International - ISO Standards and Frameworks
The International Organization for Standardization ('ISO') is an international standard-setting body composed of representatives from 164 national standards bodies. ISO has developed several standards regarding information security management systems ('ISMS'), personal information management system ('PIMS'), privacy frameworks, and risk and impact assessments.
This Guidance Note provides an overview of some of the key standards issued by ISO.
2. ISO 27001
ISO 27001 describes how to establish, maintain and continually improve an ISMS. It is one of the most widely adopted information security standards, and countless organisations have certified against it to demonstrate adequate security to customers, business partners and regulators. The edition discussed in this note is ISO/IEC 27001:2013; it has since been superseded by ISO/IEC 27001:2022, which keeps the Clause 4-10 structure but reorganises and renumbers the Annex A controls, so the A.x references below follow the 2013 numbering.
Organisations that meet the requirements of ISO 27001 can be certified by an accredited certification body after successfully completing an audit against the standard. According to ISO, in 2016 more than 33,000 organizations globally held certification.
An ISMS is an organisation's systematic approach to managing and protecting the confidentiality, integrity and availability ('CIA') of information. More specifically, an ISMS includes the policies, procedures, guidelines, resources, activities and controls employed in pursuit of that aim.
For example, if the goal of a privacy team is to implement Privacy by Design - the proactive embedding of privacy into the design specifications of information technologies, network infrastructure and business practices - then the goal of an ISMS team would be to accomplish that very same thing, but with security, i.e., to implement 'Security by Design.'
Naturally then, an effective ISMS necessitates skilled decision-making, documented policies and procedures, awareness training, clear lines of responsibility and asset ownership, risk assessments and risk treatment plans, incident response, vendor management, internal auditing, and more.
2.2. Security and prevention
ISO 27001 provides a roadmap for building a comprehensive ISMS and implementing only those security controls that are justified by a risk assessment. This roadmap starts with determining the internal and external issues that might affect security (including the interests of third parties) in order to fix the scope and context of the ISMS, and then creating policies and procedures to match.
Specifically, Clause 4 of ISO 27001 requires that you document the internal and external factors affecting your ISMS, as well as the needs and expectations (including requirements) of any interested parties that are relevant to the ISMS, and that you take these things into account when determining the scope (i.e., the boundaries and applicability) of your ISMS. Finally, Clause 4 requires that the ISMS be formally documented and undergo continuous improvement.
Clause 5 is concerned with leadership and responsibilities - ensuring an organisation-wide commitment to information security, communicating a documented information security policy throughout the organisation, and having defined roles and responsibilities with respect to information security.
Clause 6 is about planning - including creating a documented procedure for identifying, assessing and treating information security risks and opportunities for improvement, as well as a process identifying information security objectives and creating detailed plans on how to achieve them. Risk treatment plans and ISMS objectives should be 'S.M.A.R.T.' -Specific, Measurable, Achievable, Relevant, and Time bound.
Clause 7 is about support for the ISMS. It requires that you allocate the resources necessary for achieving your objectives and for the continual improvement of the ISMS, and that in-scope personnel have the necessary levels of information security education, training and experience. It also requires organisation-wide awareness of information security policies and procedures and of individual roles and responsibilities (e.g., that information security is the responsibility of all personnel). Lastly, Clause 7 requires a documented approach to internal and external communications about the ISMS, and documented control of ISMS documentation: review and approval of new or updated documents, and proper handling, distribution and retention of them.
Clause 8 is primarily about implementation of the plans set out in Clause 6. It requires that you perform risk assessments at planned intervals or when significant changes are planned or occur, and that you document the results. It then requires you to implement the risk treatment plan that follows from the assessment and to document the results of treatment. The 'statement of applicability' that these plans rely on is itself required by Clause 6.1.3: it lists the ISO/IEC 27001:2013 Annex A controls that have been deemed applicable to the ISMS, whether each is implemented, and the justification for every inclusion and exclusion.
Clause 9 covers performance evaluation. It requires that you monitor, measure, analyse and evaluate the ISMS, that you conduct internal audits of the ISMS against the ISO/IEC 27001:2013 standard (including Clauses 4-10 and the applicable Annex A controls), and that you conduct management reviews of the ISMS at planned intervals.
Lastly, Clause 10 calls for a documented corrective action procedure for addressing 'nonconformities' with the ISO/IEC 27001:2013 standard. Non-conformities are typically identified during audits. Non-conformities identified during an external certification or surveillance audit are typically accompanied by deadlines for completing corrective actions, and in some cases a failure to correct a nonconformity can result in loss of certification.
2.3. Accountability and record keeping
The stated objective of Annex A control set A.8 (asset management) of ISO 27001 is to identify organisational assets and define appropriate protection responsibilities. Specifically, A.8.1 requires that organisations inventory their information assets, assign an owner to each, and define acceptable uses for them. A.8.2 continues by requiring classification of information by sensitivity, labelling in line with that classification, and handling rules based on the sensitivity level. Annex A.9 (access control) then requires a documented access control policy and restricts access to information according to business need and classification.
2.4. Vendor management
ISO 27001 treats vendor oversight and control as critical components of an appropriate security programme. Clause 8.1 requires organisations to determine which processes are outsourced and to ensure that those processes are controlled as part of the ISMS.
Clause 9 (performance evaluation) builds on this by requiring organisations to monitor, review and document the effectiveness of those controls, which in practice may include scheduled risk assessments and audits of suppliers to confirm that customer data remains secure.
Additional, more specific guidance is found in controls A.15, governing 'supplier relationships,' and A.18.1, governing compliance with legal and contractual requirements. Control A.15 addresses the security concerns that arise where the organisation grants vendors ('suppliers') access to personal data. It requires risk mitigation by limiting that access and by entering into agreements that impose security responsibilities and assign liability.
Control A.18 contemplates compliance with agreements where the shoe is on the other foot and the organisation is acting as the supplier, requiring compliance with the customer's security requirements.
2.5. Incident and breach
ISO 27001 requires mechanisms both to quickly identify security incidents and to report them through established channels. Annex A control A.16 (information security incident management) is designed to ensure a consistent and effective approach to the management of information security incidents, including communication of security events and weaknesses.
The fundamental elements underpinning an ISO 27001 compliant response plan are a clear chain of command, established identification and reporting procedures, and the reporting of any unusual activity or incidents by employees and contractors. As with all ISO 27001 requirements, documentation and continued updating are key.
3. ISO 27701
ISO 27701 is a privacy extension to ISO 27001 and ISO 27002, providing additional guidance for the protection of privacy. A draft of the standard was shared for public comment from 12 December 2018 to 25 February 2019, and the final standard was published on 6 August 2019. According to the source material for this note, it was developed in collaboration with Microsoft Corporation and the French data protection authority ('CNIL'), to assist organisations in managing privacy information and meeting regulatory requirements such as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the standard specifies the requirements for establishing, implementing, maintaining and continually improving a Privacy Information Management System ('PIMS'): a privacy-specific extension of the ISMS for protecting personal data. ISO 27701 is intended to be a certifiable extension to ISO 27001. In other words, organisations that plan to certify to ISO 27701 will need ISO 27001 certification as a precursor.
ISO 27701 aims to:
- supplement the ISMS with a PIMS and privacy-specific controls;
- recognise overlap between different privacy laws and reduce complexity;
- build an evidence-based privacy program and demonstrate compliance through accredited third-party certification; and
- serve as the basis for a potential GDPR certification mechanism.
The published ISO 27701 standard:
- outlines the relationship between the PIMS and the ISMS (i.e., how ISO 27701 relates to ISO 27001);
- lays out PIMS requirements for data controllers and processors;
- lists applicable privacy-related controls for controllers and processors; and
- maps privacy-related controls to GDPR and other relevant ISO standards (29100, 27018 and 29151).
4. ISO 27017
ISO 27017 is a code of practice for information security controls, based on ISO 27002, for cloud services. It is intended to assist organisations whose business model is fully or partly dependent on cloud services. ISO 27017 recognises that cloud services can introduce additional and less predictable security risks and provides recommendations accordingly. It provides guidance on the responsibilities of the parties involved in a cloud service, in particular the division of responsibility between the cloud service customer and the cloud service provider, and on conducting risk assessments and implementing controls on both sides. Further, ISO 27017 provides cloud-specific implementation guidance for the security controls in the following areas:
- human resource security;
- asset management;
- access control;
- cryptography controls;
- physical and environmental security;
- operations security;
- communications security;
- system acquisition, development and maintenance;
- supplier relationships;
- information security incident management;
- information security aspects of business continuity management; and
- compliance.
5. ISO 29100
ISO 29100 provides a framework for organisations to supplement their existing security programme with privacy principles and controls. The framework does this by:
- providing a common privacy terminology;
- defining the actors and their roles in processing personally identifiable information ('PII') (ISO 29100 describes the relationships that may arise between a PII controller, PII processor, third party and PII principals (data subjects). Under this standard, a third party that receives PII becomes a PII controller in its own right);
- describing privacy safeguarding considerations (ISO 29100 lists personal attributes that, alone or in combination and depending on context, may make information PII. An organisation is expected to inform PII principals that they may be identified through those attributes and to give them a mechanism to limit processing of them); and
- providing references to known privacy principles for information technology (there is a list of eleven privacy principles that an organisation is required to implement in order to meet this standard, which goes well beyond, e.g., the OECD Privacy Principles).
6. ISO 27005
ISO 27005 provides guidelines assisting the implementation of the risk management aspects of ISO 27001. The standard covers various aspects of information security risk management, including:
- establishing a context for risk management;
- defining risk evaluation and acceptance criteria;
- steps for identifying, analyzing and evaluating risks; and
- implementing risk treatment plans and conducting ongoing monitoring and review of risks.
However, ISO 27005 does not prescribe a specific method for risk management. Organisations need to define their own approach, taking into account:
- the scope of the organisation's ISMS;
- the context of the organisation's risk management; or
- the industry sector of the organisation.
It is worth noting that ISO 27005 does not contain direct guidance on implementing the ISMS requirements specified in ISO 27001. The risk identification method described in ISO 27005 is the asset, threat and vulnerability method, which ISO 27001:2013 no longer mandates (any method that produces comparable, reproducible results is acceptable). ISO 27005 applies to all types of organisations, whether commercial enterprise, government agency or non-profit, and to any situation in which an organisation intends to manage risks that could compromise its information security. ISO 27005 can be used by:
- an organisation's manager and staff concerned with information security risk management; and
- external parties supporting an organisation's information security risk management.
ISO 27005 refers to concepts, models, processes and terminologies set in ISO 27001 and ISO 27002.
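The risk assessment, risk treatment plan and Statement of Applicability described under Clauses 6 and 8 of ISO 27001 above, and the identify, analyse, evaluate and treat steps of ISO 27005, are easier to see in a concrete register. The following Python is an added example written for this note, not text or tooling from ISO; because ISO 27005 does not prescribe a scoring method, the 1-5 likelihood and impact scales, the acceptance thresholds, the four sample risks and the Annex A subset are all assumptions chosen for illustration. The four treatment options are the ones ISO 27005:2011 names (retain, modify, share, avoid).

```python
"""Illustrative ISO 27001/27005-style risk register and Statement of Applicability.

Added example, not text from ISO/IEC 27001 or ISO/IEC 27005. The scales,
thresholds, sample risks and control subset below are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    """The four risk treatment options named in ISO/IEC 27005:2011."""
    RETAIN = "retain"   # accept the risk; the acceptance must be recorded
    MODIFY = "modify"   # apply controls to reduce likelihood and/or impact
    SHARE = "share"     # shift part of the risk to a supplier or insurer
    AVOID = "avoid"     # stop the activity that gives rise to the risk


@dataclass
class Risk:
    """One register row: asset, threat, vulnerability and the assessed levels."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int                # assumed scale 1 (negligible) .. 5 (severe)
    owner: str                 # named risk owner, as Clause 6.1.2 requires
    outsourced: bool = False   # asset operated by a supplier (Clause 8.1)
    controls: list[str] = field(default_factory=list)  # Annex A sections relied on

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class AcceptanceCriteria:
    """Risk acceptance criteria fixed when establishing the context (assumed values)."""
    accept_at_or_below: int = 6   # scores up to 6 may be retained
    avoid_above: int = 20         # scores above 20 are avoided, not merely mitigated


def evaluate(risk: Risk, criteria: AcceptanceCriteria) -> Treatment:
    """Compare the analysed risk with the acceptance criteria and pick a treatment."""
    if risk.score <= criteria.accept_at_or_below:
        return Treatment.RETAIN
    if risk.score > criteria.avoid_above:
        return Treatment.AVOID
    # Risks carried by a supplier are shared contractually (control A.15);
    # everything else is modified with the controls the owner selected.
    return Treatment.SHARE if risk.outsourced else Treatment.MODIFY


def treatment_plan(register: list[Risk], criteria: AcceptanceCriteria) -> list[dict]:
    """Risk treatment plan ordered by score, highest first (Clauses 6.1.3 and 8.3)."""
    return [
        {"asset": r.asset, "score": r.score, "treatment": evaluate(r, criteria),
         "owner": r.owner, "controls": list(r.controls)}
        for r in sorted(register, key=lambda r: r.score, reverse=True)
    ]


def statement_of_applicability(register, criteria, annex_a) -> dict:
    """Mark an Annex A section applicable when a treated risk relies on it.

    Clause 6.1.3 d) requires a justification for inclusions and exclusions,
    so each entry names the risks that drive the decision.
    """
    soa = {}
    for control_id, title in annex_a.items():
        drivers = [r.asset for r in register
                   if control_id in r.controls
                   and evaluate(r, criteria) in (Treatment.MODIFY, Treatment.SHARE)]
        soa[control_id] = {
            "title": title,
            "applicable": bool(drivers),
            "justification": ("required to treat risk(s) on: " + ", ".join(drivers)
                              if drivers else "no assessed in-scope risk relies on it"),
        }
    return soa


# Subset of the ISO/IEC 27001:2013 Annex A section titles used by this example.
ANNEX_A_SUBSET = {
    "A.9": "Access control",
    "A.13": "Communications security",
    "A.14": "System acquisition, development and maintenance",
    "A.15": "Supplier relationships",
    "A.16": "Information security incident management",
}


def sample_register() -> list[Risk]:
    """Constructed sample risks; values are illustrative, not real findings."""
    return [
        Risk("customer database", "SQL injection by an external attacker",
             "unparameterised queries in a web front end", 4, 5,
             "Head of Engineering", controls=["A.9", "A.14"]),
        Risk("payroll (SaaS supplier)", "breach at the supplier",
             "contract lacks security and notification clauses", 3, 4,
             "HR Director", outsourced=True, controls=["A.15"]),
        Risk("legacy FTP file exchange", "credential interception",
             "cleartext protocol on an internet-facing host", 5, 5,
             "IT Manager", controls=["A.13"]),
        Risk("office printer", "theft", "unlocked print room", 2, 2, "Facilities"),
    ]


if __name__ == "__main__":
    crit = AcceptanceCriteria()
    for e in treatment_plan(sample_register(), crit):
        print(f"{e['score']:>2}  {e['treatment'].value:<7} {e['asset']}")
    for cid, row in statement_of_applicability(sample_register(), crit, ANNEX_A_SUBSET).items():
        print(f"{cid:<5} {'yes' if row['applicable'] else 'no':<4} {row['justification']}")
```

Two design points are worth noting. First, the acceptance criteria are a separate object because ISO 27005 has them set during context establishment and applied unchanged at evaluation time; burying the thresholds inside the evaluation logic is how registers drift. Second, the SoA is derived from the register rather than maintained by hand, so an exclusion (here A.13, referenced only by a risk that is avoided outright, and A.16, referenced by none) is always accompanied by the justification Clause 6.1.3 d) demands; in a real ISMS A.16 would of course be driven by other risks in scope.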
7. ISO 29101
ISO 29101 builds on the privacy framework provided by ISO 29100 to help an organisation define its privacy safeguarding requirements as they relate to PII processed by any ICT system. Privacy safeguarding requirements are, in some countries, synonymous with data protection and data privacy requirements and are the subject of data protection and data privacy legislation. ISO 29101 describes a high-level architecture framework and associated controls for safeguarding privacy in ICT systems that store and process PII. The privacy architecture framework described in ISO 29101 includes:
- a consistent, high-level approach to the implementation of privacy controls for the processing of PII in ICT systems;
- guidance for planning, designing, and building ICT system architectures that safeguard the privacy of PII principals by controlling the processing, access and transfer of personally identifiable information; and
- a description of how privacy enhancing technologies (PETs) can be used as privacy controls.
ISO 29101 applies to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII, with a primary focus on ICT systems designed to interact with PII principals. The privacy architecture framework defined in ISO 29101 features:
- the specific concerns of ICT systems that process PII;
- a list of components for the implementation of such systems; and
- architectural views that place these components in context.
8. ISO 29151
ISO 29151 establishes control objectives, controls and implementation guidelines to meet the requirements identified by a risk and impact assessment related to the protection of PII. Its guidelines are based on ISO 27002, with a focus on controls relevant to the protection of PII. The standard is applicable to PII controllers and creates a code of practice for meeting the requirements identified by risk and impact assessments related to PII, completing the framework created by ISO 29100 (Privacy Framework) and ISO 29134 (Privacy Impact Assessment). The specification mirrors ISO 27002, adding new controls tailored to the protection of PII or otherwise specifying where ISO 27002 controls are sufficient, and provides implementation guidance for each. Following the ISO 29100 framework, the PII-specific controls are grouped under its eleven privacy principles:
- consent and choice;
- purpose, legitimacy and specification;
- collection limitation;
- data minimisation;
- use, retention and disclosure limitation;
- accuracy and quality;
- openness, transparency and notice;
- individual participation and access;
- accountability;
- information security; and
- privacy compliance.
9. ISO 29134
ISO 29134 provides guidelines for conducting privacy impact assessments ('PIA') and for structuring PIA reports. The guidance is scalable and is meant to be applied from the earliest possible stage of an initiative. The standard applies to organisations of all types and sizes, whether a public company, a private company, a government entity or a not-for-profit organisation. ISO 29134 is relevant to your organisation if it operates data processing systems or programmes, or provides services, that process PII. ISO 29134 helps organisations in:
- determining when PIAs are necessary (threshold analysis);
- preparing PIAs (i.e., personnel, resources, scope, stakeholder engagement);
- identifying information flows;
- identifying, analysing and evaluating privacy risk;
- implementing risk treatment plans and follow-up steps; and
- creating PIA reports.
ISO 29134 draws the controls used to treat PIA findings from multiple sources. These include:
- other ISO/IEC frameworks, such as ISO 27002 (for security controls) and ISO 29151 (for PII protection controls);
- other comparable national standards; and
- security controls defined by the person responsible for conducting the PIA.