ISO27001 and ISO27002 Newsletter - Issue 4

Welcome to this edition of the ISO27000 newsletter, designed to keep you abreast of news and developments concerning ISO 27001, ISO 27002 and information security.

The information contained in this newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents.

Guidance and information included in this issue:

  • The ISO27000 Toolkit Uncovered
  • Social Engineering - Are you Susceptible?
  • ISO27000: A Worldwide Phenomenon
  • Stranger Danger
  • ISO 27001 and 27002: More Frequently Asked Questions
  • Credit Card Transactions - Minimize the Risks
  • BSI Certifications - Congratulations
  • ISO27002 Section 14 - BCP Review
  • It Couldn't Happen Here.... Could It?
  • Subscription Information

The ISO27000 Toolkit Uncovered

The ISO27001 and ISO27002 standards can be acquired either stand-alone or as part of an introductory pack appropriately called 'The ISO27000 Toolkit'. But why was it packaged thus, and what is included in the pack?

The purpose of the toolkit is to help organizations get off to a flying start with respect to the standards (27001 and 27002)... not only to understand the standards themselves but to begin to address many of their requirements more quickly.

The contents fall into two groups: those that help the organization understand where ISO 27002 fits and what adopting it involves, and those that help it take the first critical steps towards compliance with ISO 27002 and, optionally, certification. Note that certification is granted against the management-system requirements of ISO 27001, not against the ISO 27002 code of practice itself.

In the former group are the 'RoadMap to Certification' (which broadly describes the process of gaining certification), the 'PPT Management Presentation' (which explains the history, background and current status of the standard) and of course copies of the ISO 27001 and ISO 27002 standards themselves.

In the latter group are some key items to aid compliance. These include a comprehensive set of ISO27002-compliant security policies to address section 5 (Security Policy) and business continuity audit checklists to help address section 14 (Business Continuity Management).

It doesn't end there, however. There is also a detailed set of audit questionnaires covering various issues and platforms, and for newcomers to information security there is even a substantial glossary of terms.

Clearly, creating such a toolkit was a significant undertaking. However, in terms of helping organizations exploring the initial stages of the ISO27000 standards, it can be invaluable.

More information on the ISO27000 Toolkit and how to purchase can be found at:

The standard itself can alternatively be procured from:

Social Engineering - Are you Susceptible?

The term 'social engineering' can conjure up a variety of ideas, usually based around the concept of genetic tampering. When applied to IT security, however, it has its own implications and its own vocabulary.

Following interviews with known computer criminals, a list of approaches has been compiled. These are designed to gather information without the target even realizing that they have parted with it.

The attempts are often made on an opportunistic basis, with common locations for this sort of activity being planes, trains and pubs. The telephone is probably the major channel for premeditated acts.

The following are some of the major techniques employed:

This essentially involves asking a variety of questions, including some leading questions designed to 'catch' the right answers. Often, further items of conversation are introduced based upon the replies received. The fiction is legitimized with small amounts of fact in the right places.

This amounts to the perpetrator assuming a more senior position in the company than the victim, and is usually enacted over the telephone. It does not necessitate impersonation of a specific individual... only the POSITION needs to be assumed.

This involves asking a constant stream of similar questions to wear down the target.

Basically this is looking over someone's shoulder at something confidential, whether directly, through a window, through a doorway, etc.

The information given freely in surveys can often be extremely useful to a criminal. The surveys can initially be for entirely legitimate purposes, or can be completely bogus from the start. In either case sensitive information can often be obtained and unwittingly disclosed.

There are of course many other techniques. However, disclosure can be prevented by a series of common-sense rules and policies.

Before releasing any information it is essential to at least establish:

a) the sensitivity of the information
b) your authority to exchange or release the information
c) the real identity of the third party (proper authentication, e.g. calling back on a number you already hold for them rather than one the caller supplies)
d) the purpose of the exchange

The act of exchange should also be recorded for audit purposes.

ISO27000: A Worldwide Phenomenon

Disney would have said "it's a small world after all", but the global take-up of ISO27002 shows that organizations the planet over are embracing it with enthusiasm.

To illustrate the global nature of the standard, we recently compiled a table from the last 500 purchases of the standard from the ISO27000 Electronic Shop. The figures below come with a serious health warning, though: the Electronic Shop is a credit card purchase system, and some cultures are less comfortable or familiar with credit card purchasing than others, so their purchase position will be significantly understated. An example is India, which acquires substantial numbers of the standard, yet only two of which show in the last 500 from the download location. Note also that several countries appear under more than one name (Brasil and Brazil, Deutschland and Germany, UK, United Kingdom and England, USA and United States), so the rows need adding together for a country total.

That aside, the table makes interesting reading:

Argentina 1
Australia 6
Austria 5
Barbados 2
Belgium 5
Bermuda 1
Bosnia and Herzegovina 1
Brasil 2
Brazil 4
Canada 52
Cayman Islands 1
Chile 3
China 3
Colombia 5
Costa Rica 1
Croatia 1
Cyprus 1
Denmark 5
Deutschland 5
Egypt 4
England 26
France 3
Germany 20
Greece 3
Guatemala 1
Hong Kong 7
Hungary 1
India 2
Indonesia 2
Ireland 11
Isle of Man 1
Israel 1
Italia 1
Italy 20
Japan 3
Malaysia 5
Mexico 9
Netherlands 3
New Zealand 2
Northern Ireland 1
Norway 10
NZ 1
Panama 1
Portugal 1
Russia 3
Sacramento 1
Scotland 3
Singapore 9
Slovak Republic 1
Slovenia 1
South Africa 4
Spain 9
Sultanate of Oman 1
Sweden 3
Switzerland 14
Taiwan 3
Thailand 2
The Netherlands 8
Tunisia 1
Turkey 1
U.A.E 1
UK 51
United Arab Emirates 2
United Kingdom 24
United States 13
United States of America 25
USA 176
Venezuela 2

Stranger Danger

As you read this article, look around at your working environment. The items and information you have to hand may not seem very sensitive because you deal with them every day... but now look again.

If you were alone and not a member of staff, how would you view them? What would you find if you looked around? Picture yourself as a visitor passing through. What can you hear in terms of conversation? What can you see?

The chances are that you can hear and see quite a lot that you would not want openly disclosed to the outside world. If so, the security of your information is potentially at risk from every visitor, stranger, subcontractor, etc.

This article is not written with the intention of discrediting visitors, but nonetheless, it is important to be fully AWARE of what CAN happen if due caution is not exercised.

The following guidelines may help in ensuring that the risks are minimized:
* Your reception/visitor area should issue distinctive badges and ensure that visitors wear them
* Consider using different colored badges for each day of the week.
* Challenge those who are not displaying any identity badges
* If your location issues identity badges - make sure YOU wear yours
* Do not be afraid to ask someone who they are visiting and what they are doing
* Do not be lazy... escort visitors from reception (if applicable)... don't let them make their own way to you
* Do not hold doors open for people not displaying their ID
* Do not leave visitors alone

ISO 27001 and 27002: More Frequently Asked Questions

1) How many controls are there in the standard?
ISO 27002 (the code of practice, formerly BS7799 Part 1) is organized into 11 security control clauses. Between them these contain 39 control objectives and 133 controls.

2) What is Part 2?
BS7799 Part 2 specified the requirements for building and operating an information security management system (ISMS), i.e. how to apply the code of practice in Part 1 in a managed and auditable way. It has since been published as an international standard in its own right: ISO 27001.

3) How old is it?
The base standard stems from a code of practice published in 1993 by the DTI in the UK. It became BS7799 in 1995, ISO/IEC 17799 in 2000 (revised in 2005), and was renumbered ISO/IEC 27002 in 2007.

4) What is accreditation?
An accreditation body authorizes certification bodies to "certify" third parties against ISO 27001 (formerly BS7799 Part 2). A number of accreditation bodies exist in different countries.

5) Is certification for life?
No. A certificate is normally valid for three years, subject to periodic surveillance audits during that period, after which the organization must be re-certified.

6) ISO27002 is used throughout the world, but was it internationally created?
Yes indeed. The latest versions incorporated input from representatives of many nations, including Australia, Brazil, Germany, Norway, the UK and the USA, amongst others.

7) Is it linked to a specific national legal system?
No. It is generic in terms of legislation.

Credit Card Transactions - Minimize the Risks

The use of credit and debit cards to purchase goods and services has become an everyday convenience that we take for granted, but there are associated information security risks which we should pause to consider, especially when making payments over the Internet.

Web sites have become an increasingly popular means of purchasing goods and services, but they have also become popular targets for cyber criminals, who often use stolen credit card numbers to purchase goods which can then be easily exchanged for cash. There are also relatively simple technologies now readily available which could be used by hackers to surreptitiously steal vast amounts of money, a few pounds at a time, from millions of people. A survey by the IT research company Gartner predicted that Internet crime involving the "mass victimization" of consumers could take place by the end of this year.

We recommend the following best practice guidelines to minimize the risks involved in credit card transactions:
* Ensure that credit cards used to purchase goods or services on the Internet have a low credit limit, or if debit cards are used, that they have limited funds and are only topped up to cover specific Internet purchases.
* All expenses incurred through Internet transactions should be carefully audited on a regular basis for any anomalies.
* Only enter credit card details on a Web site if you are confident of its authenticity and that the connection is secure. The prefix https (as opposed to the usual http) in the Web site address indicates that the connection is encrypted, but it does not by itself prove who operates the site: check that the site's certificate is issued to the organization you expect, and that the host name is exactly the one you intended rather than a lookalike.
* If the security of a Web site is in doubt, any confidential information posted to it may be exposed to malicious intent. Be extremely cautious when posting confidential details on any site whose operator or hosting provider cannot be verified. Note that we have pre-checked all sites referenced in this newsletter for security!
* If ordering by telephone using a credit card, ensure that you are talking to the correct person. If you are unsure whether the organization you are dealing with will handle your details sensitively, pay by some other means.
* Lost or stolen credit card details may be used for Internet transactions. Inform the card issuer and relevant person within your organization immediately if a company credit card is lost or stolen.
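The https check in the guidelines above is necessary but not sufficient: the scheme only says the channel is encrypted, not that the host is the merchant you meant. The following is an added example (not part of the newsletter) showing the kind of pre-submission check a browser plug-in or internal tool could apply before card details are entered. The trusted merchant hosts and the URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts of the merchants you actually intend to pay (constructed for this example).
TRUSTED_HOSTS = {"shop.example.com", "pay.example-bank.com"}


def _squash(name: str) -> str:
    """Reduce a host name to letters and digits so that punctuation tricks
    (shop-example.com, shop.example.com.evil.net) still match the trusted name."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def check_payment_url(url: str) -> tuple[bool, str]:
    """Decide whether card details may be entered at `url`.

    Returns (safe, reason). 'safe' requires BOTH an https scheme and a host that
    exactly equals a trusted merchant host. A trusted name that merely appears
    inside the host, or in the user-info part before an '@', is treated as a
    lookalike and rejected.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    if scheme != "https":
        return False, f"not https ({scheme or 'no scheme'}): card details would cross the network unencrypted"
    if parts.username is not None:
        # https://shop.example.com@evil.net/ - the browser actually connects to evil.net
        return False, f"user-info '{parts.username}' hides the real host {host}"
    if host in TRUSTED_HOSTS:
        return True, f"https to trusted host {host}"
    for trusted in TRUSTED_HOSTS:
        if _squash(trusted) in _squash(host):
            return False, f"lookalike: {host} is not {trusted}"
    return False, f"unknown host {host}: verify the merchant before entering card details"


if __name__ == "__main__":
    for candidate in (
        "https://shop.example.com/checkout",
        "http://shop.example.com/checkout",
        "https://shop.example.com.evil.net/checkout",
        "https://shop.example.com@evil.net/checkout",
        "https://shop-example.com/",
    ):
        print(candidate, "->", check_payment_url(candidate))
```

An exact host match against a short allow-list is deliberately strict; it does not attempt to spot internationalized-domain homoglyphs, which is a further reason to read the certificate subject in the browser rather than trust the address bar prefix alone.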

BSI Certifications - Congratulations

Congratulations to all of the following, who have been certified by BSI against BS7799 Part 2 (now ISO 27001) for at least one system in at least one location:

7 Global, Accordis Acetate Chemicals Limited, Alenia Marconi Systems Ltd, American Society of Quality, AMOUN Pharmaceutical Co (Egypt), Attenda Limited, Business Coach IT Management, CADWEB Limited, Camelot Group Plc, Capita Business Services, Dai-Ichi Kangyo Bank Limited, DBI Consulting, Digex, DNP Facility Services Co Limited (Japan), Ericsson ESPAÑA S.A., Glaxo Wellcome Manufacturing (Singapore), GlaxoSmithKline, Hanvit Bank Korea, Hyundai Information Technology, Icfox International, Intergalis, Logic Systems Management, Macquarie Corporate Telecommunications Pty Limited Australia, Netstore Plc, NTT Data Corp, Paramount Computer Systems (UAE), PCCW Business eSolutions Hong Kong, S-Cube Inc, Serious Fraud Office, Siemens Business Services Trust Center (Munich), Stiki EHF (Iceland), Sony Bank Inc (Japan), Co-operative Bank Plc, The University of Texas, Total Network Solutions Limited, Unisys Limited, Vodafone Telecommerce GMBH, Volex Group Plc

We intend to produce a more complete list in a future newsletter. We will also include certificates issued by the growing number of other certification bodies across the world.

ISO27002 Section 14 - BCP Review

Business continuity management is covered by section 14 of the ISO 27002 standard, a core requirement of which is the creation and maintenance of a business continuity plan.

Creating such a plan from scratch is of course a difficult undertaking, which is one reason why software products were produced to help. Unfortunately these often become problematic in themselves: difficult to learn, expensive, etc.

Recent times have therefore seen a move towards simplification, with organizations keen to avoid adding complexity to an already complex task. At the vanguard of this change was a product developed entirely in MS Word: the BCP Generator.

This was designed from the top down to simplify business continuity planning. It comprises two components: a plan template and an interactive guide (the latter using Word macros to jump to and fro between the guide and the correct part of the template; note that a macro-enabled document will only work where your desktop policy allows macros to run, so obtain it from a source you trust). Its impact upon the business continuity scene has been substantial, with organizations from the very largest to the smallest embracing the tool and its concepts. It is in active use in over 40 countries.

With this change of emphasis in the business continuity planning market, there is now NO excuse for not creating a full recovery plan. The old lines of "too expensive" and "too difficult" ring more hollow than they ever did. Although section 14 is very clear on the need for a comprehensive plan, it is surely also a matter of due diligence to have one, and equally, irresponsible not to have one.

For information on the BCP Generator see:

For information on business continuity generally, see:

It Couldn't Happen Here.... Could It?

Every issue of The ISO27000 Newsletter features at least one TRUE story of an information security breach and its consequences. Again, in this issue, we focus upon 'low tech' but high impact incidents:

1) On 25th October a contract programmer who had once worked for a large US-based bank walked into the 'inner sanctum' of the main building (the security guards remembered him as someone permitted to do so). In the dealing room he claimed to be conducting a quality audit, interrogated a junior employee and watched a program run, noting down the security codes as they were entered. He then left and hung around outside until just after normal trading time.

He then rang the bank from a public phone box and initiated an electronic funds transfer using the codes: $10.2m to a Swiss account.

The plan nearly failed when he found that he had noted one of the codes incorrectly, but he rang the Bank department back and incredibly managed to trick a different employee into revealing the correct digit.

He flew to Switzerland and later returned with the money. He was caught simply because he couldn't resist boasting about his great feat. When the police contacted the bank, it was still totally unaware of its loss!

2) Remote or dial-in access can be a real Achilles' heel if not properly controlled. In a recent case a young hacker gained access to a major company's system by using the default password of a system engineer's account (which had never been changed!).

This gave him considerable scope and powers of access. To cover his tracks, however, he partially disabled the machine log, changed a number of user passwords, created several fictitious privileged users and tampered with the dial-back system.

Getting more ambitious he established a communication link with another computer and ended up making it crash. All this took place over a couple of evenings.

To recover from the havoc the installation had to shut down its prime computer and restore from the previous week's back-up, at considerable cost.
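Every step in the second case (remote login on a never-changed default account, a run of password changes by one actor, a new privileged account, audit logging switched off, the dial-back configuration altered) leaves a trace that a nightly review of the system log could have caught before the weekend restore became necessary. The following is an added example, not from the newsletter or from the company involved, of such a review run over a constructed log excerpt. The log format, the account name "sysengr" and the list of default-credential accounts are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt modelled on the incident described above; not real data.
SAMPLE_LOG = """\
2008-03-14 19:02:11 host1 login: session opened for user sysengr from dialin-03
2008-03-14 19:05:40 host1 passwd: password changed for user jsmith by sysengr
2008-03-14 19:05:52 host1 passwd: password changed for user akhan by sysengr
2008-03-14 19:06:07 host1 passwd: password changed for user mlee by sysengr
2008-03-14 19:07:10 host1 useradd: new account maint2 uid=0 created by sysengr
2008-03-14 19:09:30 host1 audit: logging stopped by sysengr
2008-03-14 19:12:00 host1 dialback: callback number for user sysengr changed by sysengr
2008-03-14 20:15:03 host1 login: session opened for user jdoe from console
2008-03-14 20:16:44 host1 passwd: password changed for user jdoe by jdoe
"""

# Vendor/engineer accounts known to ship with a default password (constructed list;
# in practice this comes from the build standard or the vendor documentation).
DEFAULT_CREDENTIAL_ACCOUNTS = {"sysengr", "field"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"session opened for user (?P<user>\S+) from (?P<src>\S+)")
PASSWD_RE = re.compile(r"password changed for user (?P<target>\S+) by (?P<actor>\S+)")
USERADD_RE = re.compile(r"new account (?P<user>\S+) uid=(?P<uid>\d+) created by (?P<actor>\S+)")

BURST_COUNT = 3                      # resets of other users' passwords ...
BURST_WINDOW = timedelta(minutes=10)  # ... by one actor within this window


def detect(log_text: str) -> list[tuple[str, str]]:
    """Return (rule, offending log line) pairs, in log order."""
    findings: list[tuple[str, str]] = []
    resets: dict[str, list[datetime]] = defaultdict(list)  # actor -> reset timestamps
    alerted: set[str] = set()                               # actors already reported
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparseable line; a real tool would count these too
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        prog, msg = m["prog"], m["msg"]
        if prog == "login":
            lm = LOGIN_RE.search(msg)
            if lm and lm["user"] in DEFAULT_CREDENTIAL_ACCOUNTS and lm["src"].startswith("dialin"):
                findings.append(("default-credential remote login", raw))
        elif prog == "passwd":
            pm = PASSWD_RE.search(msg)
            if pm and pm["actor"] != pm["target"]:   # a user changing their own password is normal
                actor = pm["actor"]
                window = resets[actor]
                window.append(ts)
                while ts - window[0] > BURST_WINDOW:  # slide the window forward
                    window.pop(0)
                if len(window) >= BURST_COUNT and actor not in alerted:
                    alerted.add(actor)
                    findings.append(("mass password reset", raw))
        elif prog == "useradd":
            um = USERADD_RE.search(msg)
            if um and um["uid"] == "0":               # uid 0 = superuser on a Unix-style host
                findings.append(("new privileged account", raw))
        elif prog == "audit" and "stopped" in msg:
            findings.append(("audit logging disabled", raw))
        elif prog == "dialback" and "changed" in msg:
            findings.append(("dial-back configuration tampered", raw))
    return findings


if __name__ == "__main__":
    for rule, line in detect(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

The audit-stop rule is the important one: once logging is off, later actions leave no trace, so the "logging stopped" event itself must be forwarded to a host the intruder cannot reach before it can be acted on. The checks here are deliberately simple string rules; the point is that each of the attacker's steps in the story is individually visible.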

3) Over a period of nine months, the number of computer malfunctions within a large company rose from an average of two per year to critical levels. The impact was such that the business fell behind with its invoicing systems and had to buy processing and backup from third parties. As it could not deliver some of its services reliably, it started to lose the confidence of its customers. The situation began to spiral.

Eventually, the company suspected that foul play might be involved and called the police. Covert surveillance equipment was installed to monitor staff. One employee was filmed lightly scratching circuit boards in disk units and also attaching paper clips to them; both actions caused short circuits.

When confronted, he confessed everything. His motive was to earn overtime, which was required to process the backlog of work delayed by the malfunctions. He netted GBP 689 over the nine months. The company lost at least GBP 500,000.

We hope that you have found this newsletter informative and useful in helping to address the ISO27001/2 issue. Future editions will pursue these ends further (and will include interviews, case studies and more).

Subscription Information

Subscription to ISO27000 News is free. Please do feel free to pass this copy on to friends and colleagues. If you do not wish to receive further copies, please email us at the address below with the title Unsubscribe.

If your friends or colleagues wish to receive the newsletter directly, they should simply send a blank email to: news(at)27005(dot)com

Have you got something to say on the topic of ISO27000... a fresh insight or some information which might benefit others? If so, please feel free to contribute your submission to us.
