ISO/IEC 27040

ISO/IEC 27040:2015 – Information technology — Security techniques — Storage security

Introduction

The standard’s proponents assert that information security has not been adequately addressed in storage systems and infrastructures either due to misunderstandings and a lack of familiarity with storage technology or due to a lack of understanding about the inherent risks and security concepts.

According to the New Work Item Proposal:

”Storage has matured in an environment where security has been a secondary concern due to its historical reliance on isolated connectivity, exotic technologies, and physical security of the data centres. Even as storage connectivity evolved to use technologies like the Internet Small Computer Systems Interface (iSCSI) protocol over TCP/IP, few users took advantage of either the inherent security mechanisms or the recommend security measures (e.g., using IPsec to secure the communications). Consequently, the stored information is needlessly placed at risk.”

Scope and objectives

The standard is designed to be of assistance to purchasers and users of computer storage technologies in determining and treating the information risks associated with those technologies (although it does not specifically refer to them as such). Devices and media are covered, as is the security of management activities related to the devices and media, as well as applications and services, and the protection of data transferred over the communication links associated with storage.

The standard identifies information risks that are associated with data storage, and controls that can mitigate those risks. Its goals are:

– Point out the typical risks associated with data storage technologies in terms of confidentiality, integrity, and availability;
– Help organizations enhance the security of stored information by using appropriate information security controls; and
– Increase security assurance, e.g. through better reviews or audits of data protection systems.

Information security issues related to backup/disaster recovery locations and cloud storage as well as primary/local storage on a variety of media and subsystems (e.g. DAS, SAN, NAS, CAS, FC, OSD) are also addressed.

Also included are details on media sanitization (the destruction of data held on a variety of storage media).

It is an unusually detailed standard, with over 120 pages. Several storage technologies are addressed, unlike the ISO27k standards that are mostly generic and perennial.

The standard’s status

2015 was the year it was published.

In 2020, a revision project was launched with the following goals:

– Highlight the information risks in this area;
– Enhance/expand the guidance in ISO/IEC 27002 to help organizations improve the security of data stored;
– Assist those who design, review, and audit [data] storage security.

Currently, the revision project is at the second Working Draft stage. Over 130 pages of detailed information are included in the draft. The second edition will be published in 2022.

Commentary

When the first edition was drafted, classified systems were added as a significant customer group along with general commercial organizations.

The standard mentions resilience – a concept almost not addressed by ISO/IEC 27002 and one that should be tackled throughout ISO27k.