What’s new in ISO 27001: 2013 for storage and backup?

This year, ISO 27001: 2013 was published, putting more emphasis on mapping risk to an ever-expanding and mobile IT infrastructure. But what is new in ISO 27001: 2013?

Since 2005, ISO 27001 has provided a framework for the secure retention of data with a six-part process based around generating policies, identifying risks and developing control objectives. 

But this year the standard was updated, with ISO 27001: 2013 recognising changes in security threat vectors and changes to how we interact with devices, such as the onset of bring your own device (BYOD) as a mainstream phenomenon.

Overall, the emphasis for ISO 27001 compliance has shifted to one focused on risk and mapping risk with regard to your IT assets. Also, in practical terms the structure of the standard has been altered.

In this podcast, Computer Weekly storage editor Antony Adshead talks with Vigitrust CEO Mathieu Gorge about the key changes in ISO 27001 and the implications for storage and backup.

Antony Adshead: What is ISO 27001: 2013 and how does it differ from previous iterations?

Mathieu Gorge: ISO 27001 and the 27000 series altogether is a suite of standards that allow people to manage information security to ensure that any type of sensitive information is protected from a confidentiality, integrity and availability perspective.

ISO has its origins in terms of security in British Standard 7799, which was then adopted by ISO as ISO 17799. And then in 2005, the latest series of ISO 27000 series of standards was produced.

It is important to note that while a lot of people only talk about 27001, there are a number of standards in the ISO 27000 series. ISO 27001 is really the management structure for managing information security. ISO 27002 is a suite of suggested controls and how to implement controls. ISO 27005 is about risk management. And there are other standards within the suite.

In 2013, ISO 27001: 2013 was enacted, and I think it’s important to understand the changes between the 2005 version and the 2013 version. The key drivers for the change, I suppose, came from the fact the attack vectors have changed, the way we use computing has changed, with the advent of cloud computing and big data and the implications this has for data security and data storage.


In terms of the major changes, there is a lot more focus on leadership and how you manage the information security management system. There’s more focus on commitment, performance evaluation, which really is all about continuous compliance. And you find it in other standards in the industry, such as PCI-DSS version 3.0 which came out this year talking about making security business-as-usual, and this is the same idea.

There are also changes around managing risk and managing assets; for example, in changes in terminology in ISO 27001: 2013, an asset owner in the 2005 version is now the risk owner, so we’re looking at risk.

It’s also important to understand the changes in structure. ISO used to have 15 sections; it now has 18 sections. The first four sections remain sections that deal with the actual infrastructure or structure of the standard and how you manage the documentation set that you produce and the associated controls.

So, in the 2005 version you had all the controls in annexe A – 15 sections with 133 controls and 39 control objectives. In the 2013 version we have moved to 18 sections instead of 15, but with fewer controls – 114 – and only 35 control objectives. The overall size of the document has gone down from 34 pages to 23 pages.

So, there’s going to be the issue of mapping the old version to the new version. There are already some good mappings in the public domain. Some of them have been published by BSI and they clearly map sections 5 to 15 in 2005 to sections 5 to 18 in 2013.

There’s also a transition period and some advice on how to prepare for the transition, bearing in mind that some controls have been updated, some have been deleted, some requirements have been deleted, but all of it is mapped.

If you use those mappings you’ll be able to protect your data, especially with regards to confidential data and data in storage.

Adshead: What implications for data storage and backup result from the changes in ISO 27001: 2013?

Mathieu Gorge: The new version, not unlike the previous version, puts emphasis on mapping risk and mapping assets. The assets, obviously, would be any type of systems or processes that you use, but also any type of data you have to protect.

So, it’s all about performing a risk management process/discovery process that allows you to map where the data is, where it’s going and where it might actually be stored. What’s interesting is that ISO 27001: 2013 continues to use the four-tier structure of ISO, which essentially starts with a policy setting up high-level objectives; procedures setting up guidance about how to achieve the objectives; work instructions that are essentially user manuals for the assets that you use to manage the information and the security of that information; and finally reference documents that allow you to trace the lifecycle of the document and mostly to trace any kind of change management.

So, you find in the new version that it’s especially interesting with regard to data storage because there are a lot of hints about how to comply in a cloud computing environment, whether infrastructure as a service, software as a service or platform as a service, and there are also references to big data with regard to the fact you end up with a mix of structured and unstructured data, some of which you need to keep from a compliance perspective and some of which you need to protect from a security perspective.


The major change we are looking to see in the industry is really a version of ISO for storage security. The good news is that ISO 27014 is in draft at the moment and it’s [being framed] around information technology and security techniques for storage security.

The purpose of that version of the ISO 27000 standard is to draw attention to common information security risks that might be associated with protecting the integrity, confidentiality and availability of the information on various data storage technologies.

So, it looks at best practice with regards to storage security design principles; data reliability, availability and resilience on storage systems; data retention, data confidentiality and integrity for the systems; and looking into virtualisation and virtualisation security, then applying this to traditional storage networking, storage management, the NAS, the SAN, file-based storage and cloud-based storage.

A draft version is likely to be approved at some stage in 2014. It was expected in 2013, but that version that really deals with storage security will be integrated into the 27000 suite and so therefore the advice is to familiarise yourself now with the structure of ISO 27000 and be ready to be provided with some good controls to implement, to manage your storage security at some stage in 2014, with that latest version of ISO on storage security.
