The ISO 27000 Newsletter: Issue 15 Released

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

The latest quarterly issue has now been released. For those interested
in this set of standards (which include ISO 27002, formerly calledISO
17799), the full version is provided below:




Welcome to the Issue 15 of The ISO 27000 Newsletter, designed to
provide news and background with respect to the ISO security
standards. The information provided is absolutely free to our
subscribers and offers guidance on practical issues and commentary on
recent incidents.

Covered in this issue are the following topics:

1)  ISO 17799 Becomes ISO 27002
2)  Logic Bomb Dangers Highlighted
3)  The History of The Information Security Standards
4)  Information Ownership Issues
5)  More ISO 17799/27001 Frequently Asked Questions
6)  Information Security News
7)  ISO 27000: The World Wide Phenomenon
8)  The SLA: Prioritization
9)  ISO 27000 Related Definitions and Terms
10) It Couldn't Happen Here, Could It?
11) Contributions

Appendix: Subscription Information

ISO 17799 BECOMES ISO 27002

Following the decision taken by ISO last year, ISO 17799 has finally
been renamed to ISO 27002. The change of name is simply that: a change
of name. The purpose is to align it more closely to ISO 27001 in terms
of perception.

Of course, the name change could be misleading, as some people my
erroneously believe that other changes have been applied. They
haven't. We therefore issue two clear recommendations:

1) If you already have a copy of ISO 17799:2005, you do not need to
replace it with ISO 27002. The documents are identical except for
references to the name.

2) On their website, ISO simply put up ISO 17799:2005, without even a
new cover or any changes within. A single sheet accompanied it with
the words "Replace '17799' with '27002'". However, the full
replacement, with name changes applied to the document itself, can be
obtained from Standards Direct ( /


To accommodate the change of name, the supporting 'ISO 17799 Toolkit'
has also been renamed. It has also been updated, notably the policies,
the roadmap and the presentation.

It is documented on the following website:

Logic Bomb Dangers Highlighted

The recent case of a former US Government contractor pleading guilty
to sabotaging Navy computers highlighted the need for constant
vigilance with respect to so-called 'logic bombs'.

Also known as 'slag code' and commonly associated with 'disgruntled
employee syndrome', a logic bomb is a piece of program code buried
within another program, designed to perform some malicious act. Such
devices tend to be within the province of technical staff (non-
technical staff rarely have the access rights and even more rarely the
programming skills required) and operate in two ways:-

1=2E    'Triggered Event' - for example, the program will review the
payroll records each day to ensure that the programmer responsible is
still employed. If the programmer's name is suddenly removed (by
virtue of having been fired) the Logic Bomb will activate another
piece of code to slag (destroy) vital files on the organization's
system. Smarter programmers will build in a suitable delay between
these two events (say 2-3 months) so that investigators do not
immediately recognize cause and effect.

2=2E    'Still Here' - in these cases the programmer buries coding similar
to the Triggered Event type but in this instance the program will run
unless it is deactivated by the programmer (effectively telling the
program - "I am still here - do not run") at regular intervals,
typically once each quarter. If the programmer's employment is
terminated unexpectedly, the program will not be deactivated and will
attack the system at the next due date. This type of Logic Bomb is
much more dangerous, since it will run even if the programmer is only
temporarily absent (eg through sickness, injury or other unforeseen
circumstances) at the deactivation point. The fact that it wasn't
meant to happen just then is of little comfort to organization with a
bombed system.

Logic bombs demonstrate clearly the critical need for audit trails of
activity on the system, as well as strict segregation of duties and
access rights between those staff who create systems (analysts,
developers, programmers) and the operations staff who actually run the
system on a day-to-day basis.

The History of The Information Security Standards

Examination of the past often illuminates the present. This is
certainly the case in terms of untangling the different acronyms and
numbers associated with the information security standards.

The embryo of the security standards was actually a document published
by the UK Government's DTI in 1992. The was the 'Code of Practice',
for Information Security Management. This was subsequently upgraded by
BSI (the British Standards Institute) who published 'BS 7799-1 - Code
of Practice for Information Security' in 1995. BSI enhanced this
document, and also published a second part: BS7799-2, which was a
specification for security management, in the late nineties.

