Information technology -- Security techniques -- Guidelines for the assessment of information security controls

This document provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organization's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organization. This document offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001. It is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations conducting information security reviews and technical compliance checks.

Technologies de l'information -- Techniques de sécurité -- Lignes directrices pour les auditeurs des contrôles de sécurité de l'information

General Information

Status: Published
Publication Date: 13-Jan-2019
Current Stage: 6060 - International Standard published
Start Date: 19-Dec-2018
Completion Date: 14-Jan-2019
Buy Standard

Technical specification
ISO/IEC TS 27008:2019 - Information technology -- Security techniques -- Guidelines for the assessment of information security controls
English language
91 pages

Standards Content (sample)

TECHNICAL SPECIFICATION ISO/IEC TS 27008
First edition 2019-01
Information technology — Security techniques — Guidelines for the assessment of information security controls
Technologies de l'information — Techniques de sécurité — Lignes directrices pour les auditeurs des contrôles de sécurité de l'information
Reference number: ISO/IEC TS 27008:2019(E)
© ISO/IEC 2019
ISO/IEC TS 27008:2019(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2019

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this document
5 Background
6 Overview of information security control assessments
  6.1 Assessment process
    6.1.1 General
    6.1.2 Preliminary information
    6.1.3 Assessment checklists
    6.1.4 Review fieldwork
    6.1.5 The analysis process
  6.2 Resourcing and competence
7 Review methods
  7.1 Overview
  7.2 Process analysis
    7.2.1 General
  7.3 Examination techniques
    7.3.1 General
    7.3.2 Procedural controls
    7.3.3 Technical controls
  7.4 Testing and validation techniques
    7.4.1 General
    7.4.2 Blind testing
    7.4.3 Double blind testing
    7.4.4 Grey box testing
    7.4.5 Double grey box testing
    7.4.6 Tandem testing
    7.4.7 Reversal
  7.5 Sampling techniques
    7.5.1 General
    7.5.2 Representative sampling
    7.5.3 Exhaustive sampling
8 Control assessment process
  8.1 Preparations
  8.2 Planning the assessment
    8.2.1 Overview
    8.2.2 Scoping the assessment
    8.2.3 Review procedures
    8.2.4 Object-related considerations
    8.2.5 Previous findings
    8.2.6 Work assignments
    8.2.7 External systems
    8.2.8 Information assets and organization
    8.2.9 Extended review procedure
    8.2.10 Optimization
    8.2.11 Finalization
  8.3 Conducting reviews
  8.4 Analysis and reporting results
Annex A (informative) Initial information gathering (other than IT)
Annex B (informative) Practice guide for technical security assessments
Annex C (informative) Technical assessment guide for cloud services (Infrastructure as a service)
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see http://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

ISO/IEC TS 27008 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This first edition of ISO/IEC TS 27008 cancels and replaces ISO/IEC TR 27008:2011.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

This document supports the Information Security Risk Management process pointed out in ISO/IEC 27001, and any relevant control sets identified.

Information security controls should be fit-for-purpose (meaning appropriate and suitable to the task at hand, i.e. capable of mitigating information risks), effective (e.g. properly specified, designed, implemented, used, managed and maintained) and efficient (delivering net value to the organization). This document explains how to assess an organization's information security controls against those and other objectives in order either to confirm that they are indeed fit-for-purpose, effective and efficient (providing assurance), or to identify the need for changes (improvement opportunities). The ultimate aim is that the information security controls, as a whole, adequately mitigate information risks that the organization finds unacceptable and unavoidable, in a reasonably cost-effective and business-aligned manner. It offers the flexibility needed to customize the necessary reviews based on business missions and goals, organizational policies and requirements, known emerging threats and vulnerabilities, operational considerations, information system and platform dependencies, and the risk appetite of the organization.

Please refer to ISO/IEC 27007 for guidelines for information security management systems auditing and ISO/IEC 27006 for requirements for bodies providing audit and certification of information security management systems.
Information technology — Security techniques — Guidelines for the assessment of information security controls
1 Scope

This document provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organization's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organization.

This document offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001.

It is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations conducting information security reviews and technical compliance checks.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
4 Structure of this document

This document contains a description of the information security control assessment process including technical assessment.
Clause 5 provides background information.
Clause 6 provides an overview of information security control assessments.
Clause 7 presents review methods.
Clause 8 presents the control assessment process.
Annex A supports initial information gathering.
Annex B supports technical assessment.
Annex C supports technical assessment for cloud services.
5 Background

Information security controls are the primary means of treating unacceptable information risks, bringing them within the organization's risk tolerance level.

Parts of an organization's information security controls are usually realized by the implementation of technical information security controls.

An organization's technical security controls can be defined, documented, implemented and maintained according to technical information security standards. As time passes, internal factors such as amendments of information systems, configurations of security functions and changes of surrounding information systems, and external factors such as advances in attack skills, can negatively affect the effectiveness of information security controls and ultimately the quality of the organization's information security standards. Technical assessment is included in ISO/IEC 27002 as one of the controls. A technical assessment is generally performed either manually or with the assistance of automated tools, or both. A technical assessment may be performed by a role not involved in executing the control, e.g. a system owner, by staff in charge of the specific controls, or by internal or external information security experts.

The output of technical assessment accounts for the actual extent of technical compliance with the organization's information security implementation standards. This evidence provides assurance when the status of technical controls complies with the information security standards, or otherwise the basis for improvements. The assessment reporting chain should be clearly established at the outset of the assessment and the integrity of the reporting process should be assured. Steps should be taken to ensure that:

— the appropriate competence of those performing the test(s) is determined and ensured from the outset (see 6.2);
— relevant accountable parties receive, directly from the information security auditors, an unaltered copy of the technical assessment report;
— inappropriate or unauthorized parties do not receive a copy of the technical assessment report from the information security auditors; and
— the information security auditors are permitted to carry out their work without hindrance or interference violating the segregation of duty principle.

Information security control assessments, and technical assessments in particular, can help an organization to:

— identify and understand the extent of potential problems or shortfalls in the organization's implementation and operation of information security controls, information security standards and, consequently, technical information security controls;
— identify and understand the potential organizational impacts of inadequately mitigated information security threats and vulnerabilities;
— prioritize the identified information security risk mitigation activities;
— confirm that previously identified or emergent information security vulnerabilities and threats have been adequately addressed; and/or
— support budgetary decisions within the investment process and other management decisions relating to improvement of the organization's information security management.
6 Overview of information security control assessments
6.1 Assessment process
6.1.1 General

For assessments the assigned information security auditors need to be well prepared, both on the control side as well as on the testing side (e.g. operation of applicable tools, technical aim of the test). Elements of the assessment work can be prioritized according to the perceived risks but also planned to follow a particular business process or system, or simply designed to cover all areas of the assessment scope in sequence.

When an individual information security control assessment commences, the information security auditors normally start by gathering preliminary information, reviewing the planned scope of work, liaising with managers and other contacts in the applicable parts of the organization and expanding the risk assessment to develop assessment documentation to guide the actual assessment work. Supporting information can be found in Annexes A to C.
6.1.2 Preliminary information
Preliminary information can come from a variety of sources:

— books, Internet searches, technical manuals, technical security standards and policies of the organization, and other general background research into common risks and controls in this area, conferences, workshops, seminars or forums;
— results of prior assessments, tests, and audits, whether partially or fully aligned with the present assessment scope and whether or not conducted by information security auditors (e.g. pre-release security tests conducted by information security professionals can provide a wealth of knowledge on the security of major application systems);
— information on relevant information security incidents, near-misses, support issues and changes, gathered from IT Help Desk, IT Change Management, IT Incident Management processes and similar sources; and
— generic assessment checklists and articles by information security auditors or information security professionals with expertise in the area related to the scope of the assessment.

It is recommended to review the planned assessment scope in light of the preliminary information, especially if the assessment plan that originally scoped the assessment was prepared many months beforehand. For example, other assessments can have uncovered concerns that are worth investigating in more depth, or conversely, have increased assurance in some areas, allowing the present work to focus elsewhere.

Liaising with managers and assessment contacts at this early stage is an important activity. At the end of the assessment process, these people need to understand the assessment findings in order to respond positively to the assessment report. Empathy, mutual respect and making the effort to explain the assessment process significantly improve the quality and impact of the result.

6.1.3 Assessment checklists

While individuals vary in the way they document their work, many assessment functions utilize standardized assessment processes supported by document templates for working papers such as assessment checklists, internal control questionnaires, testing schedules, risk-control matrices, etc.

The assessment checklist (or similar) is a key document for several reasons:

— it lays out the planned areas of assessment work, possibly to the level of detailing individual assessment tests leading to anticipated/ideal findings;

— it provides structure for the work, helping to ensure that the planned scope is adequately covered;
— the analysis necessary to generate the checklist in the first place prepares the information security auditors for the assessment fieldwork that follows. Completing the checklist as the assessment progresses starts the analytical process from which the assessment report will be derived;
— it provides the framework to record the results of assessment pre-work and fieldwork and, for example, a place to reference and comment on assessment evidence gathered;
— it can be reviewed by audit management or other information security auditors as part of the assessment quality assurance process; and
— once fully completed, it (along with the review evidence) constitutes a reasonably detailed historical record of the review work as conducted and the findings arising that can be required to substantiate or support the review report, inform management and/or help with planning future reviews.

Information security auditors should be cautious of simply using generic review checklists written by others as, aside from perhaps saving time, this would probably negate several of the benefits noted above.

6.1.4 Review fieldwork

The bulk of review fieldwork consists of a series of tests conducted by the information security auditors, or at their request, to gather review evidence and to review it. It is often done by comparison to anticipated or expected results derived from relevant compliance obligations, standards or a more general appreciation of good practices. For instance, one test within an information security review examining malware controls can check whether all applicable computing platforms have suitable antivirus software. Such review tests often use sampling techniques, since there are rarely sufficient review resources to test exhaustively. Sampling practices vary between information security auditors and situations. They can include random selection, stratified selection and other more sophisticated statistical sampling techniques (e.g. taking additional samples if the initial results are unsatisfactory, in order to substantiate the extent of a control weakness). As a general rule, more exhaustive testing is possible where evidence can be gathered and tested electronically, for example using SQL queries against a database of review evidence collated from systems or asset management databases. The assessment sampling approach should be guided, at least in part, by the risks attached to the area of operations being assessed.
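One way to run the malware-control test described above electronically, as an added example that is not part of the standard: the asset records, the table layout and the 7-day signature-age threshold are constructed assumptions standing in for an organization's collated evidence and its own implementation standard. The example also shows a reproducible stratified sample that escalates to an exhaustive SQL test when the initial results are unsatisfactory, as the paragraph describes.

```python
# Added example: electronic review test for a malware control (ISO/IEC TS 27008, 6.1.4).
# All evidence below is constructed; the thresholds are assumed, not the standard's.
import random
import sqlite3

# Constructed review evidence, as if extracted from an asset management database.
# av_signature_age_days is None when no antivirus product is installed.
ASSET_EVIDENCE = [
    # hostname, platform, business_unit, av_product, av_signature_age_days
    ("srv-web-01", "Linux", "Sales", "ExampleAV", 2),
    ("srv-web-02", "Linux", "Sales", None, None),
    ("srv-db-01", "Linux", "Finance", "ExampleAV", 1),
    ("ws-fin-01", "Windows", "Finance", "ExampleAV", 3),
    ("ws-fin-02", "Windows", "Finance", "ExampleAV", 21),
    ("ws-sal-01", "Windows", "Sales", "ExampleAV", 0),
    ("ws-sal-02", "Windows", "Sales", None, None),
    ("ws-hr-01", "Windows", "HR", "ExampleAV", 5),
    ("mac-hr-01", "macOS", "HR", "ExampleAV", 4),
    ("mac-hr-02", "macOS", "HR", None, None),
]

# Assumed expected result from the organization's (hypothetical) implementation
# standard: every asset runs antivirus with signatures no more than 7 days old.
MAX_SIGNATURE_AGE_DAYS = 7


def build_evidence_db() -> sqlite3.Connection:
    """Load the collated evidence into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE assets (hostname TEXT PRIMARY KEY, platform TEXT, "
        "business_unit TEXT, av_product TEXT, av_signature_age_days INTEGER)"
    )
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?, ?, ?)", ASSET_EVIDENCE)
    conn.commit()
    return conn


# The exhaustive test: one query lists every asset that fails the expected
# result together with the reason, so each exception is substantiated.
EXCEPTIONS_SQL = """
SELECT hostname, platform, business_unit,
       CASE WHEN av_product IS NULL THEN 'no antivirus installed'
            ELSE 'signatures ' || av_signature_age_days || ' days old' END AS reason
FROM assets
WHERE av_product IS NULL OR av_signature_age_days > ?
ORDER BY hostname
"""


def exhaustive_av_check(conn, max_age=MAX_SIGNATURE_AGE_DAYS):
    """Test every asset electronically; returns the exception rows."""
    return conn.execute(EXCEPTIONS_SQL, (max_age,)).fetchall()


def stratified_sample(conn, per_stratum, seed=0):
    """Pick per_stratum hosts from each platform (the strata) using a fixed seed,
    so the selection can be re-performed from the working papers."""
    rng = random.Random(seed)
    sample = []
    platforms = [r[0] for r in conn.execute("SELECT DISTINCT platform FROM assets ORDER BY 1")]
    for platform in platforms:
        hosts = [r[0] for r in conn.execute(
            "SELECT hostname FROM assets WHERE platform = ? ORDER BY hostname", (platform,))]
        sample.extend(rng.sample(hosts, min(per_stratum, len(hosts))))
    return sample


def sample_failure_rate(conn, sample, max_age=MAX_SIGNATURE_AGE_DAYS):
    """Fraction of the sampled hosts that fail the expected result."""
    failing = {row[0] for row in exhaustive_av_check(conn, max_age)}
    return sum(1 for host in sample if host in failing) / len(sample)


def sample_with_escalation(conn, per_stratum=1, tolerance=0.1, seed=0):
    """Start with a stratified sample; if its failure rate exceeds the tolerance,
    escalate to the exhaustive test to substantiate the extent of the weakness.
    Returns (method, failure_rate, exception_rows)."""
    sample = stratified_sample(conn, per_stratum, seed)
    rate = sample_failure_rate(conn, sample)
    if rate <= tolerance:
        return ("representative sample", rate, [])
    exceptions = exhaustive_av_check(conn)
    total = conn.execute("SELECT COUNT(*) FROM assets").fetchone()[0]
    return ("exhaustive", len(exceptions) / total, exceptions)


if __name__ == "__main__":
    db = build_evidence_db()
    method, rate, rows = sample_with_escalation(db)
    print(f"{method}: failure rate {rate:.0%}")
    for host, platform, unit, reason in rows:
        print(f"  {host} ({platform}, {unit}): {reason}")
```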

Evidence collected in the course of the review should normally be noted, referenced or inventoried in the review working papers. Along with review analysis, findings, recommendations and reports, review evidence needs to be adequately protected by the information security auditors, particularly as some is likely to be highly sensitive and/or valuable. Data extracted from production databases for review purposes, for example, should be secured to the same extent as those databases through the use of access controls, encryption, etc. Automated review tools, queries, utility/data extract programs, etc. should be tightly controlled. Similarly, printouts made by or provided to the information security auditors should generally be physically secured under lock and key to prevent unauthorized disclosure or modification. In the case of particularly sensitive reviews, the risks and, hence, the necessary information security controls should be identified and prepared at an early stage of the review.

Having completed the review checklist, conducted a series of review tests and interviews with relevant parties and gathered sufficient review evidence, the information security auditors should be in a position to examine the evidence, determine the extent to which information security risks have been treated, and review the potential impact of any residual risks. At this stage, a review report of some form is normally drafted, quality reviewed within the review function and discussed with management, particularly management of the business units, departments, functions or teams most directly reviewed and possibly also other implicated parts of the organization.
The evidence should be dispassionately reviewed to check that:
— there is sufficient review evidence to
...
