What are "information assets"?

Control 5.9 in ISO/IEC 27002:2022 recommends an inventory of information assets that should be “accurate, up to date, consistent and aligned with other inventories”. 

 

Fair enough, but what are 'information assets'? What, exactly, are we supposed to be inventorying?

 

The standard refers repeatedly but enigmatically to "information and other associated assets" that an organisation’s Information Security Management System protects. The intended meaning of 'information asset' has been a bone of contention within ISO/IEC JTC 1/SC 27 for years, some experts and national bodies vehemently disagreeing with each other until, eventually, a fragile ceasefire was declared in order to move forward on the numerous standards projects that hinge on the term. 

 

Currently, '27002 provides a rather broad and unhelpful definition of "asset" as "anything that has value to the organisation" - paperclips, for instance, fall within the definition. Does that mean your ISMS should protect paperclips since, arguably, they are 'associated with information', albeit very low value assets. I know this is reductio ad absurdam but it illustrates the tar pit that SC 27 found itself in.

On a more pragmatic note, I have consciously taken a wide view of information assets in preparing a checklist of information assets for SecAware. I intend to set you thinking about the potential scope, purpose and focal points of your ISMS. You may feel that certain items on the checklist are irrelevant ... or the checklist might just open your eyes to entire categories of valuable information that you hadn't even considered. Whether they end up in or out of scope of your ISMS is for you and your management colleagues to determine. I'm simply giving you food for thought.

 

Click the image for instant access!

Authorised exemptions

Inspired by an exchange on the ISO27k Forum yesterday morning, I wrote and published a simple 2-page exemptions policy template for SecAware. 

In essence, after explaining what 'exemptions' are, the policy requires that they are authorised after due consideration by management, specifically the relevant Information Owners.

Exemption decisions should also be recorded, hinting at a process and some sort of exemptions log. I'm wondering now whether to write a procedure as well, including a basic log template as a starting point. I'm also contemplating writing something on accountability and responsibility, and perhaps generic incident management and post incident review procedures to accompany the incident management policy. 

 Click the image for instant access!

The business context for information risk and security

Although the organisational/business context is clearly relevant and important to information risk and security management, it is tricky to describe. 

In my opinion, clause 4 of ISO/IEC 27001 is so succinct that it leaves readers perplexed as to what 'context' even means.  It stops short of explaining how to determine and make use of various 'internal and external issues' in an Information Security Management System. 

So, to help clients, I wrote and released a pragmatic 5-page management guideline on this for the SecAware ISMS toolkit, expanding on this neat little summary diagram:

With about a thousand words of explanation and pragmatic advice, the guideline has roughly ten times as many words as clauses 4.1 and 4.2 ... or twenty times if you accept that the picture is worth a thousand words. It was written independently of, and complements, ISO/IEC 27003's advice in this area.

Although I am happy with the SecAware ISMS toolkit materials as they are, I'm always looking for improvement opportunities, ways to add more value for clients. I'm currently working on, or at least thinking about:

• A set of fundamental information risk and security principles;
• A guideline on the Risk Treatment Plan and Statement of Applicability;
• Something on security engineering, perhaps: lots of literature to study first.
  

The sadly neglected Risk Treatment Plan (LONG)

 

For some curious reason, the Statement of Applicability steals the limelight in the ISO27k world, despite being little more than a formality. Having recently blogged about the dreaded SoA, 'nuff said on that.

Today I'm picking up on the SoA's shy little brother, the Risk Treatment Plan. There's a lot to say and think about here, so coffee-up, settle-down, sit forward and zone-in.

ISO/IEC 27001 barely even acknowledges the RTP. Here are the first two mentions, tucked discreetly under clause 6.1.3:

44 infosec principles (Hinson tips)

Thinking about the principles underpinning information risk and security, here's a tidy little stack of 44 "Hinson tips" - one-liners to set the old brain cells working this chilly mid-Winter morning:

• Address information confidentiality, integrity and availability, broadly
• Address internal and external threats, both deliberate and accidental/natural
• Celebrate security wins: they are rare and valuable
• Complete security is unattainable, an oxymoron
  

WANTED: a set of infosec principles we can all agree on

The SecAware corporate information security policy template incorporates a set of generic principles for information risk and security such as "Our Information Security Management System conforms to generally accepted good security practices as described in the ISO/IEC 27000-series information security standards." and "Information is a valuable business asset that must be protected against inappropriate activities or harm, yet exploited appropriately for the benefit of the organization."

Despite being reasonably happy with the 7 principles I selected, I would prefer to base the policy on a generally-accepted set of infosec principles, akin to the OECD Privacy Principles first published with remarkable foresight way back in 1980.  

 

There are in fact several different sets of principles Out There, often incomplete and imprecisely stated. Different authors take different perspectives, emphasizing different aspects, and the contexts and purposes also differ. 

 

It will be an 'interesting' challenge for ISO/IEC JTC 1/SC 27 to tease out, elaborate on, fine-tune and hopefully reach consensus on a reasonably succinct, coherent, comprehensive set of generally-applicable 'concepts and principles' for the next edition of ISO/IEC 27000. 

 

I just hope the learned committee doesn't end up specifying a racehorse looking something like this ...

 

The Matrix, policy edition

Inspired by an insightful comment on LinkeDin from an SC 27 colleague on the other side of the world (thanks Lars!), I spent most of last week updating the SecAware security policy templates and ISO27k ISMS materials.

