INFORMED RISK DECISIONS
Helping enterprises make reasoned cyber risk decisions
My objectives for this webinar

To give 5 perspectives that will show:
- What and who a relying party is, and why their perspective is important to consider in your ISO27001 journey
- How the relying party can state security requirements that allow service providers to demonstrate how their ISO27001 conformance will protect the relying party’s data
- How ISO27001 evidence can be assessed in order to be assured that service providers meet the relying party’s needs
- How even small service providers can deliver ISO27001-conformant security assurances
Informed Risk Decisions Ltd
http://www.informedriskdecisions.co.uk
Copyright © 2017 Informed Risk Decisions Ltd, All rights reserved.
Who am I?

- 29 years’ service in the Royal Corps of Signals
- 3 years running UK MOD’s in-house information security consultancy and its Information Security research programme
- 8 years Head of Security at APACS
  - Addressing the scourge of e-banking fraud and internet anonymity
- 4 years VP Payment System Risk at Visa Europe
  - Responsible for setting the risk strategy on how cards were accepted and processed in Europe
- 1 year RISO for Carlson Wagonlit Travel
  - Implementing the European cyber risk and assurance strategy
- 18 months independent
Agenda – The five perspectives

1. Who and what is a Relying Party
   - Why is security assurance, and hence ISO27001, so important for them?
2. What types of security assurance method are available
   - Is ISO27001 the only game in town?
3. The importance of establishing a baseline between the relying party and their supplier(s)
   - Do we both agree the level of sensitivity of the data we are protecting?
4. How the relying party should assess the evidence
   - It is not just about agreeing the scope; there are other issues to consider
5. Small service providers can and should use ISO27001 to provide assurance to their relying parties
   - How to tailor ISO27001 to smaller enterprises
1. Who and what is a Relying Party
Why is security assurance, and hence ISO27001, so important for them?
The “Relying Party”

- A term most commonly used in PKI
  - In other words, the party who relies on the trust they derive from another user’s certificate
- I purloined the term when I was at Visa Europe to describe the complex trust relationships in the card payment eco-system
Relying Party    Provider of Assurances
Card Schemes     Acquirers reporting on the compliance of their merchants
Acquirers        Merchants reporting on their security
Merchants        PCI SSC providing certification of products, security standards and assessment capabilities
The New Reality
The Cyberspace: the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form
Cyber Security – The new need

- Describe the environment and the actors
  - All in the cyberspace have to play an active role, beyond protecting their assets, in order for the usefulness of the cyberspace to prevail
- New assets and new consequences
- Attacked by all Threat Actors
- Everyone has roles and responsibilities
  - Including consumers
- Non-technical controls
  - Detect, Respond, Recover
- Risk Management rules OK,
  - but it is a much bigger issue than we ever thought
- Information sharing and coordination
  - What else is happening
The consequences of interconnectivity
All threat actors want to exploit connectivity between relying parties and their suppliers
Regulators are Relying Parties

- General Data Protection Regulation
  - The European Data Protection Board shall issue guidelines, recommendations and best practices ... including the determinations of what constitutes the state of the art
- Network and Information Security Directive
  - Encourage the use of standards and/or specifications relevant to networks and information security … The Commission shall draw up a list of the standards
- Payment Services Directive 2
  - Payment service providers provide to the competent authority … an updated and comprehensive assessment of the operational and security risks relating to the payment services they provide and on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks.
- Regulatory Technical Standards
  - The implementation of the security measures … shall be documented, periodically tested, evaluated and audited by internal or external independent and qualified auditors …
The Relying Party

- The descriptions of cyber security and cyber space provide evidence that we all rely upon each other in one form or another
- We find a relying party wherever there is interconnectivity between partners, and wherever IT service provision of whatever variety is consumed
- Even the regulators can be considered to be society’s relying party
- There is compelling evidence of the harm that can occur when the relying party fails to seek assurance, or seeks inappropriate assurance, from its suppliers
2. What types of security assurance method are available
Is ISO27001 the only game in town?
Security Assurance Methods

External schemes
- ISAE 3402 and SSAE 16
  - Auditing standard for service organizations
- ISO 27001 et al
  - A specification for an information security management system (ISMS)
- tScheme
  - PKI and trust service providers
- Common Criteria
  - Product and system level assurance
- FIPS 140
  - Crypto products
- PCI SSC
  - Product and system level assessments
- Systems Security Engineering Capability Maturity Model
  - Standard metric for security engineering practices

