Introduction
“ISO27k” (the ISO/IEC 27000-series) is the most influential and popular suite of information security standards in the world. The ISO27k standards provide generally-accepted good practice guidance on Information Security Management Systems to protect the confidentiality, integrity and availability of the information assets on which we all depend.
This page explains how NoticeBored supports the information security awareness activities that are essential for compliance with ISO27k and particularly for certification against ISO/IEC 27001.
About the ISO27k standards
Information security is important for all organizations that handle and depend on information. The specific security arrangements that suit each organization may differ but ISO27k describes a systematic way of managing
information security, for example assessing information security risks, selecting suitable controls to address those risks and maintaining them as the risks change.
Information security is a wider issue than IT security with ramifications across all parts of the enterprise and all departments. The aim is to protect information in whatever form it takes, including:
- Computer data - files, databases etc.;
- Paperwork - printed or hand-written documents;
- Intangible forms such as concepts, thoughts and ideas, brands etc.;
- Other forms (e.g. the physical body shape of a new motor vehicle on the test track!).
Eight ISO27k standards have already been published:
- ISO/IEC 27000 provides an overview of ISO27k and includes a formal vocabulary/glossary of key terms used in all the ISO27k standards;
- ISO/IEC 27001 is the specification for a management system to manage information security (more on this below);
- ISO/IEC 27002 offers guidance on commonplace information security controls (more below);
- ISO/IEC 27004 covers the selection of metrics to drive continuous security improvements;
- ISO/IEC 27005 explains information security risk management processes in broad terms;
- ISO/IEC 27006 is a process guide for formal certification against ISO/IEC 27001;
- ISO/IEC 27011 offers ISO27k implementation advice specifically for telecomms companies;
- ISO 27799 likewise offers implementation advice for the healthcare sector.
Several more ISO27k standards are in preparation. Read our overview of all the ISO27k standards with more detailed pages about each one, or browse our ISO27k FAQ for general advice.
ISO/IEC 27001
ISO/IEC 27001 is the formal specification standard for a management system to manage information security, against which organizations may seek certification. A number of certification bodies are accredited by national
standards bodies to review compliance with the standard and issue recognized certificates. Certification is entirely optional but is increasingly being demanded from suppliers and business partners by organizations that
are concerned about information security.
Certification against ISO/IEC 27001 brings a number of benefits above and beyond simple compliance, in much the same way that an ISO 9000-series certificate says more than “We are a quality organization”.
Independent assessment necessarily brings some rigor and formality to the implementation process (implying improvements to information security and all the benefits that brings through risk reduction), and invariably requires
management approval (which is an advantage in security awareness terms, at least!). The certificate has marketing potential and should help assure most business partners of the organization’s status with respect to
information security without the necessity of conducting their own security reviews.
ISO/IEC 27001 superseded British Standard BS 7799 Part 2.
ISO/IEC 27002
ISO/IEC 27002 is a code of practice - a generic, advisory document, not a formal specification standard as such. It lays out a well-structured and comprehensive set of controls to address information security risks, covering confidentiality, integrity and availability aspects. Organizations that adopt ISO/IEC 27002 must assess their own information security risks (for example following the guidance in ISO/IEC 27005) and apply suitable controls, using ISO/IEC 27001 for guidance.
ISO/IEC 27002 was previously known as ISO/IEC 17799 and superseded BS 7799 Part 1.
Security awareness is an integral and essential part of an ISO27k information security management system. A recurring theme throughout the standards is that people in an organization must be made aware of the security
policies, procedures and control requirements that they are expected to uphold.
ISO/IEC 27002 section 8.2.2 (Information security awareness, education and training) is directly relevant, recommending that “All employees of the organization and, where relevant, contractors and third parties should
receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function”. It goes on to recommend “a formal induction process” and
“ongoing training”. It suggests the need to educate employees on known threats and who to contact in the event of a security incident.
