The Latest ISO 17799 and ISO 27001 Newsletter Published


Reproduced below in full:



Welcome to Issue 14 of the ISO27001/ISO17799 newsletter, designed
to provide news and information with respect to the ISO information
security standards. The information contained within this newsletter is
absolutely free to our subscribers and provides guidance on various
practical issues, plus commentary on recent Information Security

Covered in this edition are the following topics:

1)  ISO 17799/27001 Toolkit Versions
2)  Recruitment and Security Risks
3)  BS25999 Published
4)  User Acceptance Testing: The Basics
5)  Information Security News
6)  More ISO 17799/27001 Frequently Asked Questions
7)  ISO17799 And SOX
8)  More Advice On SLAs
9)  ISO 17799: The World Wide Phenomenon
10) The Development of a Business Continuity Plan
11) ISO 17799 Related Definitions
12) Contributions

Appendix: Subscription Information

ISO 17799/27001 Toolkit Versions

We occasionally encounter confusion regarding different 'versions' of
the support toolkit for the standards. Hopefully we can clear this up.
There is only ONE version of the toolkit. The core elements are
described here:

The only variance to this statement is that it is possible to get this
toolkit inclusive of the BS7799-3 security risk assessment standard.
This is obviously slightly more expensive, and is sold from this page
on BSI's Standards Direct outlet:

Perhaps the cause of the confusion is that the toolkit is also sold via
a number of resellers. These own their own websites, but are
essentially affiliates to the main source.

Recruitment and Security Risks

Obvious potential weak links in your information security profile are
the new recruits that have recently joined your organization. If you do
not advise them about your information security requirements and train
them in your critical information security procedures in a timely
fashion, then they collectively may create a significant risk to the
organization and its information assets.

ALL management and staff are responsible for Information Security,
including those new to the organization. It is vital therefore that
they are brought 'up to speed' quickly to avoid unnecessary Information
Security breaches and related risks.

Information Security issues to be considered when addressing this
requirement include the following:
   - Confidential data may be lost, damaged or compromised by staff
     with insufficient training.
   - Data may be lost in error or through negligence because staff do
     not fully understand the risks involved.
   - Data may be lost because Information Security measures have been
     installed incorrectly and their alarms and messages are misinterpreted.
   - Confidential information may be compromised if new staff are not
     made aware of the scope of the organisation's Information Security

To overcome this potential weakness, we recommend that you set out the
critical security issues and procedures in an easy-to-understand
document or booklet and provide induction training immediately upon the
new recruit's arrival. Time is very much of the essence. The recruits
should also be obliged to sign a formal statement confirming that they
have read, and understand, this document.

BS25999 Published

The long awaited standard for business continuity, which supports ISO
17799 and ISO 27001, has been published. As with many international
standards, BS25999 will comprise two parts: a code of practice
(equating to ISO 17799) and a specification (equating to ISO 27001).

The first of these was published by BSI at the end of 2006. The
specification will appear later in the year.

The standard is designed to dovetail with the BCM section within ISO
17799. It covers topics as diverse as strategy and plan maintenance,
and even how to embed business continuity management into the
organizational culture.

BS25999 is bound to have a significant impact upon the whole area of
business continuity and disaster recovery planning. As the first
credible standard developed to provide objective metrics, it is not
hard to see why predictions are rife regarding positive insurance
implications, and marketing leverage for continuity sensitive services.

The standard can be obtained from BSI's Standards Direct online store,
or as part of the introductory BS 25999 Toolkit. For up to date news on
this standard a dedicated site has emerged:

More ISO 17799/27001 Frequently Asked Questions

1) What Is ISO 27000 All About?
This is ISO's projected series of information security related
standards. ISO 27001 already exists, and it is proposed that ISO 17799
may be renamed to ISO 27002 later this year. For full and emerging
details we have identified a specific ISO 27000 news website:

2) Where Does COBIT Fit Into The Equation?
The last issue of this newsletter explained the mapping between ISO
17799 and COBIT in detail:

3) Has BS7799 Now Been Replaced?
BS7799-1 has evolved into ISO 17799. BS7799-2 has evolved into ISO
27001. However, BS7799-3 was published last year. This offers
guidelines for information security risk management, and it is expected
that it too will become an ISO standard in due course.

4) Is There A User Group For The Standards?
Yes. The international online user group for the standards can be found

5) What is IRCA?
IRCA is the International Register of Certified
Auditors, offering professional recognition of auditing competence.
Essentially, IRCA is the body which certifies auditors to audit against
the security standards.

