Standards background
The ISO/IEC 27000 family of standards is based on the BS 7799 standard released by the British Standards Institute (BSI) in 1999, which has grown, through several rounds of modifications, into a collection series of internationally recognized and acclaimed ISO standards, released by the International Organization for Standardization (ISO) and applied in the field of information security.
The family has the following elements:
ISO/IEC 27001 – a standard that enables the certification of the information security management system (ISMS) (released in 2005)
ISO/IEC 27002 – the renamed and updated version of the ISO 17799:2005 practical guide (released in May 2007)
ISO/IEC 27003 – the new ISMS implementation guideline
ISO/IEC 27004 – a standard for measuring and checking information security
ISO/IEC 27005 – a proposed standard for risk management procedures (the successor of BS 7799-3:2006)
ISO/IEC 27006 – Guidelines for certification (issued in March 2007)
ISO/IEC 27007 – Guide to the auditing of the Information Security Management System (ISMS)
(the successor of BS 7799-2:2002)
The ISO 27001 international standard was designed to serve as a model for designing, implementing, operating, monitoring, reviewing, maintaining and developing information security management systems (ISMS). The standard also sets out the requirements that allow the organization’s information security management system to be controlled and certified by an external expert.
(the successor of ISO 17799:2005, BS 7799-1:1999)
Basically, the ISO 27002 standard (Code of practice for Information Security Management) is different from earlier IT security offers in that it defines security requirements and measures from the business goals and strategy of the organization and that the former product-oriented approach as well as the definition of evaluation, certification and qualification processes was replaced by an organizational-level IT security management approach. The ISO 27002 standard does not impose requirements, meaning that it does not offer certification, but, similarly to the ISO 9000 standard for quality assurance, it provides an organizational and regulatory framework for comprehensive IT security.
The most difficult aspects in respect of standardization are software development and maintenance. This is due to the fact that the process of software development and maintenance is significantly different from the similar processes of most industrial products. Since this is a rapidly evolving area of technology, it is necessary to provide additional guidance for all quality management systems that contain software products.
Due to the nature of software development, certain activities relate only to individual phases of development while others can be applied throughout the entire process. The structural design of provisions contained in the ISO 90003 standard reflects these differences. Therefore, as this standard does not exactly conform to the structure of ISO 9001, it has been complemented with cross-references to facilitate referencing to ISO 9001.
The ITIL (IT Infrastructure Library) methodology was developed by the employees of CCTA (Central Computing and Telecommunications Agency) with the purpose of supporting high-quality, cost-effective IT services. ITIL contains functionalities for service delivery and service support, covering the entire lifecycle of IT services, i.e. design, deployment, operation and introduction of new services.
ITIL is a consistent and comprehensive set of documentations that include a collection of procedures and best practice methodologies for the management of IT services, widely accepted in the IT industry. Based on guidance in the related literature, a full set of ITIL philosophy has been developed to serve as guidance for providing quality IT services.
In addition to Common Criteria and ISO27001, COBIT (Control Objectives for Information and Related Technology), developed by the ISACA (Information Systems Audit and Control Association), is the third international standard aimed at developing IT systems and making them more secure.
COBIT is a collection of internationally accepted IT control targets that are universally applicable and accepted in the area of IT security control and regulation.
COBIT was designed with three main perspectives put forward by various professional groups in mind:
- Helping the top management in the risk management of a constantly changing IT environment and weighing the investment needed for devising controls.
- Providing users with the control and security of IT services.
Also, COBIT creates a unified framework of reference for the auditors of information systems used for the qualification of internal controls as well as for giving feedback and advice to the top management.
Version 1.2 of ITSEC was issued for the EU for experimental purposes in 1991. At the same time, funded jointly by the EU, the US and Canada, the Common Criteria (CC) draft document attempted to bring the differences in content and technical specifications of previous recommendations into line.
Version 2.0 of Common Criteria was released in 1998. The CC 2.0 document was issued by ISO/IEC as well, with the same content, under ID 15408, entitled “Common Criteria for Information Technology Security Evaluation, version 2.0”.
Work on processing and localizing CC was started in Hungary in 1997. In the following year, it was published as recommendation no. 16 of the Interministerial Committee on Information Technology (ITB).
Common Criteria has the following primary characteristics:
- It defines uniform requirements that are independent of the way of implementation.
- It provides a unified evaluation methodology for the IT security evaluation and certification of IT systems and products.
- Drafts the catalog of multi-level categories of security requirements for IT systems.
- It can be used for testing both software and hardware components.
- Products can be selected flexibly because the requirements are not specific to any hardware or software.
- Security functionality, or the Protection Profile, as referred to by the CC, is sorted independently into one of the seven evaluation assurance levels (EALs).