Internal schemes
- Internal Audit
- Community based schemes
- Contractual schemes
Properties to look for in a security assurance method

- The process must be open and transparent and independent of any industry
- They must have credibility as a “good” method
- They must be fit for the purpose we want
- They must be repeatable and give consistent, transferable results
- They must be achievable by the organisation or product under test
- The relying party must be able to review the results to gain confidence
Assurance method selection questions

- Is it important that the supplier is externally assessed as doing what they say they are doing?
  - ISAE 3402 and SSAE 16
- Is it important that the supplier is assessed against an independent security framework?
  - PCI SSC standards, ISO27001, tScheme, Common Criteria
- Is it important to allow greater freedom in implementation design choices?
  - ISO27001, tScheme, ISAE 3402 and SSAE 16, Common Criteria
- Is there a common architectural model where there is an expectation of specific controls necessary to mitigate threats?
  - PCI SSC standards
- Is it important to understand the overall leadership, culture and attitude to security in an enterprise?
  - ISO27001, ISAE 3402 and SSAE 16
- Is it important to be able to compare and judge the security of a lot of different entities?
  - PCI SSC standards
- Do you require a specific level of assurance that security has been implemented?
  - Common Criteria
- Is there a commonly expected benchmark that all such suppliers should use to demonstrate that they are secure?
  - ISO27001, PCI SSC
Example of Applying Assurance Selection Questions
Service provision to the UK payments industry: the Card Protection Agencies Accreditation Scheme
The Card Protection Business Model

[Diagram: the actors are the Card Protection Agencies, the Cardholders and the Card Issuers; the numbered flow is 1 Issue cards, 2 Registers a card, 3 Loses the card, 4 Reports loss, 5 Reports loss, 6 Reissues card]

What information are we sharing and why is it valuable, and what could threaten it and how?
Reasons for choosing ISO27001

- Previous assurance processes were entirely in-house
  - A major commitment and becoming increasingly expensive to resource and maintain currency
- A data warehousing problem, rich with IT and IT security issues
- Need to be able to assess a small number of entities against a common framework
- Recognised that there was a wide variety of implementation strategies
- Need for a good industry-accepted best practice assurance method
- Need to change the culture and mindset of a number of the existing participants
Choosing the appropriate security assurance method

- Best-of-breed assurance methods that provide some external evidence of an entity’s leadership and commitment to security are increasingly favoured
- The choice may be dictated by the rules of the community one is playing in or providing services to
- It doesn’t stop the provider of services using additional assurance methods for different reasons and for other relying parties
3. The importance of establishing a baseline between the relying party and their supplier(s)
Do we both agree the level of sensitivity of the data we are protecting?
The Independent Components of Risk

- Identify Risks
- Analyse Risks
- Identify Controls
- Implement Controls
- Analyse Controls
- Set Risk Appetite
When relying upon an entity’s ISO27001 assessment, how do you know they have assessed their risks the same way as you would?
Establishing the baseline

- Conduct a supplier assurance review?
- Review their security framework and policy?
  - How do they classify the assets they have under trust?
  - What threats have they assessed?
  - Are these consistent with your own perspective?
- How does this change when one engages multiple suppliers?
ISO27001 and Card Protection Agencies

- A community assurance programme
  - Many providers of services
  - Very different implementation strategies
  - Many relying parties
  - A data warehousing problem, rich with IT and IT security issues
- How could we use ISO27001 across a community to compare like with like?
  - Complete ISO27001 or named equivalent annually
  - Submit evaluator’s report to the community for accreditation
  - Meet availability requirements
  - Confirm acceptance of the community Threat Assessment and use it in their risk assessment
The Community Threat Assessment

[Diagram: the Threat Assessment combines the Assets (Asset Value, Consequences of Compromise) with the Threats (Sources, Attack Methods)]

The Assets
- Personal data of any form, particularly payment card data
- The systems used to process, store and protect data
- The reputation of card issuers and processors

Consequences of Compromise
- Fraud
- Identity Theft
- Crimes against the individual
- Reputational damage

Threat Sources
- Outsiders and Insiders
- Those out for gain and profit
- Those out to harm the individual
- Those out to harm the industry

Attack Methods
- Electronic or Information Security Threat
  - Hacking
  - Malware
  - Keystroke loggers
  - Device Insertion
  - Deception and Phishing
- Members of staff and the technology they own
Examples from the Assessment
Lessons learnt establishing a baseline

- For a community, establishing a common asset and threat appreciation is very valuable
  - Participants who were expected to meet community requirements to be ISO27001 compliant welcomed the assessment
- Supplier assurance reviews can only go so far
  - They can become formulaic, predictable and shallow
- An open and transparent engagement and discussion with the provider is essential
  - Insight into the provider’s thinking and how they make their own assessments is the objective
4. How the relying party should assess the evidence
It is not just about agreeing the scope; there are other issues to consider
What evidence is there?

