is often not properly considered
until it is too late, and which can lead to more serious impact than
necessary. There is no better time than now to review these and other
external communication matters within your organization...

Information Security News

1) This years annual survey by the Computer Security Institute (http:// shows that average annual loss for a US based business
is now $350,424. This is a massive increase on last years figure
($168,000). It also showed that for the first time financial fraud
loss was greater than losses caused by virus attack.

2) The Chinese People's Liberation Army (PLA) have been accused of
attacking both US and UK government computer systems. The Financial
Times reports that US government figures believe the Chinese military
was behind a major Pentagon military computer network hack in June,
which resulted in more than 1,500 computers going offline. The
Guardian reports that the Foreign Office and other UK government
departments also came under attack by Chinese hackers

3) Pfizer has recently admitted that as many as 34,000 staff profiles
were stolen taken in a security breach last year.

4) The US Department of Justice ( ) has announced
that a 23 year old man has pleaded guilty to stealing credit card,
bank account and Social Security numbers via spam and phishing emails
sent specifically to AOL users. Working with other unidentified
individuals, between 2002 to 2006 he used malicious software to
collect AOL account names from chat rooms. He then sent electronic
greeting cards purporting to be from Hallmark, which when opened
downloaded a Trojan which prevented account access unless personal
information was entered.

5) 20% image spam emails captured last month contained a scam PDF
document, according to research by messaging security vendor
MessageLabs ( ). A number of messaging
security vendors are also reporting that Excel attachments are
increasingly being used for spam.

In another report, Sophos ( ) reveals that 80% of
newly infected web pages are legitimate websites which have been
compromised by malware.

6) The United Nation's website was hacked last month and defaced with
anti-American slogans. A page intended to display statements from the
UN Secretary General was attacked using an SQL injection, which is a
common method for this type of hack. Having restored the page, the UN
are investigating, and have stated that they will be implementing a
number of changes to prevent a repetition.

ISO 27000: The World Wide Phenomenon

Our source list for recent purchases of the standards always proves to
be a popular talking point. The most recent thousand or two is as

Argentina 6
Australia 26
Austria 9
Barbados 1
Belgium 11
Bermuda 1
Bosnia and Herzegovina 2
Brasil 21
Canada 132
Cayman Islands 1
Chile 6
China 20
Colombia 12
Costa Rica 1
Croatia 2
Cyprus 1
Denmark 14
Egypt 3
Estonia 1
France 11
Germany 64
Gibraltar 1
Greece 7
Hong Kong 17
Hungary 7
Iceland 1
India 39
Indonesia 5
Ireland 26
Israel 1
Italy 34
Jamaica 1
Japan 29
Jordan 1
Korea 4
Lebanon 1
Luxembourg 1
Malaysia 19
Malta 2
M=E9xico 29
Netherlands 55
New Zealand 12
Norway 14
Panama 1
Peru 1
Philippines 9
Poland 12
Portugal 7
R=2EO.C. 1
Romania 4
Russia 11
Saudi Arabia 14
Singapore 21
Slovak Republic 1
Slovenia 1
South Africa 22
Spain 28
Sultanate of Oman 1
Sweden 16
Switzerland 62
Taiwan 4
Thailand 1
Tunisia 1
Turkey 14
UK  379
United Arab Emirates 19
USA 546
Venezuela 1

The usual health warnings apply: these are sales through an online
credit card facility, so those cultures that are less familiar with
this type of commerce will be under represented.

Security Product/Service Acquisition: What should an RFP contain?

The Request for Proposal (RFP) is the document produced requiring a
potential supplier to propose a solution to a specified system
requirement.  The RFP is sent by the organization to each of a
selected or pre-qualified list of vendors, with the intention that
each vendor responds with a written proposal detailing how they will
provide the solution, and the terms and conditions of such supply.
Typically, an RFP will include some or all of the following items :

=B7    Covering letter - introductory letter explaining what is expected
and required.
=B7    Introduction - introductory paragraph, stating the purpose of the
RFP, and the date by which submissions should be made.
=B7    Organization Overview - overview of the organization and its
=B7    Project Overview - aims and objectives of the project.
=B7    Key Requirements and Constraints - specification of the key system
requirements and any constraints.
=B7    Scope Limitations - precise boundaries of the solution in terms of
location, people (numbers), organizational units, type of user etc.
=B7    Vendor questionnaire - questionnaire which requires a response from
the vendor to demonstrate how their solution will meet the stated
=B7    Specific contractual or other requirements  - any material
contractual requirements which they should be aware of prior to their
response to the RFP.