In 2000 ISO finally appeared on the scene, adopting BS 7799-1 and
renaming it to ISO 17799:2000. However, it wasn't until 2005 that they
eventually adopted BS7799-2, which became ISO 27001:2005. ISO 17799
was re-published in the same year, and as explained above, was renamed
to ISO 27002 in July 2007.

Also in 2005 BSI published BS7799-3. This is 'Guidelines for
information security risk management'. Again, the chances are that
this will eventually evolve into an ISO standard (possibly ISO

So we thus have:
ISO 27002:2005 - Code of Practice
ISO 27001:2005 - Specification for an ISMS
BS7799-3 - Risk Management.

It is not actually quite this simple though... because ISO are
attempting to 'normalize' their entire numbering system. They want all
their information security standards to be similarly numbered. That is
reasonable of course, but many would argue what is not reasonable is
simply to rename documents at a random point in time, rather than on
the next upgrade.

The full numbering intention is documented on the ISO 27000 Directory
website ( ).

Information Ownership Issues

It is essential that the ownership of information systems, data and
files is formally established within the organization. This formal
assignment invariably brings with it a more serious approach, 'top
down', to the whole issue of information security.

Historically, all electronic systems and data files were considered to
be "owned" by the IT department, but over recent years ownership has
correctly moved towards the areas or individuals who actually create
the information, or who are ultimately responsible for the data and
systems output.

Usually, the person who creates, or initiates the creation or storage
of the information, is the designated owner. In an organization,
possibly with divisions, departments and sections, the owner becomes
the unit itself with the person responsible being the designated
'head' of that unit.

The Information owner is normally responsible for ensuring:-

=B7    that an agreed classification hierarchy is put in place and that
this is appropriate for the types of information processed for that
business / unit;
=B7    that all information is classified and stored into the agreed types,
and that an inventory (listing) is created;
=B7    that each document or file within each of the classification
categories, has its agreed (confidentiality) classification appended
to it.
=B7    that for each classification type, the appropriate level of
information security safeguards are available (e.g. the logon controls
and access permissions applied by the Information Custodian provide
the required levels of confidentiality)
=B7    that periodically there is a check to ensure that information
continues to be classified appropriately and that the safeguards
remain valid and operative.

If a designated owner of information leaves the organization, it is
important to ensure that a new owner or custodian is immediately
appointed to protect the approved levels of confidentiality and
approve or decline access requests.

Many organizations have seen a demonstrable improvement in the
cultural approach to security as a result of ownership clarification.
It is a move certainly long overdue for those whose IT departments are
still seen as data owners.

More ISO 17799/27001 Frequently Asked Questions

1) Where Do I Start with an ISMS?
The start point most often recommended for the implementation of a
formal Information Security Management System (ref: 27001) is a
definition of scope. This is in fact pure logic. Unless you define
your boundaries you are unlikely to get too far without encountering
significant difficulties. The scoping exercise itself is often quite

2) Is there a Forum Dedicated To the Standards?
Yes. The biggest forms part of the ISO 27001 and ISO 27002 User Group
( )

3) Where Do I Find a List of Certified Companies?
There is no global list, as companies tend to be certified via
national accredited bodies. However, there is an international
voluntary register hosted by the
ISO 27002 And ISO 27001 Open Guide ( /

4) How many companies are now certified?
At the last count this was well in excess of 2,000.

5) What is ISO Guide 62?
This guide contains the requirements applicable to an Accreditation
Body (which subsequently bestows authority to issue certificates).

Information Security News

1) Sophos ( ) reports that malware is increasingly
being spread via web pages, rather than via email, with sites in China
and Hong Kong accounting for more than half the total. Most affected
sites are victims themselves, having been compromised by hackers. In a
separate report,  Pandalabshttp ( /
virus_info/pandalabs/) report that malware detections increased by
over 170% last year. Trojans now represent more than half of such
attacks, with Bots on 14 percent and backdoors on 13.

2) A recent survey by Network Box ( ) of
250 small businesses demonstrated an alarming indifference to
security. 62 per cent had no system in place to protect against
phishing, whilst a staggering 99% did not know how often their anti-
virus software was updated.

3) The University of Missouri became the latest in a string of
universities to suffer a serious security breach when hackers obtained
more than 20,000 Social Security numbers (SSNs). Using IP addresses
from China and Australia, the hackers made thousands of queries over a
span of hours, obtaining one SSN at a time.

