Audio version of the article
A good control describes the organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) is reviewed independently at planned intervals or when significant changes occur. Ensure that information security compliance requirements are effectively addressed and maintained over time. In order to meet compliance requirements, it is necessary to continually review compliance methods, systems, and processes of departments that are affected by various policies, regulatory requirements, and laws to ensure that their approach to compliance is effective. It is good to get an independent review of security risks and controls to ensure impartiality and objectivity as well as benefit from fresh eyes. That doesn’t mean it has to be external, just benefit from another colleague reviewing policies in addition to the main author/administrator. These reviews should be carried out at planned, regular intervals and when any significant, security-relevant changes occur – ISO interprets regular to be at least annually. The auditor will be looking for both regular independent security review and review when significant changes occur, as well as take confidence there is a plan for regular reviews. They will also require evidence that reviews have been carried out and any issues or improvements identified in the reviews are appropriately managed.
A.5.35 Independent review of information security
The organization’s approach to managing information security and its implementation including people, processes and technologies should be reviewed independently at planned intervals, or when significant changes occur.
To ensure the continuing suitability, adequacy and effectiveness of the organization’s approach to managing information security.
ISO 27002 Implementation guidance
The organization should have processes to conduct independent reviews. Management should plan and initiate periodic independent reviews. The reviews should include assessing opportunities for improvement and the need for changes to the approach to information security, including the information security policy, topic-specific policies and other controls. Such reviews should be carried out by individuals independent of the area under review (e.g. the internal audit function, an independent manager or an external party organization specializing in such reviews). Individuals carrying out these reviews should have the appropriate competence. The person conducting the reviews should not be in the line of authority to ensure they have the independence to make an assessment. The results of the independent reviews should be reported to the management who initiated the reviews and, if appropriate, to top management. These records should be maintained. If the independent reviews identify that the organization’s approach and implementation to managing information security is inadequate [e.g. documented objectives and requirements are not met or are not compliant with the direction for information security stated in the information security policy and topic-specific policies , management should initiate corrective actions. In addition to the periodic independent reviews, the organization should consider conducting independent reviews when:
a) laws and regulations which affect the organization change;
b) significant incidents occur;
c) the organization starts a new business or changes a current business;
d) the organization starts to use a new product or service, or changes the use of a current product or service;
e) the organization changes the information security controls and procedures significantly.
ISO/IEC 27007 and ISO/IEC TS 27008 provide guidance for carrying out independent reviews.
The overarching aim is for management to create and implement processes that cater for independent reviews of their information security practices.The independent review should be conducted by the Management. An independent review is necessary to ensure the continuing suitability, adequacy and effectiveness of organization’s approach to managing information security. The review should include assessing opportunities for improvement and the need for changes to the approach to security, including the policy and control objectives. Individuals carrying out these reviews should have the appropriate skills and experience. The results of the independent review should be recorded and reported to the management who initiated the review . These records should be maintained. Reviews should focus on any changes that are required to improve an organisation’s approach to information security, including:
- The information security policy.
- Topic-specific policies.
- Related controls.
If the independent review identifies inadequacies in the approach or implementation of information security, e.g. documented objectives and requirements are not met or not compliant with the direction for information security stated in the information security policies and standards, management should consider corrective actions. The organization that seeking for ISO 27001 certification (ISMS) must maintains a ‘Master List of Independent Information Security Reviewers. For each independent review, the certified ISO 27001 organization chooses reviewer(s) from its ‘Master List of Independent Information Security Reviewers’ and gets the review done. Reports submitted by the independent reviewers shall discussed immediately with the top management and the concerned department within the organization, and, necessary corrective and/or preventive actions are taken. The outcome of independent review and actions taken would be discussed in the subsequent management review as well. Alongside periodic reviews, it may be necessary to initiate ad-hoc reviews. These reviews can be justified across 5 key areas:
- Any laws, guidelines or regulations are amended which affect the organisation’s information security operation.
- Major incidents occur that have an impact on information security (data loss, intrusion etc).
- A new business is created, or major changes are enacted to the current business.
- The organisation adopts a new product or service that has information security implications, or makes underlying changes to a current product or service.
- Major changes are made to the organisation’s bank of information security controls, policies and procedures.
Such an independent review is required to ensure that the organization ‘s approach to information security management remains consistent, appropriate, and efficient. The analysis will include an assessment of improvement opportunities and the need to change the security approach, including policy and control objectives. Such a review would need to be conducted by people independently of the area being reviewed, e.g. an internal audit function, an independent manager, or a specialized external party organization. Those who conduct these reviews should have the skills and experience needed. The independent review results must be recorded and reported to the management responsible for initiating the review. These records are to be maintained. When, for example, the defined aims and objectives and needs of the company are not met in compliance with the guiding principle for security of information as set out in the information security policy. Reviewers should seek to establish whether or not information security practices are compliant with the organisation’s “documented objectives and requirements” stated within the information security policy, or any topic-specific policies.Management should pursue corrective measures. The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur. The objective is to ensure that information security is implemented and operated in accordance with the organizational policies and procedures. It is important to have unbiased reviews of information security organization programs and initiatives on a recurring basis in order to measure and ensure effectiveness. Often, these reviews are carried out by multiple parties: internal audit departments, external auditors, and assessments performed by contractors or consultants. It is also important that individuals performing reviews and assessments are qualified to do so. The primary objective of independent reviews is to measure effectiveness and ensure continuous improvements are made. In the event that your organization does not have an internal audit function, you may be able to develop a cooperative agreement with another organization or hire a consulting firm to conduct an audit and/or assessment of specific areas you need to have assessed. Note: For some organizations, an independent review may include representatives from legal counsel, an executive leadership team, and/or a system office.
