An ISO/IEC technical report (TR) providing technical controls and compliance guidelines for auditors can improve the effectiveness of an organization’s information security system.
ISO/IEC TR 27008:2011, Information technology – Security techniques – Guidelines for auditors on information security controls, aims to instill confidence in the controls underpinning an organization’s information security management system. The review applies to all parts of the organization, including business processes and its information systems environment.
“The business environment is constantly changing – along with threats to a company’s survival. Organizations need to be ahead of the game, and an excellent defence can be built around audit of the controls used to support the information security,” says Edward Humphreys, leader of the working group that developed the new document.
“ISO/IEC TR 27008:2011 supports a rigorous organizational security audit and review programme for information security controls, to enable the organization to have confidence that their controls have been appropriately implemented and operated and that their information security is ‘fit for purpose’.”
ISO/IEC 27008 provides guidance on reviewing the implementation and operation of controls, including technical compliance checking. The document is principally aimed at information security auditors who need to check the technical compliance of an organization’s information security controls against ISO/IEC 27002 and any other control standards used by the organization. ISO/IEC TR 27008 will help them to:
- Identify and understand the extent of potential problems and shortfalls of information security controls
- Identify and understand the potential organizational impacts of inadequately mitigated information security threats and vulnerabilities
- Prioritize information security risk mitigation activities
- Confirm that previously identified or emergent weaknesses or deficiencies have been adequately addressed
- Support budgetary decisions within the investment process and other management decisions relating to improvement of organization’s information security management.
ISO/IEC 27008 will thus be of benefit to all types of organizations, including public and private companies, government entities, and not-for-profit organizations. It is the eight document available in a series of standards (ISO/IEC 27000) on information security management systems.
Edward Humphreys adds, “In every business model and organizational structure, every business sector and every business relationship, information is a key commodity and the ISO/IEC 27000 series of standards can be utilized to protect this important business commodity.”
ISO/IEC TR 27008:2011, Information technology – Security techniques Guidelines for auditors on information security controls, costs 136 Swiss francs and is available from ISO national member institutes (see the complete list with contact details) and from ISO Central Secretariat through the ISO Store or by contacting the Marketing & Communication department (see right-hand column).