The Information Security Standard ISO/IEC 27002 is divided into eleven main sections. Section 1 is the Security Policy.

The Security Policy

The security policy normally describes:

The organisation's requirements for information security The scope of the Information Security Management System (ISMS), including business functions, areas and sites covered The general philosophy towards information security To be effective it should be clearly supported by senior management. Specific policies and procedures within the Information Security Management System (ISMS) must be consistent with the security policy. If a person encounters a situation that is not specifically mentioned in detail, the security policy should be a good general guide for actions required.

The Information Security Standard ISO/IEC 27002 is divided into eleven main sections. Section 2 is Organising Information Security.
Organising Information Security

The Organising Information Security section should describe:

How the organisation manages information security The responsibilities of each relevant person, committee or forum. Includes responsibilities for creating, revising and following procedures and policies Many companies will have a management structure that can support information security without major changes. In such companies, the only requirement may be that a few committees have "information security report" as a standard agenda item. An organisational security structure should be detailed, indicating:

Who staff can contact when they need help or advice Who staff should report to regarding security problems, difficulties or successes At the top of the structure should be the Board (or equivalent), which has overall responsibility for the organisation. Those responsible for following the policies and procedures should be arranged in a hierarchy below this level. Organisational security must include temporary staff, contractors and third parties with access to sites, equipment, people or information.

The Information Security Standard ISO/IEC 27002 is divided into eleven main sections. Section 3 is Asset Management.
Asset Management

Organisations are used to completing inventories of physical assets - for example, computers, printers, machinery, vehicles etc. But information is also recognised as a vital asset for every organisation. The value of specific information will depend on factors such as:

How much it cost to obtain How much it would cost to replace The extent of damage done to the organisation if it was disclosed to the public or a competitor An Information Asset Register (IAR) should be created, detailing every information asset within the organisation. For example:

Databases Personnel records Scale models Prototypes Test samples Contracts Software licences Publicity material The Information Asset Register (IAR) should also describe:

Who is responsible for each information asset Any special requirements for confidentiality, integrity or availability The value of each asset can then be determined to ensure appropriate security is in place.

The Information Security Standard ISO/IEC 27002 is divided into eleven main sections. Section 4 is Human Resources.
Human Resources

This covers aspects of job definitions and resourcing, to reduce the risk of human error and ensure that staff understand what their rights and responsibilities are concerning information security. Most organisations require staff to keep client information confidential. They also ask staff to report security incidents and perceived weaknesses. Appropriate personnel security ensures:

That employment contracts and staff handbooks have agreed, clear wording Ancillary workers, temporary staff, contractors and third parties are covered

Anyone else with legitimate access to business information or systems is covered It must deal with rights as well as responsibilities, for example:

Access to personal files under the Data Protection Act Proper use of equipment as covered by the Computer Misuse Act Staff training is an important feature of personnel security to ensure the Information Security Management System (ISMS) continues to be effective. Periodically, refreshers on less frequently used parts of the Information Security Management System (ISMS), such as its role in disaster recovery plans, can make a major difference when there is a need to put the theory into practice.

The Information Security Standard ISO/IEC 27002 is divided into eleven main sections. Section 5 is Physical and Environmental Security.
Physical and Environmental Security

This section details any physical aspects of access control to information and information systems. Ensuring that there is a proper environment for systems, records and staff is essential for maintaining confidentiality, integrity and availability of information. The following aspects should be considered:

Protection o of information and information systems from the elements is as important as protecting them from unauthorised people o of physical access, which should be restricted to authorised personnel. IT equipment is tempting to thieves, and can be damaged by accidents or sabotage

Maintenance of the physical operating environment in a computer server room is as important as ensuring that paper records are not subject to damage by mould, fire or fading. o of supporting equipment such as air conditioning plant or mains services
o

Physical controls can be difficult to manage as they rely to some extent on building structure, but good physical security can be very effective.

The Information Security Standard ISO/IEC 27002 is divided into eleven main sections. Section 6 is Communications and Operations Management.
Communications and Operations Management

The day-to-day operation of IT systems is fundamental to most organisations, and as such, security is vital. Keeping IT and communications systems secure is covered in this, the largest section of ISO/IEC 27002. Everything from acceptance criteria for new or updated systems to virus defence software and incident management procedures is described. Many of the issues covered apply to every IT system, irrespective of size, purpose, internal or external operation. Subsections include:

Networks Handling computer media Electronic commerce E-mail Publicly available systems (such as websites) This is a rapidly changing area of security. New viruses and hacking opportunities are the most publicised issues. However, many incidents are caused by poor system design and management as well as accidents or unauthorised access for 'playing' rather than malicious actions. Good security practice in communications and operations management ensures efficient and effective business systems.