It is extremely important that all vendors are treated equally and
fairly and, as such, it is worth spending adequate time in order to
plan for and prepare the RFP. Information provided to one vendor, as a
result of (say) a one on one meeting, and not provided to other
vendors, would be viewed as biased or uncompetitive and could result
in difficulties, especially where you expect to use that vendor in the
future. Therefore, if it is necessary to provide additional
information as a result of an enquiry from one vendor, it should be
provided to all.

The RFP construct is another issue which should be embraced by the
information security and other corporate policies. If it isn't covered
by yours, an urgent review is highly recommended.

ISO 27000 And BS25999 (Business Continuity)

Business continuity management is a core aspect of information
security, and thus, appropriately, has an entire section of ISO 27002
dedicated to it (Section 14). This documents potential controls to
identify and reduce risks, and "limit the consequences of damaging
incidents, and ensure that information required for business processes
is readily available". It is one of the most important sections of the
standard from a business perspective.

However, the overall scope of business continuity management exceeds
this remit. It embraces the role of anybody who has responsibility for
delivery of any operation (IT or non-IT), and thus the continuity of
that operation.

For this reason BSI have published a specific standard for Business
Continuity Management (BCM), known as BS25999. This establishes the
processes, principles and terminology for BCM, and provides a defined
system based upon BCM good practice. It is intended for use for all
levels of the organization, and for organizations of all shapes and

BS25999 defines a lifecycle approach, documenting the following
elements: Business continuity programme management; Strategy
Determination; Understanding the organization; Developing a continuity
response; Exercise, maintenance and review; Embedding into the
corporate culture. In due course (probably early next year) a
certification process and scheme for the standard will be introduced.

The standard of course was developed with the ISO 27001/2 in mind, and
thus compliments these, with appropriate cross references. It is
likely to emerge as one of the most important standards in the
information security arena.

More information on this can be obtained from 'BS25999 World', at:

The Benefits of Adopting ISO 27001/2

There are of course a wide range of benefits and advantages in taking
on the standards. These will vary from organization to organization.
The following is an extracted starter list of some of the most common
advantages reported:

Improved Security
Adopting the standards undoubtedly drives the process to improve
information security, and reduce risk.

Management and others can be more assured of the quality of a system
or other entity if a recognized framework is followed.

Compliance with (or certification for) an international standard can
be used to demonstrate due diligence.

The standard is often used as a measure of status within a peer
community. Compliance with it can provide a benchmark for both the
current position and future progress.

Systems from diverse parties are more likely to work together in
harmony if they follow a common guideline or structure.

Security Awareness
Implementation of the standard always results in greater security
awareness within the organization.

Because the implementation of ISO 27001 requires the involvement of
both business and technical management, greater Information Technology
and Business alignment often results.

Differentiation (Marketing)
Adherence (or certification) with the standard is often used as a
positive differentiator in the commercial market.

Where to start?

The obvious starting point is to actually obtain the standards
themselves, or better still, the toolkit (see above). From there,
review the contents and research externally (with respect to the
standard - see previous editions of this newsletter), and internally
(with respect to scoping).

With the requisite knowledge you should soon be positioned to set your
objectives, define the scope, and create a project plan. The adventure

Deciding how much Risk is Acceptable

A key part of formulating and establishing information security
policies for your organization is in deciding how much risk is
acceptable and how to minimize unacceptable risk. This process
initially involves undertaking a formal risk assessment which is a
critical part of any ISMS.

Fortunately, the ISO 27000 standards provide some guidance on how this
risk assessment process is to be undertaken.  This guidance is
summarized and annotated below:

=B7    Use systematic approach to estimate magnitude of risks (risk
=B7    Compare estimated risks against risk criteria to measure the
significance of the risk (risk evaluation)
=B7    Define the scope of the risk assessment process to improve
effectiveness (risk assessment)
=B7    Undertake risk assessments periodically to address changes in
assets, risk profiles, threats, safeguards, vulnerabilities and risk
appetite (risk management)
=B7    Risk measurement should be undertaken in a methodical manner to
produce verifiable results (risk measurement)

The risks identified through this process will then need to be
"treated". This will involve looking at existing safeguards and
potential new safeguard upgrades that will be employed to reduce the
frequency of incidents occurring and/or reduce the impact from such
incidents.  It will also be necessary to assess the effectiveness of
these safeguards.