- The Certificate
- The Scope of Applicability
- The assessor’s report
- The entity’s ISO27001 document set
- The entity’s people
What is the relying party looking for?

- Is their “scope” your “scope”?
  - Does the ISO27001 certification represent the services you need from them?
  - Do they protect your assets as if they were their own?
  - Are you comfortable with their security design?
- What did the Assessor report?
  - Non-conformities, work in progress, remediation?
  - So what are they doing about it?
- Who owns the ISO27001 assessment?
  - IT, Audit, Finance, the Board?
  - What leadership commitment is there?
- Is there an open and transparent approach to describing their ISO27001 certification?
  - Are they proud of their assessment and what it represents?
  - Will they provide source documents?
  - Will they openly discuss issues and their strategy?
  - Is it reported in the annual company report?
A Relying Party’s possible agenda with their ISO27001 conformant supplier

- Background and context
- Importance of ISO27001 to the relying party
- Management of their ISMS
  - Changes in staff, governance, organisation and recent meetings
  - ISMS assessment and security management programme
- Delivery of their service and protection of your assets
  - Planned changes, enhancements or improvements
  - Recent internal incidents and how they have been addressed
  - Significant external threat and vulnerability issues and their assessment of them
Guidance thoughts for a relying party

- The relying party is always responsible for their own data, even when they use a service provider
- If one expects ISO27001 certification, the relying party cannot dictate a security design or architecture for the solution to the provider
- The level of effort a relying party can expend in assessing the evidence is inversely proportional to their number of suppliers
- Be prepared, as a relying party, to engage bilaterally with your most important suppliers
5. Small service providers can and should use ISO27001 to provide assurance to their relying parties
How to tailor ISO27001 to smaller enterprises
Context to a small enterprise

- A small enterprise
  - Fewer than 30 staff
  - No full-time security professional staff
- Highly skilled developers and programmers
- Reliance on open source products and cloud services
  - Reduced network footprint
  - Security is as provided
- AWS hosted environment
  - Understanding of the AWS responsibility model
- Rapid product release cycle
- Very sensitive data stored within the environment
  - Clients have significant expectations for security
- Clients develop their own code for the environment
  - Computationally intensive tasks
  - Long duration tasks
Making ISO27001 fit the organisation

- Getting the basics right
  - Establishing the security requirements and security framework
  - Documenting the security inherent in the design
  - Establishing and accounting for the residual risks
  - Simplifying the ISO27001 document set
- Exploiting what is available
  - Google Forms for security management processes
  - Google Drive for document management
  - Using the Trac ticketing system for incident handling and tracking security issues
  - Trac Wiki for security procedures and guidance for staff
- Capturing the staff’s commitment
  - Leadership support and action
  - Making security simple and part of their day-to-day activity
  - Procedures and processes linked to how they currently work
  - One-to-one guidance for each member of staff
Illustrated slides (screenshots not captured in the transcript):
- Simplifying the document set
- Google Forms for security management
- The ticket management system
Thoughts about the small enterprise

- ISO27001 must work the way the enterprise works
  - Size the document set appropriately
  - Importance of the technical and security design
- Help the enterprise understand risk
  - Focus on all the risks and document all residual and accepted risks
- Exploit what capabilities you can
  - Make security management work the way the enterprise works
  - Build accountability and recording into all processes
ISO 27001 Training Courses

- ISO/IEC 27001 Introduction: 1-day course
- ISO/IEC 27001 Foundation: 2-day course
- ISO/IEC 27001 Lead Implementer: 5-day course
- ISO/IEC 27001 Lead Auditor: 5-day course

Exam and certification fees are included in the training price.
https://www.pecb.com/iso-iec-27001-training-courses | www.pecb.com/events
THANK YOU
Questions?

