
Information security assurance
An overview for implementing an information security assurance programme
July 2010
Published by
Information Security Forum Limited

Tel: +44 (0)20 7213 1745


Fax: +44 (0)20 7213 4318
E-mail: [email protected]
Web: www.securityforum.org

Project team
Martin Tully
Jason Creasey

Review and quality assurance


Jeff Thompson

Design
Louise Liu

Key to symbols: Member quote; Note; Project related material available on MX; Warning; Key

Warning

This document is confidential and purely for the attention of and use by organisations that are Members of the Information Security Forum (ISF). If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on isfinfo@securityforum.org.

Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited.

This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information
Security Forum Limited accept no responsibility for any problems or incidents arising from its use.

Classification: Restricted to ISF Members and ISF Service Providers

Information security assurance • Information Security Forum www.securityforum.org


Contents

Part one: Introduction


This report 1
Purpose 1
Audience 2
Basis for this report 2
Project deliverables 3

Part two: Defining information security assurance


Overview 4
Positioning information security assurance 4
What is corporate governance? 5
What is information security governance? 5
What is security assurance? 8
The relationship between information security assurance and audit 9
Comparing security assurance with security audit 10

Part three: Establishing an information security assurance programme


Overview 11
Drivers for adopting a security assurance programme 11
Key components of a security assurance programme 12
The security assurance process 13
Specialised activities 14

Part four: Implementing an information security assurance process


Overview 15
Implementing an information security assurance process 15
Challenges faced when implementing a security assurance process 16
Meeting the challenge 17
Using ISF tools to implement security assurance 18
Phase 1: Identify security requirements 19
Phase 2: Implement control framework 21
Phase 3: Monitor and evaluate controls 24
Phase 4: Initiate improvements 27

Part five: The way forward


Conclusion 28
Making security assurance work in practice 28

Acknowledgements 30



The ISF Security Model
The ISF have developed a security model to support organisations in designing their approach to addressing information security
and to give them a basis for identifying the key aspects of an information security programme. The ISF provides insights, best
practice standards and tools which address each aspect of the model to aid organisations in enhancing their information security
environment.

The ISF Security Model is shown below.

Governance – The framework by which policy and direction is set, providing senior management with assurance that security management activities are being performed correctly and consistently.

Risk – The potential business impact and likelihood of particular threats materialising – and the application of control to mitigate risk to acceptable levels.

Compliance – The policy, statutory and contractual obligations relevant to information security which must be met to operate in today’s business world to avoid civil or criminal penalties and mitigate risk.

People – The executives, staff and third parties with access to information, who need to be aware of their information security responsibilities and requirements and whose access to systems and data needs to be managed.

Process – Business processes, applications and data that support the operations and decision making.

Technology – The physical and technical infrastructure, including networks and end points, required to support the successful deployment of secure processes.

[Figure: The ISF Security Model – a ring diagram with the six segments Governance, Risk, Compliance, People, Process and Technology, surrounded by the ISF offerings Knowledge Exchange, Research & Reports, and Tools and Methods]

A pdf copy of the ISF Security Model can be downloaded from the ISF’s Member Exchange System (MX), which can
be used to clearly describe to your team and others (management, potential Supply Chain or other Membership
prospects) the key aspects of the information security environment within your organisation.

Aligning this report with the ISF Security Model

Using a rating from very low to very high, the way in which this report aligns with the ISF Security Model is shown in the table
below.

Governance: Very high
Risk: Medium
Compliance: High
People: Low
Process: Medium
Technology: Very low



Part 1: Introduction

This report

This report provides an overview of information security assurance and includes high-level actions to consider when implementing an information security assurance programme enterprise-wide. As a central part of this programme, a repeatable security assurance process is outlined that can be applied to individual environments within an organisation. This process will help an organisation: identify security requirements; implement a control framework; monitor and evaluate associated controls; and initiate improvements.

This report is based on the findings from a total of 16 ISF Member workshops held worldwide, as part of the Security Assurance:
ISO 27000 and beyond project, which discussed key issues associated with security assurance and explored how the Information
Security Management System (ISMS) in ISO/IEC 27001 could be used – but typically not in isolation – to help provide information
security assurance. Consequently, this report primarily looks at security assurance from the perspective of (and performed by)
an information security function.

ISO/IEC 27001

“This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing,
maintaining and improving a documented ISMS within the context of the organisation’s overall business operations and
related risks. It specifies requirements for the implementation of security controls customised to the needs of individual
organisations.

The ISMS is designed to protect information assets by a risk management approach and to give confidence to interested
parties.”
ISO/IEC 27001 – Information technology; Security techniques;
Information security management systems

There was no overall consensus at the workshops on the definition or coverage of security assurance. In particular
external auditors or assessors may take a different view. Furthermore, some attendees referred to information
security assurance as enterprise-wide security management.

Purpose

Workshop attendees agreed that one of the main objectives for an information security function is to provide assurance to senior management internally that information risks are being managed enterprise-wide. The purpose of this report is to help Members understand the concepts associated with information security assurance, upon which Members can build an enterprise-wide information security assurance programme.

To avoid repetition the term ‘information security assurance’ is often abbreviated to ‘security assurance’ throughout this report.

Further reading
• Security Audit of Business Applications (June 2010)
• Reporting information risk (January 2010)
• Information Risk Management in Corporate Governance: Workshop Report (December 2003)




Audience

This report will be of particular interest to the following:

• information security managers, directly responsible for the implementation of the information security assurance programme
• information security professionals who select or apply information security controls as part of an information security assurance process for an individual environment
• internal auditors, risk managers and managers of other business departments who may get involved in a security assurance programme.

Basis for this report

This report is based on work carried out as part of an ISF workshop project which included:

• Desktop research and analysis on the subject of information security assurance
• Interviews with expert Members about implementing an information security assurance programme
• Feedback from third party experts in security assurance and audit
• Member discussions at 16 workshops held globally
• Analysis of the key points from a range of documents relating to security assurance, such as ISACA’s IT Assurance Framework.

All meeting minutes and Member presentations delivered are available on the ISF’s Member Exchange System (MX).

The Security Assurance: ISO 27000 and beyond workshops were run in association with the Security Audit of Business
Applications workshops to help distinguish between the key activities of these similar but distinctly different projects.

In total approximately 290 people attended the workshops. The majority were information security professionals, along with significant attendance by representatives of security audit and security assurance departments.




Project deliverables

The main deliverable from this Security Assurance: ISO 27000 and beyond project was the workshops themselves. This brief summary report is one of four additional deliverables associated with the project. The other three deliverables are:

• A spreadsheet Mapping ISF tools to the ISO/IEC 27001 Information Security Management System (ISMS) – designed to assist Members in understanding which ISF tools can be used to support the implementation of the Information Security Management System (ISMS), which is part of the ISO/IEC 27001 framework.
• A Directory of information security principles, standards and corporate governance – provides Members with a source of reference to assist in the identification of information security-related principles, standards and corporate governance.
• Member input into third party liaison activities – strategic support for the development of information security-related standards and guidance for the information security professional, including:
  – ISO Liaison – building on the ISF’s position within the ISO SC27 committee by formally contributing towards the development of:
    o ISO/IEC 27001: Information technology – Security techniques – Information security management systems – Requirements;
    o ISO/IEC 27002: Information technology – Security techniques – Code of practice for information security management;
    o ISO/IEC 27014: Governance of information security (currently a working draft that is not available to view by the general public).
  – COBIT development – taking part in ISACA workshops responsible for producing COBIT version 5.
  – Security principles collaboration – establishing principles for information security professionals to follow, in association with ISACA and (ISC)².

British Standards are reproduced with the permission of the British Standards Institution (BSI) under licence number 2010JK0005. Copyright subsists in all BSI publications. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hardcopies only: Tel: +44 (0)20 8996 9001 Email: cservices@bsigroup.com



Part 2: Defining information security assurance
Overview

Security assurance is concerned with the effective implementation of information security management enterprise-wide. This part
of the report positions information security assurance in relation to corporate governance and information security governance.
It then provides a more detailed definition of information security assurance and puts it in context with other types of assurance.

Positioning information security assurance

Before defining information security assurance, ISF Members agreed that it was important to understand the topics that directly
influence information security assurance.

From a business perspective, corporate governance (eg legislation such as the Turnbull, King and Dey reports) and information security governance (eg guidance such as the emerging ISO/IEC 27014 – Governance of Information Security and IT Governance Institute’s IT Governance Framework) both have a significant influence on information security assurance. Therefore information security assurance can be positioned as shown in Figure 1 below.

[Figure 1: Positioning security assurance – three nested layers, with information security assurance sitting within information security governance, which in turn sits within corporate governance]

Corporate governance and information security governance typically provide direction and set strategy for information security
within an organisation. Activities associated with this strategy are then implemented as part of an information security assurance
programme. More information is provided about the governance topics and how they relate to information security assurance
on the following pages.




What is corporate governance?

The ISF’s workshop report: Information Risk Management in Corporate Governance defined corporate governance at a very high level to be concerned with how the organisation is directed and managed within its operating environment. According to the report, corporate governance can be considered in more detail across six key areas.

Board perspective
1 Board conformance – The structure and composition of the Board (and its committees).
2 Board performance and effectiveness – The effectiveness with which the Board discharges its duties.
3 Strategy, planning and monitoring – The way in which the Board ensures financial accountability, management structure and plans for the future.

Organisation perspective
4 Risk management and compliance – The way in which the Board ensures strong internal controls with robust risk management and compliance processes.
5 Transparency and disclosure – Transparent reporting and disclosures of financial and non-financial information.
6 Stakeholders and the triple bottom line – Good corporate citizenship including social, ethical and environmental conduct, the relationship and communication with external stakeholders.

Figure 2: The six key areas of corporate governance

It can be seen from Figure 2 that the six key areas of corporate governance can be split into two sets of three. In the table,
numbers one to three deal with the operation of the Board, its set up and its duties, while numbers four to six are more directed
towards what the organisation needs to do, to support the Board in good corporate governance.

An overview of global corporate governance codes is provided in the Directory of information security principles,
standards and corporate governance, which is available for download from the Security Assurance: ISO 27000 and
beyond project area on MX.

What is information security governance?

Information security governance is an emerging topic and an agreed definition is still being formulated across the information
security community. Industry definitions suggest that information security governance includes aligning information security with
business objectives, requiring compliance with laws, regulations and information security policy.

Information security governance

A subset of corporate / enterprise governance that provides strategic direction, ensures that objectives are achieved,
manages risks appropriately, uses organisational resources responsibly, and monitors the success or failure of the enterprise
security programme.

The IT Governance Institute (ITGI)




Existing guidance produced by both The National Institute of Standards and Technology (NIST) and The IT Governance Institute (ITGI) outlines five main information security governance components, which are:

• Strategic alignment – aligning information security strategy with organisational objectives.
• Value delivery – optimising information security investments.
• Risk management – reducing the potential business impact of information security incidents to an acceptable level.
• Resource management – managing information security resources efficiently and effectively.
• Performance management – providing agreed levels and quality of service for information security.

NIST and ITGI advocate that these components should be the focus for information security professionals when reporting back
to senior management on the status of information security.

“An effective information security assurance programme needs to help achieve the strategic objectives of an overall corporate governance structure.”

The working draft ISO/IEC 27014 – Governance of Information Security framework illustrates at a high-level the relationship
between the more detailed tasks performed as part of information security assurance and the high-level direction from information
security governance. An excerpt of this early draft framework is shown in Figure 3.

[Figure 3: Relationship between information security assurance and information security governance – security governance providing high-level direction to security assurance. Source: ISO/IEC 27014 Information Security Governance framework]

The model above shows one way in which security assurance can relate to security governance. However, in most cases security
assurance does not just equate to an ISMS. In reality, a security assurance programme will cover more than one security assurance
process (similar to the Plan-Do-Check-Act (PDCA) process within an ISMS) enterprise-wide. Furthermore, attendees highlighted
that other specialised security-related activities are carried out (eg metrics, testing and assessment) to cover enterprise-wide or
local activities, particularly where no specific security assurance process had been applied.




The ISF have been heavily involved in the development of an early draft of ISO/IEC 27014 from the outset as part
of the ISO Liaison activities and there will also be an ISF briefing paper delivered on information security governance.

Establishing links between information security assurance and information security governance, as outlined in Figure 3, can be
challenging to demonstrate in practice.

ISF Members who attended the Security Assurance: ISO 27000 and beyond project workshops suggested that this challenge
can be overcome by:

• implementing a coherent, integrated structure that includes key activities relating to corporate governance, information security governance and information security assurance
• appointing owners of individual security assurance processes for particular environments, who will then act as a steering committee supporting decision-making
• identifying improvements to the overall security assurance programme to increase the visibility of information security assurance and better align it with governance objectives.

The Plan-Do-Check-Act (PDCA) problem solving process in ISO/IEC 27001 was identified as one of many methods of
structuring the activities associated with an individual information security assurance process, as part of a wider security assurance
programme. More details of this approach are provided below – and other approaches are discussed later in the report.

The Plan-Do-Check-Act (PDCA) cycle is a four-step model for carrying out change, which emphasises continuous
improvement as part of a management system standard.

Plan – establish objectives and make plans (analyse your organisation’s situation, establish your overall objectives and set your
interim targets, and develop plans to achieve them).
Do – implement your plans (do what you planned to).
Check – measure your results (measure / monitor how far your actual achievements meet your planned objectives).
Act – correct and improve your plans and how you put them into practice (correct and learn from your mistakes to improve
your plans in order to achieve better results next time).




What is security assurance?

Security assurance is a relatively new term, with little common understanding by ISF Members who attended the Security
Assurance: ISO 27000 and beyond project workshops.

There was considerable confusion about security assurance and the title of the project. Rather than considering the title of the
project as a whole (which was the intention of the project), different ISF Members focused on the individual terms in the title, as
shown by the coloured text in Figure 4 below.

[Figure 4: The focus for information security assurance – the project title “Information security Assurance: ISO 27000 and beyond” with each term highlighted in a different colour: “Information security” in blue, “Assurance” in red and “ISO 27000 and beyond” in green]

Some attendees, particularly those with experience of external audit, initially focused on more general aspects of assurance (red
text) without emphasising the importance of information security (blue text).

A number of attendees considered ISO/IEC 27001 (green text) in isolation as the only method of conducting information
security assurance in their organisation, whilst others used different security assurance tools to help run the security assurance
programme (eg ISF’s The Standard of Good Practice for Information Security, COBIT and ISACA’s IT Assurance Framework). It was
generally agreed that the project should cover all three aspects in combination.

In general, workshop attendees agreed that the meaning of assurance is often about providing evidence to ‘someone’ that
‘something’ is working as required. In its simplest form, assurance is often referred to as ‘a high level of confidence that activities
are working as they should’. Related types of assurance from other disciplines include information assurance, quality assurance
and risk assurance.

Information security assurance is not usually a regulatory obligation and therefore does not require external
verification. ISF Members identified the following areas to be out of scope for this project: assurance of financial
records; annual reporting; attestation; and external audit. External audit may be involved with verifying activities
specific to corporate governance or information security governance, furthermore they may perform independent
reviews as part of ISO/IEC 27001 certification.

The majority of attendees agreed that the purpose of security assurance is more closely related to information security governance
or corporate governance than other types of assurance.

ISF Members agreed that information security assurance relates specifically to ensuring that practical implementation
activities (eg performing information risk analysis and implementing a control framework) are implemented
effectively, which are driven by the more strategic elements of information security governance (eg determining the
risk appetite).




After careful consideration of the collective set of activities specifically associated with security assurance, a major outcome from
the project workshops was that most attendees (but not all) agreed on the following definition for security assurance:

“Information security assurance is providing evidence:

to your own senior management

that information risks are being managed effectively enterprise-wide.”

In some organisations, security assurance may simply be responding to the Chief Executive Officer (CEO) by providing evidence that the organisation is sufficiently ‘secure’. For other organisations, particularly where the information security function is outsourced, other stakeholders may require evidence of information security assurance.

Some ISF Members refer to information security assurance within their organisations as enterprise-wide security management.

A major finding was that a number of different approaches to security assurance were adopted by Members. Indeed, a number
of attendees had no official security assurance programme in place.

A small proportion of ISF Members had their own specialised information security assurance department; however
the duties of their department often varied greatly and tended to be compliance focused.

The relationship between information security assurance and audit

Attendees believed that there were a number of similarities and differences between information security assurance and
information security audit (examined during a concurrent ISF project entitled: Security Audit of Business Applications).

Information security assurance and information security audit can cover some similar activities, such as: performing an assessment
of security; monitoring the state of security; and establishing clear actions (audits typically result in recommendations) to help
mitigate the risks associated with a business application, system or network.

During a security assurance process, multiple sources of validation are typically considered and amalgamated to formulate an
overall opinion, both on a subjective and qualitative basis (eg information security audit results, incidents, security awareness,
system monitoring logs, threat and vulnerability management and fraud testing). This information is captured, tracked and
reported upon to provide a level of ‘assurance’ to senior management that security is working effectively.

Much of the liaison with external stakeholders, such as auditors (particularly external auditors), is likely to be
performed as part of an overall security governance framework. However, in many organisations, there are a
number of more detailed elements of a security assurance programme (eg a security assurance process, such as an
ISMS, relating to a particularly important business application) that are likely to be of interest to both external and
internal auditors – and Members believed that this trend is likely to increase.

In contrast, an information security audit typically provides an independent opinion on the status of information security for a
target environment (eg computer system, network or business application) for a particular part of the organisation at a given
point in time.




Comparing security assurance with security audit

In an attempt to provide a high-level comparison between information security assurance and security audit, a table has been
produced showing how they differ in terms of ‘coverage’ and ‘time’.

Information Security Assurance
  Typical coverage: All security arrangements enterprise-wide
  Typical timeline: Monitor on an ongoing basis

Information Security Audit
  Typical coverage: Security status of a target environment (eg computer system, network or business application)
  Typical timeline: Snapshot at a point in time

Figure 5: Distinguishing security assurance from security audit

The comparison in Figure 5 is only a high-level example and there would often be other considerations including
standards, independence, stakeholders and reporting. Furthermore, a security audit can cover all security
arrangements enterprise-wide over a period of time (eg using a SAS 70 Type II review).

Consult with both internal and external auditors when developing a security assurance programme to ensure that
their requirements are likely to be met – and to help gain their support during any potential audit of processes (or
other specialised security-related activities) associated with a security assurance programme.



Part 3: Establishing an information security assurance programme
Overview

A security assurance programme brings together a set of related security assurance processes and specialised activities to provide
assurance to senior management internally that risks are being managed enterprise-wide.

This part of the report:

• presents some possible drivers for adopting a security assurance programme
• describes the main components of a security assurance programme
• provides clarity on the role of other security-related specialised activities
• introduces a repeatable security assurance process that can be applied to different parts of an organisation.

Drivers for adopting a security assurance programme

ISF Members who attended the project workshops suggested that there are a range of possible drivers for an information
security function to establish an effective security assurance programme enterprise-wide. These drivers are outlined in the table
below, together with examples of the way in which they can help improve organisational approaches to information security.

Drivers for the information security function, with the improvements identified in terms of each:

Alignment of information security strategy with business objectives
• helping to meet corporate and information security governance requirements
• demonstrating that the requirements of information security clearly meet business objectives
• providing continual – and appropriate – status updates to senior management

Establishment of an effective framework for information security controls
• creating a flexible framework for information security that is proactive rather than reactive
• adapting to changes in the organisation’s risk profile
• including a consistent set of security controls that are based on information security-related standards
• conducting ad hoc self assessments to discover the status of security controls
• monitoring the effectiveness of security controls in a systematic manner and on a regular basis

Implementation of a consistent and appropriate set of security controls, enterprise-wide
• establishing a single point of contact for the entire information security programme enterprise-wide
• building a sustainable, repeatable security management process that can be applied to help treat information risk enterprise-wide
• achieving consistent compliance with legal and regulatory requirements
• understanding how the organisational culture influences information security

An approved method of addressing the gaps and overlaps in security assurance processes
• providing specialised information security services (eg metrics, testing and assessment) in a targeted manner
• reducing the amount of (often duplicated) effort spent on conducting specialised activities in isolation
• focusing on specialised activities that are part of ‘enterprise-wide security management’ or ‘business as usual’


Key components of a security assurance programme

At the core of a security assurance programme are one or more security assurance processes (which can be based around the
Plan-Do-Check-Act (PDCA) elements of an ISMS). By following these processes carefully for a particular environment (eg a
customer service department or an online banking system), an organisation should be able to identify security requirements, select
an appropriate control framework (or frameworks), and validate that the framework is operating effectively.

Workshop attendees believed that these processes need to be supported by a range of specialised activities (eg security policy,
metrics and testing) to ensure that a consistent approach is taken and that all parts of the enterprise are covered by the security
assurance programme.

Finally, it is important that the overall security assurance programme is well managed. A clear line of communication should be
established with all relevant stakeholders and aligned with the organisation’s corporate and security governance approach. The
way in which these components fit together is shown in Figure 6 below.

[Figure 6 shows the security assurance programme as a set of security assurance processes (1 to 4), each made up of the same four phases – Identify security requirements, Implement control framework, Monitor and evaluate controls, and Initiate improvements – surrounded by the specialised activities that support them: security policy, security architecture, security strategy, security awareness, security audit / review, security testing, security assessment, security compliance, security access control and security metrics.]

Figure 6: Components of a security assurance programme

Assigning clear responsibility and accountability to individuals is often a key part of the success of a security assurance programme.
It may also be beneficial to look at the individual user’s perspective on information security and how information is protected in
end user environments.

When assessing an end user environment, the ISF report on Protecting Information in the End User Environment can
be used. This report is available on the ISF’s Member Exchange System (MX).


The security assurance process

A security assurance process is a way of ensuring that an appropriate set of controls are applied to a particular environment within
an organisation. The main phases of a typical security assurance process are outlined in Figure 7 below. This figure also shows
that there may be a number of other security assurance processes that are typically applied to other parts of an organisation.

[Figure 7 shows security assurance processes 1 to 4, each consisting of the same four phases in sequence: Identify security requirements, Implement control framework, Monitor and evaluate controls, and Initiate improvements.]

Figure 7: Overview of an information security assurance process

Using a security assurance process, appropriate information security controls can be selected, implemented and monitored
effectively. The results of a security assurance process should then be reported to senior management as evidence that information
risks are being managed in that particular environment.

ISF Members who attended the project workshops believed that security assurance is about making sure the
process is adhered to, rather than performing detailed activities, such as applying controls. Therefore security
assurance is about managing the process, providing advice and guidance and performing reviews.

Whilst it is possible to apply one security assurance process enterprise-wide (eg using the PDCA approach in the ISMS element
of ISO/IEC 27001), the vast majority of attendees had not done this. Typically a security assurance process was only used in
particular parts of their organisation, because it:

• was used to certify a particular topic or area (eg a payment system or a data centre) – for example, to achieve ISO/IEC 27001
certification
• applied to a particular region or country (one global Member had a very impressive implementation of ISO/IEC 27001 which
applied only to their Italian region)
• covered only specific business units, which can often be separate legal entities within an ISF Member
• had not yet been rolled out enterprise-wide (and may not ever be applied to some specialised parts of an organisation that
have unique regulatory or operational requirements).

Consequently, the vast majority of attendees agreed that it was necessary to establish a more comprehensive security assurance
programme enterprise-wide.


Attendees at the project workshops believed that an information security assurance programme applies
enterprise-wide, whereas an information security process (eg an ISMS based on ISO/IEC 27001) typically focuses
on one part of the organisation (eg a customer services department or online banking system). Many organisations
apply the ISO/IEC 27001 process to protecting the organisation’s most critical data. Furthermore, they may deploy
an ISMS in one particular department as a pilot prior to expanding it across the organisation.

Specialised activities

Security assurance processes typically cover particular environments and are seldom applied to the entire organisation.
Consequently, there may be many areas of the organisation not covered, so a range of security-related specialised activities
(eg security policy, metrics and testing) are required to complement these processes. These specialised activities, often performed
at a corporate level, will help ensure that:

• all topics associated with information security are covered across the organisation
• information security is addressed in a consistent manner
• gaps and overlaps are identified and managed effectively enterprise-wide.

Many specialised activities, such as the information security policy, will be applied to all parts of the organisation and not just to
the particular environment covered by the security assurance process.


Part 4: Implementing an information security assurance process
Overview

A security assurance process is a way of ensuring that an appropriate set of controls are applied to a particular environment
within an organisation (eg a customer services department or online banking system) – or sometimes to the whole organisation.

This part of the report:

• outlines the different approaches that can be used to implement an information security assurance process
• introduces a list of challenges (and associated difficulties) when implementing a security assurance programme
• presents the four main phases of a security assurance process and a number of actions to consider when creating an effective
and repeatable security assurance process
• highlights different sources of material to support an information security assurance process.

Implementing an information security assurance process

There are many different approaches for implementing an information security assurance process. ISF Members identified four
main approaches they used – often in combination – which were to:

• use the ISMS in ISO/IEC 27001 as a framework when designing the security assurance process
• implement controls from other information security-related standards (eg SoGP, COBIT, PCI DSS and ITIL)
• deploy the ISF’s Standards and Benchmarking tools (eg the Healthcheck and Benchmark), supported by the Information Risk
Analysis Methodology (IRAM)
• develop a tailored approach to achieve specific organisational objectives.

“Our organisation uses the ISF Standard of Good Practice: it is measured by using the Benchmark, monitored by
our internal audit and communicated to key business employees.”

ISF Members agreed that an ISMS is the most popular approach for implementing an information security assurance process.
However some organisations have developed their own information security assurance approach, which may include elements
from all four of the approaches listed above.

Certification to ISO/IEC 27001, with independent verification from an external auditor, is seen by ISF Members as a
possible approach (but often time consuming and expensive) to demonstrate that an effective security assurance
process has been applied.


Challenges faced when implementing a security assurance process

ISF Members highlighted a number of challenges facing organisations when setting up a security assurance process. An overview
of these challenges is provided in the table below.

Phase 1: Identify security requirements

Challenge: Defining scope
• Unclear, inappropriate or unachievable scope
• Little consideration of business objectives
• Poor links to corporate and security governance
• Inability to define business drivers
• Lack of senior management support

Challenge: Setting policies, standards and procedures
• Fragmented policies, standards and procedures
• Different levels of focus on policy across the organisation
• Unbalanced level of detail covered in policies, standards and procedures

Challenge: Taking a risk-based approach
• No decision on whether the primary focus of the organisation is on risk or compliance
• Risks not assessed in all parts of the organisation
• Risks addressed (ie treated) in an inconsistent or informal manner
• Risks signed off by different managers in different ways across the organisation

Phase 2: Implement control framework

Challenge: Selecting an appropriate control framework
• No consistent framework of controls applied enterprise-wide
• Controls not easily mapped to major information security-related standards
• Controls not aligned to international (or sector specific) good practice

Challenge: Identifying the right controls
• Controls unrelated to risk
• Additional controls identified and applied in an ad hoc manner
• Legal and regulatory requirements not fully considered

Challenge: Applying controls effectively
• Many controls not assigned to owners
• End users (eg within IT and other parts of the business) do not have the right skills, awareness or tools
• Individuals not made accountable for implementing security controls

Challenge: Handling incidents effectively
• Actual or suspected incidents not consistently reported
• Underlying causes of incidents not investigated
• Trends of incidents not reviewed enterprise-wide (eg to identify generic solutions)

Phase 3: Monitor and evaluate controls

Challenge: Identifying control breaches
• Weak or non-existent vulnerability assessments
• Poor monitoring of controls
• Inconsistent intrusion detection capabilities

Challenge: Measuring control effectiveness
• Controls not regularly tested or reviewed in a consistent manner
• Security audit and reviews not sufficiently linked to risk
• Poor alignment with changes to business processes and objectives

Challenge: Reporting security status
• No real holistic approach adopted
• Key stakeholders not involved
• Findings reported in an ad hoc manner, typically using detailed, technical language
• Inappropriate security metrics

Phase 4: Initiate improvements

Challenge: Creating action plans
• No action plans produced
• Unrealistic plans created without clear responsibilities, timelines and costs
• Plans not communicated to relevant parties

Challenge: Improving the security process
• Improvements completed only at the local level of the organisation
• Inadequate review of policies and processes
• Process not re-evaluated following changes to business processes, computer systems, risk profiles or legal and regulatory requirements
• Improvements not sustainable or measurable over time


Feedback from third parties, including experts in security assurance and audit, resulted in a number of other challenges being
identified, which included:

• capturing the risk appetite (or changes therein) of the organisation
• incorporating security assurance into the information security and classification policy
• translating information classification into effective and realistic security requirements
• balancing ownership and accountability between information security functions and other business functions
• linking system, data and information ownership
• detailing all relevant compliance requirements
• enforcing policy in a broad sense across the organisation
• creating an information asset inventory.

Meeting the challenge

Members at the project workshops suggested a number of actions to consider to support a security assurance process – and to
help address the challenges identified. These actions to consider – and how they relate to the four phases of a security assurance
process – are described in more detail in this part of the report.

The actions to consider are based on hints and tips provided by attendees at the workshops, and are not intended
to provide a ‘how to’ guide. Members will need to use these actions as a basis for implementing their own
comprehensive security assurance process. More detailed actions are likely to be required to make sure all key
activities are being performed, that the process has been implemented properly, and that reviews are in place.

An overview of each phase is provided in the table below, together with high-level actions to consider. The four phases are
broadly aligned to the Plan-Do-Check-Act elements of an ISMS, but can go beyond ISMS requirements – and should apply to
any approach taken.

Phase 1: Identify security requirements (‘Plan’)
1.1 Define the scope of the security assurance process
1.2 Review policies related to information security
1.3 Perform a risk assessment
1.4 Determine how risks should be treated

Phase 2: Implement control framework (‘Do’)
2.1 Identify sources of information security controls
2.2 Select appropriate information security controls
2.3 Deploy and run approved information security controls
2.4 Manage information security incidents

Phase 3: Monitor and evaluate controls (‘Check’)
3.1 Monitor important systems and networks
3.2 Conduct regular reviews on the effectiveness of information security controls
3.3 Measure the effectiveness of controls
3.4 Report findings to key stakeholders

Phase 4: Initiate improvements (‘Act’)
4.1 Identify changes to improve the security assurance process
4.2 Maintain improvements to the security assurance process on an ongoing basis

Workshop attendees agreed that it is important to assign individuals involved in administering the security assurance
process with:
• clear roles and responsibilities
• knowledge, skills and experience to administer security assurance correctly
• awareness of the security assurance process and overall security assurance programme, linked to business
objectives.


Using ISF tools to implement security assurance

Much of the time spent at the workshops was devoted to demonstrating how ISF tools can be used to support each phase of
the security assurance process and, in particular, to provide a mapping to an ISMS.

This activity culminated in a spreadsheet-based tool being produced to map ISF tools to the ISMS in ISO/IEC 27001. More details
of this mapping are outlined below.

Mapping ISF tools to the ISO/IEC 27001 Information Security Management System (ISMS)

The ISF have produced a spreadsheet-based tool that maps ISF tools to the ISMS. This mapping tool will assist Members
to understand which ISF tools can be used to support the implementation of the Information Security Management System
(ISMS), which is the main part of the ISO/IEC 27001 framework.

The tool contains two worksheets to outline the mapping between the ISMS and ISF tools:

• Mapping – complete: detailed mapping of the ISF Standards and Benchmarking and Information Risk Analysis Methodology
(IRAM) tools mapped to the ISMS.
• Mapping – list view: shows only the high-level parts of the ISMS mapped to specific ISF tools.

The mapping between the ISMS and ISF tools includes ratings to indicate the degree to which each ISF tool can be used to
support the implementation of the corresponding ISMS activity.

The spreadsheet showing the Mapping ISF tools to the ISO/IEC 27001 Information Security Management System
(ISMS) contains the actual full text from the ISMS in ISO/IEC 27001, which corresponds exactly to the references
outlined in this part of the report. The spreadsheet is available for download from the Security Assurance: ISO 27000
and beyond project area on MX.

Mappings to the appropriate references in the ISO/IEC 27001 ISMS are also provided for each of the four phases of an
information security assurance process (for example, ISO/IEC 27001 reference 4.2.1f relates to ‘Identify and evaluate options for
the treatment of risks’). Several actions to consider may relate to the same reference point in an ISMS; conversely, a number of ISMS
references may be covered by one particular action to consider.



Phase 1: Identify security requirements

What is it?

The first phase establishes the scope and policies required for the security assurance process to be performed in a structured
manner. It sets the foundation for risk-based information security controls to be deployed to meet the objectives of information
security and the business.

Why do I need it?

Sets the objectives for security assurance and defines the approach for selecting controls that are: aligned to business strategy;
based on a structured risk assessment methodology; and comply with legal and regulatory obligations.

How do I do it?

Each action to consider is listed below with its reference number; the corresponding ISO/IEC 27001 ISMS reference(s) follow in square brackets.

1.1 Define the scope of the security assurance process

1.1a Identify what constitutes the target environment (eg a business application, business unit, computer system or network) and any related assets to be considered. [4.2.1a]
   “Define the scope specifically for the environment where the security assurance process will be implemented. Scope may be slightly different across multiple environments.”
1.1b Establish an overall picture (or profile) of the environment (sometimes referred to as the ‘landscape’) to help understand what it includes, and to determine the scope of the security assurance process. [4.2.1a]
   This profile can be used to:
   • make informed decisions about the information security assurance process (eg by information security managers, information security professionals, internal auditors, risk managers and managers of other business departments)
   • convey important information about the environment to other individuals
   • support corporate functions (eg Information Security, Risk Management and Compliance teams) in activities that involve the environment.
1.1c Identify key stakeholders, such as senior business managers (eg Board members or equivalent), business owners, risk managers, Head of IT, corporate specialists (eg legal, HR or finance) and auditors (both internal and external). For each stakeholder: [4.2.1b]
   • consider their individual expectations (which may change over time)
   • outline how their requirements will be met.
1.1d Set objectives for overall security assurance processes, which are SMART – ie: [4.2.1a, 4.2.1b]
   • Specific: the objective should be clear and define the problem that it will address
   • Measurable: the objective should be quantifiable, eg ‘a 20% reduction in the cost of incidents…’
   • Action-oriented: the action should be clearly defined such that all activities can clearly relate to the objective
   • Realistic: if success is to be measured against the objective, then it should be realistic
   • Time-delimited: the objective should clearly state when it will be met.
   Ensure these objectives are mapped to business objectives.
   “Integrate security assurance clearly with business processes, otherwise it will fail.”

1.2 Review policies related to information security

1.2a Consider including aspects of security assurance within high-level information security policies, standards and procedures (eg an enterprise-wide security policy). [4.2.1b]
1.2b Produce a policy or set of procedures for a security assurance process that takes into account: [4.2.1b]
   • information security requirements and objectives
   • legal and regulatory requirements
   • risk appetite of the business.

1.3 Perform a risk assessment

1.3a Adopt a practical approach to information risk management that successfully drives down risk and minimises the likelihood of damaging incidents. The main characteristics of an effective risk analysis capability are that it should be: [4.2.1c]
   • business-driven
   • placed at the centre of an overall information risk management approach
   • widely deployed.
1.3b Identify business information that is considered to be critical (ie the information needs to be available and have integrity) and information that is considered to be confidential (ie the information can only be disclosed to authorised individuals). [4.2.1d]
1.3c Perform a detailed business impact assessment to understand the potential business impact as a result of: [4.2.1d, 4.2.1e]
   • critical information becoming corrupted (eg so that key data was no longer valid, accurate or timely) – or unavailable
   • confidential information being disclosed to unauthorised individuals.
   The ISF have developed a Business Impact Assessment (BIA) tool, which includes a Business Impact Reference Table (BIRT), as part of its Information Risk Analysis Methodology (IRAM). The BIA and BIRT can be found on the Member Exchange System (MX).
1.3d Carry out an assessment to examine the wide variety of threats and vulnerabilities relating to confidential or critical information associated with the target environment. [4.2.1d, 4.2.1e]
   The ISF have developed a Threat and Vulnerability Assessment (T&VA) tool as part of its Information Risk Analysis Methodology (IRAM). The T&VA can be found on the Member Exchange System (MX).
1.3e Combine the results of the business impact assessment and the threat and vulnerability assessment so that the organisation can get a better understanding of the risks in terms of impact and likelihood. [4.2.1e]
1.3f Define the level of information security requirements for the confidentiality, integrity and availability of information associated with the security assurance process (eg rated from very low to very high). [4.2.1e]

1.4 Determine how risks should be treated

1.4a Review the options for addressing information risk in the target environment, sometimes referred to as risk treatment. Risk treatment involves choosing one or more of the following options: [4.2.1c, 4.2.1e, 4.2.1f, 4.2.2a, 4.2.2b]
   • accepting risks (ie a member of management ‘signs off’ that they have accepted the risks and that no further action is required)
   • avoiding risks (eg by deciding not to pursue a particular initiative)
   • transferring risks (eg by outsourcing or taking out insurance)
   • applying appropriate security measures (eg access controls, network monitoring and incident management).
1.4b Decide how the risks should be treated (ie accept, avoid, transfer or apply appropriate controls) and include these decisions in a formal plan for sign-off by top-level management. Provide a framework for top-level management to understand residual risk (the proportion of risk that still remains after the selected controls have been implemented). [4.2.1g, 4.2.1h, 4.2.2a]
1.4c Comply with corporate policy for accepting information risks, such as documenting the risks and obtaining ‘sign-off’ for accepting them from a representative of top-level management. Consider using an inventory to record details of each risk that has been accepted and the reason for its acceptance. [4.2.1i, 4.2.1j]

Risk treatment
Risk treatment tables (a technique for capturing the responses chosen by the business to a particular information risk type)
should be used to record responses and monitor the progress of actions taken to address a particular risk. The example
below is described in the ISF’s Reporting information risk report and shows a populated risk treatment table with one entry
per risk type and columns for risk rating, the four risk treatment options and sign-off by the owner.

R17 Changing systems privileges without authorization
   Risk rating: Very high
   Risk mitigation: Sign off process to be put in place before Q2 2010
   Risk transfer: –
   Risk avoidance: –
   Risk acceptance: –
   Sign-off by owner: T. Jones

R18 Changing or adding software without authorization
   Risk rating: Very high
   Risk mitigation: –
   Risk transfer: –
   Risk avoidance: –
   Risk acceptance: H. Frost willing to completely accept this risk type (12-02-10)
   Sign-off by owner: H. Frost

The information risk treatment table above is an example, but it can be edited and modified by Members.
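The risk assessment steps in 1.3e and 1.3f (combining the impact from a business impact assessment with the likelihood from a threat and vulnerability assessment into a single rating from very low to very high) and the treatment and sign-off rules in 1.4a to 1.4c, worked through as an added Python example. This is illustrative code written for this page; it is not an ISF tool, not part of IRAM and not taken from the report. The five-by-five rating matrix and its score thresholds, the policy that accepting a risk rated High or above requires a documented reason and sign-off by a named top-level manager, and the R19 entry in the sample register are all assumptions chosen for the illustration; R17 and R18 follow the example table above.

```python
"""Risk register with rating, treatment decision and sign-off check.
Added example, not ISF code: the 5x5 matrix, its thresholds and the sign-off
rule are assumptions for this illustration, not values from IRAM."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum, IntEnum
from typing import Optional

class Level(IntEnum):   # five-point scale shared by impact, likelihood and rating
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5

    def label(self) -> str:
        return self.name.replace("_", " ").capitalize()   # e.g. "Very high"

class Treatment(Enum):
    """The four options in 1.4a; values double as table column titles."""
    MITIGATE = "Risk mitigation"
    TRANSFER = "Risk transfer"
    AVOID = "Risk avoidance"
    ACCEPT = "Risk acceptance"

# Assumed scoring: impact x likelihood (1..25) bucketed into five bands.
BANDS = ((20, Level.VERY_HIGH), (12, Level.HIGH), (6, Level.MEDIUM), (3, Level.LOW))

def rate_risk(impact: Level, likelihood: Level) -> Level:
    """Combine BIA impact with T&VA likelihood into one rating (1.3e/1.3f)."""
    score = int(impact) * int(likelihood)
    return next((lvl for floor, lvl in BANDS if score >= floor), Level.VERY_LOW)

@dataclass
class Risk:
    ref: str
    description: str
    impact: Level
    likelihood: Level
    treatment: Optional[Treatment] = None
    action: str = ""            # planned action, or the reason for accepting
    owner: str = ""             # person signing off the decision
    signed_off_on: str = ""     # free-text date
    residual_impact: Optional[Level] = None       # expected after treatment
    residual_likelihood: Optional[Level] = None

    @property
    def rating(self) -> Level:
        return rate_risk(self.impact, self.likelihood)

    @property
    def residual_rating(self) -> Level:
        """Risk left after treatment (1.4b); same as rating if nothing changes."""
        return rate_risk(self.residual_impact or self.impact,
                         self.residual_likelihood or self.likelihood)

def validate(risk: Risk, top_level_managers: set[str]) -> list[str]:
    """Assumed policy after 1.4b/1.4c: each risk needs a decision and an owner;
    accepting High or above needs a reason and top-level sign-off; a mitigation
    needs a named action that actually lowers the rating. Returns violations."""
    if risk.treatment is None:
        return [f"{risk.ref}: no treatment decision recorded"]
    problems = [] if risk.owner else [f"{risk.ref}: no owner has signed off"]
    if risk.treatment is Treatment.ACCEPT:
        if not risk.action:
            problems.append(f"{risk.ref}: accepted without a documented reason")
        if risk.rating >= Level.HIGH and risk.owner not in top_level_managers:
            problems.append(f"{risk.ref}: {risk.rating.label()} risk accepted "
                            "without top-level management sign-off")
    elif risk.treatment is Treatment.MITIGATE:
        if not risk.action:
            problems.append(f"{risk.ref}: mitigation chosen but no action planned")
        if risk.residual_rating >= risk.rating:
            problems.append(f"{risk.ref}: planned controls do not lower the rating")
    return problems

def treatment_table(register: list[Risk]) -> list[str]:
    """Lay the register out in the columns of the report's risk treatment table."""
    rows = [" | ".join(["Risk type", "Risk rating", *(t.value for t in Treatment), "Sign-off by owner"])]
    for r in register:
        cells = [r.action if r.treatment is t else "-" for t in Treatment]
        signoff = r.owner + (f" ({r.signed_off_on})" if r.signed_off_on else "")
        rows.append(" | ".join([f"{r.ref} {r.description}", r.rating.label(),
                                *cells, signoff]))
    return rows

# Constructed sample register: R17/R18 follow the report's example, R19 is made up.
TOP_LEVEL = {"T. Jones", "H. Frost"}
REGISTER = [
    Risk("R17", "Changing system privileges without authorisation",
         Level.VERY_HIGH, Level.HIGH, Treatment.MITIGATE,
         "Sign-off process to be put in place before Q2 2010", "T. Jones",
         residual_likelihood=Level.LOW),
    Risk("R18", "Changing or adding software without authorisation",
         Level.VERY_HIGH, Level.HIGH, Treatment.ACCEPT,
         "Owner willing to accept this risk type", "H. Frost", "12-02-10"),
    Risk("R19", "Unencrypted backups shipped off-site",
         Level.HIGH, Level.MEDIUM, Treatment.ACCEPT, "", "A. Clerk"),
]
```

Calling `treatment_table(REGISTER)` reproduces the layout of the table above, and `validate(risk, TOP_LEVEL)` for each entry flags R19 twice: it was accepted with no documented reason, and its High rating was signed off by someone outside the assumed set of top-level managers. The check on `residual_rating` is what turns the residual-risk framework in 1.4b into something enforceable: a mitigation that does not move the rating is reported rather than silently recorded.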



Phase 2: Implement control framework
What is it?

Having identified security requirements, this phase focuses on identifying sources of controls, selecting appropriate controls
and implementing them effectively. This phase also provides an outline of the way in which roles and responsibilities should be
assigned for activities that contribute towards a successful information security process.

Why do I need it?

Mitigates the risks identified during the identifying security requirements phase by implementing information security controls as
part of the security assurance framework.

How do I do it?

Each action to consider is listed below with its reference number; the corresponding ISO/IEC 27001 ISMS reference(s) follow in square brackets.

2.1 Identify sources of information security controls

2.1a Analyse a range of information security-related standards (eg ISF’s The Standard of Good Practice for Information Security, ISO/IEC 27002 and COBIT). [4.2.1g]
2.1b Assess the need for additional information security controls from more specific frameworks (eg NIST or detailed ISF checklists), which provide controls at a more granular level. [4.2.1g]

Directory of Principles, Standards and Corporate Governance

This directory provides Members with a source of reference to assist in the identification of information security-related
standards, applicable corporate governance codes and common bodies of knowledge for information security. Publications
outlined in the directory provide a source of controls in information security-related standards; an overview of compliance
requirements in governance codes; and sources of information about certification and accreditation.
The directory is organised in three parts: Principles, Security Standards Matrix and Corporate Governance Matrix.

This directory is available for download from the Security Assurance: ISO 27000 and beyond project area on MX and can be
used as an initial source of data by Members to help them:

• investigate whether internal standards, policies and procedures should be changed to accommodate new or upcoming
changes to industry standards and legislation
• design an effective compliance programme by understanding the latest developments in standards, laws and regulations
• establish an integrated strategy and architecture for information security that reflects global developments in information
security
• align education and training for information security professionals with recognised industry certification.

In addition to information security controls found in information security-related standards, ISF Members often use
a more detailed set of controls when implementing a comprehensive control framework to meet requirements and
mitigate risks.

2.2 Select appropriate information security controls

2.2a Create a suitable control framework based on analysis of the sources reviewed in 2.1 Identify sources of information security controls. This control framework can be the entirety of a third party offering (eg ISF’s The Standard of Good Practice for Information Security) or an internal set of controls, which may often be based on external frameworks, such as ISO/IEC 27002. [4.2.1g]
2.2b Consult more widely (for example, with internal and external auditors and other stakeholders) when defining and documenting the security controls to be deployed. This will help to identify issues or topics that need to be considered, and ensure that controls deployed are consistent with the thinking of auditors and meet all relevant requirements. [4.2.1g]
2.2c Evaluate the cost of controls (taking account of the value of assets to be protected and other resources required to apply information security controls). [4.2.1g]
2.2d Agree the most appropriate set of security controls that: [4.2.1g]
   • meet requirements identified during risk assessment
   • reflect decisions made about risk treatment
   • comply with legal and regulatory obligations.
   Ensure that the security controls selected have been approved by senior management, including documentation and sign-off.
   “The need to satisfy legal and regulatory obligations should be considered when selecting information security controls and this should be independently verified.”

2.3 Deploy and run approved information security controls

2.3a [4.2.2d] Implement the approved set of security controls within the agreed framework. Specify how the effectiveness of selected controls is going to be measured so that meaningful results are produced.
When measuring the effectiveness of information security controls, the ISF’s Fundamental Information Risk Methodology (FIRM) can be used. Members may also want to take part in the ISF’s Benchmark service, both of which are available on the ISF’s Member Exchange System (MX).

2.3b [4.2.2d] Apply controls in a diligent, consistent manner, for example by:
• adhering to a defined policy and set of criteria for deploying controls
• establishing a ‘security-positive’ environment where controls are maintained over a sustained period of time
• reducing reliance on key individuals (eg improving system processes, providing clear documentation and appointing alternative personnel)
• supervising the application of controls where required
• providing dual control over particularly important activities, such as payments.

2.3c [4.2.2d, 4.2.2h] Reduce the likelihood of control failure by:
• testing controls from a security perspective
• using automated controls where possible.

2.3d [4.2.2f, 4.2.2g] Ensure ownership and accountability by:
• obtaining senior management buy-in for the security assurance process
• appointing owners to be responsible for implementing key controls, or groups of controls
• assigning roles and responsibilities to those responsible for the implementation of particular information security controls
• making individuals aware of their responsibilities and accountable for their actions.
When assessing the individual responsibilities within an environment, the ISF report on Protecting Information in the End User Environment can be used. This report is available on the ISF’s Member Exchange System (MX).

2.3e [4.2.2e] Provide information security training and awareness to highlight the importance of information security controls.
The ISF report on The Evolution of Security Awareness can be used to help determine what should go into an information security awareness programme. This report is available on the ISF’s Member Exchange System (MX).

2.4 Manage information security incidents

2.4a [4.2.2h, 4.2.3a] Implement a process for managing information security incidents, which includes:
• identifying security incidents (eg receiving information security incident reports, assessment of business impact and recording of information about the information security incident)
• responding to security incidents (eg escalation to the information security incident management team and eradication of the cause of the information security incident)
• recovering from security incidents (eg rebuilding systems and restoring data, and closure of the information security incident)
• following up security incidents (eg post-incident activities such as root cause analysis, forensic investigation and reporting to the business).

2.4b [4.2.2h, 4.2.3a] Ensure that information relevant to managing information security incidents (eg network diagrams, event logs, business processes, and security audit reports) is made available to help staff follow, and make important decisions during, the information security incident management process.

2.4c [4.2.2h, 4.2.3a] Support individuals responsible for managing information security incidents by providing additional tools (eg software for security information management, evidence handling, back-up and recovery, and forensic investigation).
The ISF report on Information Security Incident Management provides clear guidance on the steps and actions that should be undertaken to ensure information security incident management is addressed in an effective and thorough manner. This report is available on the ISF’s Member Exchange System (MX).


Phase 3: Monitor and evaluate controls

What is it?

Following the implementation of information security controls, this phase checks the effectiveness of those controls and assesses
whether they are working as intended. During the assessment, organisations may need to identify controls that are not functioning
as required and suggest areas where additional controls may be needed.

Why do I need it?

Assesses whether the information security controls that have been implemented are working as intended, while establishing the
need to remove unnecessary controls or to include additional controls as required.

“Once you have understood what security assurance is, it is then necessary to define how to quantify and measure
it.”

How do I do it?

Ref [ISO/IEC 27001 ISMS reference] Actions to consider

3.1 Monitor important systems and networks

3.1a [4.2.3a] Assess the security performance of systems associated with the environment (eg by monitoring against agreed targets, reviewing event logs frequently and using automated monitoring software).

3.1b [4.2.3a, 4.2.3b] Conduct system and network monitoring activities on a regular basis, which typically involve:
• scanning host systems for known vulnerabilities
• confirming that powerful utilities / commands have been disabled on attached hosts
• checking for the existence and configuration of unauthorised wireless networks
• identifying unauthorised systems (eg by using network discovery and mapping tools)
• detecting unauthorised changes to electronic documents and configuration files.
“It is a big challenge to ensure effective monitoring of controls (eg to ensure the integrity of controls). Organisations need to also establish a good balance between providing security and enabling operations.”

3.1c [4.2.3b] Employ intrusion detection mechanisms, such as Host Intrusion Detection Software (HIDS) and Network Intrusion Detection Systems (NIDS), to ensure:
• detection of known attack characteristics and unusual system behaviour
• new or updated attack characteristics are addressed
• provision of alerts when suspicious activity is detected, supported by documented processes for responding to suspected intrusions.

3.1d [4.2.3b] Perform regular reviews of systems and networks used in the target environment (eg current levels and type of equipment) to identify new and emerging risks (eg due to the introduction of new technology or a significant increase in a particular type of equipment).

3.2 Conduct regular reviews on the effectiveness of information security controls

3.2a [4.2.3a] Establish arrangements for monitoring information security controls, which are documented, approved by senior management and performed regularly.

3.2b [4.2.3b] Perform regular security reviews that are:
• agreed with the owner of the environment under review
• performed by individuals who are equipped with sufficient technical skills and knowledge of information security
• conducted thoroughly (in terms of scope and extent) to provide assurance that security controls function as required
• focused on ensuring that controls are effective enough to reduce risk to an acceptable level
• supplemented by the use of automated software tools (where relevant)
• validated by competent individuals
• complemented by assessments carried out by independent third parties.
An external audit firm may request to see the ISMS or part of the overall security assurance process during their review of the information security status of the organisation.

3.2c [4.2.3b] Review self assessments performed by individuals responsible for running systems and networks used in the target environment (including any third parties).

3.2d [4.2.3a, 4.2.3b] Perform security monitoring of the environment, using a range of techniques which typically include:
• reviewing the results of monitoring activities that relate to the environment (eg reviewing access logs, unusual transaction activity, software failures and application availability)
• performing ad hoc security assessments within the environment to determine the level of information protection
• carrying out regular audits / reviews to assess compliance with acceptable usage policies (AUPs) for business applications, equipment and connectivity
• considering random social engineering tests (eg over the phone, via email communications or face-to-face encounters) to determine if recommendations about protecting information are being observed and followed
• reviewing security incidents (including repeat incidents) to help determine if awareness initiatives are reducing the frequency and magnitude of incidents
• analysing the root cause of information security incidents.
In some environments, social engineering tests (eg ethical hacking) may be contrary to legal / regulatory requirements.

3.2e [4.2.3b] Review the results of monitoring activities in the environment, together with summary reports from automated security software (eg intrusion detection, data leakage protection and malware protection), to highlight the threats associated with systems and networks used in the environment.
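To show what the first bullet of 3.2d (reviewing access logs for unusual activity) looks like as a repeatable check that can feed the summary reporting in 3.2e, here is added example code in Python, written for this page rather than taken from the ISF report. It parses a constructed, syslog-style login log (the line format, host name, account names and addresses are all invented for the example) and applies two review rules: repeated failed logins for one account inside a sliding time window, and successful logins outside agreed business hours. The threshold, window and business hours are assumptions to be set per environment.

```python
"""Added example for this page (not ISF code): reviewing access logs for unusual activity.

Two review rules are applied to a constructed login log:
  1. repeated failed logins for one account inside a sliding time window
  2. successful logins outside agreed business hours
The log format, host, account names, addresses, threshold, window and hours are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Assumed log format: "<ISO timestamp> <host> login <OK|FAIL> user=<name> src=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


class Event(NamedTuple):
    ts: datetime
    host: str
    result: str
    user: str
    src: str


def parse_log(text: str) -> List[Event]:
    """Parse well-formed lines; malformed lines are skipped (a real review would count them)."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                            m["result"], m["user"], m["src"]))
    return events


def repeated_failures(events: List[Event], threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Accounts with at least `threshold` failed logins inside any period of length `window`.

    Returns the highest such count seen for each flagged account.
    """
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.result == "FAIL":
            by_user[e.user].append(e.ts)
    flagged: Dict[str, int] = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span [start, end] fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def out_of_hours_logins(events: List[Event], start_hour: int = 7,
                        end_hour: int = 19) -> List[Event]:
    """Successful logins whose hour falls outside [start_hour, end_hour)."""
    return [e for e in events
            if e.result == "OK" and not (start_hour <= e.ts.hour < end_hour)]


# Constructed sample log (not real data): one account with a burst of failures,
# one late-night login and one malformed line that the parser must tolerate.
SAMPLE_LOG = """
2010-07-05T09:00:12 app01 login OK user=alice src=10.1.2.3
2010-07-05T09:01:40 app01 login FAIL user=bob src=10.1.2.9
2010-07-05T09:02:05 app01 login FAIL user=bob src=10.1.2.9
2010-07-05T09:02:31 app01 login FAIL user=bob src=10.1.2.9
2010-07-05T09:03:10 app01 login FAIL user=bob src=10.1.2.9
2010-07-05T09:03:42 app01 login FAIL user=bob src=10.1.2.9
2010-07-05T09:04:00 app01 login OK user=bob src=10.1.2.9
2010-07-05T12:30:00 app01 login FAIL user=carol src=10.1.2.20
2010-07-05T23:15:47 app01 login OK user=dave src=10.1.9.44
2010-07-05T23:16:02 app01 unparseable line
"""


def review(text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Run both rules and return findings in a form suitable for a monitoring summary."""
    events = parse_log(text)
    return {
        "events_reviewed": len(events),
        "repeated_failures": repeated_failures(events),
        "out_of_hours": [(e.user, e.ts.isoformat()) for e in out_of_hours_logins(events)],
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

A burst of failures followed by a success on the same account, as in the sample, is exactly the pattern a reviewer wants surfaced rather than buried in raw logs; the findings dictionary is the kind of structured summary that 3.2e asks to be reviewed alongside reports from automated security software.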

3.3 Measure the effectiveness of controls

3.3a [4.2.3c] Assess the information security status of controls using a consistent method (eg using The ISF Security Healthcheck). Test and provide evidence that the controls are working effectively (using the criteria identified in step 2.3 Deploy approved information security controls).
“If controls are not being effectively monitored or measured, there is no way of knowing if they are working properly.”
When performing a review on the status of information security controls, the ISF Security Healthcheck can be used. The Security Healthcheck is available on the ISF’s Member Exchange System (MX).

3.3b [4.2.3c, 4.2.3e] Consider commissioning a third party review of the status of security controls (eg using audit standards, such as the Statement on Auditing Standards 70 (SAS 70) or ISAE 3402 Assurance Reports on Controls at a Third Party Service Organisation). This would also be useful to assess the security assurance of third parties.

SAS 70 audits
SAS 70 stands for Statement on Auditing Standards 70, Service Organisations; it is produced by the American Institute of Certified Public Accountants. SAS 70 does not provide a list of controls that should be in place. The organisation being audited provides a list of controls to be audited and the auditor forms an opinion about the controls based on the evidence collected.

ISAE 3402 Assurance Reports on Controls at a Third Party Service Organisation
The International Auditing and Assurance Standards Board have developed and released a ‘global’ version of SAS 70, termed ISAE (International Standard on Assurance Engagements) 3402. The standard is not designed to replace country-specific standards but to provide a single assurance standard with consistent reporting for global organisations.

The ISF’s Security Audit of Business Applications report covers SAS 70 audits and ISAE 3402 in more detail. This report is available on the ISF’s Member Exchange System (MX).

3.3c [4.2.3d] Review risk assessments, residual risks and risk treatment decisions by considering any changes to:
• business objectives
• systems, networks and applications
• threats and vulnerabilities
• control effectiveness
• legal and regulatory obligations
• the overall environment.

3.3d [4.2.3e, 4.2.3f] Review the scope of the security assurance process on a regular basis to ensure that the scope remains appropriate and risks are mitigated throughout the process.

3.4 Report findings to key stakeholders

3.4a [4.2.3f, 4.2.3g, 4.2.3h] Present information about security assurance to key decision-makers (including top management, members of a high-level security committee, and relevant external bodies), to provide them with an informed view of:
• the effectiveness and efficiency of information security arrangements
• areas where improvement is required
• information and systems that are subject to an unacceptable level of risk
• performance against quantitative, objective targets
• actions required to help minimise risk (eg reviewing the organisation’s risk appetite; understanding the information security threat environment; and encouraging business and system owners to remedy unacceptable risks).

3.4b [4.2.3g, 4.2.3h] Communicate messages using terms that senior management will understand. For example, provide a summary of the overall status of information security assurance, rather than the detailed analysis.

3.4c [4.2.3g] Present the analysis performed as part of monitoring controls:
• in a standard format (eg security dashboards, cockpits or balanced scorecards)
• adhering to terminology that has been previously defined and agreed by all stakeholders
• using standard terms that go across all risk types, such as business impact (ie in the format that scales to assess risk).
“Organisations are diverse, therefore it is difficult to communicate a collective approach and obtain meaningful results on the success of information security assurance.”


Phase 4: Initiate improvements

What is it?

The final phase of an information security assurance process focuses on identifying areas where each of the other phases can
be improved. The agreed outcomes from this phase should be applied to all security assurance processes that have been
implemented enterprise-wide, so that improvements can be applied consistently to all parts of the organisation.

Why do I need it?

Increases the level of information security assurance provided to senior management by considering aspects that worked well,
highlighting weaknesses and assessing the need for alternative approaches to improve the effectiveness of security controls based
on information risk.

How do I do it?

Ref [ISO/IEC 27001 ISMS reference] Actions to consider

4.1 Implement changes to improve the security assurance process

4.1a [4.2.4b] Review the results from Phase 3: Monitor and evaluate controls to determine the best and worst performing controls. Conduct a post-implementation review to identify actions to help improve the security assurance process.

4.1b [4.2.4a, 4.2.4c] Produce an action plan for addressing improvements, both within the target environment and enterprise-wide. This action plan would typically include:
• assigning ownership for each action
• agreeing deadlines to resolve any outstanding actions
• committing sufficient resources in terms of priority to the business
• following up on how actions have been resolved, including any remediation activity.
Obtain senior management approval for the action plan. Communicate the actions and improvements to all stakeholders using a level of detail appropriate to the circumstances.

4.1c [4.2.3g] Redesign the security assurance process to include the identified actions to improve the individual phases of the security assurance process and the security assurance programme as a whole (eg by updating relevant security assurance plans, processes and policies).
“Awareness of information security assurance in the organisation is minimal, which results in insufficient resource allocation.”

4.2 Maintain improvements to the security assurance process on an ongoing basis

4.2a [4.2.4d] Assess the outcomes from the security assurance process against whether the objectives for the process have been achieved.

4.2b [4.2.4d] Monitor the security assurance process on a continuous basis to:
• discover whether changes to the security assurance process have been implemented effectively
• identify future improvements.

ISF Members suggested during the project workshops that this phase is often the most important as it has an impact on the ongoing success of information security assurance processes, particularly when trying to replicate successful processes in other parts of the organisation.


Part 5: The way forward

Conclusion

In summary, security assurance can help an organisation to provide evidence to senior management that information risks are
being managed enterprise-wide. This can be achieved by the successful implementation of a security assurance programme,
supported by risk-based security assurance processes and specialised activities.

Drivers for the information security function setting up a security assurance programme, which have been identified in this report,
include:

• Alignment of information security strategy with business objectives.
• Establishment of an effective framework for information security controls.
• Implementation of a consistent and appropriate set of security controls, enterprise-wide.
• An approved method of addressing the gaps and overlaps in security assurance processes.

Creating an effective security assurance programme, and implementing it enterprise-wide, will help an organisation address these
drivers in practice.

The entire security assurance programme needs to be flexible to accommodate changes when identifying security requirements,
implementing controls and monitoring their effectiveness.

Making security assurance work in practice

Members attending the project workshops spent a great deal of time discussing practical ways to help make a security assurance
programme work in an effective manner across the enterprise both now and in the future. In essence they believed that there
are five key steps to focus on, which are:

A. Link security assurance to corporate governance and information security governance
B. Implement a security assurance programme that covers the entire organisation
C. Deploy security assurance processes for particular environments
D. Implement specialised activities to provide consistency and ensure coverage enterprise-wide
E. Prepare for new challenges in the future.

These steps are outlined in the table on the following page, together with practical hints and tips from workshop attendees.

Careful consideration of the topics covered in this report – used as input into the design of a comprehensive security assurance
programme – will help organisations provide evidence to senior management that information risks are being managed effectively
enterprise-wide, both today and in the future.


A. Link security assurance to corporate governance and information security governance
> Position security assurance in conjunction with corporate governance and information security governance
> Demonstrate how strategic governance decisions directly impact security assurance activities

B. Implement a security assurance programme that covers the entire organisation
> Design a security assurance programme that consists of:
  - security assurance processes (eg selecting and monitoring controls)
  - specialised activities (eg compliance and risk management)
  - liaison with senior management (eg clear lines of communication and reporting)
> Assign clear roles and responsibilities for the overall security assurance programme and for each individual security assurance process

C. Deploy security assurance processes for particular environments
> Build a repeatable, sustainable security assurance process (such as an ISMS) around the following phases:
  - identify security requirements
  - implement control framework
  - monitor and evaluate controls
  - initiate improvements
> Select controls from a range of major information security-related standards (eg ISF’s The Standard of Good Practice for Information Security, ISO/IEC 27002 and COBIT)
Controls can be monitored by performing ad hoc self-assessments (eg the ISF’s Security Healthcheck) and by using automated tools (eg scanning host systems for known vulnerabilities).

D. Implement specialised activities to provide consistency and ensure coverage enterprise-wide
> Understand the importance of specialised activities (eg security metrics, testing and assessments) in a security assurance programme to make it successful
> Ensure that there are no gaps or overlaps in security arrangements enterprise-wide
A number of these specialised activities are likely to already be performed, in various forms, by an information security function. Including these activities as part of security assurance provides a consistent set of requirements and objectives for each activity across the organisation.

E. Prepare for new challenges in the future
> Review the overall programme to ensure that security assurance is provided in an effective manner
> Implement a flexible, proactive security assurance programme that can continue to achieve business objectives in a rapidly changing business environment
> Keep abreast of new developments in corporate governance (eg changes to existing corporate governance codes) and security governance (eg working draft ISO/IEC 27014 – not yet available in the public domain)
Organisations should create a flexible information security assurance process that is able to adapt to constantly changing information security requirements.


Acknowledgements

The Information Security Forum acknowledges and thanks the following Member representatives for their participation in the
meetings that have helped form the basis of this project.

The views, opinions and comments in this report are not necessarily those of work group participants or
Member organisations.

Bjarne Lonberg, A. P. Møller-Maersk
Andy Hjortenfeldt, A. P. Møller-Maersk
Raimo Villikka, ABB Oy
Frits C van Daalen, ABN AMRO Bank
Olaf Streutker, ABN AMRO Bank
Timo Muller, ABN AMRO Bank
Human Bosman, ABSA Bank
Stephen Nel, ABSA Bank
Richard Mayall, Acuity Risk Management LLP
Kirsty Milne, Aegon UK
Jean-Louis Delettre, Alcatel-Lucent
Bertrand Marquet, Alcatel-Lucent
Walter Lecossois, AXA
Helmut Rother, AXA
Rick Zhong, Bank of America
Jadvji Kanji, Bank of America
Michael Hanna, Bank of Ireland Group
Ambrose Ewins, Bank of Ireland Group
Ciaran Caffrey, Bank of Ireland Group
Kevin Harrington, Bank of Tokyo-Mitsubishi
Simone Levy, Barclays Bank
Gianpiero Acerbi, Barclays Bank
Graham Lopeman, Barclays Bank
Francis Ho, BMO Financial Group
Winnie Fu, BMO Financial Group
Tini Schuurmans, BT Global Services
Stan Fromhold, BT Global Services
Chuan Wei Hoo, BT Global Services
Martin Koyabe, BT Global Services
Flip Erasmus, Business Connexion
Julius Francis, Business Connexion
Alex Lindl, Cable & Wireless
Keith Mellish, Canada Life Ltd
Aleksandar Nojkov, CIBC
Matthew Tim, CIBC
Murray Rosenthal, City of Toronto
Georg Hünermann, Clariant International Ltd
Esther Lau, Commerzbank AG
Adrian Schneider, Commerzbank AG
Rafael Rodriguez de Cora, Computer Aided Logistics
Tim Wilson, Córas Iompair Éireann
Mary O’Brien, Córas Iompair Éireann
Steven Ng, Credit Suisse
Jai Chandran, Credit Suisse
Steven Garner, Credit Suisse
Peter Drabwell, Credit Suisse
Anders Pedersen, Danish Tax and Customs Administration
Lennart Nilsson, Danish Tax and Customs Administration
Erika Paavola, Deloitte LLP
Damien Moran, Deloitte LLP
David Kelly, Department of Social & Family Affairs
Vincent Hegarty, Department of Social & Family Affairs
Chong Yeow Lim, DHL Exel Supply Chain & DHL Global Forwarding
Ken Berry, DHL Exel Supply Chain & DHL Global Forwarding
Saugat Dutta, DHL Lemuir Logistics Pvt. Ltd.
Tapan Ghosh, DHL Lemuir Logistics Pvt. Ltd.
Harwinder Dhillon, Dresdner Bank
Eric Savignac, EADS
Ole Johnny Dahle, EDB Business Partner ASA
Bobby Singh, eHealth Ontario
Martin Green, eHealth Ontario
Rory Alsop, Ernst & Young
Martin Wijnmaalen, Ernst & Young
Jatin Sehgal, Ernst & Young
Nthateng Mokumo, Eskom
Laura Semenya, Eskom
Lukie Mzekandaba, Eskom
Sheila Mbongo, Eskom
Nombuso Hlela, Eskom
Bulelwa Linganiso, Eskom
Mustapha Huneyd, Etisalat Corporation
Edwin Pol, Eureko/Achmea
Benoit Ghysens, Euroclear
Olivier Nijland, Euroclear
Gilles Garnier, Euroclear
Jani Arnell, Finnish Communications Regulatory Authority
Andrew Eelbeck, Foreign & Commonwealth Office
Pauline Watson, Foreign & Commonwealth Office
Edwin Lai, Fortis
Michel Van der Burg, Fortis
Kari Halonen, Fortum Oyj
Ken Bunce, Friends Provident Holdings
Margaret Thomas, Fujitsu
Jaap Halfweeg, Getronics
Sylvia Nikodem, Government of Ontario
Tim Dafoe, Government of Ontario
Jeff Warren, Government of Victoria
Yalcin Adal, Government of Victoria
Carlos Borboa, Government of Victoria
Paul Martinuzzo, Government of Victoria
Malith Nanayakkara, Government of Victoria
Robert Hoffmann, Government of Victoria
Joseph Mastrandrea, Guardian Life Insurance Company of America
Jack Campbell, Guardian Life Insurance Company of America
Mikael May Yde, H. Lundbeck A/S
Lars Kessum, H. Lundbeck A/S
Jim Brady, HBOS Group Ltd
Gordon King, HBOS Group Ltd
Ramesh Kotian, HDFC Bank
Dimple Santwan, HDFC Bank
Bharat Soni, HDFC Bank
Ian Jefferies, HMRC
Kim Wilson, HMRC
Keith Mueller, HP Enterprise Services
Ramiah Marappan, HP Enterprise Services
Vijay Raghavan, HSBC
Sarvesh Tiwari, HSBC
Lynn Yang Pheng Kuek, HSBC
Angelo Tosi, IBM
Jonathan Smith, IBM
Shashikant Sanjeevi, IBM
Loretta Donnelly, IBM
Tiziano Airoldi, IBM
Giuseppe Puleo, IBM
Paolo Artuso, IBM
Mariangela Fagnani, IBM
Raffaella D’Alessandro, IBM
Darren Argyle, IBM
Lip Ping Chew, Infocomm Development Authority of Singapore
Ter Kwee Leng, Infocomm Development Authority of Singapore
Christine Koh, Infocomm Development Authority of Singapore
Kong Wei-Chang, Infocomm Development Authority of Singapore
Calvin Chan, Infocomm Development Authority of Singapore
Lup Houh Ng, Infocomm Development Authority of Singapore
Sissel Thomassen, Infosecure UK
Daniel Herrmann, ING
Brett Luker, ING
Jon Cambria, ING
Arsen Shirokov, ING
Kulbir Sarl, ING
Toshiaki Kinugawa, (ISC)²
Marc Alramahi, JPMorgan
Paul De Luca, JPMorgan
Jeffry Jacob, KPMG
Matti Jarvinen, KPMG
Luca Boselli, KPMG
Luca Lora Lamia, KPMG
Mika Laaksonen, KPMG
Peet Viviers, KPMG
Dirk de Maeyer, KPMG
Johan Bakker, KPN
Rob Poland, KPN
Olga Jesús Sanchez Campoy, La Caixa
Peter Rayner, Lloyds TSB
Thierry Jardin, Logica
Ed Bronner, Logica
Gert Koolwijk, Logica
Eddy Den Oudsten, Logica
Shaheen Abdul Jabbar, Manulife Financial
Colin Campbell, Metropolitan Health Group
Tim Harker, Metropolitan Health Group
Guy Rion, Michelin
Jessica Li, Ministry of Community & Social Services
Jamie Rossato, National Australia Bank
Mark Leadbetter, National Australia Bank
David Shu, National Australia Bank
Pak-Tjun Chin, National Australia Bank
Andrew Corrigan, National Australia Bank
Louis George, National Australia Bank
Robert Ross, National Australia Bank
Alagu Adaikkappan, National Australia Bank
Adam Engleby, National Australia Bank
Helge Holter, NAV Drift og utvlkling
Gert Du Preez, Nedbank
Antti Tassberg, Nokia Group
Erwin Fischer, Nokia Group
Pauli Wihuri, Nokia Group
Petri Kuivala, Nokia Group
Mikko Saario, Nokia Group
Jari Ylikoski, Nokia Group
Vesa Pyyluoma, Nokia Group
Mohamed Maricar, Nokia Group
Marja Marttinen, Nokia Group
Charles Widdis, Novo Nordisk
Jacob Asbaek Wolf, Novo Nordisk
Michael Krumbak, Novo Nordisk
Jim de Haas, Nuon
Martina Kersten-Poláková, Nuon
Theo van der Vleut, Nuon
Henrik Thomsen Jensen, Nykredit A/S
Haroon Mahmood, Oracle
Jamie Cowper, PGP Corporation
Tom Jakobsen, Post Danmark
Bo Christoffersen, Post Danmark
Rusty Shrestha, PricewaterhouseCoopers
George Lee, PricewaterhouseCoopers
Rich Sands, PricewaterhouseCoopers
Ganesha Rajanaidu, PricewaterhouseCoopers
Marcus Sweeney, PricewaterhouseCoopers
Robert DiPrietro, PricewaterhouseCoopers
Rob Cumming, PricewaterhouseCoopers
Jeff Brown, PricewaterhouseCoopers
Aniket A Likhite, PricewaterhouseCoopers
Tom Remberg, PricewaterhouseCoopers
Henri Weerd, PricewaterhouseCoopers
Kieran Mongan, PricewaterhouseCoopers
Lee Chun, PricewaterhouseCoopers
Brett Hayes, PricewaterhouseCoopers
Tonne Mulder, PricewaterhouseCoopers
Andy Woodfield, PricewaterhouseCoopers
Steve Wright, PricewaterhouseCoopers
Hubert Kirchgaessner, Procter & Gamble Services Company
Andrew Mathewson, Prudential plc
Jay Davidson, RBC Financial Group
Gert Maneschijn, RDW
Terry Madsen, Region of Durham
Ryan Parker, Region of Halton
Anjdeep Gumani, Research in Motion Limited
David Bolger, Revenue Commissioners
Keith Redmond, Revenue Commissioners
Patrick Dersjant, Rijkswaterstaat - DID
Sam Forrest, Royal Bank of Scotland
Jill Trebilcock, Royal Bank of Scotland Group
Fotini Tsiatoma, Royal Bank of Scotland Group
David Aubrey-Jones, Royal Bank of Scotland Group
Niki Massey, Royal Bank of Scotland Group
Dale Martyn, Royal Bank of Scotland Group
Michael Venn, Royal Bank of Scotland Group
Guy Coulleit, S.W.I.F.T.
Allen Baranov, SABMiller
Henri Eklund, Samlink
Jari Pirhonen, Samlink
Colin Mcdonagh, Scottish Widows
Jillian Vigo, Sellafield Ltd
Janette Wark, Sellafield Ltd
Wayne Pownall, Severn Trent Water
Vasanthi Chandrarajah, Siemens
Roger Pinero, Siemens
Matthew Denny, Siemens
Rudragouda Patil, SKF
Ville Maijala, SOK Corporation
Gerhard Kruger, South African Revenue Service
Sizwe Lukhele, South African Revenue Service
Laura Kweitel, Spot Image
Riana Crafford, Standard Bank of South Africa
Abid Adam, Standard Bank of South Africa
Bindeshwari Nirghen, Standard Bank of South Africa
Shane Hill, Standard Chartered Bank
Simon Mui, Standard Chartered Bank
Sergei Lukasevits, Standard Chartered Bank
Sathish Kumar Ranganathan, Standard Chartered Bank
Christian Gani, Standard Chartered Bank
Prabakaran Shanmugam, Standard Chartered Bank
Benjamin Smith, Standard Chartered Bank
Lindsay Campbell, Standard Life PLC
Simon Elliot, Standard Life PLC
Andrew Barnard, Standard Life PLC
Dan Landess, State Farm Mutual Automobile Insurance Company
Ben Miller, State Farm Mutual Automobile Insurance Company
Doug Lelm, State Farm Mutual Automobile Insurance Company
Moloko Monyepao, State Information Technology Agency
Shadrack Ledwaba, State Information Technology Agency
Frankie Tvrz, State Information Technology Agency
Kalyanasundaram Murugaiyah, STMicroelectronics
Michael Ng, STMicroelectronics
Maria Garcia, Sun Life Financial
Shinhye Bahng, Sun Life Financial
Philip Murray, TD Bank Financial Group
Sebastian Piecha, Telefónica O2
Peggy Lynn Steichler, Telefónica O2
Lyverne Prinsloo, Telkom SA Ltd.
Emmerentia Du Plooy, Telkom SA Ltd.
Steve Jump, Telkom SA Ltd.
Rachel Eyre, The Department for Works and Pensions
Derek Brown, The Department for Works and Pensions
Rakesh Burgul, The Nuclear Decommissioning Authority Group
Diane Carter, Thomson Reuters
Patricia Yun Siow, Thomson Reuters
Ravichandra Cl, Thomson Reuters
Rita Chow, Thomson Reuters
Christopher Tovey, Thomson Reuters
Erkki Helio, Tieto
Jyrki Kronqvist, Tieto
Imran Rahim, TNT Express ICS Ltd
Barbara Venazio, Towers Watson
Sarah Warr, Towers Watson
Nosipho Mjilana, Transnet Freight Rail
Rishaad Shaik, Transnet Freight Rail
Christoph Schog, T-Systems Enterprise Services
Luc Theallier, T-Systems ITS GmbH
Victor Abuya, TUI Travel Plc
Ian Williams, Unilever Europe IT
Alan Willcox, Vanguard
Michael Manieri, Vanguard
Gordon Zacrep, Vanguard
Marty Bowman, Vanguard
Joseph Dalessandro, Vanguard
Terry Quain, Vanguard
Janet Kulp, Vanguard
Per Gobel Jensen, VP Securities A/S
Conor Herley, XL Capital
Michael Porter, Yorkshire Building Society
Robert Lozano, Zurich Financial Services


For a large text version of this document please contact the Information
Security Forum on +44 (0) 207 212 5128



The Information Security Forum is an independent, not-for-profit
association of some 300 leading organisations from around the world.
It is dedicated to investigating, clarifying and resolving key issues in
information security and developing best practice methodologies,
processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge
and practical experience drawn from within their organisations and
developed through an extensive research and work program. The
ISF provides a confidential forum and framework, which ensures
that Members adopt leading edge information security strategies
and solutions. And by working together, Members avoid the major
expenditure required to reach the same goals on their own.

For further information contact:

Tel: +44 (0)20 7213 1745
Fax: +44 (0)20 7213 4813
E-mail: [email protected]
Web: www.securityforum.org

Reference: ISF 10 07 01 Copyright © 2010 Information Security Forum Limited. All rights reserved.