Quoted text here. Click to load it
That is the remaining risks after the risks and vulnerabilities have
been "treated".  These residual risks must be reviewed to ensure that
the results are both accurate and realistic and also that they
represent an acceptable level of risk for the organization.
Realistically, this must be done by the Board in close co-operation
with the executive management team. If the residual risk levels are
considered to unacceptably high then further treatment will be
necessary, involving additional investment in appropriate safeguards
and controls.

Future editions of this newsletter will consider risk in much more
detail, and will outline future likely developments with respect to
international standardization in this field.

ISO 27000 Related Definitions and Terms

Vendor Support
Vendor support can be a major source of information security risk.
Although a system may meet functional requirements, if the vendor does
not have adequate support arrangements (e.g. an office within the same
state, or even country) you should question this aspect most
carefully. Vendors will always play down this aspect, for they wish to
make the sale. However, your system and hence your information, is at
risk if you are unable to obtain adequate support within a reasonable
time frame.

Virtual Private Network - VPN
A Virtual Private Network - or VPN, is a network which emulates a
private network, although runs over public network lines and
infrastructure. Using specialist hardware and software, a VPN may be
established running over the Internet. The use of encryption and a
'tunneling protocol' maintains privacy. Because public networks are
used, the cost of a VPN is a fraction of that of a traditional private

A virus is a form of malicious code and as such it is potentially
disruptive. It may also be transferred unknowingly from one computer
to another.  The term Virus includes all sort of variations on a
theme, including the nastier variants of macro-viruses, Trojans, and
Worms, but, for convenience, all such programs are classed simply as
'virus'.  Viruses are a very real problem for both organization and
individual computer users and are normally dealt with through the
installation of firewalls and virus checkers.

Individual who is not a regular user of the system and has no
registered/recognized ID or password.

Visitor Password
A visitor password is a generic password, with extremely limited
access rights, to be used by visitors. Use of such passwords should be
rigorously controlled.

Volume Testing
Volume Testing, as its name implies, is testing that purposely
subjects a system (both hardware and software) to a series of tests
where the volume of data being processed is the subject of the test.
Such systems can be transactions processing systems capturing real
time sales or could be database updates and or data retrieval.  Volume
testing will seek to verify the physical and logical limits to a
system's capacity and ascertain whether such limits are acceptable to
meet the projected capacity of the organization's business processing.

It Couldn't Happen Here, Could It? True Stories:

1) The Security Administrator's world: A password admin scam:
"Whenever my Boss annoys me, I secretly change the password to his e-
mail account. When he can't log on, he'll moan and complain for 5
minutes, cursing the computer. Then he'll come groveling to me for
help. Once he's groveled enough, I re-enter the right password from my
office, go to his and watch him look like a dummy while I log-on

2) Hacking, of course, is often depicted in high profile movies,
usually in a sensationalized and totally inaccurate manner. However,
it has recently been brought to our attention that the scenes in one
of the most well known films of recent times, The Matrix (Reloaded),
are in fact a genuine recreation. Trinity uses Nmap to find a suitable
target server, and then uses an actual old exploit (SSH1 CRC32) to
hack into it.  The timing of the incident in the film actually pre-
dates the discovery of that exploit, leading to speculation that
Trinity actually discovered it (in the film's scenario of course).

However, back to 'the real world', such is the accuracy of the scene
that the UK's Scotland Yard Computer Crime Unit actually issued an
official warning that viewers should not be tempted to emulate it!

3) Password rules are designed to force the end user into creating
strong passwords, which are in theory less susceptible to brute force
attack. However, our recent probe into real life implementations of
this policy revealed some outrageously disturbing findings:
- one online service severely limited the number of potential password
combinations by restricting the use of most special non-alphabetic
characters "Password contains forbidden characters # . @.... "
- an online bank required passwords to be exactly 6 characters long
- another service provider set user account default passwords as a
selection of digits from the recipients SSN.

In all cases we have protected the identities of the offending
organizations... not that they deserve it!

Have you got something to say on the standards, or a fresh insight or
some information which might benefit others?  If so, please feel free
to submit your contribution to us. Sponsors are also welcome.

ISO 27001 and ISO 27002 Newsletter

Site Timeline