The Information Security Standard ISO/IEC 27002 is divided into eleven main sections. Section 7 is Access Control.
Access Control

Access control is about managing direct access to:

Information Computer applications Operating system facilities Effective control ensures that staff have appropriate access to information and applications, and do not abuse it. Management issues, such as periodic reviews of user accounts, can apply as much to IT systems as to physical access control systems. Confidentiality of information is best achieved by ensuring that people only have access to the information they actually need. If access rules are too detailed, managing them will be very difficult. If they are too general, people will have access to information or applications that they will never need. A balance must be struck depending on:

Needs of the business

Security features provided by the systems Trust in staff Consideration of security issues during system design, development and procurement will greatly enhance effectiveness. Look for:

Strong password enforcement Management of access rights to read, amend, process or delete information Analysis of what users require to do their job Analysis of the security features each system can provide

The Information Security Standard ISO/IEC 27002 is divided into eleven main sections. Section 8 is Information Systems Acquisition, Development and Maintenance.
Information Systems Acquisition, Development and Maintenance

Designing a new system with security in mind is more likely to result in effective and workable security features, than if you attempt to impose security on an existing (but insecure) system. This area includes:

Security requirements analysis and specification Application security Use of cryptography Security of system files If you develop your own systems, or have them developed for you, good practice in this area is essential to ensure that they work and information remains secure.

The Information Security Standard ISO/IEC 27002 is divided into eleven main sections. Section 9 is Information Security Incident Management.
Information Security Incident Management

This section deals with putting procedures in place to ensure information security events and weaknesses are reported through appropriate channels in order to allow corrective action to be taken. All employees, contractors and third party users need to be aware of their responsibilities to report any information security incidents as quickly as possible; as well as being aware of what procedures to follow. It is also important to have mechanisms in place to quantify and monitor incidents as well as collective evidence as required. To read more about this subject, go to Incident Management, which includes sections on reporting as well as forensics.

The Information Security Standard ISO/IEC 27002 is divided into eleven main sections. Section 10 is Business Continuity Management.
Business Continuity Management

Each organisation's business relies on its own staff, systems and, to some extent, other organisations. Anything from a burst water main to a terrorist attack on a foreign country can have a major effect on an organisation. As such, there must be a process for:

Managing business continuity plans Plans and Processes Plan development is one of the most important parts of business continuity management implementation (Stage 3 of the business continuity management process). Without workable plans the process will certainly fail. Plans are needed on three levels, as detailed below.
Level 1

At the highest level a crisis management process and plan is needed. This plan will be supported by other plans as necessary including:

Damage assessment plan Salvage plan Public relations plan Vital records plan

These are used to identify and respond to a service disruption, to ensure the safety of all affected staff members and visitors and to determine whether to implement the business recovery process.
Level 2

This should include key support functions, for example:

Accommodation and services plan Computer systems and network plan Telecommunications plan Security plan Personnel plan Finance and administration plan
Level 3

Each critical business area is responsible for the developing a plan to show individuals in recovery teams and a detailed task list for the recovery process. The owners of each plan must ensure that they have identified and agreed support and services required from other parties. There are many options for developing plans including traditional word processing documents, database packages or specialist planning and plan

development tools. Plans must be easily accessible and distributed to all personnel who have a part to play in a recovery. A useful tip is to create single crib sheets for each team. These might include:

Who owns the plan and who is responsible for updating it General responsibilities Assembly points and incident control centres, where applicable Departmental strategy Members of the recovery team and alternative contact details Other useful contacts Facilities to be provided at the recovery site Action list How to get to the recovery site

The IT recovery plan must contain all information needed to recover the computer systems, network and telecommunications in a disaster situation. It must also contain details of how lost data can be recovered and reconciled and how systems can be realigned. The plan should include:

Systems and applications restoration procedures 'Run-books' detailing the order of recovery of applications and data Business-driven data reconciliation Data integrity checking Security permissions

Business impact analysis Impact Analysis How much does your organisation stand to lose in the event of a disaster or other disruption? The purpose of a Business Impact Analysis (Stage 2 of the business continuity management process) is to assess the risk by identifying:

Critical business processes The potential damage or loss that may be caused to the organisation as a result of a disruption to critical business processes

This analysis determines what recovery facilities are provided and ensures that the organisation can allocate business continuity management resources in the most appropriate way. If a Business Impact Analysis is not undertaken, or is not done correctly, resources may be wasted on unnecessary services that do not fully support a recovery.
What should be included?

