Automating ISO 27001 with PTA

Copyright 2007 Control Policy Group
This work is licensed under the Creative Commons Attribution License

Redux (what we learned since Jan '06)

We released the ISO 27001 library for PTA (Practical Threat Analysis) Professional almost 9 months ago and we've learned a lot from watching people use the library in their risk assessment practice. The main issue is that ISO 27001 is a set of control objectives and controls, not a catalogue of threats or assets, so we needed to be more careful when mapping vulnerabilities to those controls in our threat model. Thanks to Zeev S. for helping us through that.

Abstract

ISO 27001 is a great basis for risk assessments because it provides structured security guidelines, as opposed to rigid security standards that are "all or nothing" checklists.

We've taken ISO 27001 a step further by combining it with the free, open Practical Threat Analysis (PTA) methodology. Using ISO 27001 with PTA, you can understand the sources and reasons for risk, prioritize controls and save money on your security implementation.

The PTA threat model library for the ISO 27001 risk assessment standard has been used in several projects and was found to be very productive in shortening timetables of risk assessment and threat analysis projects.

The PTA software is freeware that can be downloaded from the PTA Technologies web site. The PTA ISO 27001:27005 library is available for free download and distribution, licensed by the Control Policy Group under the Creative Commons Attribution License.

Feel free to download the PTA ISO 27001 library, introduce it to your colleagues and promote it via postings to security forums and links to our web site. We wish to freely distribute the ISO 27001:27005 library to the security community and hope that its popularity and availability will contribute to your productivity and let you benefit from the experience of security colleagues worldwide. Contact us at any time with questions or suggestions for improvement.

Motivation

ISO Standards

ISO 27001, the ISO standard for information security management systems (which requires a risk assessment as its foundation), continues to gain a reputation for helping organizations improve their business practices and protect information assets. ISO 27001 is both important and increasingly popular for two reasons:

  1. Compliance
  2. The need to achieve the most effective risk mitigation controls

Perhaps one of the more significant comments that underscores the relevance of ISO 27001 for the industry was made last year by ISO Secretary-General Alan Bryden :
"SMEs may mistakenly perceive of International Standards as being only for big business and government. In fact, SMEs too can benefit from the state-of-the-art technology and management practices disseminated by International Standards which also open the door to export markets and participation in global supply chains".

Compliance

Standards and compliance regulations such as ISO 27001, SOX and PCI DSS are fueling demand to improve information security practices. It has become a trend trickling up and down the value chain of regulators, customers and suppliers. Customer data breach incidents have increased steeply over the past three years, pouring additional fuel on the value chain of compliance. Once the exclusive domain of large institutions, risk assessments are now performed by many SMEs as their customers call on them to manage their data better and prove it by certifying to ISO 27001.

Attaining effective risk reduction

The output of an ISO 27001 risk assessment is twofold:

  1. Certification
  2. Identify appropriate risk reduction controls for the organization

The certification process can be as simple or as involved as an organization wants, but there are always far more available controls than threats, and organizations, large and small, find themselves coping with a long and confusing shopping list of controls. You can implement the entire checklist of controls (if you have deep pockets), you can do nothing, or you can try to achieve the most effective purchase and risk control policy (i.e. get the most for your security investment dollar) with a set of controls optimized for your business situation.

It is worth noting at this point that additional security controls do not necessarily reduce risk.

Modifying your existing infrastructure (firewalls, proxies and the like) and installing more security products is never a free lunch: the interaction between the elements tends to increase total system risk and cost of ownership. Many firms see information security mainly as an exercise in access control (Section 11 of ISO 27001, Access Control) that requires better permissions and identity management (IDM). However, further threat analysis reveals that (a) IDM does not mitigate the threat of a trusted insider who misuses privileges they legitimately hold, and (b) many IDM systems are notorious for requiring large amounts of customization (as much as 90% in a large enterprise network) and may actually contribute additional vulnerabilities instead of lowering overall system risk.

The result of applying inappropriate countermeasures to threats is that your cost of attacks and cost of ownership go up, instead of your risk going down.

The PTA ISO 27001 library enables a risk analyst to provide a quantitative risk model to her client and construct an economically justified, cost-effective set of countermeasures that reduces risk in the customer's business environment. More importantly, a company can execute a "gentle" implementation plan of controls in step with its budget, instead of an all-or-nothing checklist implementation that massively erodes the competitiveness of the business.

ISO 17799 compared to ISO 27001

ISO 17799 is derived from Part 1 of BS 7799 (the British standard for information security). ISO 17799 is a code of best practice for information security management and provides practical guidance on implementing the security controls that are selected on the basis of the ISO 27001 risk assessment. ISO 17799 will be renumbered to ISO/IEC 27002 in the course of 2007.

ISO 27001 is derived from Part 2 of BS 7799. It is the standard for certification and sets the requirements, including a risk assessment, that an organization must fulfill in order to establish an information security management system. The PTA ISO 27001:27005 library is a full implementation of the ISO 27001 compliance checklist. If you find that ISO 17799 is more relevant to your practice, please contact us and we may consider development of a PTA library for this standard as well.

How we created the PTA ISO 27001 library

The ISO 27001 checklist contains 185 items in 11 sections, where each item has a reference number and describes a security policy and a corresponding security control. For example, item 6.1.5 is the "Confidentiality agreements" security policy with the following control: "Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed".

First we needed to map the ISO 27001 data model to the PTA threat model concept, which is composed of threats, vulnerabilities, assets and countermeasures. Unlike PTA, the ISO data model does not refer to particular threats or assets; it lists control objectives and controls. We realized that the top-level items in each section (numbered x.y) map nicely to PTA vulnerabilities, i.e. the weakness that exists when the objective is not met, and that the sub-items (numbered x.y.z) are controls that translate directly to PTA countermeasures. For example:

06.1 "Internal organization; information security is lacking or not well-defined" can be easily defined as a PTA threat model vulnerability mitigated by the following PTA threat model countermeasures:

  • 6.1.1 Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.
  • 6.1.2 Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.
  • 6.1.3 All information security responsibilities shall be clearly defined
  • 6.1.4 A management authorization process for new information processing facilities shall be defined and implemented.
  • 6.1.5 Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed.
  • 6.1.6 Appropriate contacts with relevant authorities shall be maintained.
  • 6.1.7 Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
  • 6.1.8 The organization's approach to managing information security and its implementation (i.e. control objectives, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

After the conceptual mapping of the ISO 27001 data model to the PTA threat model, we used the "import entities from text file" function in the PTA Professional Edition to load an Excel worksheet of the ISO 27001 checklist into a baseline PTA threat model of vulnerabilities and countermeasures, which we then packaged as a PTA library.

How analysts use the PTA ISO 27001 library

The standard specifies that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level). The PTA ISO 27001 library provides not only a systematic but also a quantitative approach to risk assessment, which adds a great deal of value by enabling you to arrive at a set of controls optimized for your business situation.

You will discover that running a risk audit with the PTA ISO 27001 library is faster, easier and a lot more robust than doing it in an Excel spreadsheet.

An ISO 27001 risk assessment typically involves a two-stage process:

Stage 1 is a "table top" review of the existence and completeness of key documentation for the Security Policy and the Information Security Management System (ISMS). This is done by cycling through the PTA threat model, tagging top-level vulnerabilities with a status and storing the relevant documentation in the model, linked to the appropriate entity.

Stage 2 is a detailed, in-depth audit that tests the existence and effectiveness of control policies as well as their supporting documentation. Controls that already exist are marked as "Already Implemented" in the PTA Professional Edition countermeasure detail screen. Controls that still need work are tagged with an action-required status (see the tagging option of the PTA tool).

PTA ISO 27001 step by step.

Here is how you would use the ISO 27001 PTA library for a risk assessment (after installing the PTA Professional Edition freeware on your workstation):

  • Step 0 - Fire up PTA
  • Step 1 - Load the ISO27001.2.thl library into your own threat model, or just open the ISO27001.2.thm data model in its entirety
  • Step 2 - Create assets with valuations
  • Step 3 - Enter the costs of countermeasures (the PTA ISO 27001 library we provide is agnostic that way; we figure everyone has their own estimates of how much a control policy should cost)
  • Step 4 - Run the Optimized Countermeasure report, and you have now built a cost-justified plan of controls compliant with ISO 27001
  • Step 5 - During and after implementation of controls, don't forget that you can return to PTA at any time and reevaluate the risk profile and your progress in the process of continuous risk mitigation. For a structured methodology for continuous security assessment see Practical software security assessment

In order to illustrate the power of the PTA ISO 27001 library, we built a simple model with assets and threats in just a few minutes - you can download the threat model here.
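To make the two technical ideas above concrete, the mapping of checklist rows to vulnerabilities and countermeasures (section "How we created the PTA ISO 27001 library") and the asset-valuation, cost and optimized-countermeasure steps (Steps 2 to 4), here is a small Python model. It is an added example written for this article, not PTA's own code, not the library's import format and not the algorithm behind the Optimized Countermeasure report, which the article does not describe. The tab-separated checklist fragment, the assets, the threats, the control costs and the mitigation fractions are all constructed; the 6.1.x wording follows the list above while the 11.2 rows are placeholders. The risk formula (asset value times annual probability times damage fraction, with controls on the same vulnerability compounding multiplicatively) and the greedy "best risk reduction per dollar" selection are assumptions chosen to show the idea of a budget-constrained plan of controls.

```python
"""Toy quantitative risk model in the spirit of the PTA / ISO 27001 mapping.

Added example: not PTA's code, not the library's algorithm.  All data below
is constructed for illustration.
"""
import re

# Constructed checklist fragment, "ref<TAB>text": a top-level x.y row becomes a
# vulnerability, x.y.z rows become the countermeasures that mitigate it.
CHECKLIST = """\
6.1\tInternal organization; information security is lacking or not well-defined
6.1.1\tManagement shall actively support security within the organization
6.1.2\tInformation security activities shall be co-ordinated across the organization
6.1.3\tAll information security responsibilities shall be clearly defined
6.1.5\tRequirements for confidentiality agreements shall be identified and regularly reviewed
11.2\tUser access management; access rights are not formally granted or reviewed
11.2.1\tThere shall be a formal user registration and de-registration procedure
11.2.4\tManagement shall review users' access rights at regular intervals
"""

# Step 2: constructed asset valuations in currency units.
ASSETS = {"customer_db": 500_000.0, "source_code": 200_000.0}

# Constructed threats: (name, asset, vulnerability, annual probability, damage fraction).
THREATS = [
    ("insider leaks customer records", "customer_db", "06.1", 0.10, 0.6),
    ("departed contractor keeps access", "customer_db", "11.2", 0.20, 0.4),
    ("ex-employee copies repository", "source_code", "11.2", 0.15, 0.5),
]

# Step 3: constructed countermeasure cost and the assumed fraction of the
# vulnerability's exposure the control removes.
CONTROLS = {
    "6.1.1": (15_000.0, 0.20), "6.1.2": (8_000.0, 0.10),
    "6.1.3": (5_000.0, 0.25),  "6.1.5": (4_000.0, 0.30),
    "11.2.1": (12_000.0, 0.50), "11.2.4": (6_000.0, 0.40),
}

REF = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\t(.+)$")


def load_checklist(text=CHECKLIST):
    """Group rows: x.y -> vulnerability record, x.y.z -> one of its countermeasures."""
    model = {}
    for line in text.splitlines():
        m = REF.match(line)
        if not m:
            continue                      # skip headers and blank rows
        sec, obj, ctrl, desc = m.groups()
        vuln = f"{int(sec):02d}.{obj}"    # the library writes "06.1"
        if ctrl is None:
            model[vuln] = {"text": desc, "controls": {}}
        else:
            model[vuln]["controls"][f"{sec}.{obj}.{ctrl}"] = desc
    return model


def residual_risk(model, selected):
    """Annualised loss expectancy over all threats with `selected` controls in place.
    Controls on the same vulnerability compound: residual = prod(1 - mitigation)."""
    total = 0.0
    for _name, asset, vuln, prob, damage in THREATS:
        factor = 1.0
        for ref in model[vuln]["controls"]:
            if ref in selected:
                factor *= 1.0 - CONTROLS[ref][1]
        total += ASSETS[asset] * prob * damage * factor
    return total


def plan(model, budget):
    """Step 4 stand-in: greedy knapsack that repeatedly adds the affordable control
    with the largest risk reduction per unit cost.  Returns (refs, spent, residual)."""
    selected, spent = set(), 0.0
    while True:
        current = residual_risk(model, selected)
        best = None
        for vuln in model.values():
            for ref in vuln["controls"]:
                cost = CONTROLS[ref][0]
                if ref in selected or spent + cost > budget:
                    continue
                gain = current - residual_risk(model, selected | {ref})
                if gain > 0 and (best is None or gain / cost > best[0]):
                    best = (gain / cost, ref, cost)
        if best is None:
            return sorted(selected), spent, current
        selected.add(best[1])
        spent += best[2]


if __name__ == "__main__":
    m = load_checklist()
    print(f"baseline annual risk: {residual_risk(m, set()):,.0f}")
    refs, spent, left = plan(m, budget=25_000.0)
    print(f"plan {refs} costs {spent:,.0f}, residual risk {left:,.0f}")
```

With the constructed numbers, the baseline exposure is 85,000 per year and a 25,000 budget buys 11.2.4, 6.1.5 and 11.2.1 (in that order) for 22,000, leaving 37,500 of residual risk; the two expensive 6.1 controls are never picked because they buy little risk per dollar, which is exactly the "most for your security investment dollar" argument made earlier in the article. Greedy selection is not guaranteed optimal for a knapsack problem, so for a real model of 185 items you would want an exact solver or at least a check of the plan against a few hand-picked alternatives.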

We hope that you have found this article of value and hope that the PTA ISO 27001 library will be productive for you in real-life projects and accelerate / facilitate your ISO certification and risk assessment practice.

Download a free copy of the PTA ISO 27001:27005 library and let us know what you think! The PTA Professional Edition freeware is available for download here.