ISO/IEC TS 27008

ISO/IEC TS 27008:2019 – Information technology – Security techniques – Information security control assessment guidelines (2nd edition)

Introduction

This standard, which addresses technical auditing, is a complement to ISO/IEC 27007. It focuses on auditing information security controls – more specifically the “technical controls” (such as information security or cyber-security controls), while ‘27007 is focused on auditing the management system elements of ISMS.

The scope

All auditors should use this standard to guide them in selecting information security management controls using a risk-based methodology (such as that presented in a statement of applicability) for information security management. This document supports the information risk management process as well as internal, external, and third-party audits of an ISMS by describing the relationship between the ISMS and the supporting controls. It explains how to verify whether required “ISMS controls” have been implemented. In addition, it fulfils assurance requirements, as well as providing a collaborative platform for information security governance, for organizations that use ISO/IEC 27001 and ISO/IEC 27002.

Scope and objectives

The standard:

– Applies to all organizations, public and private, public and private entities and not-for-profit organizations; regardless of how much information they use;
– Support the planning and implementation of ISMS audits, including the information risk management process;
– This allows the ISO27k Standards to be refined into an even more accurate and comprehensive set of specifications by bridging the gap between the review of the ISMS in theory and, if necessary, performing an audit of the ISMS implementation (for instance in ISO27k user organizations, analyzing security issues related to business processes, IT systems and other IT operations);
– Guides audits of information security controls in compliance with ISO/IEC 27002;
– The ISMS audit process will be optimized by integrating the ISMS processes with the required controls (including mechanisms to limit the damage caused by information security breaches – such as inaccurate financial statements, incorrect documents issued by an organization, and intangible assets such as the organization’s image, reputation, and employee skills);
– Supports the use of ISMSs for assurance and risk management and an information security management audit that veers into the aspect of management systems auditing instead of the information security controls or technical auditing;
– Ensures that audit resources are used effectively and efficiently.

ISO/IEC 27007 focuses on auditing the management system elements of an ISMS, following ISO/IEC 27001, while ISO/IEC TR 27008 ensures that information security controls are enforced, such as those defined in ISO/IEC 27002 and listed in Annex A.

The 27008 standard is concerned with reviewing information security controls, as well as verifying technical compliance, following an implementation standard for information security, set by the organization. “The standard does not contain specific requirements for compliance with metrics, risk assessments, or ISMS audits based on ISO/IEC 27004, 27005, or 27007.”

In technical compliance checking/auditing, control components are examined, the people associated with each (managers, technicians, end-users, etc.) are interviewed, and then the controls are scrutinized. Experienced IT auditors should be familiar with these methods.

The ‘technical’ controls, although they aren’t specifically defined in the standard, appear to be a subset of controls for information security described in ISO/IEC 27001, especially 2702, and 27003.

The standard’s status

27008 is a type 2 technical report published in 2011 as ISO/IEC TR 27008:2011. Its limited scope and numerous grammatical and technical errors may have made it difficult for the standard to be adopted.

In 2019, the second edition was published as ISO/IEC TS 27008:2019, which reflects the 2013 versions of ISO/IEC 27001 and 27002.

Commentary

Due to some strange reason, the title mentions ‘assessments’ rather than ‘audits’.

In the 2019 version, the phrase ‘technical compliance checking of information system controls’ is used without explanation: from the context, it seems to imply that the standard remains myopic and primarily concerned with technical controls. Unless an organization is aware and accepts the need for protecting its valuable information against the vast array of information risks, the ISMS and the safety controls associated with it will not have any functional value, and the standard does not address such broader issues either.

Even though these standards are not intended to be used by ISMS certification bodies, some SC 27 members are concerned about the implications for ISO/IEC 27001 certification audits. When auditors certify against ISO/IEC 27001, they monitor a company’s entire Information Security Management System for compliance with the standard without necessarily looking into the specific information security controls themselves. Similarly, they review the management system the same way ISO 9000 auditors review the quality assurance system of a company. Some argue that this leaves an assurance gap: a company may implement an ISMS in theory but disregard important policies the company may have, such as claiming an ISMS with a narrow scope and a minimal Statement of Applicability, and so on. Making an unreasonably high-risk tolerance decision simply to avoid a change any sane person would consider necessary.
The other camp claims that certification auditors verify the existence of management system controls and information security controls frequently, if not always (how much is a moot point).