Specifically the Business Impact Analysis will identify impacts resulting from an inability to undertake normal business processes. Impacts are measured against particular scenarios - for example, the inability to provide call centre services for a period of time. The impact analysis should concentrate on those scenarios where the impact on critical business processes is likely to be greatest. It will include:

'Hard' impacts - financial loss, breach of law, regulations, or standards, failure to achieve agreed service levels, increased costs of working 'Soft' impacts - political, corporate or personal embarrassment, loss of competitive advantage, loss of credibility

Consideration will also be given to how the degree of damage or loss is likely to escalate after a service disruption. This will enable identification of the minimum critical requirements for the continued operation of the business process, and the timescale within which such requirements should be provided. These requirements include:

The staffing, skills, facilities and services (including the IT applications and data recovery requirements) necessary to enable critical and essential business processes to continue operating at a minimum acceptable level The time within which minimum levels of staffing, facilities and services should be recovered The time within which all required business processes and supporting staff, facilities and services should be fully recovered

This information can be collected through interviews or workshops with senior members of the business areas. It is important that respondents have a good understanding of their business including an appreciation of dependencies on other departments. The Business Impact Analysis enables each business area to understand at what point the unavailability of their business process would become untenable within the organisation - immediately, after a day, week, month or so on. This in turn allows the most appropriate continuity mechanisms to be determined to meet these business requirements.
Other Considerations

The Business Impact Analysis should also consider any implications associated with loss of integrity of information, and for IT systems the impact of the loss of data. With the move to direct data entry and online transaction processing, consideration of how data will be reconciled is an essential part of the recovery process. In most cases, business processes can be re-established without a full complement of staff, systems and other facilities, while still maintaining an acceptable level of service to clients and customers.The business recovery objectives should therefore be stated in terms of:

The time within which a predefined team of core staff and stated minimum facilities must be recovered The timetable for recovery of remaining staff and facilities The point to which data must be recovered

Implementation and testing Testing The purpose of testing (Stage 3 of the business continuity management process) is to:

Raise the level of confidence in the ability to recover from a systems failure Raise awareness and implement training processes within the organisation as early as possible

An initial technical test can usually be completed without the need to involve the business. However, for subsequent tests it is prudent to involve the business as a whole. This will help to improve capability, and aid mutual understanding of the activities and resources needed to achieve the common goal of business recovery. A full technical test will replicate as far as possible the stand-by arrangements, including the recovery of business processes and the involvement of external parties. This should test completeness of the plans and confirm:

Time objectives. For example, time taken to recover key server applications Staff preparation and awareness Staff duplication and potential over commitment of key resources. For example, a systems administrator being required to support a number of modular plans (help desk, operations, networks and communications) Responsiveness, effectiveness and awareness of third parties and service provider

It is also necessary to ensure that the business recovery teams are tested. This can include familiarisation with the recovery site, and the provision of examples that will test the team response to a relevant scenario. All tests, whether technical or non- technical must have clearly defined objectives and critical success factors which will be used to determine the success or otherwise of each exercise.

Business continuity management considers the risks within an organisation and ensures that core processes keep running during adverse events. Tests do not have to be carried out 'for real', but could be 'paper exercises'. A review procedure to ensure that the plans are workable, and are sufficiently general to cover the most likely occurrences, is also necessary.

To read more about this subject, see our separate Business Continuity Management section.

ISO/IEC 27002 Section 11 The Information Security Standard ISO/IEC 27002 is divided into eleven main sections. Section 11 is Compliance.
Compliance

Every organisation within the United Kingdom is required to comply with UK and EU law. Within the scope of the Information Security Management System (ISMS), each organisation should list the main laws that affect its activities. Within the UK, these include:

Health and Safety legislation The Data Protection Act The Computer Misuse Act The Designs, Copyrights and Patents Act and The Human Rights Act

Compliance with these is a legal requirement, and implementing BS 7799 is a good way of ensuring that your business does comply. For further information see our Legislation section.