International ICT Standards from information security to service management

Issue 39 – June 2012

This article was written by Prof Edward Humphreys and first appeared in ISO Focus+, March 2012 and is summarised here with permission from ISO. Prof Humphreys is Chair of the working group responsible for the development and maintenance of the ISO/IEC 27000 family of Standards.

A broad range of ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) Standards address key issues faced by the world's fast-growing information and communications technology (ICT) industry. These include preventing cyber-attacks, ensuring information security, and maintaining business continuity.

A common business tool in most organisations, ICT serves many business purposes and is used in a wide range of business applications and processes. Its use requires associated services, provided either within an organisation, for example through an internal ICT services department, or by a third party.

Up and running

Over recent years, cloud computing has become a fashionable term for the delivery of services such as applications as a service, software as a service, and infrastructure as a service.

An example is data storage in a third-party cloud server. This can reduce an organisation's costs as it does not need to manage and maintain its own server. There is a possible downside too – can the cloud provider manage the ICT and data storage service efficiently, securely, and effectively?

This raises issues of how to provide effective ICT service management and information security. For example, if the cloud service provider is in one country and the provider of personal data is in another, how does the cloud provider protect its customers? In addition, how does the cloud provider conform to national laws when its clients are geographically dispersed around the world?

ICT service management also has a key role in the delivery of ICT services. If it is implemented properly it can increase efficiency and cost-effectiveness, increase flexibility in the use of ICT resources and applications, reduce response times, and improve quality of service.

Information security plays a key role in achieving these benefits and in ensuring effective service delivery.

In the case of critical national infrastructure, service provision needs to be carefully considered. Appropriate solutions and controls are necessary for ICT service management, ICT readiness and preparedness for dealing with disasters and continuity issues, incident handling, and information security.

To guarantee delivery, critical infrastructure requires many services to be able to work together. Examples include medical, food, energy, utility, and emergency services. Most of these rely on ICT-based systems to keep services up and running.

In cyber-attacks or other disasters, it is essential to be able to recover ICT systems to restore services quickly. Before an incident occurs, it is also necessary to have effective early warning, detection, and monitoring systems in place.

Best practice guidelines

The delivery of effective ICT service management is addressed by the ISO/IEC 20000 (Information technology – Service management) family of Standards. Information security issues are addressed by the ISO/IEC 27000 (Information technology – Security techniques) family of Standards. There are also sector and application specific information security Standards such as ISO/IEC 27011 for telecom services.

One area covered by ISO/IEC 20000 is service availability and continuity management. This addresses key questions such as:

  • what level of customer service does the service level agreement guarantee?
  • what does the service provider need to do to deliver this level of service?
  • what does the service provider need to do to withstand an online denial-of-service attack?
  • what if the service provider experiences a malware attack on its systems?
  • does the service provider have the information security controls in place to deal with these cyber-attacks and maintain its services?

ISO/IEC 20000 features several processes to maintain service availability while tackling problems such as cyber-attacks and system failures. These processes include service continuity and availability monitoring and testing, incident handling and problem management, capacity management, and information security management.

In the case of information security, ISO/IEC 20000 is linked with the information security management system Standard ISO/IEC 27001, which provides a full range of solutions to assist service providers with protecting their systems.

One of the important aspects of system protection is to understand the risks the service provider faces. ISO/IEC 27001 is risk-based: it requires the service provider to undertake a risk assessment, which helps it decide which information security controls should be implemented to ensure service availability and continuity.

ISO/IEC 27005 provides guidance on risk management for service providers that implement ISO/IEC 27001.

Given the importance of information security to the provision of ICT services, ISO/IEC 27013 is being developed to consider the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000.

The 'other' business options

Additional Standards in the ISO/IEC 27000 series provide guidance, together with service- and application-specific controls, to support service providers. For example, ISO/IEC 27031 applies to any organisation developing its ICT readiness to deal with incidents or threats, thereby helping to ensure business continuity.

ISO/IEC 27035 provides organisations with guidance on information security incident management. This Standard describes a basic set of documents, processes, and routines. It also gives guidance to external organisations supplying information security incident management services.

ISO/IEC 24762 gives guidelines on the provision of ICT disaster recovery (ICT DR) services as part of business continuity management. This applies to both in-house and outsourced ICT DR service providers of physical facilities and services.

In cloud computing, ISO/IEC JTC 1/SC 27, IT Security techniques, is developing two new Standards: ISO/IEC 27017 covers cloud-specific information security controls and ISO/IEC 27018 considers controls for personal data. Both of these Standards are being designed and developed to work alongside ISO/IEC 27001.

The ongoing development of Standards on information security and ICT service management gives individuals, governments, and businesses the security and peace of mind they need.

Note: You can order ISO and IEC Standards from www.standards.co.nz or call 0800 782 632 during business hours or email enquiries@standards.co.nz. Members of Standards New Zealand receive a 20% discount on all Standards. Visit our membership page for more information.

Related Standards

  • ISO/IEC 20000-1:2011 Information technology – Service management – Part 1: Service management system requirements
  • ISO/IEC 20000-2:2012 Information technology – Service management – Part 2: Guidance on the application of service management systems
  • ISO/IEC TR 20000-3:2009 Information technology – Service management – Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1
  • ISO/IEC TR 20000-4:2010 Information technology – Service management – Part 4: Process reference model
  • ISO/IEC TR 20000-5:2010 Information technology – Service management – Part 5: Exemplar implementation plan for ISO/IEC 20000-1
  • ISO/IEC 24762:2008 Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services
  • ISO/IEC 27000:2009 Information technology – Security techniques – Information security management systems – Overview and vocabulary
  • ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements
  • ISO/IEC 27002:2005 Information technology – Security techniques – Code of practice for information security management
  • ISO/IEC 27003:2010 Information technology – Security techniques – Information security management system implementation guidance
  • ISO/IEC 27004:2009 Information technology – Security techniques – Information security management – Measurement
  • ISO/IEC 27005:2011 Information technology – Security techniques – Information security risk management
  • ISO/IEC 27006:2011 Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
  • ISO/IEC 27007:2011 Information technology – Security techniques – Guidelines for information security management systems auditing
  • ISO/IEC TR 27008:2011 Information technology – Security techniques – Guidelines for auditors on information security controls
  • ISO/IEC 27010:2012 Information technology – Security techniques – Information security management for inter-sector and inter-organizational communications
  • ISO/IEC 27011:2008 Information technology – Security techniques – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
  • ISO/IEC 27031:2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity
  • ISO/IEC 27033-1:2009 Information technology – Security techniques – Network security – Part 1: Overview and concepts
  • ISO/IEC 27033-3:2010 Information technology – Security techniques – Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues
  • ISO/IEC 27034-1:2011 Information technology – Security techniques – Application security – Part 1: Overview and concepts
  • ISO/IEC 27035:2011 Information technology – Security techniques – Information security incident management
  • AS/NZS ISO 31000:2009 Risk management – Principles and guidelines