cjw@informedriskdecisions.co.uk
http://www.informedriskdecisions.co.uk
linkedin.com/in/colin-whittaker-a08b10
+44 (0)7791 808777
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
PECB
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
PECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
PECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
PECB
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
PECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
PECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 

More from PECB (20)

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 

Recently uploaded

Industrial Training Report- AKTU Industrial Training Report
Industrial Training Report- AKTU Industrial Training ReportIndustrial Training Report- AKTU Industrial Training Report
Industrial Training Report- AKTU Industrial Training Report
Avinash Rai
 
Additional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdfAdditional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdf
joachimlavalley1
 

Recently uploaded (20)

Mattingly "AI & Prompt Design: Limitations and Solutions with LLMs"
Mattingly "AI & Prompt Design: Limitations and Solutions with LLMs"Mattingly "AI & Prompt Design: Limitations and Solutions with LLMs"
Mattingly "AI & Prompt Design: Limitations and Solutions with LLMs"
 
[GDSC YCCE] Build with AI Online Presentation
[GDSC YCCE] Build with AI Online Presentation[GDSC YCCE] Build with AI Online Presentation
[GDSC YCCE] Build with AI Online Presentation
 
Industrial Training Report- AKTU Industrial Training Report
Industrial Training Report- AKTU Industrial Training ReportIndustrial Training Report- AKTU Industrial Training Report
Industrial Training Report- AKTU Industrial Training Report
 
Additional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdfAdditional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdf
 
Home assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdfHome assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdf
 
Forest and Wildlife Resources Class 10 Free Study Material PDF
Forest and Wildlife Resources Class 10 Free Study Material PDFForest and Wildlife Resources Class 10 Free Study Material PDF
Forest and Wildlife Resources Class 10 Free Study Material PDF
 
Advances in production technology of Grapes.pdf
Advances in production technology of Grapes.pdfAdvances in production technology of Grapes.pdf
Advances in production technology of Grapes.pdf
 
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdfDanh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxStudents, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
 
Basic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumersBasic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumers
 
The Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational ResourcesThe Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational Resources
 
NLC-2024-Orientation-for-RO-SDO (1).pptx
NLC-2024-Orientation-for-RO-SDO (1).pptxNLC-2024-Orientation-for-RO-SDO (1).pptx
NLC-2024-Orientation-for-RO-SDO (1).pptx
 
Basic Civil Engineering Notes of Chapter-6, Topic- Ecosystem, Biodiversity G...
Basic Civil Engineering Notes of Chapter-6,  Topic- Ecosystem, Biodiversity G...Basic Civil Engineering Notes of Chapter-6,  Topic- Ecosystem, Biodiversity G...
Basic Civil Engineering Notes of Chapter-6, Topic- Ecosystem, Biodiversity G...
 
Matatag-Curriculum and the 21st Century Skills Presentation.pptx
Matatag-Curriculum and the 21st Century Skills Presentation.pptxMatatag-Curriculum and the 21st Century Skills Presentation.pptx
Matatag-Curriculum and the 21st Century Skills Presentation.pptx
 
Operations Management - Book1.p - Dr. Abdulfatah A. Salem
Operations Management - Book1.p  - Dr. Abdulfatah A. SalemOperations Management - Book1.p  - Dr. Abdulfatah A. Salem
Operations Management - Book1.p - Dr. Abdulfatah A. Salem
 
Sectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdfSectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdf
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
2024_Student Session 2_ Set Plan Preparation.pptx
2024_Student Session 2_ Set Plan Preparation.pptx2024_Student Session 2_ Set Plan Preparation.pptx
2024_Student Session 2_ Set Plan Preparation.pptx
 

