Protecting information assets using ISO/IEC security standards.

Author: Evans, Lois

The ISO/IEC 27000 Information technology--Security techniques series of standards takes a risk management approach that will enable information professionals to contribute to an information security management system featuring the controls needed to protect information assets against external and internal threats.

Since 2005, an estimated 5,000 data breaches involving 675 million individual records have taken place worldwide, according to a November 7, 2015, article in The Economist, "Data Breaches in America: The Rise of the Hacker."

In the United States, data breaches have occurred across many industry sectors, including:

* Government defense (e.g., U.S. Army, U.S. State Department, National Security Agency)

* Finance (e.g., Morgan Stanley, JP Morgan Chase, Wells Fargo)

* Retail (e.g., Target, eBay, Home Depot, Staples)

* Communications and entertainment (e.g., Yahoo, Tumblr, Sony Pictures)

* Online service providers (e.g., Dropbox, Epsilon, Evernote)

* Medical services (e.g., Anthem, Complete Health Systems, Advocate Health and Hospitals)

While the responsibility for information security has escalated to the executive level, many executives do not understand the threats their organizations face and find it difficult to keep up to date on the responses and products needed. As a result, some organizations lack sufficient protection while at the same time overspending on it, paying $100 for every $50 of loss prevented, according to The Economist article "Cyber-Crime and Business: Think of a Number and Double It," published January 17, 2015.

ISO/IEC 27000 Is 'Family' of Standards

The ISO/IEC 27000 Information technology--Security techniques series of standards provides the information that executives and other stakeholders need to develop and operate a customized information security management system (ISMS) that is based on clearly communicated objectives and controls and incorporates features experts believe are essential for managing information as an asset.

The series, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), includes nearly 20 standards. The first three, ISO/IEC 27000, ISO/IEC 27001, and ISO/IEC 27002, describe the vocabulary, requirements, and code of practice, while the balance provide general instructions for governance, security risk management, measurement, and auditing, as well as sector-specific instructions for finance, cloud services, energy utilities, and health. (See the "ISO/IEC 27000 Information technology--Security techniques Series" sidebar for the complete list of standards in this series.)

The series takes a risk management approach, enabling each organization to tailor its ISMS to its own business environment to protect a range of information assets (e.g., financial, personally identifiable, confidential, and third-party) against specific threats and vulnerabilities.

In essence, the ISO/IEC 27000 series is to information security what the ISO 9000 series is to quality assurance--a comprehensive set of standards that provides best practice recommendations for organizations of any type or size. Importantly, the standards are battle tested: stemming from a 1995 British security standard (BS7799), they have been in place since 2005 and are reviewed and updated regularly.

ISO/IEC 27001 Is Series' Foundation

The key to the ISO/IEC 27000 series is ISO/IEC 27001:2013 Information security management systems--Requirements. At 23 pages, ISO/IEC 27001 can be read through in one sitting, yet contains enough information to direct a months-long project. The first half consists of 10 narrative sections outlining the general requirements for an ISMS, while the second half consists of an annex listing the 14 key control objectives required for ISO/IEC 27001 compliance.

An easy way to approach the document is to skim through the narrative sections, read the annex to get a sense of the extent of an ISMS, and then return to the first section for a more...