4) According to Symantec ( ), Image Spam still
accounts for more than 25% of all spam. This is essentially a
technique which uses embedded images to bypass phishing filters.
Whilst this is down from earlier in the year, the daily rates indicate
a high level of variance. Spam itself accounts for 65 percent of all
email at the SMTP layer.

5) A video clip was recently posted on YouTube showing union
protestors examining trash awaiting collection outside Chase Bank in
New York. The video (
) shows
loan application forms and other sensitive data being examined by the
Service Employees International Union supporters. The clip again
illustrates that low tech security issues remain a constant threat.

6) An audit has revealed that the IRS (The US Internal Revenue
Service) lost almost 500 PCs in the 3 year period to the middle of
2006.It is believed that the personal information of at least 2,000
taxpayers could have been compromised as a result. The IRS have
subsequently stated that they are "taking aggressive steps to further
secure government equipment and protect sensitive data to mitigate the
risk of potential identity theft or other fraudulent activity."

ISO 27000: The World Wide Phenomenon

Our source list for recent purchases of the standard always proves to
be a popular talking point. The most recent thousand or so is as

Argentina 6
Australia 25
Austria 10
Barbados 1
Belgium 12
Bermuda 1
Bosnia and Herzegovina 2
Brasil 16
Canada 122
Cayman Islands 1
Chile 7
China 18
Colombia 14
Costa Rica 1
Croatia 2
Cyprus 2
Denmark 12
Egypt 4
Estonia 1
France 10
Germany 65
Gibraltar 1
Greece 7
Hong Kong 16
Hungary 9
Iceland 1
India 29
Indonesia 5
Ireland 24
Israel 1
Italy 37
Jamaica 1
Japan 25
Jordan 1
Korea 2
Lebanon 1
Luxembourg 1
Malaysia 18
Malta 2
M=E9xico 28
Netherlands 52
New Zealand 15
Norway 17
Panama 1
Peru 1
Philippines 10
Poland 11
Portugal 7
R=2EO.C. 2
Romania 5
Russia 10
Saudi Arabia 14
Singapore 19
Slovak Republic 1
Slovenia 1
South Africa 19
Spain 27
Sultanate of Oman 1
Sweden 16
Switzerland 59
Taiwan 4
Thailand 1
Tunisia 1
Turkey 11
UK  371
United Arab Emirates 16
USA 542
Venezuela 1

The usual health warnings apply: these sales are through an online
credit card outlet, so those cultures that are less familiar with
ecommerce will be under represented.

The SLA: Prioritization

As previous editions of the newsletter have demonstrated, the SLA can
prove to be an important tool with respect to information security,
particularly regarding service availability. One such aspect pertains
to prioritization.

The purpose of defining and prioritizing problems within service level
agreements is to ensure that resources are concentrated on resolving
the most critical incidents, ensuring that these are resolved on a
basis reflecting their seriousness with respect to impact on the
Client. It enables the Client to understand how the incident
management process will be operated and the Supplier to concentrate
scarce resources towards resolution of the incidents themselves.

To this end, it is important that the potential impact of the incident
on the Client's business is properly defined.

The SLA should thus contain a suggested structure for classifying
problems, and the supplier and client should both ensure that this
structure meets their requirements.  A suggested simplified structure
is given below:

Problem         Priority Status        Impact
Priority 1        Mission critical    Serious financial impact
Priority 2        Extremely urgent    Significant financial impact
Priority 3        Urgent            Medium financial impact
Priority 4        Medium priority    Minimal financial impact
Priority 5        Low Priority        No financial impact

Information Source: The SLA Toolkit (http://www.service-level -

ISO 27002 Related Definitions and Terms

In each ISO 27000 Newsletter we include a selection of terms and
definitions to unravel and explain some of the jargon and strange
language used by IT and Information Security professionals. In this
edition, we provide a further selection of terms that all start with
the letter 'F'.

Finagle's Law
The 'folk' version of Murphy's Law, fully named 'Finagle's Law of
Dynamic Negatives' and usually rendered 'Anything that can go wrong,
will.'. One variant favored among hackers is 'The perversity of the
Universe tends towards a maximum.'. The label 'Finagle's Law' was
popularized by SF author Larry Niven in several stories depicting a
frontier culture of asteroid belt miners. This 'Belter' culture
professed a religion and/or running joke involving the worship of the
dreaded god Finagle and his mad prophet Murphy.