As with many other important topics, ISO/IEC 27002’s coverage of security awareness is not limited to this one section but is distributed throughout the text:
- Information security awareness, training and education is one of seven common practice controls listed in section 0.6 (Information security starting point);
- In section 0.7 (Critical success factors), “Effective marketing of information security to all managers, employees, and other parties to achieve awareness” and “providing appropriate awareness, training, and education” are two of the ten critical success factors;
- Section 5.1.1 (Information security policy document) acknowledges that raising security awareness and informing employees about management requirements is an important function of policies;
- Section 6.1.1 (Management commitment to information security) tells management to “initiate plans and programs to maintain information security awareness”;
- Section 6.1.2 (Information security co-ordination) says one of the duties of the information security management/co-ordination function is to “effectively promote information security education, training and awareness throughout the organization”;
- Section 6.2.1 (Identification of risks related to external parties) notes “It should be ensured that the external party is aware of their obligations, and accepts the responsibilities and liabilities involved in accessing, processing, communicating, or managing the organization’s information and information processing facilities”;
- Section 6.2.3 (Addressing security in third party agreements) recommends “ensuring user awareness for information security responsibilities and issues”. It further recommends “user and administrator training in methods, procedures, and security”;
- The control objective stated in section 8.2 ([Human resources security] during employment) is “To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error”. It continues “An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks.”;
- Section 8.2.1 (Management responsibilities) advises management to ensure that employees, contractors and third party users “achieve a level of awareness on security relevant to their roles and responsibilities within the organization” [because] “If employees, contractors and third party users are not made aware of their security responsibilities, they can cause considerable damage to an organization. Motivated personnel are likely to be more reliable and cause less information security incidents”;
- Section 9.2.7 (Removal of property) says “Individuals should be made aware if spot checks are carried out”;
- Section 10.4 (Protection against malicious and mobile code) says very directly that “Users should be made aware of the dangers of malicious code. Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented”;
- Section 10.8.1 (Information exchange policies and procedures) warns “Information could be compromised due to lack of awareness, policy or procedures on the use of information exchange facilities”;
- Section 11.3 (User responsibilities) states that “The co-operation of authorized users is essential for effective security. Users should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment”;
- Section 11.3.2 (Unattended user equipment) recommends “All users should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection”;
- Section 11.7.1 (Mobile computing and communications) says “Training should be arranged for personnel using mobile computing to raise their awareness on the additional risks resulting from this way of working and the controls that should be implemented”;
- Section 12.6.1 (Control of technical vulnerabilities) states “if no patch is available, other controls should be considered, such as ... raising awareness of the vulnerability”;
- The control objective in section 13.1 (Reporting information security events and weaknesses) mentions that “All employees, contractors and third party users should be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of organizational assets”;
- Section 13.1.1 (Reporting information security events) continues “All employees, contractors and third party users should be made aware of their responsibility to report any information security events as quickly as possible. They should also be aware of the procedure for reporting information security events and the point of contact”. It also notes that “information security incidents can be used in user awareness training”;
- “Appropriate education of staff in the agreed procedures and processes, including crisis management” is one of the purposes of continuity plans listed in section 14.1.3 (Developing and implementing continuity plans including information security);
- Section 14.1.4 (Business continuity planning framework) advises that a BCP framework should include, amongst other things, “awareness, education, and training activities which are designed to create understanding of the business continuity processes and ensure that the processes continue to be effective”;
- Section 15.1.2 (Intellectual property rights) includes the guideline “maintaining awareness of policies to protect intellectual property rights”;
- Section 15.1.4 (Data protection and privacy of personal information) notes “Responsibility for handling personal information and ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulations”;
- Section 15.1.5 (Prevention of misuse of information processing facilities) advises that “All users should be aware of the precise scope of their permitted access and of the monitoring in place to detect unauthorized use”.
However you look at it, information security awareness is an essential component of an information security management system.
Please visit our informational website www.ISO27001security.com for further details on
the ISO27k standards including a popular free ISO27k Toolkit, the ISO27k FAQ and ISO27k Forum.
ISO27k and NoticeBored
We have been supporters and users of ISO27k since the early 1990s when the UK Department of Trade and Industry first published a code of practice based on a donor document from Shell, the Anglo-Dutch petrochemicals giant. We contribute to the development of the standards through SC27, the ISO/IEC committee responsible for them, and have helped numerous clients implement them. We have also used other standards (such as the Information Security Forum’s Standard of Good Practice) and guidelines over the years and apply our broad, pragmatic experience of information security to the task of writing awareness materials that are topical, practical and relevant.
Protecting information is not merely a matter of implementing technical security controls: physical, procedural, legal and compliance controls are needed, plus contingency measures in case primary controls
fail. Virus infections, for instance, are still a significant risk even for organizations that have antivirus software in place. Keeping the software up-to-date, configuring the software correctly, and dealing with
infections that the software identifies are procedural aspects involving people. Furthermore, antivirus software is not a total solution to the virus risk - additional controls such as backups and contingency plans
are generally necessary to reduce the residual risks to an acceptable minimum. ISO/IEC 27002 consistently advises the implementation of appropriate policies and procedures in addition to technical security measures.
The NoticeBored information security awareness materials reflect ISO27k in general and, where applicable, specifically reference the standards. Some of the topics we cover align directly with specific sections from,
say, ISO/IEC 27002 (for instance the February 2010 module on cryptography reflects
We take an even broader approach in some areas (such as IT governance and change management) but center on exactly the same core issues arising from risks to, and controls protecting the confidentiality,
integrity and availability of, information assets.
The information security policy manual
- Does your organization have a comprehensive set of information security policies, standards, guidelines and procedures?
- Is the set well-written, interesting and engaging, widely understood and proactively supported by managers and staff?
- Is it up-to-date?
If so, congratulations to you: you have shown an outstanding commitment to information security. Your organization can safely do business that many others would find far too risky. If
not, you are missing an opportunity - specifically, you are well advised to build an information security management system and policy manual around ISO27k, and supplement it with
technical standards, procedures and guidelines.
ISO27k provides a well-engineered structure for information security management. The structure ‘makes sense’ and is comprehensive in coverage. Linking your information security
policies, procedures, standards and guidelines to ISO27k is a straightforward way to leverage the enormous amount of work that is being put into developing and maintaining the
standards. It also means that new employees who are already familiar with ISO27k feel instantly at home.