A broad range of ISO/IEC (International Electrotechnical Commission) standards are addressing key issues faced by the world’s fast- growing information and communications technology (ICT) industry. These include preventing cyber attacks, ensuring information security and maintaining business continuity.
A common business tool in most organizations, ICT serves many business purposes and is used in a wide range of business applications and processes. Their use requires associated services provided within an organization, for example through an internal ICT services department, or through a third party.
Up and running
Over recent years, cloud computing has become a fashionable term for the delivery of services such as applications as a service, software as a service and infrastructure as service.
An example is data storage in a third- party cloud server. This can reduce an organization’s costs as it does not need to manage and maintain its own server. There is a possible downside too: can the cloud provider manage the ICT and data storage service efficiently, securely and effectively?
This raises issues of how to provide effective ICT service management and information security. For example, if the cloud service provider is in one country and the provider of personal data is in another, how does the cloud provider protect its customers? In addition, how does the cloud provider conform to national laws when its clients are geographically dispersed around the world?
ICT services management also has a key role in the delivery of ICT services. If these are implemented properly it can increase efficiency and cost-effectiveness, increase flexibility in the use of ICT resources and applications, reduce response times and improve quality of service. To achieve these benefits, information security plays a key role in ensuring effective service delivery.
In the case of critical national infrastructure, service provision needs to be carefully considered. Appropriate solutions and controls are necessary for ICT service management, ICT readiness and preparedness for dealing with disasters and continuity issues, incident handling and information security.
To guarantee delivery, critical infrastructure requires many services to be able to work together. Examples include medical, food, energy, utility and emergency services. Most of these rely on ICT-based systems to keep services up and running.
In cyber attacks or other disasters, it is essential to be able to recover ICT systems to restore services quickly. Before an incident occurs, it is also necessary to have effective early warning, detection and monitoring systems in place.
Best practice guidelines
The delivery of effective ICT service management is being addressed by the ISO/IEC 20000 (Information technology – Service management) family of standards; and information security issues are being addressed by the ISO/IEC 27000 (Information technology – Security techniques) family of standards.
There are also sector and application specific information security standards such as ISO/IEC 27011 for telecom services; ISO/IEC 27017 and ISO/IEC 27018 for cloud computing; and a standard for integrating information security with ICT service management, ISO/IEC 27013.
One area covered by ISO/IEC 20000 is service availability and continuity management. This addresses key questions such as:
• What level of customer service does the service level agreement guarantee?
• What does the service provider need to do to deliver this level of service?
• What does the service provider need to do to withstand an online denial-of- service attack?
• What if the service provider experiences a malware attack on its systems?
• Does the service provider have the information security controls in place to deal with these cyber attacks and maintain its services?
ISO/IEC 20000 features several processes to maintain service availability while tackling problems such as cyber attacks and system failures. These processes include service continuity and availability monitoring and testing, incident handling and problem management, capacity management and information security management.
In the case of information security, ISO/IEC 20000 is linked with the information security management system standard ISO/IEC 27001, which provides a full range of solutions to assist service providers with protecting their systems.
One of the important aspects of system protection is to understand the risks the service provider faces. A risk-based process, ISO/IEC 27001 requires the service provider to undertake a risk assessment to help it decide what information security controls should be implemented to ensure service availability and continuity.
ISO/IEC 27005 provides guidance on risk management for service providers that implement ISO/IEC 27001.
Given the importance of information security to the provision of ICT services, ISO/IEC 27013 is being developed to consider the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000.
The “ other ” business options
Additional standards in the ISO/IEC 27000 series provide guidance and service and application specific controls to support service providers. For example, ISO/IEC 27031 applies to any organization developing its ICT readiness to deal with incidents or threats, therefore ensuring business continuity.
ISO/IEC 27035 provides organizations with guidance on information security incident management. This standard describes a basic set of documents, processes and routines. It also gives guidance to external organizations supplying information security incident management services.
ISO/IEC 24762 gives guidelines on the provision of ICT disaster recovery (ICT DR) services as part of business continuity management. This applies to both in-house and outsourced ICT DR service providers of physical facilities and services.
In cloud computing, ISO/IEC JTC 1/SC 27, IT Security techniques, is developing two new standards: ISO/IEC 27017 covers cloud-specific information security controls; and ISO/IEC 27018 considers controls for personal data. Both of these standards are being designed and developed to work alongside ISO/IEC 27001.
This article was originally published in ISO Focus by Edward Humphreys.