Over the years many standards and frameworks have been developed and adopted to address information security concerns. Information security which was once a niche domain and often an afterthought for business executives has come to occupy the centerstage.
It is the result of wholesale migration of enterprise data to computer systems which are networked with each other and with different parts of an organizations network and/or to third party networks through VPN and leased lines and to an always on internet which is accessed by a variety of endpoints from different locations.
The situation is made more challenging by the plethora of technologies and software which increase the attack surface and the ever-evolving threat landscape which has become more and more sophisticated over time. The other reason is the overwhelming dependence of present-day business on information which is not just an asset but the most important asset. So much so that the focus of all BCP and DR programs is on securing and restoring information.
Given the above scenario it is understandable why there are so many information security standards and why they are so important. It is to give organizations and nations a direction and guidance as to how to approach and best secure information and information assets and how to evaluate effectiveness. Otherwise, every organization will have to reinvent the wheel and most will not be able to do it to any degree of efficiency and whatever they do will be disputed as to its effectiveness and intent.
As mentioned above, there are many information security standards – some global, some national and some industry specific. In this article we will discuss 2 such standards, namely, ISO 27001 and NESA. Both are hugely different but have a lot of common ground. Let us discuss the 2 standards briefly before we go into a comparison and into how they should be approached at by an organization for the purpose of implementation and compliance.
ISO 27001
ISO 27001 is the global de facto information security standard which comes from ISO or the International Organization for Standardization. The latest iteration of the standard is ISO/IEC 27001:2013 (IEC means International Electrotechnical Commission, a body which works with ISO to produce standards on electrical, electronic, and derived technologies). In fact, it is one among many standards from the family of ISO 27000 standards all of which are devoted to information security. ISO 27001 is the main standard against which an organization can be audited and certified while the other standards in the family support ISO 27001. The chief among the other standards in the family are ISO 27000 (introductory standard which defines information security terms and terminologies), ISO 27002 (provides guidance about implementing the controls listed in Annexure A of ISO 27001), ISO 27005 (provides guidance on performing information security risk management), ISO27011 (provides guidance about ISO 27001 implementation for the telecom sector) etc.
ISO 27001 follows the same uniform format as that of other ISO standards which will be easily recognizable to anybody who is acquainted with ISO standards. ISO standards are very neat and easy to read even by laypeople. ISO 27001:2013 is particularly very well-crafted, elegant, and easy to navigate. Being an international standard, it is very broad based and does not go into specifics but provides enough wherewithal to design an ISMS which best suits one’s purpose. A copy of the standard can be purchased from the ISO website at https://www.iso.org/standard/54534.html.
The standard follows a risk-based approach to information security and consists of 7 mandatory clauses which is the core of the standard. The clauses guide an organization about how to design, implement and operate an Information Security Management System, commonly referred to as an ISMS. The different clauses are shown mapped to the stages of a PDCA cycle below to give context and for better understanding.
The clauses are followed by an annexure which lists control areas, control objectives and controls to achieve the control objectives for each area. There are 14 control areas (also called control sets) and 114 controls to achieve the control objectives identified for each area. It is not mandatory to implement all of them but it is mandatory to consider all of them and implement those which are relevant. Any exclusion is to be thoroughly justified. Most organizations end up implementing all the controls. The result of the process of evaluating (i.e., selecting and implementing a control or rejecting and excluding it from implementation) the 114 controls is a document (called documented information in ISO parlance) called the ‘Statement of Applicability’. The below list reproduces the control sets and the number of controls against each control set.
ISO 27001:2013 Control Sets
A.5 Information security policies (2 controls)
A.6 Organization of information security (7 controls)
A.7 Human resource security (6 controls)
A.8 Asset management (10 controls)
A.9 Access control (14 controls)
A.10 Cryptography (2 controls)
A.11 – Physical and environmental security (15 controls)
A.12 Operations security (14 controls)
A.13 Communications security (7 controls)
A.14 System acquisition, development, and maintenance (13 controls)
A.15 Supplier relationships (5 controls)
A.16 Information security incident management (7 controls)
A.17 Information security aspects of business continuity management (4 controls)
A.18 Compliance (8 controls)
NESA
The full form of NESA is National Electronic Security Authority. It is an UAE government body constituted in September, 2012 under the aegis of the Supreme Council of National Security and responsible for UAE’s information security strategy. It also aims to foster a culture of information security awareness and best practices among all concerned and strengthen the security of UAE’s information assets and digital infrastructure. The current name of NESA is SIA or Signals Intelligence Agency though it still goes by its old name. The body has formulated standards and documentation which is collectively called the NESA Information Pack. The chief formulations in the NESA Information Pack include the IAS (Information Assurance Standards), Critical Information Infrastructure Protection Policy (CIIP) and Cyber Risk Management Framework (CRMF).
Of the mentioned formulations, IAS is the standard set by the UAE with respect to information security for organizations. A copy of the standard can be purchased from sites like scribd.com, coursehero.com etc. NESA does not clearly define the applicability of the IAS but puts it as applicable to all government and private organizations which processes, deals with or is part of UAE’s critical information infrastructure. What it basically means is that it is applicable to all organizations which deal in and provide utility products and services to customers in the UAE or the government of UAE.
The IAS is heavily influenced by ISO 27001 and NIST standards (National Institute of Standards and Technology, an American body that develops standards). However, its approach is different than that of ISO 27001:2013. We will go through the differences at length in the difference section that follows.
NESA’s IAS is based on a threat-based model. To put it very simply, NESA identified and compiled a list of cyber security threats from industry data and categorized the threats in terms of severity and frequency of occurrence.
Then it devised controls to counter those threats and prioritized the controls corresponding to the threat level it addressed. There are 4 priority levels from P1 to P4. Implementing IAS in an organization begins with implementing the P1 controls. An organization must demonstrate that it has successfully implemented the P1 controls at least to be considered compliant. Apart from the priority levels the controls are also grouped into 2 broad groups called families depending in the type or nature of the control.
The two control families are the Management and Technical Controls families. There are 188 controls in all out of which 60 are management controls and 128 technical controls. They are further broken down into 564 sub controls.
The below tables show the control categorization. Table 1 shows the priority breakup of controls and tables 2.1 and 2.2 shows the breakup of controls into management and technical control families.