ISO/IEC Cyber Audit standards

Joint Subcommittee 27 issues technical report on information security control review.

The joint IT subcommittee (SC 27) of the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC) has just released Technical Report 27008, designed to assist companies and organizations engaged in a review of information security controls. TR 27008 describes IT risk assessment and sets out guidelines for IT system documentation, continuous review and formal compliance.

A ground-up approach begins with an information security risk information gathering exercise—a literature search on previous incidents and near misses. The aim is to scope out the audit with a checklist of topics and a framework for future ‘fieldwork.’

Fieldwork itself consists of tests of the systems in place that verify compliance with regulatory obligations, standards and best practices. Antivirus checks, for instance, will include verification that these are in place and kept up to date across all computing platforms. Statistical sampling will likely be used if resources are limited.

A three-phase approach—review, interview and test—is recommended, with in-depth drill-down as appropriate. Interviews should include a representative sample of users, with special attention to key stakeholders. Testing will span software, hardware and processes and will include access control, backups, contingency planning and (much) more. Testing can include blind, double-blind and ‘grey box’ techniques. The TR concludes with recommendations for analysis and reporting and lengthy appendices of detailed procedures. The 44-page document is available for purchase.

This article originally appeared in Oil IT Journal 2011 Issue # 12.