5 Perspectives of ISO/IEC 27001 Certification from a Relying Party

  • 1. INFORMED RISK DECISIONS Helping enterprises make reasoned cyber risk decisions
  • 2. My objectives for this webinar
     To give 5 perspectives that will show:
        What and who a relying party is, and why their perspective is important to consider in your ISO27001 journey
        How the relying party can state security requirements that allow service providers to demonstrate how their ISO27001 conformance will protect the relying party’s data
        How ISO27001 evidence can be assessed in order to be assured that service providers meet the relying party’s needs
        How even small service providers can deliver ISO27001 conformant security assurances
    Informed Risk Decisions Ltd, http://www.informedriskdecisions.co.uk. Copyright © 2017 Informed Risk Decisions Ltd, All rights reserved.
  • 3. Who am I?
     29 years’ service in the Royal Corps of Signals
     3 years running the UK MOD’s in-house information security consultancy and its Information Security research programme
     8 years Head of Security at APACS
        Addressing the scourge of e-banking fraud and internet anonymity
     4 years VP Payment System Risk at Visa Europe
        Responsible for setting the risk strategy on how cards were accepted and processed in Europe
     1 year RISO for Carlson Wagonlit Travel
        Implementing the European cyber risk and assurance strategy
     18 months independent
  • 4. Agenda – The five perspectives
    1. Who and what is a Relying Party
        Why is security assurance, and hence ISO27001, so important for them?
    2. What type of security assurance methods are available
        Is ISO27001 the only game in town?
    3. The importance of establishing a baseline between the relying party and their supplier(s)
        Do we both agree the level of sensitivity of the data we are protecting?
    4. How the relying party should assess the evidence
        It is not just about agreeing the scope; there are other issues to consider
    5. Small service providers can and should use ISO27001 to provide assurance to their relying parties
        How to tailor ISO27001 to smaller enterprises
  • 5. Who and what is a Relying Party
    Why is security assurance, and hence ISO27001, so important for them?
  • 6. The “Relying Party”
     A term most commonly used in PKI
        In other words, the party relying on the trust it derives from another user’s certificate
     I purloined the term when I was at Visa Europe to describe the complex trust relationships in the card payment eco-system

