Friday 16 August 2019

The brilliance of control objectives

Way back in the 1990s, BS 7799 introduced to the world a brilliant yet deceptively simple concept: the "control objective".

Control objectives are short, generic statements of the essential purpose or goal of various information security controls. At a high level, information security controls are intended to 'secure information' but what does that actually mean? The control objectives explain.

Here's an example:

    7. System access control

    7.1 Business requirement for system access

    Objective: To control access to business information.

    Access to computer services and data should be controlled on the basis of business requirements.
    This should take account of policies for information dissemination and entitlement.

At first glance, this control objective is self-evident: the objective of an access control is obviously to control access. But look again. The objective explicitly refers to 'business information', and the notes that follow emphasize business requirements and policies in this area. In other words, this security control has a business purpose. The reason for controlling access to IT systems is to secure business information for business reasons.

The standard didn't elaborate much on those business reasons, partly because they vary markedly between organizations. A bank, for instance, has different information facing different information risks than, say, a mining company or government department. They all have valuable information facing risks that need to be addressed, and system access control is likely to be applicable to each of them, but in different ways. There are subtleties here that the standard deftly sidestepped, leaving it to intelligent readers to interpret the standard according to their circumstances.

The standard went on to describe controls that would satisfy the objective, forming a strong link between the security measures employed and the business reasons for employing them. I've always treated the controls themselves as examples that illustrate possible approaches: reminders or hints of the kinds of things that might be useful to satisfy the control objectives. There are loads of different ways to secure access to IT systems, and as an experienced infosec pro I don't need a standard to list them all out for me in great detail, especially as those details depend on the situation and the business context (although the Germans have made a valiant attempt to do that!). Furthermore, there is a near-infinite set of possible controls if you consider all the combinations and permutations, parameters and variants, hence it is unrealistic to expect a standard to identify the one best way to do this. There isn't a unique solution to this puzzle.

So instead the succinct control objectives set us thinking about what we're trying to achieve for the business in each of the 30-odd areas covered. Brilliant!

The control objectives in BS 7799:1995 and the BSI/DTI Code of Practice that preceded it were well-written and remain relevant today. Unfortunately, they have been diluted over the years since BS 7799 became ISO/IEC 17799 then ISO/IEC 27002. I am disappointed to learn that the next release of '27002 may drop them altogether, severing a valuable link between business and information security ... but that doesn't mean they are gone altogether. Maybe I'll launch a collaborative project on the ISO27k Forum to elaborate on an updated set of control objectives, or maybe I'll just do it myself in my copious free time [not]. We'll see how it goes.
