Additional Security Control Frameworks

Organisations need to assess the vulnerabilities and threats which may produce negative consequences on the confidentiality, integrity or availability of information assets, or the supporting assets upon which they depend for their security.

One or more security controls should then be implemented to reduce the risk level to below the organisation’s acceptance threshold. Annex A of ISO27001 contains a framework of 114 such controls (described more fully in the separate standard ISO27002), and there are supplementary security control frameworks which can optionally be introduced to provide more technology-focused or sector-specific guidance on the management of risks. Alongside Annex A of ISO27001, InfoSaaS includes a number of additional control sets aligned with these supplementary standards, with more being added periodically; they are summarised below.

ISO27001 Annex A / ISO27002

ISO27001 is the international standard for information security, and thousands of organisations around the world have used it as the basis for their Information Security Management System. Annex A of the standard provides a framework of 114 controls within fourteen domains, encompassing organisational issues, human resources, physical security, technical risks and legislative compliance. If additional guidance is required, a more detailed explanation is provided in ISO27002. InfoSaaS provides a selection of asset-based risk assessment templates, each including a set of applicable threats and vulnerabilities and aligned to recommended security controls.

ISO27017

ISO27017 is a supplementary framework of security controls specifically designed for the protection of cloud services. For specific controls from Annex A of ISO27001, it provides more detailed requirements for both the cloud service provider (responsibilities of the supplier) and the cloud service customer (responsibilities of the consumer). It also provides a small number of new controls, including the definition of responsibilities for cloud services, segregation between customers, effective cloud service monitoring, and several more. Controls aligned to ISO27017 can easily be selected from within the InfoSaaS risk management module, or by using the “cloud service” asset template.

ISO27018

This standard is focused on the protection of personal data (personally identifiable information, or PII) whilst it is being processed in public cloud environments – for example when it has been entrusted to a third-party SaaS provider. It provides specific guidance on existing controls from Annex A of ISO27001, but also introduces many new controls in this important area. Controls aligned to ISO27018 can easily be selected from within the InfoSaaS risk management module, or by using the “personal data in a cloud service” asset template.

ISO27701

Building upon an Information Security Management System aligned to ISO27001, ISO27701 provides an enhanced capability which delivers a Privacy Information Management System (PIMS). It sets out specific approaches for PII Controllers and PII Processors and is focused on privacy controls which reduce the risks to individuals’ privacy rights. Its alignment with the EU General Data Protection Regulation (GDPR) is easily identifiable. Controls aligned to ISO27701 can easily be selected from within the InfoSaaS risk management module, or by using the “personal information (PII)” asset template.

ISO28001

Recognising that an organisation’s supply chain may present risks to operations, the ISO28001 standard looks at how information and its supporting technology need to be protected within the supply chain and its associated logistics operations. Originally designed for ships and marine technology, its approach has now widened to all supply chains. Controls aligned to ISO28001 can easily be selected from within the InfoSaaS risk management module, or by using the “supply chain security” asset template.

Bespoke Controls

The InfoSaaS Team have experience assisting customers with customising and implementing InfoSaaS risk control sets to meet their own national or sector-specific requirements. Whether you are interested in the American NIST 800-53 standard, controls from the Australian ISM, or perhaps healthcare or automotive requirements, let’s explore the art of the possible.

Need more advice on security controls?