    Relying Party   | Provider of Assurances
    Card Schemes    | Acquirers reporting on the compliance of their merchants
    Acquirers       | Merchants reporting on their security
    Merchants       | PCI SSC providing certification of products, security standards and assessment capabilities
  • 7. The New Reality
    Cyberspace (as defined in ISO/IEC 27032): the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form
  • 8. Cyber Security – The new need
     Describe the environment and the actors
        All in cyberspace have to play an active role, beyond protecting their own assets, in order for the usefulness of cyberspace to prevail
     New assets and new consequences
        Attacked by all threat actors
     Everyone has roles and responsibilities
        Including consumers
     Non-technical controls
        Detect, Respond, Recover
     Risk management rules OK
        But it is a much bigger issue than we ever thought
     Information sharing and coordination
        What else is happening?
  • 9. The consequences of interconnectivity
    All threat actors want to exploit connectivity between relying parties and their suppliers
  • 10. Regulators are Relying Parties
     General Data Protection Regulation (GDPR)
        The European Data Protection Board shall issue guidelines, recommendations and best practices ... including the determinations of what constitutes the state of the art
     Network and Information Security (NIS) Directive
        Encourage the use of standards and/or specifications relevant to networks and information security … The Commission shall draw up a list of the standards
     Payment Services Directive 2 (PSD2)
        Payment service providers provide to the competent authority … an updated and comprehensive assessment of the operational and security risks relating to the payment services they provide and on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks.
     Regulatory Technical Standards
        The implementation of the security measures … shall be documented, periodically tested, evaluated and audited by internal or external independent and qualified auditors …
  • 11. The Relying Party
     The descriptions of cyber security and cyberspace provide evidence that we all rely upon each other in one form or another
     We find a relying party wherever there is interconnectivity between partners, and wherever IT service provision of whatever variety is consumed
     Even the regulators can be considered to be society’s relying party
     There is compelling evidence of the harm that can occur when the relying party fails to seek assurance, or seeks inappropriate assurance, from its suppliers
  • 12. What type of security assurance methods are available
    Is ISO27001 the only game in town?
  • 13. Security Assurance Methods
    External schemes
       ISAE 3402 and SSAE 16
          Auditing standards for service organizations
       ISO 27001 et al
          A specification for an information security management system (ISMS)
       tScheme
          PKI and trust service providers
       Common Criteria
          Product and system level assurance
       FIPS 140
          Cryptographic modules
       PCI SSC
          Product and system level assessments
       Systems Security Engineering Capability Maturity Model (SSE-CMM)
          Standard metric for security engineering practices
    Internal schemes
       Internal audit
       Community based schemes
       Contractual schemes
  • 14. Properties to look for in a security assurance method
     The process must be open and transparent, and independent of any industry
     It must have credibility as a “good” method
     It must be fit for the purpose we want
     It must be repeatable and give consistent, transferable results
     It must be achievable by the organisation or product under test
     The relying party must be able to review the results to gain confidence
  • 15. Assurance method selection questions
     Is it important that the supplier is externally assessed as doing what they say they are doing?
        ISAE 3402 and SSAE 16
     Is it important that the supplier is assessed against an independent security framework?
        PCI SSC standards, ISO27001, tScheme, Common Criteria
     Is it important to allow greater freedom in implementation design choices?
        ISO27001, tScheme, ISAE 3402 and SSAE 16, Common Criteria
     Is there a common architectural model where there is an expectation of specific controls necessary to mitigate threats?
        PCI SSC standards
     Is it important to understand the overall leadership, culture and attitude to security in an enterprise?
        ISO27001, ISAE 3402 and SSAE 16
     Is it important to be able to compare and judge the security of a lot of different entities?
        PCI SSC standards
     Do you require a specific level of assurance that security has been implemented?
        Common Criteria
     Is there a commonly expected benchmark that all such suppliers should use to demonstrate that they are secure?
        ISO27001, PCI SSC
  • 16. Example of Applying Assurance Selection Questions
    Service provision to the UK payments industry: the Card Protection Agencies Accreditation Scheme
  • 17. The Card Protection Business Model
    Actors: Card Issuers, Cardholders, Card Protection Agencies
    1. Card Issuer issues cards to the Cardholder
    2. Cardholder registers a card with the Card Protection Agency
    3. Cardholder loses the card
    4. Cardholder reports the loss to the Card Protection Agency
    5. Card Protection Agency reports the loss to the Card Issuer
    6. Card Issuer reissues the card
    What information are we sharing, why is it valuable, what could threaten it, and how?
  • 18. Reasons for choosing ISO27001
     Previous assurance processes were entirely in-house
        A major commitment, and becoming increasingly expensive to resource and to keep current
     A data warehousing problem, rich with IT and IT security issues
     Need to be able to assess a small number of entities against a common framework
     Recognised that there was a wide variety of implementation strategies
     Need for a good, industry-accepted best practice assurance method
     Need to change the culture and mindset of a number of the existing participants
  • 19. Choosing the appropriate security assurance method
     Best of breed assurance methods that provide some external evidence of an entity’s leadership and commitment to security are increasingly favoured
     The choice may be dictated by the rules of the community one is playing in or providing services to
     It doesn’t stop the provider of services using additional assurance methods for different reasons and for other relying parties
  • 20. The importance of establishing a baseline between the relying party and their supplier(s)
    Do we both agree the level of sensitivity of the data we are protecting?
  • 21. The Independent Components of Risk
    [Diagram: a cycle of Identify Risks → Analyse Risks → Identify Controls → Implement Controls → Analyse Controls, with Set Risk Appetite alongside]
  • 22. When relying upon an entity’s ISO27001 assessment, how do you know they have assessed their risks the same way as you would?
  • 23. Establishing the baseline
     Conduct a supplier assurance review?
     Review their security framework and policy?
        How do they classify the assets they hold in trust?
        What threats have they assessed?
        Are these consistent with your own perspective?