The main change was to distinguish conformity from compliance - two similar terms that I admit I had been using loosely and often incorrectly for far too long. As I now understand them:

• Compliance refers to fulfilling binding (mandatory) legal, regulatory and contractual obligations;
  
• Conformity concerns fulfilling optional (discretionary) requirements in standards, agreements, codes of ethics etc. 

It's a fine distinction with implications for the associated information risks, given differing impacts:

• Noncompliance may lead to legal enforcement action (fines/penalties), other costly sanctions (such as more intrusive monitoring by the authorities and perhaps revocation of operating licenses) and business issues (such as reputational damage and brand devaluation, plus the costs of defending legal action). 
• The consequences of nonconformity may be trivial or nothing at all if nobody even cares, but can also involve business issues such as inefficiencies, excess costs and so on, particularly if customers, business partners, the authorities or other stakeholders are seriously concerned at management's apparent disregard for good security practices.

Certification of an organisation's ISMS, then, demonstrates its conformity with, not compliance to, ISO/IEC 27001 - well in most cases anyway, where management voluntarily chooses to adopt and conform to the standard. If they are obliged by some mandatory, legally-binding requirement (an applicable law or regulation, or perhaps terms in a formal contract with a supplier or customer, perhaps due to a law or regulation that pplies to them), I guess they must comply.

 

Putting that another way, nonconformity is an option. Noncompliance isn't.

Anyway, having adjusted the terminology and tweaked the SecAware materials, I took the opportunity to prepare two new 'bulk deal' packages - a comprehensive suite of information security policy templates, and a full set of ISO27k ISMS materials. I'm hoping to persuade customers to spend invest a little more for greater returns. 

The SecAware policies, for instance, are explicitly designed to work best as a whole, an integrated and coherent suite as opposed to an eclectic collection of policies on various discrete topics. In recent years, I have developed a spreadsheet to track the mesh of relationships between policies:

Yellow blobs on the matrix indicate touch-points between policies, issues of common concern. For example, blobs in the access control policy column mean the policy is related in some way to policies on business relationships, clear desk and screen, cryptography, database security and so on. 

If, say, a organisation has an access control policy but currently lacks a policy on the information risk and security aspects of business relationships (e.g. with its Internet and cloud service providers), that may represent a gap in its policy framework unless the access control policy happens to cover business relationship security as well. Likewise with all the other related aspects. While technically it would be possible for the access control policy to cover the lot, in practice that would be 'suboptimal', resulting in an unfocused, unweildy, convoluted and confusing policy, especially if each policy went into detail on related topics.

[Trust me, I know. BTDT. Years back I developed an 'Information security policy manual' as a single document. It was a headache to maintain and having grown to about 150 pages, a nightmare to read and understand. The 'policy suite' approach with a collection of topic-specific policies works better for me and our clients.]

The relationships are bidirectional, by the way: access control is relevant to business relationship security, and vice versa. That markedly simplifies the matrix since blobs to the right of the black diagonal would be a mirror image of those to the left.

The matrix is a surprisingly useful policy management tool, a simple, visual way to maintain the complex relationships between policies in the suite. A few days ago, for instance, I added entries for three new policies on responsible disclosure, threat intelligence and data masking/redaction. Updating the matrix involves determining, for each policy, which related areas are significant enough to merit blobs. It's worth checking that the linked policies don't both cover the same issues, at least not in any detail and especially not in conflicting terms - although, having personally written and regularly maintained these policies for decades, I already have a pretty good idea about what the related policies do and don't say. It's getting harder, though, as the suite approaches 80 topic-specific policies (!) plus 8 Acceptable Use Policies and an overarching Corporate Information Security Policy and, frankly, I'm getting on a bit.

The security architectural objective is to ensure that all relevant policy matters are covered clearly and unambiguously, leaving no significant gaps or overlaps. The policies need to interlock, supporting each other and strengthening the entire control construct. That's important from a governance perspective since policies are a primary mechanism for exerting management direction and control over the organisation.

So, there you have it, a Hinson tip for managing a complex mesh of information security or indeed other policies, something worth contemplating at least. I commend it to the house.

ISO/IEC 27400 IoT security and privacy standard published

To celebrate the publication of ISO/IEC 27400:2022 today, we have slashed the price for our IoT security policy templates to just $10 each through SecAware.com.

IoT policy is the first of the basic security controls shown on the 'risk-control spectrum' diagram above, and is Control-01 in the new standard ...

Do you have a security policy on IoT? If not, does that mean IoT is out of control in your organisation? Even if you do, what does it say? Is it valid, appropriate, worthwhile, sufficient?

 

The spectrum diagram shows quite a variety of risks and controls, but it is merely a summary, selected highlights. Attempting to cover them all in a policy document would be counterproductive - in fact, general employees can barely cope with a much-simplified one-page 'acceptable use policy'.

 

The new ISO/IEC 27400 standard takes a broad perspective with copious advice on information security and privacy for the designers, manufacturers, purchasers, users and administrators of IoT things.

The dreaded Statement of Applicability (LONG)

Subclause 6.1.3 of ISO/IEC 27001:2013 requires organisations to define and apply an information security risk treatment process to:

a) select appropriate information security risk treatment options, taking account of the risk assessment results;

The 'risk treatment options' (including the information security controls) must be 'appropriate' and must 'take account of ' (clearly relate to) the 'risk assessment results'. The organisation cannot adopt a generic suite of information security controls simply on the basis that they have been recommended or suggested by someone - not even if they are noted in Annex A.

b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;

NOTE Organizations can design controls as required, or identify them from any source.