Fit for Purpose
Fit for Purpose is a general expression which can be useful to ensure
that Information Security solutions are appropriate for your
organization. Vendors will sometimes attempt to 'fit' their solution
to your problem. Fit for Purpose is an expression which, when used
within the solution negotiation context, places an onus of
responsibility upon the vendor to ensure that its solution is (indeed)
fit for the purpose which their client expects.
Example : a well known systems company contracted for the sale of
their system. Inclusive in the price was one of week training in the
system. During implementation it became apparent that one week for
training was totally inadequate. The customer successfully claimed
(prior to legal action) that the supplier's solution was inadequate
and hence not fit for purpose. When considering Information Security
solutions, it is good practice to remind any potential suppliers in
your requirement that the solution must be fit for purpose.

A message indication, sometimes, but not always, a warning to a user,
which appears when a certain event takes place. For example, an
inventory monitoring program may well 'flag' certain products when
stocks fall below a predetermined level, to alert the user to re-
order. An alternative use is to warn of an event which will take place
in the future, but has not yet occurred, for example, a financial
institution aware of large check-based transaction on a customer's
account may 'flag' the account to avoid an unauthorized overdraft.
Flags may be generated manually or automatically, depending on
circumstances. In the case of the stock monitoring this would be
automatic, while the check transaction example would be processed
manually. Automatic flags serve a useful purpose in drawing users'
attention to situations which otherwise may be overlooked.

'Flame' is abusive communication by E-mail or posting to a newsgroup,
which attacks an individual or organization for some real or imagined
grievance. The real problem is broader than that of a few rude e-
mails: flame represents the anarchistic side of the Internet. The
flame may start with only one abusive message, but it is broadcast so
widely that large numbers of unconnected browsers join in - often on
both sides of the argument. This can lead to 'Flame Wars', where the
traffic load becomes so high that communications network performance
degrades, and E-mail boxes become blocked - as is the case with
bottlenecking and mail bombing. Problems for companies may arise if a
member of staff has used an organization's e-mail address to start the
flame - another reason to monitor staff activities. Flame has some
redeeming features. Deeply unpleasant (or disturbed) individuals who
posted lengthy racist (or sexist, or some other -ist) diatribes have
found themselves flamed off the Net....

Literally, software provided for free - no charge. This is not as
uncommon as might be expected. Major software developers often give
away old versions of their products to allow users to try them at no
charge and, hopefully, succeed in tempting them to purchase the
current release.  Independent developers may give away small programs
to establish a reputation for useful software, which then enables them
to charge. Cover disks attached to a computer magazine often contain
Freeware. As with Shareware, Freeware should be approached with
caution, and staff dissuaded from trying out their new Freeware on
organization equipment.


Most editions of The ISO 27000 Newsletter features at least one TRUE
story of an information security related incident or its

1) In case you ever wondered why the term 'dumb users' emerged:

Login: yes
Password: i dont have one
password is incorrect

Login: yes
Password: incorrect

2) A genuine quote: "Morons. These people who live in my apartment
complex are connected to my wireless. They must think they're super-
cool hackers by breaking into my completely insecure network.
Unfortunately, the connection works both ways. Long story short, they
now have loads of (censored) on their computer."

3) Finally, not a true story (or is it?), but funny regardless.

The six phases of an ISO 17799 implementation (adapted):
Search for the guilty
Punishment of the innocent
Praise for the non-participants

Have you got something to say on the standards, or a fresh insight or
some information which might benefit others?  If so, please feel free
to submit your contribution to us. Sponsors are also welcome.


We hope that you have found this issue to be informative and useful.
Subscription is entirely free (although 'opt-in' only). Please feel
free to pass this copy on to your friends and colleagues. If you do
not wish to receive further copies, simply email us at the address
below with a title of 'Un-subscribe'.

If your friends or colleagues wish to receive the newsletter directly,
they should simply send an email to: with a title of

Finally, the publishers accept no liability or responsibility for
errors or omissions in this newsletter. This also applies to any loss
or damage caused, arising directly or indirectly, by the use of or
reliance on the information contained within.

ISO 27000 Newsletter

Site Timeline