IT Compliance

For IT compliance, which standards should businesses and certified professionals follow – ISO 27000 or OSSTMM? The latter of these two is a guide for ethical hacking created by non-profit ISECOM and is helpful for professionals conducting network assessment for a business. ISO 27000, however, is a series of national standards all professionals and businesses need to follow when implementing and assessing network security.

OSSTMM, which stands for Open Source Security Testing Methodology Manual, was created by ISECOM co-founder Pete Herzog. The 12-chapter guide, now in its third revision, describes the peer-reviewed methodology for performing security tests and metrics. Divided into five sections for testing, the guide covers information and data controls, personal security awareness levels, fraud and social engineering control levels, computer and telecommunication networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations.

Considered the formal guide for ethical hacking, OSSTMM touches on the technical details of exactly which devices or aspects of a network need to be tested; what a professional needs to do before, during, and after a security test; and how to measure results. Included are new tests for international best practices, laws, regulations, and ethical concerns. OSSTMM forms the foundation of various security certifications and is a reference guide for many ethical hacking professionals.

ISO/IEC 27000 is a series of standards for information security management systems (ISMS) required on an international level for businesses and professionals setting up, implementing, and maintaining network security. ISO 27000 contains a list of published and unpublished standards covering various aspects of setting up and implementing network security, and ISO 27000 itself is an overview of all regulations, defining the basic principles, concepts, and vocabulary for the entire series.

ISO 27001 specifies the requirement standards for ISMS. This includes the establishment, implementation, monitoring, review, maintenance, and improvement of an ISMS. These standards apply to all sizes and types of organizations and include several plan-do-check-act cycles for adjusting and changing an ISMS. Specific security controls, however, are not mentioned in ISO 27001.

ISO 27001 also describes how these requirements are used within an organization. This includes:

  • Use in organizations to create security requirements and objectives.
  • Ensuring that security risks are managed cost effectively.
  • Ensuring an organization's compliance with laws and regulations.
  • Describing the framework for implementing and managing security controls.
  • Defining new information security management (ISM) processes.
  • Identifying and clarifying existing ISM processes.
  • Determining the status of ISM activities.
  • Use by internal and external auditors to demonstrate policies and standards.
  • Providing relevant information about security policies to other interacting organizations.
  • Implementing information security.
  • Providing relevant information about security to customers.

ISO 27002 is an IT compliance code of practice for ISM. Although not an implementation standard, ISO 27002 outlines suitable information security controls that allow a company to implement its own policy. ISO 27002 suggests that when a company creates its own network security policy, it should consider the following aspects: risk management, asset management, HR security, physical and environmental factors, communications and operations management, access control, software development, incident management, business continuity, and compliance.

ISO 27003 details implementation guidelines for organizations, including the process of ISMS specification and design. From inception to the production of project plans for business network security, ISO 27003 covers the management and approval of plans within an organization, defining boundaries, assessing security risks and developing appropriate treatments, and designing and planning an ISMS.

The following sections of ISO 27000 cover use and implementation of an ISMS. ISO 27004 covers measuring an ISMS, including security metrics for measuring, reporting, and improving a system. ISO 27005 addresses risk management and provides information about considering risk management when implementing information security. ISO 27006 serves as a guide for the certification or registration process for accredited ISMS and lists requirements for entities auditing and certifying an ISMS.

ISO 27033 provides more details about security techniques. This section provides guidance for security aspects of management, operation, and use of information system networks and their interconnections and offers information about implementing network security controls.

Certain industries, because of the nature and security of data and records, have separate and specific guidelines for an ISMS. ISO 27011 and ISO 27799 list standards for information security for telecommunications and health care organizations, respectively.