     How does this change when one engages multiple suppliers?
  • 24. ISO27001 and Card Protection Agencies
     A community assurance programme
        Many providers of services
        Very different implementation strategies
        Many relying parties
        A data warehousing problem, rich with IT and IT security issues
     How could we use ISO27001 across a community to compare like with like?
        Complete ISO27001 or a named equivalent annually
        Submit the evaluator’s report to the community for accreditation
        Meet availability requirements
        Confirm acceptance of the community Threat Assessment and use it in their risk assessment
  • 25. The Community Threat Assessment
    Asset Value
       The Assets
          Personal data of any form, particularly payment card data
          The systems used to process, store and protect data
          The reputation of card issuers and processors
       Consequences of Compromise
          Fraud
          Identity theft
          Crimes against the individual
          Reputational damage
    Threats
       Sources
          Outsiders and insiders
          Those out for gain and profit
          Those out to harm the individual
          Those out to harm the industry
       Attack Methods
          Electronic or information security threat
          Hacking
          Malware
          Keystroke loggers
          Device insertion
          Deception and phishing
          Members of staff and the technology they own
  • 26. Examples from the Assessment
  • 27. Lessons learnt establishing a baseline
     For a community, establishing a common asset and threat appreciation is very valuable
     Participants who were expected to meet community requirements to be ISO27001 compliant welcomed the assessment
     Supplier assurance reviews can only go so far
        They can become formulaic, predictable and shallow
     An open and transparent engagement and discussion with the provider is essential
     Insight into the provider’s thinking and how they make their own assessments is the objective
  • 28. How the relying party should assess the evidence
    It is not just about agreeing the scope; there are other issues to consider
  • 29. What evidence is there?
     The certificate
     The scope and the Statement of Applicability (SoA)
     The assessor’s report
     The entity’s ISO27001 document set
     The entity’s people
  • 30. What is the relying party looking for?
     Is their "scope" your "scope"?
       Does the ISO27001 certification represent the services you need from them?
       Do they protect your assets as if they were their own?
       Are you comfortable with their security design?
     What did the assessor report?
       Non-conformities, work in progress, remediation?
       So what are they doing about it?
     Who owns the ISO27001 assessment?
       IT, Audit, Finance, the Board?
       What leadership commitment is there?
     Is there an open and transparent approach to describing their ISO27001 certification?
       Are they proud of their assessment and what it represents?
       Will they provide source documents?
       Will they openly discuss issues and their strategy?
       Is it reported in the annual company report?
  • 31. A relying party's possible agenda with their ISO27001 conformant supplier
     Background and context
       Importance of ISO27001 to the relying party
     Management of their ISMS
       Changes in staff, governance, organisation and recent meetings
       ISMS assessment and security management programme
     Delivery of their service and protection of your assets
       Planned changes, enhancements or improvements
       Recent internal incidents and how they have been addressed
       Significant external threat and vulnerability issues and their assessment of them
  • 32. Guidance thoughts for a relying party
     The relying party is always responsible for their own data, even when they use a service provider
     If the relying party expects ISO27001 certification, it cannot also dictate a security design or architecture for the provider's solution
     The level of effort a relying party can expend in assessing the evidence is inversely proportional to their number of suppliers
     Be prepared as a relying party to engage bilaterally with your most important suppliers
  • 33. How to tailor ISO27001 to smaller enterprises
    Small service providers can and should use ISO27001 to provide assurance to their relying parties
  • 34. Context to a small enterprise
     A small enterprise
       Fewer than 30 staff
       No full-time security professional staff
       Highly skilled developers and programmers
     Reliance on open source products and cloud services
       Reduced network footprint
       Security is as provided
     AWS hosted environment
       Understanding of the AWS responsibility model
     Rapid product release cycle
     Very sensitive data stored within the environment
       Clients have significant expectations for security
     Clients develop their own code for the environment
       Computationally intensive tasks
       Long duration tasks
  • 35. Making ISO27001 fit the organisation
     Getting the basics right
       Establishing the security requirements and security framework
       Documenting the security inherent in the design
       Establishing and accounting for the residual risks
       Simplifying the ISO27001 document set
     Exploiting what is available
       Google Forms for security management processes
       Google Drive for document management
       Using the Trac ticketing system for incident handling and tracking security issues
       Trac Wiki for security procedures and guidance for staff
     Capturing the staff's commitment
       Leadership support and action
       Making security simple and part of their day-to-day activity
       Procedures and processes linked to how they currently work
       One-to-one guidance for each member of staff
  • 36. Simplifying the document set
  • 37. Google Forms for security management
  • 38. The ticket management system
  • 39. Thoughts about the small enterprise
     ISO27001 must work the way the enterprise works
       Size the document set appropriately
     Importance of the technical and security design
     Help the enterprise understand risk
       Focus on all the risks and document all residual and accepted risks
     Exploit what capabilities you can
       Make security management work the way the enterprise works
       Build accountability and recording into all processes
  • 40. My objectives for this webinar
     To give 5 perspectives that would show:
       What and who a relying party is and why their perspective is important to consider in your ISO27001 journey
       How the relying party can state security requirements to allow service providers to demonstrate how their ISO27001 conformance will allow them to protect the relying party's data
       How ISO27001 evidence can be assessed in order to be assured that service providers meet the relying party's needs
       How even a small service provider can deliver ISO27001 conformant security assurances
  • 41. ISO 27001 Training Courses
     ISO/IEC 27001 Introduction: 1-day course
     ISO/IEC 27001 Foundation: 2-day course
     ISO/IEC 27001 Lead Implementer: 5-day course
     ISO/IEC 27001 Lead Auditor: 5-day course
    Exam and certification fees are included in the training price.
    https://www.pecb.com/iso-iec-27001-training-courses | www.pecb.com/events