User Acceptance Testing: The Basics

User acceptance testing is a critical phase of any 'systems' project
and requires significant participation by the 'End Users'. To be of
real use, an Acceptance Test Plan should be developed in order to plan
precisely, and in detail, the means by which 'Acceptance' will be
achieved. The final part of the UAT can also include a parallel run to
prove the system against the current system.

The User acceptance test plan will vary from system to system but, in
general, the testing should be planned in order to provide a realistic
and adequate exposure of the system to all reasonably expected events
and threats. The testing can be based upon the User Requirements
Specification to which the system should conform.

As in any system though, problems will arise, and it is important to
have determined what should be the expected and required responses from
the various parties concerned; including Users; Project Team; Vendors
and possibly Consultants / Contractors.

In order to agree what such responses should be, the end users and the
project team need to develop and agree a range of 'severity levels'.
These levels will range from (say) 1 to 5 and will represent the
relative severity, in terms of business / commercial impact, of a
problem with the system, found during testing. Here is an example which
has been used successfully - '1' is the least severe; and '5' has the
most impact :-
1. Cosmetic Problem; e.g. colors; fonts; pitch size.
2. Minor Problem; both testing and live operations may progress. This
problem should be corrected, but little or no changes to business
processes are envisaged
3. Major Problem; testing can continue but this feature will cause
severe disruption to business processes in live operation
4. Critical Problem; testing can continue but we cannot go into
production (live) with this problem
5. Show Stopper i.e. it is impossible to continue with the testing
because of the severity of this error / bug

The users of the system, in consultation with the executive sponsor of
the project, must then agree upon the responsibilities and required
actions for each category of problem. For example, you may demand that
any problems in severity level 4, receive priority response and that
all testing will cease until such problems are resolved.

Even where the severity levels and the responses to each have been
agreed by all parties; the allocation of a problem into its appropriate
severity level can be subjective and open to question. To avoid the
risk of lengthy and protracted exchanges over the categorization of
problems; we strongly advise that a range of examples are agreed in
advance to ensure that there are no fundamental areas of disagreement;
or, if there are, that these will be known in advance and your
organization is forewarned.

Information Security News

1) A host of Google related vulnerabilities have recently been
discovered. These have largely focused around cookies, and have exposed
user documents, emails (via Googlemail or Gmail) and search histories.
All those so far identified have now been fixed, but this does
illustrate the increasing risks which are liable to occur as the search
company integrates more and more functions into its portfolio.

2) McAfee are reporting that once again the
nature of spam is changing. Whereas text based spam used to be the
order of the day, increasingly image spam is becoming the norm. Their
latest figures illustrate that this now accounts for around 65% of all
spam. Image spam uses images rather than text to deliver the usual
message types. This of course poses different types of challenges to
the anti-virus firms, but they are rapidly adapting. Yet another reason
to ensure that your AV software is bang up to date!

On a related note, and to make matters worse, the overall volume of
spam continues to increase, with message management firm Postini
reporting that it now comprises 94% of all

3) Two traffic engineers in Los Angeles have been charged with hacking
a computer system to... disable traffic lights! It is alleged that this
was motivated as a result of an ongoing labour dispute.

4) OpenDNS report that the top five most
targeted phishing firms are: PayPal, Barclays Bank, eBay, Fifth Third
Bank and Bank of America, in that order. Unfortunately, phishing is yet
another area of increase in terms of volume, and enhanced
sophistication of attack techniques.

5) The importance of protecting your online identity has been
highlighted again this month by McAfee. They are reporting that online
identity theft has increased by 250% since the beginning of 2004. The
cost to the US economy is believed to be of the order of $40
billion per year, with the UK figure being about 600 million per

ISO17799 And SOX

The impact of the Sarbanes-Oxley Act 2002 (the Act) has been
significant, not only on corporate America, but globally. Countless
internet pages have been devoted to understanding the Act and
developing and implementing the operational internal controls that are
necessary to meet its stringent requirements. As a result, many
organizations are using a variety of standards and guidelines to help
to meet a minimum level of compliance.

