[Owasp-iso17799] Project Update
Andrew van der Stock
vanderaj at greebo.net
Thu Mar 4 04:25:00 EST 2004
In my travels as an ISO 17799 reviewer (audit is a somewhat protected term),
I look for the underlying risk basis for the controls, rather than a
"copy-n-paste" approach. I rarely find them.
The newest edition of AS/NZS 7799.2 has a nice flowchart on how an ISMS is
supposed to be constructed. It all stems from risk management. Therefore,
any templates we produce must be aligned with a particular risk profile and
we should state our basis for the risk stance we take.
In Information Security Policies Made Easy, Cresson-Wood took the approach
of "most restrictive", allowing you to relax the controls found within.
However, this doesn't really help - most people just copy-n-paste, and quite
frankly Cresson-Wood's controls scare me. I know I'd go work somewhere else
if they were forced upon me.
Therefore, what I recommend is that we produce a guide aimed at development
houses and information security managers who have more than just a few
developers. They are producing various products, have significant IP and
trade secrets to be protected, and say an annual turnover of $50m a year.
This is about the smallest organization I've come across that feels the need to
have policy, and gives others something to work up from.
Using 7799.2 clause 3.5 as my template for the guide's TOC, I suggest the
guide might look something like this:
|+ Chapter One: Introduction to preparing an Information Security Management
|+ Chapter Two: Defining your scope
|+ Chapter Three: Risk Management 101 (
- at the end of the chapter, defines the organization's taste for risk and
subsequently gives them an idea of which controls out of the
examples might suit them best)
|+ Chapter Four: Security Policy
- Best practices (bullet points)
- Information Security Policy example template
|+ Chapter 13: Compliance
- Best practices (bullet points)
- Compliance example template
|+ Chapter 14: Constructing your Statement of Applicability
- Maintaining records of ISMS operation
|+ Chapter 15: Maintaining your policy
- Periods for reviews
- Reviewing the risks and controls
- Best practices for reviewing policy
For long chapters, like Communications & Ops Mgmt and Access Control, I
suggest each major .1 heading in 7799.2 gets the bullet points. I treat many
chapters like a dictionary, and there's nothing worse than endnotes or
references right down the end of a book for me. I like everything on the one
There are controls in .2 which we HAVE to meet in the example templates, and
we are more than able to introduce controls from OWASP and our own
experience which are "best practice". I think we may need a way to indicate
the difference, but realistically, ISO 17799 is so weak in many ways, I'm
not fussed if we don't.
I think I'm reading from our discussion so far that 1.0 should have at least
one example template? I think it's an option at a later stage to build up
the example templates once 1.0 is out the door.
< tastes >
As an editorial note, I like REALLY short and sweet policy, and written in
English, not legalese. They are harder to get around and are read more
often. I'm also an anti-fascist. I find that staff find tight policy
offensive, and do not even make a passable impression of obeying the
policies. There needs to be a balance between the interests of the employer
and everyone who is supposed to be living under the policy. A key outcome of
policy should be compliance, not open revolution with auditors first against
the wall. Therefore, I believe controls in the example guides should be
sensible and easy for people to comply with, even if they haven't read the
I wrote the latest iteration of policy for one of the four banks in
Australia. The telecommuting chapter had just on 100 words (most to do with
document control), and about twenty odd photos, laid out very nicely by a
graphic design shop. Very nice indeed. Most of the other chapters were
similarly short and user-focused, although they had fewer photos and a few
more words. We don't have to concentrate on being ISMS and auditors first,
users second. Users First in my opinion.
I take it everyone here has a copy of ISO 17799 and a recent version of