A 5.36 Compliance with policies, rules and standards for information security
Compliance with the organization’s information security policy, topic-specific policies, rules and standards should be regularly reviewed.
To ensure that information security is implemented and operated in accordance with the organization’s information security policy, topic-specific policies, rules and standards.
ISO 27002 Implementation guidance
Managers, service, product or information owners should identify how to review that information security requirements defined in the information security policy, topic-specific policies, rules, standards and other applicable regulations are met. Automatic measurement and reporting tools should be considered for efficient regular review.
If any non-compliance is found as a result of the review, managers should:
a) identify the causes of the non-compliance;
b) evaluate the need for corrective actions to achieve compliance;
c) implement appropriate corrective actions;
d) review corrective actions taken to verify its effectiveness and identify any deficiencies or weaknesses.
Results of reviews and corrective actions carried out by managers, service, product or information owners should be recorded and these records should be maintained. Managers should report the results to the persons carrying out independent reviews when an independent review takes place in the area of their responsibility.
Corrective actions should be completed in a timely manner as appropriate to the risk. If not completed by the next scheduled review, progress should at least be addressed at that review.
Department Managers have a compliance responsibility to make sure that applicable security procedures related to their area of control are implemented and performed correctly to achieve compliance with internal security policies and standards. Department managers are responsible for all initial and recurring security incident policy training of workforce members, and for enforcing computer and data security policies and standards. Managers should identify how to review and assess that information security requirements defined in policies, standards and other applicable regulations are met. If any non-compliance is found as a result of the review, managers should:
a) Identify the causes of the non-compliance;
b) Evaluate the need for actions to achieve compliance;
c) Implement appropriate corrective action;
d) Review the corrective action taken to verify its effectiveness and identify any deficiencies or weaknesses.
Results of reviews and corrective actions carried out by managers should be recorded and these records should be maintained. Managers should report the results to the persons carrying out independent reviews when an independent review takes place in the area of their responsibility
Many organizations are considering the implementation of Governance, Risk, and Compliance (GRC) solutions to automate compliance reviews and reporting, as well as assisting with determining corrective actions that need to be managed. ISMS managers should regularly review the compliance of information processing and procedures within their area of responsibility Managers will determine how information security criteria identified in policies, standards, and other regulations are to be assessed. For efficient routine analysis, automated measuring and reporting tools should be considered.If any failure to comply results from the review are detected, managers should:-
- Identify the reasons of failure to comply;
- Assess the need for compliance measures;
- Implement effective remedial measures;
- Review the steps taken to verify their efficiency and recognize any deficiencies or vulnerabilities.
Details of the managers’ assessments and disciplinary measures should be reported and documented. If an independent review takes place within its area of responsibility, administrators will report the findings to individuals conducting independent reviews
Policies are only effective if they are enforced and compliance is tested and reviewed on a regular periodic basis. It is usually the responsibility of the line management to ensure that their subordinate staff complies with organizational policies and controls but this should be complemented by occasional independent review and audit. Where non-compliance is identified, it should be logged and managed, identifying why it occurred, how often it is occurring and the need for any improvement actions either relating to the control or to the awareness, education, or training of the user that caused the non-compliance. The auditor will be looking to see that both; Proactive preventative policies, controls, and awareness programs are in place, implemented, and effective; and Reactive compliance monitoring, review, and audit are also in place. They will also be looking to see that there is evidence of how improvements are made over time to ensure an improvement in compliance levels or maintenance if compliance is already at 100%. This dovetails into the main requirements of ISO 27001 for 9 and 10 around internal audits, management reviews, improvements, and non-conformity too. Staff awareness and engagement is also important to tie into this part for compliance confidence.
Technical compliance should be reviewed, either by IT or as part of an independent review, preferably with the assistance of automated tools, which generate technical reports for subsequent interpretation by a technical specialist. Alternatively, manual reviews (supported by appropriate software tools, if necessary) by an experienced system engineer could be performed. If penetration tests or vulnerability assessments are used, caution should be exercised as such activities could lead to a compromise of the security of the system. Such tests should be planned, documented and repeatable. Any technical compliance review should only be carried out by competent, authorized persons or under the supervision of such persons. Information systems should be regularly reviewed for compliance with the organization’s information security policies and standards. Automated tools are normally used to check systems and networks for technical compliance and these should be identified and implemented as appropriate. Where tools such as these are used, it is necessary to restrict their use to a few authorized personnel as to possible and to carefully control and coordinate when they are used to prevent compromise of system availability and integrity. Adequate levels of compliance testing will be dependent on business requirements and risk levels, and the auditor will expect to see evidence of these considerations being made. They will also expect to be able to inspect testing schedules and records. Technical compliance reviews are also performed by many organizations. From vulnerability and DLP (data loss prevention) assessments to penetration testing, there are a number of technical solutions available to help information security teams conduct effective reviews of IT infrastructure and the information life cycle (processing, transmitting, storing). Some of these tools can disrupt business and IT operations if used by untrained individuals, which leads some campuses to use third parties for these purposes. However, these examinations are just a ‘snapshot’ at a point in time and must be repeated at recurring intervals in order to become an effective method or process.
If you need assistance or have any doubt and need to ask any question contact me at email@example.com. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.