ISO 27001 Newsletter: Edition 17 Released


The latest issue of the newsletter covering the ISO information
security standards has been released today. A full copy is posted




Welcome to Issue 17 of The ISO 27000 Newsletter, designed to provide
news and background with respect to the ISO security standards. The
information provided is totally free to our subscribers and offers
guidance on practical issues and commentary on recent developments.

Covered in this issue are the following topics:

1)  Obtaining the ISO 27001 and ISO 27002 Standards
2)  Cell Phone / Mobile Phone Security
3)  Trials and Tribulations of an Information Security Officer
4)  More ISO 17799/27001 Frequently Asked Questions
5)  Using COBIT: The Acquisition Process
6)  Information Security News
7)  ISO 27000: The World Wide Phenomenon
8)  Business Continuity Management: Preparation and Risk
9)  ISO 27001/2: Common Mistakes Part 1
10)  Security Incident Response
11) ISO 27000 Related Definitions and Terms
12) It Couldn't Happen Here, Could It?

Appendix: Subscription Information

Obtaining ISO 27001 And ISO 27002

The most frequent question we field is "Where can I obtain a copy of
the standard?" The standard itself is available from:
This is the web site for the ISO 27000 Toolkit. This downloadable
package includes both ISO 27001 and ISO 27002, and was created to help
those taking the first steps towards addressing the standards. It
includes both parts of the standard, audit checklists, a roadmap, a
set of ISO compliant security policies, and a range of other items and
This is the BSI Online Shop, a vending site for downloadable copies of
the standards.

Cell Phone / Mobile Phone Security

The wide scale use of cell / mobile phones for business purposes has
brought with it a raft of new risks and potential exposures. These
devices can not only store voice messages (information), but text
messages, and often complex data, particularly with the advent of
internet browsable smartphones.

It is hardly surprising therefore that there has been a gradual
increase in the number of security breaches and consequential losses
resulting from phone theft or unauthorized phone access.

These issues are covered in a number of sections within ISO 27002.
These include Section 9.2.5 (Security of Equipment Off Premises) and
10.8.1 (Information Exchange Policies and Procedures). However, most
focus is applied within section 11.7.1: Mobile Computing and

The general objective of this section states: "The protection required
should be commensurate with the risks these specific ways of working
cause. When using mobile computing the risks of working in an
unprotected environment should be considered and appropriate
protection applied."

The section offers specific guidance with respect to the physical
protection of the device itself, cryptography of the data held,
backups of the data/information, and of course virus protection
(particularly relevant to smart phones).

We would argue that awareness is also a major factor with respect to
phone security. This type of device can very easily be taken for
granted, and the security aspects overlooked. The following is perhaps
a start point for a list to include in an awareness campaign for your
 - Do not openly display a cell/mobile phone: keep it out of sight in
a pocket or handbag
 - Always use your phone's security lock code or PIN
 - If possible, avoid using it in crowded areas
 - Properly mark your phone with your zipcode/postcode
 - If the phone is lost or stolen, report it straight away to the
police, your service provider, and your security officer
 - Be aware of your surroundings and the people near to you
 - Do not leave it unattended: keep it with you at all times
 - Make a note of your phone's IMEI number

Now is an excellent time to review this section (11.7.1) with respect
to the Cell Phones / Mobile Phones within your own organization. Our
crystal ball tells us that losses due to security exposure in this
area are going to increase significantly over the coming months and
years. Hopefully, our subscribers will be sufficiently prepared to
avoid being one of the major victims.

Trials and Tribulations of a Part-Time Information Security Officer
(Part 1)

Thursday was certainly a challenging day.  As the newly appointed part-
time Information Security Officer for Whithertech Associates I now
have responsibility for trying to hold together the Information
Security process. This is naturally in addition to all my normal

On Friday I was a little late and was greeted in the corridor by my
Director shouting that our network was down and our website had been
hacked and defaced. He said I should get downstairs and help June to
sort it out and, by the way, I should make more effort to get to work
on time.  I mumbled an apology and dashed off to see June, the acting
network administrator and webmaster, to try to find out what was

She was looking more than a little flustered when I arrived and said
that all hell seemed to be breaking loose. She had only been doing the
job for two weeks since our usual network administrator/webmaster Jack
had gone off on long-term sick leave, and although she understood most
of the technical aspects of the job, a lot of it was still new to her.
Jack was good at controlling the network but never wrote anything
down, so there were few procedures to follow.

We decided that the network was the priority so we put up a temporary
holding page on the website and then got hold of the network logs and
started to work through them. It was a lengthy process as Wednesday
night included the month-end processing and there were literally
thousands of entries. With few written procedures to explain the
complexities of the coding it took over an hour to identify a couple
of unusual log events affecting the network access. It also took some
while to track down the cause, but with some additional technical
support, and to cut a long story short, it was eventually identified
that an IT operator who left the company last week had "allegedly"
left some malicious code in the network control system, which had
partially wiped out the network access directories. I went to advise
my Director that the network should be back up running shortly while
June called up the back-up access directories and restored them. I
left my director fuming, having told me to make sure we collected good
admissible evidence to support a possible legal case.

We then got on with sorting out the website problem. We had thought
that the website was pretty secure but someone had managed to place
some pretty heavy "Triple-X" links onto our "Welcome" page.  The first
task was to change the passwords and get the website up and running
again, which we did from the back-ups that had now arrived from our
off-site storage. We then looked at the logs for the FTP server and
found that during the night the welcome page had been downloaded, the
additional content added, and then re-uploaded to the server.
Investigations into all this spurious activity are now ongoing
involving some of our auditing staff, but I have my own suspicions
that the same disgruntled IT operator may be involved.

Having lost most of Thursday on these incidents I needed to work
pretty late that night to catch up on my main job. I was also left
wondering if we could have managed the incidents better and got the
systems up and running more quickly than we did.

The main lessons I learned that day -
1) In future we must change all our passwords immediately when staff
with access permissions leave;
2) We need to consider purchasing some scanning software to help
detect malicious software and prevent it from causing future denial of
service incidents;
3) We must make sure we have MUCH better written procedures for
critical processes;
4) I will have to spend more time learning about my new duties from my
security manual; and finally,
5) I must go out and purchase a louder alarm clock before I end up
losing my job!

If any of the above sounds even remotely familiar... you have work to
do! One resource which may greatly assist is the Information Security
Officer's Manual, which is designed to be a hands on reference for
anyone with any security responsibilities. For more information see:

More ISO 17799/27001 Frequently Asked Questions

1) What is accreditation?
An accreditation body is an organization which grants third parties
the authority to issue 'certificates' (to certify) against standards.
This third party is the 'certification company', which actually
certifies against the standard. Examples include: BSI, SGS and SAI

2) Why was ISO 17799 renamed to ISO 27002?
The rename was made with a view to ISO 27000 becoming a generic series
of standards related to information security (ISO 27001 was the

3) How should the organization's information security REQUIREMENTS be
ISO 27002 identifies 3 main sources:
- "Through risk assessment, threats to assets are identified,
vulnerability to and likelihood of occurrence is evaluated, and
potential impact is estimated"
- "The legal, statutory, regulatory and contractual requirements that
an organization, its trading partners, contractors and service
providers have to satisfy"
- "The particular set of principles, objectives and requirements for
information processing that an organization has developed to support
its operations".

4) Can I republish articles from the ISO27000 Newsletter (internally
or externally)?
Yes, subject to a link to our website (

5) Which controls are considered by the standard to be essential from
a legal perspective?
The following 3 areas of ISO 27002 are specifically highlighted in
this respect: data protection and privacy of personal information;
intellectual property rights; safeguarding of organizational records

6) What is ISO/IEC Guide 62?
This is intended for those bodies operating certification schemes,
rather than user organizations. It contains the general requirements
applicable to them.

7) What is FDIS?
Before ISO publish a standard it goes through a number of stages. FDIS
is one of these. The stages, in correct order, are:
NP: New Proposal (initial stage)
WD: Working Draft (development)
CD: Committee Draft (quality control)
FCD: Final Committee Draft (draft awaiting approval)
FDIS: Final Draft International Standard (almost ready)
IS: Published standard

Using COBIT: The Acquisition Process

ISO 27001/2 are of course the major international standards for
information security. However, several wide-spectrum governance
frameworks exist which complement these, the most well known being
COBIT. This widely used framework provides comprehensive controls and
guidance covering each key stage of the IT process.

The supporting 'Control-IT COBIT Toolkit' (http:// provides valuable implementation support
for the framework and simplifies the implementation process. The
following snapshot, which is based on the toolkit guidance, covers the

Procurement procedures in respect of the purchase, lease or rental of
all technology based products and services need to be developed.
Internal control procedures covering these processes are to be
developed and approved incorporating these requirements and providing
the means to verify that these procurement control policies are being
complied with on an ongoing basis.

The Key Performance Indicators are:
*    Lower delays in meeting requests for new systems or IT equipment
*    Higher percentage of procurement requests met on time
*    Higher availability of comprehensive user and operations

The Process Critical Success Factors are:
*    Lower number of problems caused through poor acquisition procedures
*    Lower cost of maintaining systems
*    Lower cost of procuring systems

The IT Key Goal Indicator is:
*    Higher level of business system owner satisfaction with systems and

The compliance level measurement criteria are as follows:
*    NIL - No procedures exist to manage IT systems acquisition.  The
only procedures available relate to general purchases or goods and
*    POOR - Although the management is aware that IT systems acquisition
controls should be effectively controlled, there is no real
implementation of these ideals. There is very little integration or
liaison between business activities and systems acquisition
*    INADEQUATE - There is recognition that IT systems acquisition
controls should be in place and some efforts have been made to
identify some basic level rules. The quality of the procedures remains
fairly poor
*    BASIC - There is a defined process for controlling IT system
purchases but use of these procedures is inconsistent.  Actual
procedural content lacks conformity with agreed standards and these
deficiencies are not addressed satisfactorily
*    ACCEPTABLE - There is a reasonable degree of compliance with
approved IT system acquisition procedures and a defined framework for
review and approval.   The approach covers all systems and
applications.  Strategic management of the purchasing processes is
evolving and performance measurement and management is being
integrated into these processes
*    FULL - A formalized and comprehensive process for purchasing new
systems and equipment is in place and is followed in all cases. The
organization has a high level of technical awareness and can relate
system acquisition requirements and system quality criteria to
improving business performance levels

Overall, the above outlines a robust, consistent, and proven framework
within which to operate a sound system acquisition process. It is a
very good example of the COBIT approach, in that it illustrates the
provision of measures and indicators, which are outside the scope of
ISO 27001/2.

NOTE: A previous issue of the ISO 27000 Newsletter provided a detailed
mapping between ISO 27002 and COBIT:

ISO 27002 Chapter No.        4   5   6   7   8   9   10  11  12  13  14  15
Plan and Organize (PO)       L   H   L   L   H   H   H   H   L   L   M   L
Acquire and Implement (AI)   H   M   M   L   M   H   L   L   L   L   L   L
Deliver and Support (DS)     L   H   M   H   H   L   H   M   M   M   H   M
Monitor and Evaluate (ME)    L   M   L   M   L   L   L   L   L   L   L   L

Key to level of matching between COBIT 4.0 and ISO 17799:2005
H = Reasonably good match
M = Some matching
L = Low level or no matching

Information Security News

1) Lottery Scams Are Latest Spam Fad
According to Microsoft, 50% of spam emails
are currently lottery scams (usually inviting the victim to claim
their "winnings" or similar). Surprisingly, their poll also revealed
that 16% of recipients actually opened them, indicating an almost
complete lack of security awareness.

2) University Fined For Security Breach
The University of California has agreed to pay the U.S. Department of
Energy a $2.8 million fine as a result of a security breach at its Los
Alamos National Laboratory. The fine stems from an incident in which a
subcontractor's employee stole classified documents and stored others
on a USB drive in 2006.

3) Phishing Attack Increase
The Gartner annual survey has revealed that
the number of people receiving phishing emails has more than doubled
in the last 3 years (now estimated to be 124 million per year).
Victims of phishing scams in the United States lost $3.2 billion
during a 12-month period ending in August.

4) Anti-botnet Charges
In the US, the FBI has announced that it has charged eight men with
using internet 'botnets' to perform fraud and to launch other
malicious attacks. The men are alleged to have profited by lifting
sensitive credentials off their victims' computers, releasing DDoS
attacks and leasing 'zombie computers' to other parties.

5) Vista Security Fixes
Microsoft has released a detailed list of more than 300 security
patches within the upcoming initial service pack (SP1) for its Windows
Vista operating system. The complete list of SP1 service pack items is
posted on Microsoft's website

6) Security Gap
Gap, the clothing retail outlet, has admitted that the unencrypted
Social Security numbers of 800,000 job applicants were stolen from a
third-party vendor. The vendor contacted law enforcement authorities
about the breach.

7) Software Piracy Settlement
Six US-based companies have recently settled claims with the Business
Software Alliance over use of unlicensed software
following self audits. The total settlement was for almost $700,000.

ISO 27000: The World Wide Phenomenon

Our source list for recent purchases of the standards always proves to
be a popular talking point. The most recent thousand or two is as

Argentina 7
Australia 29
Austria 8
Barbados 1
Belgium 14
Bermuda 1
Bosnia and Herzegovina 2
Brasil 24
Canada 139
Cayman Islands 1
Chile 5
China 22
Colombia 12
Costa Rica 1
Croatia 1
Cyprus 1
Denmark 15
Egypt 2
Estonia 1
France 14
Germany 67
Gibraltar 1
Greece 6
Hong Kong 19
Hungary 6
Iceland 1
India 48
Indonesia 7
Ireland 25
Israel 1
Italy 35
Jamaica 1
Japan 35
Jordan 1
Korea 4
Lebanon 1
Luxembourg 1
Malaysia 22
Malta 1
México 31
Netherlands 60
New Zealand 10
Norway 9
Panama 1
Peru 1
Philippines 10
Poland 15
Portugal 6
R.O.C. 1
Romania 3
Russia 15
Saudi Arabia 19
Singapore 24
Slovak Republic 1
Slovenia 1
South Africa 29
Spain 33
Sultanate of Oman 1
Sweden 19
Switzerland 69
Taiwan 3
Thailand 1
Tunisia 1
Turkey 12
UK  384
United Arab Emirates 16
USA 568
Venezuela 1

The usual health warnings apply: these are sales through an online
credit card facility, so those cultures that are less familiar with
this type of commerce will be under represented.

Business Continuity Management: Preparation and Risk

ISO 27001 places a great deal of emphasis on implementing a business
continuity management regime (in fact it devotes a whole chapter to
this topic). The BCM objectives as defined within the standard are "to
counteract interruptions to business activities and to protect
processes from the effects of major failures of information systems or
disasters and to ensure timely resumption".

Usually, the better prepared you are, the more likely you will be to
meet this objective, and the more effective will be your recovery.
Unfortunately, many organizations do not properly embrace risk
assessment, and often start their business continuity project ill

It is important at the outset to have the full commitment of the Board
or Governing Body of the organization. Without this, problems
downstream are inevitable. An awareness campaign should follow, to
ensure that all staff are notified of that commitment.

The business continuity project can then be initiated (central to
which is the delivery of a business continuity plan). It is essential,
however, that this project is formal and structured.

Initial steps for the project itself will include defining scope, and
obtaining copies of all appropriate documents and information. A
formal risk assessment exercise must follow.

Initial emphasis on effective risk assessment will enable you to
predict different types of incidents with more accuracy. It will help
ensure that focus is applied to those areas to which it is most

This aspect of BCM involves analyzing the business processes and
identifying vulnerabilities through risk assessment and probability
analysis.  It includes the establishment of critical business
timeframes including recovery time objectives (RTO) and maximum
tolerable period of disruption (MTPD).  The RTO will represent the
time interval between the incident occurring and the time when a
measurable negative impact will result on the business whereas the
MTPD will represent the time interval between the incident occurring
and the time when the impact from the incident will become extremely
serious for the business.

Following a detailed risk analysis of the business and its processes,
suitable levels of safeguards and controls should be implemented that
will protect the business processes and product delivery

It is important to understand that none of the above tasks can be
short cut. Proper planning and preparation may seem to be a burden,
but the pay back could well be the survival of the organization

ISO 27001/2: Common Mistakes Part 1

David Watson was one of the earliest exponents of the standards, and
is one of the most well known industry figures. In this series of
articles for the ISO 27000 Newsletter he outlines some of the most
common errors and mistakes he has encountered over recent years:

Proper document control is often missing, not up to date or
inconsistent. It always amazes me how many people do not understand
how to use templates and styles in word processing packages;

Securing the boundaries of the scope and performing the risk
assessment on those assets defined within the scope is often a problem
area. Organizations often fail to look at the risks at the boundary of
the scope if they have offered a reduced scope (i.e. not the whole
organization, or stopping the scope at a boundary where a partner may
share a resource etc);

There is frequently a lack of traceability of the controls in the
Statement of Applicability (SoA) to the Risk Assessment and Treatment
Process (and back to the SoA);

Risk Assessments often just look at technical risks and forget that
the organization is a business with business risks;

Rarely do I see any formal acceptance of residual risk;

The SoA is often ill defined and difficult to use. Typically this is
one of the main documents that the CB Auditor will work with during
the audit and it has to be clear, link to all the appropriate places
or documents, and be understandable;

Lack of management commitment is a serious problem. Only too often do
I hear that the barest minimum of staff have been put on the project
and these are not ring fenced so the project suffers resource

Sometimes the organization has no idea of how or what to expect. I
recently had a case of someone asking for a quote to roll out ISO
27001/2. I said I would 'spec' it out for them after visiting them,
understanding their business and providing a full proposal. They
stated that they already had two proposals and just needed a third for
completeness. I asked if the others had visited and they said no, they
were local computer shops and had each quoted 5 days work and some
hardware to implement ISO 27002 on a scope of 200 self employed
associates, all using their own equipment with a common server and
network resources. The best thing about it was that it was to connect
to a UK government network. When I told them the Gap Analysis alone
could take that long, they said they were hoping for a fast
implementation and a half day seminar to implement the standard(s) was
suggested. As some (well actually most) of the associates could not
attend the half day - would that matter? I kid you not. I also guess
that they paid for their 5 days and that the IT Manager stated they
were compliant just so they could get connected.

There are often no standards and little or no documentation of the
Corporate Systems;

Rarely is there an effective and properly implemented change
management process. There are sometimes no formal change management
processes or records of change meetings available. Change management
meetings often have the wrong level staff attending, have whole
business areas that do not/will not get involved, and no minutes for
meetings to show changes successfully and unsuccessfully implemented;

There is often no management software for the network, or any form of
planning for the IT systems or capacity;

Rarely are Service Level Agreements in place and if they are they are
rarely monitored and used effectively. Sometimes the business has
unrealistic ideas of IT Service availability and the IT Department
cannot meet the requirements without serious investment, which the
business may not be willing to provide. This can lead to a breakdown
in relationships between business units and IT;

Often the Information Security Manager is not advised of new projects
or is so stretched that he cannot make the time to provide

I often find a backup process that does not provide full backup
integrity or recovery capability.

This can be an enormous can of worms, as policies are:
 - Often missing (Some companies do not even have a set of
 - Frequently out of date;
 - Often unknown by staff especially third parties and most especially
IT Contractors and Consultants;
 - Not enforced;

There are often no records to show who has received the policy with
supporting training, and there is rarely evidence of policy review.

Security Incident Response

Preparing to respond to security incidents and system malfunctions is
a key part of any security officer's duties. These potential incidents
should, of course, have been predicted through effective risk
assessment and probability analysis, and safeguards and controls
should have been put in place to reduce the impact of any such
incidents on the running of the business.  However the unexpected will
always occur.

The following guidance is provided within ISO 27001:
*    Advise relevant management and technical personnel about security
incidents promptly
*    Identify and report security weaknesses or potential shortfalls to
appropriate security personnel
*    Develop suitable procedures and responsibilities to ensure a fast
and orderly response to incidents.
*    Maintain incident statistics and learn from an analysis of incident
causes and outcomes
*    Collect admissible evidence where an incident may result in legal

No matter how many safeguards and controls that you implement it is
almost inevitable that a disruptive incident will occur at some time.
It is then down to a matter of how well you cope with the emergency
and how well you manage the aftermath. This will depend upon either
your well prepared and documented incident response procedures or your
"seat of the pants" management skills, or perhaps more likely, some
combination of both.  However, the objective is to minimize or limit
the damage from such incidents and to learn from the problem and
improve safeguards and controls to reduce the likelihood of further

Ironically, as with many key aspects of information security, this is
yet another issue for which a little planning and preparation can reap
enormous benefits when a worst case scenario occurs.

ISO 27000 Related Definitions and Terms

In this edition of the ISO 27000 Newsletter we look at those
definitions and terms related to ISO 27001 and ISO 27002 that commence
with the letter "A".

Audit Trail
A record, or series of records, which allows the processing carried
out by a computer or clerical system to be accurately identified. It
can also allow verification of the authenticity of amendments,
including details of the users who created and authorized them.

Authentication
The verification of the authenticity of either a person or of data
(e.g. a message may be authenticated to
have been originated by its claimed source). Authentication techniques
usually form the basis for all forms of access control to systems
and / or data.

Authorization
The process whereby a person approves a specific event or action. In
companies with access right hierarchies it is important that audit
trails identify both the creator and the authorizer of new or amended
data.  It is an unacceptably high risk situation for an individual to
have the power to create new entries and then to authorize those same
entries themselves.
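A check that an audit trail really does identify both the creator and the authorizer of each entry, and flags the self-authorization case the definition above calls unacceptable. This is an added example, not part of the newsletter; the pipe-separated record layout and the sample records are constructed.

```python
from collections import defaultdict

# Constructed audit-trail extract, not from the newsletter. The record layout
# "<record-id>|<action>|<entry>|<created-by>|<authorized-by>" is an assumption;
# "-" or an empty field means the value was not recorded.
SAMPLE_TRAIL = """\
r1|create|PAY-1001|alice|bob
r2|amend|PAY-1001|carol|carol
r3|create|PAY-1002|dave|-
r4|create|PAY-1003|erin|erin
r5|amend|PAY-1003|frank|grace
r6|amend|PAY-1002||grace
"""


def parse_trail(text):
    """Parse the flat records. A malformed line is an error rather than something
    to skip: a trail with holes cannot 'accurately identify' the processing."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 5:
            raise ValueError(f"malformed audit record: {line!r}")
        rec_id, action, entry, creator, authorizer = parts
        records.append({
            "id": rec_id, "action": action, "entry": entry,
            "created_by": creator or None,
            "authorized_by": None if authorizer in ("", "-") else authorizer,
        })
    return records


def history(records, entry):
    """Reconstruct, in order, who created and who authorized each change to one entry."""
    return [(r["id"], r["action"], r["created_by"], r["authorized_by"])
            for r in records if r["entry"] == entry]


def review_trail(records):
    """Findings keyed by record id: creator missing, entry still unauthorized, or
    creator and authorizer being the same person (self-authorization)."""
    findings = defaultdict(list)
    for r in records:
        if r["created_by"] is None:
            findings[r["id"]].append("creator not identified")
        if r["authorized_by"] is None:
            findings[r["id"]].append("not yet authorized")
        elif r["authorized_by"] == r["created_by"]:
            findings[r["id"]].append("self-authorized")
    return dict(findings)
```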

Auto Dial-back
A security facility designed to ensure that 'dial up' links to the
organization's communications network may only be accessed from
approved/registered external communication links.  The computer holds
a list/register of user IDs and passwords together with pre-assigned
communication contact numbers.  When a remote call is received from
one of these users the computer checks that ID and password match and
then cuts off the connection and dials back to the 'registered'
communication contact number held in the computer files.  This system
works well with fixed locations such as remote branches but may be
inconvenient for staff who move around a lot.  The drawbacks may be
overcome by using a mobile telephone (connected to a laptop computer)
as the registered dial-back  - subject to the security requirements of
protecting such items against theft or eavesdropping.

Availability
Ensuring that information systems and the necessary data are available
for use when they are needed.  Traditionally, computer systems were
made available for staff use by the IT department in the early
morning, and then closed down again by the IT staff before running
their 'End of Day' routines.  Availability was thus the poor relation
of Confidentiality and Integrity in security terms. However the
extension of the working day (for example because of trading with
different time zones) and the growth of 24x7 systems means that
availability has become a much more important element of Information
Security work.

It Couldn't Happen Here, Could It? True Stories:

1) User-Ids Count Too (True Story: case)

Organizations correctly stress the importance of password
confidentiality. They also urge users to choose sensible passwords,
which cannot be easily guessed.

Sometimes, however, this is not taken quite as seriously as it should
be. For example, selecting a password of March2008 may appear to be
adequate if a system only allows three invalid attempts (for instance)
before locking the account. Unfortunately, in the real world, security
exposure doesn't always work along such lines.

In one case, the format of an organization's USER-ID's was discovered
by an external party. This was always six characters, comprising a
three character project-code followed immediately by the user's
initials. He then attempted to logon using one common rotating
password (such as july2007) against a known project code (txy)
followed by every three character combination possible (txyaaa,
txyaab, txyaba, etc).

Because only one failed access attempt occurred against each user-id,
the attack was not noticed. He was thus able to continue until
eventually, over a period of time, he gained access. He then wreaked

The moral of this story is twofold:
- password construct policies should be enforced rigorously
- user-ids are in fact company confidential data
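The pattern in this story is invisible to a per-account lockout because no single user-id ever reaches the failure threshold; a detector has to pivot on the source instead and count how many distinct user-ids it fails against. The Python below is an added example, not part of the newsletter; the log format, addresses, user-ids and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not from the newsletter). The line layout,
# "<timestamp> src=<ip> user=<user-id> result=<OK|FAIL>", is an assumption.
SAMPLE_LOG = """\
2008-03-04 02:11:07 src=203.0.113.5 user=txyaaa result=FAIL
2008-03-04 02:13:52 src=203.0.113.5 user=txyaab result=FAIL
2008-03-04 02:16:40 src=203.0.113.5 user=txyaac result=FAIL
2008-03-04 02:19:18 src=203.0.113.5 user=txyaad result=FAIL
2008-03-04 02:22:03 src=203.0.113.5 user=txyaae result=FAIL
2008-03-04 02:24:51 src=203.0.113.5 user=txyaba result=FAIL
2008-03-04 02:27:30 src=203.0.113.5 user=txyabc result=OK
2008-03-04 08:02:11 src=198.51.100.7 user=txyjsm result=FAIL
2008-03-04 08:02:19 src=198.51.100.7 user=txyjsm result=FAIL
2008-03-04 08:02:40 src=198.51.100.7 user=txyjsm result=OK
2008-03-04 09:15:00 src=192.0.2.44 user=abcdef result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return (timestamp, src, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], m["user"], m["result"]))
    return events


def per_account_lockouts(events, max_failures=3):
    """The control the story relied on: lock a user-id after max_failures
    consecutive failures. One failure per account never trips it."""
    streak = defaultdict(int)
    locked = set()
    for _, _, user, result in events:
        if result == "FAIL":
            streak[user] += 1
            if streak[user] >= max_failures:
                locked.add(user)
        else:
            streak[user] = 0
    return locked


def spray_alerts(events, window=timedelta(hours=24), min_accounts=5, prefix_len=3):
    """Pivot on the source: flag any source whose failures touch at least
    min_accounts distinct user-ids inside the window. A prefix shared by all
    of those user-ids (the project code in the story) is reported as well."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = []
    for src, fails in by_src.items():
        fails.sort()
        best, start = None, 0
        for end in range(len(fails)):
            # slide the window start forward until the span fits
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts and (best is None or len(users) > best["accounts"]):
                prefixes = {u[:prefix_len] for u in users}
                best = {"src": src, "accounts": len(users),
                        "shared_prefix": prefixes.pop() if len(prefixes) == 1 else None,
                        "first": fails[start][0], "last": fails[end][0]}
        if best:
            alerts.append(best)
    return alerts
```

On the sample log the lockout rule locks nothing, while the source pivot raises one alert for the address that failed against six "txy" user-ids.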

2) Quotation Corner:

"He who laughs last has probably made a back-up".

"When you reach to the point at which you understand your computer,
it's probably obsolete."

"What is the difference between Windows and a virus? Viruses rarely
fail." (Sorry, Microsoft)

Have you got something to say on the standards, or a fresh insight or
some information which might benefit others?  If so, please feel free
to submit your contribution to us. Sponsors are also welcome.


We hope that you have found this issue to be informative and useful.
Subscription is entirely free (although 'opt-in' only). Please feel
free to pass this copy on to your friends and colleagues. If your
friends or colleagues wish to receive the newsletter directly, they
should simply send an email to: with a title of

ISO 27001 and 27002 Newsletter