A key issue in implementing the SOX requirements is in measuring and
planning acceptable levels of compliance for the IT systems so that
CEOs, CFOs and CIOs are able to comfortably certify that the levels of
controls over the financial reporting processes are adequate. The main
three standards and guidelines available are considered to be ISO17799,

ISO17799 offers a structured range of policy driven controls to manage
the business process including in-depth coverage of technology based
systems. COSO focuses on internal controls required across the
organization to manage the financial and operational processes so that
the financial reporting processes can be relied upon. COBIT provides a
detailed range of control objectives that enables the organization to
manage its technological processes and provides additional guidance to
measure the level of compliance with each aspect of the process through
the provision of a series of benchmarks.

The Act requires that a suitable level of compliance is achieved across
a range of critical processes and this level of compliance has to be
effectively reconfirmed every 90 days. Each critical process should be
subject to ongoing measurement against an agreed benchmark and
compliance should be targeted within an agreed range that accurately
reflects the corporate governance requirements.

ISO17799 is now widely seen as an international standard that is able
to provide practical benefits towards achieving an acceptable level of
corporate compliance with respect to this, and is increasingly becoming
an integral part of the corporate necessity to demonstrate commitment
via a metrics related position.

More Advice On SLAs

Excellent sources of data that can be used for upgrading your service
level agreements are complaints received from customers, and issues
raised within customer satisfaction and employee opinion surveys.

A well designed customer satisfaction survey should encourage customers
to provide comments about areas where the performance does not meet
their expectations. You should attempt to elicit additional information
about such problems so that these comments can be followed up and
perceived problems examined and corrected.  Very often these
expectations can be created from misleading wording of clauses in the
service level agreement and it is important to ensure that this wording
reflects the realistic situation and creates acceptable and attainable

For perceived problems to be turned into useful information that can be
analyzed and corrected, it is necessary to ask the right questions in
the survey and provide effective follow-up.  Complaints should always
be recorded, analyzed, reviewed and reported to management who are
ultimately responsible for performance and customer satisfaction

The service level agreement should contain clear information on what is
the expected level of performance that the organization is committing
to. The last thing the customer wants is a nasty surprise on
performance levels.  Be both open and transparent on performance level
targets or you will likely end up with an unhappy customer and a
tarnished reputation.

Note: This article was supplied by the authors of the Service Level
Agreement Toolkit, which offers guidelines
and templates to manage the creation of a professional SLA.

ISO 17799: The World Wide Phenomenon

Our source list for recent purchases of the standard always proves to
be a popular talking point. The most recent thousand or so is as

Argentina 5
Australia 23
Austria 11
Barbados 2
Belgium 11
Bermuda 1
Bosnia and Herzegovina 1
Brasil 15
Canada 112
Cayman Islands 1
Chile 6
China 11
Colombia 12
Costa Rica 1
Croatia 1
Cyprus 2
Denmark 16
Egypt 5
Estonia 1
France 12
Germany 59
Gibraltar 1
Greece 6
Guatemala 1
Hong Kong 14
Hungary 8
Iceland 2
India 23
Indonesia 4
Ireland 26
Israel 2
Italy 32
Jamaica 2
Japan 15
Jordan 1
Korea 3
Lebanon 1
Luxembourg 1
Malaysia 14
Malta 3
México 24
Netherlands 41
New Zealand 12
Norway 18
Panama 1
Peru 1
Philippines 6
Poland 9
Portugal 8
R.O.C. 3
Russia 7
Saudi Arabia 10
Singapore 18
Slovak Republic 1
Slovenia 2
South Africa 15
Spain 29
Sultanate of Oman 1
Sweden 14
Switzerland 49
Taiwan 5
Thailand 2
Tunisia 1
Turkey 7
UK  351
United Arab Emirates 11
USA 512
Venezuela 1

The usual health warnings apply: these are online card sales, so those
cultures that are less familiar with this form of commerce will be
under represented.

The Development of a Business Continuity Plan

Despite the undoubted strides being made by some well resourced
organizations towards an acceptable level of compliance with
international standards such as ISO 17799 and BS 25999, for the
majority of companies the approach to business continuity remains
rather haphazard.  Part of the reason for this is a lack of expertise
and experience in developing the relatively complex documentation which
is to be followed in the event of a serious incident, and part due to
an ongoing lack of resources and time.

