
ISO/IEC Information & ICT Security and Governance Standards in Practice
Charles Provencher, Nurun Inc; Chair CAC-SC27 & CAC-CGIT
June 4, 2009

ISO and IEC

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization.
National Bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity.
ISO is made up of 159 national body members, which are divided into three categories.

ISO and IEC form JTC 1

In the field of information technology, ISO and IEC have established a Joint Technical Committee 1: ISO/IEC JTC 1.
Draft International Standards adopted by the joint technical committees are circulated to the national bodies for voting.
Publication as an International Standard requires approval by at least 75% of the national bodies casting a vote.


JTC 1 Areas of Expertise, Mirrored in Canada

ISO/IEC
CAC/JTC1 - Canadian Advisory Committees for the Joint Technical Committee 1 of ISO/IEC
CAC/JTC1 Privacy Group
CAC/JTC1/SC 2 - Coded Character
CAC/JTC1/SC 6 - Telecommunications and Information Exchange Between Systems
CAC/JTC1/SC17 - Identification Cards and Related Devices (ANSI X3B.10)
CAC/JTC1/SC22 - Programming Languages, Their Environments and System Software Interfaces
CAC/JTC1/SC24 - Computer Graphics and Image Processing
CAC/JTC1/SC25 - Interconnection of Information Technology Equipment
CAC/JTC1/SC27 - IT Security Techniques
CAC/JTC1/SC31 - Automatic Identification and Data Capture Techniques
CAC/JTC1/SC32 - Data Management and Interchange
CAC/JTC1/SC34 - Document Description and Processing Languages (includes the SGML family of standards)
CAC/JTC1/SC35 - User Interfaces
CAC/JTC1/SC36 - Information Technology for Learning, Education and Training
CAC/JTC1/SC37 - Biometrics
CAC/JTC1/SWG - Accessibility
CAC/JTC1/TCIT - Information Technology
CAC/JTC1/WG6 - Corporate Governance of IT


Séance d'accueil

ISO/IEC JTC 1/SC 27
SC 27 Programme of Work

Area of Work:
The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

* Security requirements capture methodology;
* Management of information and ICT security; in particular information security management systems (ISMS), security processes, security controls and services;
* Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
* Security management support documentation, including terminology and guidelines, as well as procedures for the registration of security components;
* Security aspects of identity management, biometrics and privacy;
* Conformance assessment, accreditation and auditing requirements in the area of information security;
* Security evaluation criteria and methodology.

SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of SC 27 standards and technical reports in relevant areas.
39 National Bodies constitute ISO/IEC JTC 1/SC 27, where at least 75% approval is required for an International Standard (IS).

7 December 2007


Specific Domains of Expertise in IT Security

CAC/JTC1/SC27 - IT Security Techniques
Working Group 1: "Information Security Management Systems"
WG 1 covers the development of the ISMS (Information Security Management System, ISO/IEC 27001, ISO/IEC 27002) family of standards and guidelines.
Working Group 2: "Cryptography and Security Mechanisms"
WG 2 covers both cryptographic and non-cryptographic techniques and mechanisms.
Working Group 3: "Evaluation Criteria of Information Security"
WG 3 covers IT security evaluation and certification of IT systems, components and products (such as the Common Criteria for Evaluation). This includes consideration of computer networks, distributed systems, associated application services, etc.
Working Group 4: "Security Controls and Services"
WG 4 covers the development and maintenance of standards and guidelines addressing services and applications that support the implementation of control objectives and controls as defined in ISO/IEC 27001 (such as Network Security, CyberSecurity, Business Continuity, etc.).
Working Group 5: "Identity Mgmt. & Privacy Technologies"
WG 5 covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data.

Some Published and In-Development Standards

ISO/IEC 27000: Information security management systems - Overview and vocabulary
ISO/IEC 27001: Information security management systems - Requirements
ISO/IEC 27002: Code of practice for information security management
ISO/IEC 27004: Information security management measurements
ISO/IEC 27005: Information security risk management (replaces ISO/IEC 13335)
ISO/IEC 27006: International accreditation guidelines for the accreditation of bodies operating certification / registration of information security management systems
ISO/IEC 27010: Information security management for inter-sector communications (for critical infrastructure)
ISO/IEC 27013: Guidelines for the integrated implementation of ISO/IEC 20000-1 & ISO/IEC 27001
ISO/IEC 27014: Information security governance framework
ISO/IEC 27033: Network security (replaces ISO/IEC 18028)
ISO/IEC 15408: Evaluation criteria for IT security (AKA Common Criteria)
ISO/IEC 29147: Responsible vulnerability disclosure
ISO/IEC 27014: A Framework for Corporate Governance of IT


Some Published and In-Development Standards (more)

ISO/IEC 27031: ICT readiness for business continuity
ISO/IEC 27032: Guidelines for CyberSecurity
ISO/IEC 27033: Network security (replaces ISO/IEC 18028)
ISO/IEC 27034: Application security
ISO/IEC 24760: A framework for identity management
ISO/IEC 29100: A privacy framework
ISO/IEC 29101: A privacy reference architecture
ISO/IEC 29146: A framework for access management


Base SC 27 Standards that Drive Organizations to Address Security

ISO/IEC 27005: Information security risk management (RISK ASSESSMENT REQUIREMENTS and MANAGEMENT)
ISO/IEC 27002: Code of practice for information security management (SECURITY GUIDELINES)
ISO/IEC 27001: Information security management systems - Requirements (CERTIFICATION)


General Concepts for these Standards

ISO/IEC 27005:
This International Standard provides guidelines for Information Security Risk Management in an organization, supporting in particular the requirements of an ISMS according to ISO/IEC 27001.

ISO/IEC 27002:
This International Standard establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization.
The objectives outlined in this International Standard provide general guidance on the commonly accepted goals of information security management.

ISO/IEC 27001:
This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization.
This International Standard can be used to assess conformance by interested internal and external parties.

Risk Management Model (figure)


Risk Management Model (figure, continued)


What it Means to Your Organization

Adopting and implementing an Information Security Management System is a top or board-level decision.
It is a top-down process based on Risk Management.
It runs through your Enterprise Architecture.
It affects everyone in your organization.
It needs an audit and verification process.
It requires that you PLAN, DO, CHECK and IMPROVE.


Fundamental Changes to Your Organization

Your organization will go through fundamental work changes when implementing an ISMS.
It requires Change Management within your organization.
It involves documenting your processes and procedures.
It requires an auditable trail and logging of your activities.
It often demands a change from your suppliers and the organizations you do business with.

Ensuring security is not just IT projects and processes; it is organization-driven initiatives and directives.


Information Security Governance Architecture (figure)


How it Fits (figure)


Government Example

Government of Quebec:
Established a secure communications channel between ministries and awarded the management contract to the organization that agreed to implement and certify against ISO/IEC 27001.
Asks that the IT arm of its Health and Social Services require that its critical suppliers certify against ISO/IEC 27001.
Currently undergoing restructuring of its CSIRT to certify against ISO/IEC 27001.

New Domain of Expertise for JTC 1

CAC/JTC1/WG6 - Corporate Governance of IT
Provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient and acceptable use of Information Technology within their organizations.
This applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization.
These processes could be controlled by IT specialists within the organization, by external service providers, or by business units within the organization.


QUESTIONS & THANK YOU!!!

Charles P. Provencher
Senior Advisor, IT Security & Conformity
Nurun Inc.
charles.provencher@nurun.com
514-392-1292 #25072
