ISO27k Conference, San Francisco

I'm at the 27k Summit for the Americas ISO27k conference at the South Francisco Conference Center near the airport this week, hoping to meet you!

The conference has several parallel themes and streams, including:

• Getting started with ISO27k - for people who want to get into this stuff
• Metrics - for people who need to measure and improve this stuff
• Cloud security and IoT - hot topics
• Compliance - a meta-theme since laws, regs and standards compliance is a strong driver for all the above

If I have time I'll update this post with info as the conference proceeds ....

• Jim Reavis from the Cloud Security Alliance gave a keynote about the proliferating cloud and IoT systems, globally expanding. CSA's CCM compliance/controls mapping is well worth looking at, while the CSA STAR program is a popular certification scheme for cloud providers.
  
  
• Dan Timko from Cirrity explained the ISO27k ISMS implementation and certification process, including the pre-certification followed a few months later by the stage 1 audit and just 5 weeks later the 'real' stage 2 certification audit. Most of the implementation effort went into documentation - documenting their policies and existing processes. For example, informal meetings 'didn't happen' if there was no record to prove it to the auditors, so meeting minutes etc. are much more common now.
  
  
• Richard Wilshire from Zygma gave a brief introduction to the forthcoming thoroughly revised version of ISO/IEC 27004 on metrics (called 'measures' or 'measurements' in ISO-speak: 'metrics' is a forbidden word!) supporting the ISMS specified in ISO/IEC 27001. He covered the basic questions about metrics e.g. why measure (for accountability and to drive ISMS performance in the right direction, and for compliance with 27001 clause 9.1 of course), what to measure (mostly the status of systems, controls and processes), when to measure (periodic data generation, analysis and reporting, plus ad hoc or event-driven metrics with analysis and reporting triggered by events or threshold values), who measures (several part-time roles suggested in the standard). The new version of 27004 should hopefully fall off the ISO glacier some time next year.
  
  
• Walt Williams from Lattice explained about developing metrics for business needs, not just for ISO27k compliance reasons. Setting goals helps e.g. a commonplace goal such as having zero privacy incidents directly suggests a simple metric. Reviewing goals and metrics drives improvement in your metrics.
  
  
• Gary Hinson from IsecT (me!) spoke about using GQM and PRAGMATIC to select/design, improve and get value from security metrics, in the ISO27k context, meaning information security for business sake. It seems to me that 'security metrics' are too often based around the availability of data generated automatically by technical security controls such as antivirus systems and firewalls, with little obvious relevance to the business. Tech-driven security metrics are not valued by general managers, whereas business-driven security metrics are right on-topic.
  
  
• Michael Fuller from Coalfire talked about ISO/IEC 27018, a standard about adapting/using the controls from ISO/IEC 27002 to ensure privacy for public cloud services. CSA STAR got another mention as a structured way of not just putting appropriate controls in place, but in an assured/certifiable form (with 3 levels, the lowest of which I believe is 'just' an assertion of compliance).
  
  
• Jorge Lozano from PwC addressed the design of metrics concerning performance of an ISO27k ISMS, based on the measurement requirement specified in 27001 and the metrics advice in 27004. He outlined a few example metrics similar to those appended to 27004, in a tabular format describing, on one screen per metric, its purpose, the way it is measured, and defined objectives or goals (target values and timescales). He then showed how the example metrics might be reported. Jorge recommended using risk-driven metrics because management understands risk. [I would argue that metrics should be business driven for the same reason, but in practice these are similar and complementary approaches.]
  
  
• Sumit Kalra from bpmcpa spoke about using ISO27k for compliance with multiple obligations, from the perspective of a compliance auditor. Sumit argued that all today's [information security related] compliance requirements are fundamentally the same, with relatively minor differences in the details but 'a structured approach' in common, hence it doesn't particularly matter which way you approach the process.
  
  
• Amit Sharma from Amazon Web Services briefly introduced AWS but mostly spoke about AWS security. Issues include: visibility (clouds are, well, cloudy!); security controls (e.g. customers should use data encryption, AWS or customers can manage private keys); auditability and monitoring (of manual and automated activities behind the scenes, and security status); tech complexity and 'polymorphism' (ongoing infrastructural changes are challenging for customers, especially for agile e.g. DevOps companies making frequent releases); compliance and regulatory interest (e.g. ISO/IEC 27001, PCI, HIPAA & other certifications); planning and coordinating stuff involves collaboration between multiple teams and takes time and management. Customers who don't use all the automated tools for reprovisioning etc. but do stuff manually can cause problems for AWS [they lose some control - the struggle between AWS and customers to control the IT environment resembles that between traditional IT departments and 'the business']. Standardization helps (e.g. sensible defaults, templates) plus automation.
  
  
• David Cannon from CertTest spoke about a cookie-cutter approach to quickly rolling out secure platforms and apps, which he called "an ISMS" with a very narrow scope (the narrower the better, it seems ... if your goal is to hoodwink management or business buyers, that is).
  
  
• Alan Calder from IT Governance spoke on using ISO27k for GDPR and NIS compliance i.e. privacy/data protection (for the EU, including service providers serving EU clients) coming into effect in May 2018. Alan gave a good background briefing about how the EU as a whole governs privacy for EU citizens, and on the forthcoming regs ... with citizen rights, compensation and fines up to 20 million Euros or 4% of global turnover (!), and fundamental privacy principles (as opposed to mandating explicit controls and tick-box compliance). The principles include informed consent, data protection, the right to be forgotten, data breach reporting within 72 hours etc. Alan mentioned the lapsed Safe Harbor and forthcoming Privacy Shield agreements between the EU and USA.
  
  
• Rob Giffin from Avalution Consulting presented on business continuity, using ISO 22301 (and other standards in the series) along with other management systems including an ISO27k ISMS (hence synergies mean collaboration is mutually beneficial). The implementation activities are similar e.g. clarify the goals of BCM (in business activity terms), the scope, the resources, the business contacts, the plans, the support tools ... 

Overall, the conference was a melting pot for ISO27k-related topics and professionals in the field, both greybeards and newbies. It was good to see so much interest in the standards, and so much free exchange of information. As with other conferences, the presentations were valuable and so were the off-line discussions and contacts with peers and friends, old and new.