One of the first tasks we undertake when clients ask us to assist them
with their business continuity planning project is to review their
current level of documentation that is to be used for dealing with
emergencies. Some of the basics are usually in place including support
and back-up arrangements for most of the critical systems, health and
safety procedures, and some form of escalation process. The first
process that we usually find to be missing is a formally structured
management led risk assessment of the vulnerabilities to particular
threats, and a measurement of the potential impact that a loss of a
critical system or process would have on the organization's bottom
line and customer loyalty.  Without this management led risk analysis
to drive the continuity process, any recovery procedures are unlikely
to focus on the most important issues for survival.

To persuade scarce management resources to become positively involved
in the business continuity planning process, you probably have to
firstly achieve buy-in and commitment from the Board and senior
executive management. Once you have commitment from the top of the
organization to put proper risk led procedures in place to ensure
continuity, then the overall process becomes much easier to sell to
other levels of management.  This is important, as there is a lot of
hard work in developing a well structured and coherent plan that is
capable of minimizing the impact of all serious disruptive events.

Business continuity is not a process that should be led by the
technical areas, but one that must be led by management. The technical
areas will contribute significantly to the overall process but the
ultimate impact of a disruption to the business process will fall on
senior management, and they therefore should be responsible for
ensuring that the recovery process meets the underlying business needs.

Of course, using tools that make the whole process easier and therefore
less resource hungry can be a very cost effective method of putting the
process on a more professional footing. The BCP Generator
is the most well known product on the
market for simplifying the whole planning approach. With its
inter-active guidance and comprehensive templates, which cover each
stage of the process, it is without doubt the most popular BCP solution
currently available. It is in fact used by over 7,000 organizations, in
over 120 countries, which are remarkable statistics.

Using a combination of recognized standards, methods and tools will not
only significantly aid continuity and reduce risks, but will actually
produce a substantial range of other tangential benefits. These will be
explored in a future edition.


ISO 17799 Related Definitions

In each ISO 17799 and ISO 27001 Newsletter we will include a selection
of terms and definitions to unravel and explain some of the jargon and
strange language used by Information Security professionals. In this
edition, we have provided a selection of terms that all start with the
letter 'H'.

Handshake
An electronic exchange of signals between pieces of equipment (fax
machines, computers, computers and printers, etc.,) to establish that
each has the necessary protocols installed to allow communication
between the units; sometimes, also to confirm identities so that
transmissions are routed to the correct destination.
An extension of the normal confirmation routine is the Challenge
Handshake that is a demand for proof of identity and authorization.

Hose and Close
An off-putting practice of some Technical Support/Help Desk staff. In
response to a question from a distressed user, Support responds with a
deluge of technobabble which the user doesn't understand, issues a
series of abstruse command instructions, which the user cannot follow,
and then hangs up before the user can come back with a request for a
simple explanation.
The tech support staff can mark another tick on the 'support provided'
sheet, but the user is not only no further forward, but may also have
been charged a premium rate per minute - just to be made to feel
Happily, there are a growing number of Tech Support hotlines which do
communicate in plain language.

Housekeeping
Routine care of a computer system to ensure that it is kept running in
the most efficient manner. Housekeeping will normally include: routines
to delete items such as temporary files (which are no longer required),
identify and remove duplicates of files, check the integrity of the
disk records and the magnetic coatings on the disk surfaces, and
generally tidy up the filing system.
Housekeeping should not be restricted to the main system. It is just as
useful for desktop machines and laptops - considering the circumstances
under which they are used!

Hot Desking
A relatively new approach to working whereby staff do not have their
own, dedicated facilities, but share them with other workers - i.e.
there are fewer desks and computers than there are staff.
Two kinds of situation are common :-
1. Call centers and similar functions which run 24x7 on shifts. As one
staff member logs off and leaves, another takes over, logging on with a
new ID and password.
2. 'Field' staff such as sales representatives check in to base to
complete paperwork, upload/download files, etc. Such staff will use
any desk/computer that happens to be free.
In either case, password control systems and audit trails are essential
to monitor which user is doing what, with which machine.

Hardware Inventory
Master Hardware Inventory - A detailed list of all hardware owned by
the organization, showing, amongst other things:- type, make, model,
specifications, cost, location, user(s), and asset reference number.
Unit Hardware Inventory - an equally detailed list of hardware in order
of user (individual or department). This sheet may be used for Audit
checks to confirm that any given user still has the equipment detailed
and no unauthorized additions, removals, or modifications have been

Contributions

Have you got something to say on the standards, or a fresh insight or
some information which might benefit others?  If so, please feel free
to submit your contribution to us. Sponsors are also welcome.

ISO 17799 and ISO 27001 Newsletter  
