Issue 39 – June 2012
This article was written by Prof Edward Humphreys and first appeared in ISO Focus+, March 2012 and is summarised here with permission from ISO. Prof Humphreys is Chair of the working group responsible for the development and maintenance of the ISO/IEC 27000 family of Standards.
A broad range of Standards from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) address key issues faced by the world's fast-growing information and communications technology (ICT) industry, including preventing cyber-attacks, ensuring information security, and maintaining business continuity.
ICT is a common business tool in most organisations, serving many business purposes across a wide range of applications and processes. Its use depends on associated services provided either within the organisation, for example by an internal ICT services department, or by a third party.
Up and running
Over recent years, 'cloud computing' has become a fashionable term for the delivery of services such as applications as a service, software as a service, and infrastructure as a service.
An example is data storage on a third-party cloud server. This can reduce an organisation's costs, since it no longer needs to manage and maintain its own server. There is a possible downside too: can the cloud provider manage the ICT and data storage service efficiently, securely, and effectively?
This raises the question of how to provide effective ICT service management and information security. For example, if the cloud service provider is in one country and the organisation supplying personal data is in another, how does the cloud provider protect its customers' data? And how does the cloud provider comply with the national laws that apply when its clients are geographically dispersed around the world?
ICT service management also has a key role in the delivery of ICT services. If implemented properly, it can increase efficiency and cost-effectiveness, increase flexibility in the use of ICT resources and applications, reduce response times, and improve quality of service.
Information security plays a key role in realising these benefits, because it underpins effective service delivery.
In the case of critical national infrastructure, service provision needs to be carefully considered. Appropriate solutions and controls are necessary for ICT service management, ICT readiness and preparedness for dealing with disasters and continuity issues, incident handling, and information security.
To guarantee delivery, critical infrastructure requires many services to be able to work together. Examples include medical, food, energy, utility, and emergency services. Most of these rely on ICT-based systems to keep services up and running.
When a cyber-attack or other disaster strikes, it is essential to be able to recover ICT systems and restore services quickly. Before an incident occurs, it is equally necessary to have effective early warning, detection, and monitoring systems in place.
Best practice guidelines
The delivery of effective ICT service management is addressed by the ISO/IEC 20000 (Information technology – Service management) family of Standards. Information security issues are addressed by the ISO/IEC 27000 (Information technology – Security techniques) family of Standards. There are also sector- and application-specific information security Standards, such as ISO/IEC 27011 for telecommunications organisations.
One area covered by ISO/IEC 20000 is service availability and continuity management. This addresses key questions such as:
- what level of customer service does the service level agreement guarantee?
- what does the service provider need to do to deliver this level of service?
- what does the service provider need to do to withstand an online denial-of-service attack?
- what if the service provider experiences a malware attack on its systems?
- does the service provider have the information security controls in place to deal with these cyber-attacks and maintain its services?
ISO/IEC 20000 features several processes to maintain service availability while tackling problems such as cyber-attacks and system failures. These processes include service continuity and availability monitoring and testing, incident handling and problem management, capacity management, and information security management.
For information security, ISO/IEC 20000 is linked with the information security management system (ISMS) Standard ISO/IEC 27001, which specifies the requirements for an ISMS and a reference set of controls that service providers can apply to protect their systems.
One of the important aspects of system protection is understanding the risks the service provider faces. ISO/IEC 27001 is a risk-based Standard: it requires the service provider to undertake a risk assessment and use the results to decide which information security controls should be implemented to ensure service availability and continuity.
ISO/IEC 27005 provides guidance on risk management for service providers that implement ISO/IEC 27001.
Given the importance of information security to the provision of ICT services, ISO/IEC 27013 is being developed to consider the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000.
The 'other' business options
Additional Standards in the ISO/IEC 27000 series provide guidance, and service- and application-specific controls, to support service providers. For example, ISO/IEC 27031 applies to any organisation developing its ICT readiness to deal with incidents or threats, thereby supporting business continuity.
ISO/IEC 27035 provides organisations with guidance on information security incident management. This Standard describes a basic set of documents, processes, and routines. It also gives guidance to external organisations supplying information security incident management services.
ISO/IEC 24762 gives guidelines on the provision of ICT disaster recovery (ICT DR) services as part of business continuity management. This applies to both in-house and outsourced ICT DR service providers of physical facilities and services.
In cloud computing, ISO/IEC JTC 1/SC 27, IT Security techniques, is developing two new Standards: ISO/IEC 27017 covers cloud-specific information security controls and ISO/IEC 27018 considers controls for personal data. Both of these Standards are being designed and developed to work alongside ISO/IEC 27001.
The ongoing development of Standards on information security and ICT service management gives individuals, governments, and businesses a common basis for the security and assurance they need.
Note: You can order ISO and IEC Standards from www.standards.co.nz or call 0800 782 632 during business hours or email email@example.com. Members of Standards New Zealand receive a 20% discount on all Standards. Visit our membership page for more information.
- ISO/IEC 20000-1:2011 Information technology – Service management – Part 1: Service management system requirements
- ISO/IEC 20000-2:2012 Information technology – Service management – Part 2: Guidance on the application of service management systems
- ISO/IEC TR 20000-3:2009 Information technology – Service management – Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1
- ISO/IEC TR 20000-4:2010 Information technology – Service management – Part 4: Process reference model
- ISO/IEC TR 20000-5:2010 Information technology – Service management – Part 5: Exemplar implementation plan for ISO/IEC 20000-1
- ISO/IEC 24762:2008 Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services
- ISO/IEC 27000:2009 Information technology – Security techniques – Information security management systems – Overview and vocabulary
- ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements
- ISO/IEC 27002:2005 Information technology – Security techniques – Code of practice for information security management
- ISO/IEC 27003:2010 Information technology – Security techniques – Information security management system implementation guidance
- ISO/IEC 27004:2009 Information technology – Security techniques – Information security management – Measurement
- ISO/IEC 27005:2011 Information technology – Security techniques – Information security risk management
- ISO/IEC 27006:2011 Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27007:2011 Information technology – Security techniques – Guidelines for information security management systems auditing
- ISO/IEC TR 27008:2011 Information technology – Security techniques – Guidelines for auditors on information security controls
- ISO/IEC 27010:2012 Information technology – Security techniques – Information security management for inter-sector and inter-organizational communications
- ISO/IEC 27011:2008 Information technology – Security techniques – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
- ISO/IEC 27031:2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity
- ISO/IEC 27033-1:2009 Information technology – Security techniques – Network security – Part 1: Overview and concepts
- ISO/IEC 27033-3:2010 Information technology – Security techniques – Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues
- ISO/IEC 27034-1:2011 Information technology – Security techniques – Application security – Part 1: Overview and concepts
- ISO/IEC 27035:2011 Information technology – Security techniques – Information security incident management
- AS/NZS ISO 31000:2009 Risk management – Principles and guidelines
- ISO cloud computing committee – update on working groups progress, Touchstone, May 2012
- New ISO information technology Standards – service management systems, information security risk management, and security of biometric data online, media release, 14 September 2011
- Information technology – new ISO/IEC service management Standard, media release, 11 July 2011
- Hackers – new ISO/IEC Standard proposes a solution, media release, 4 May 2011