Author: Gary Hibberd
Date: 5th May 2020
If you’ve been involved in cybersecurity for any length of time, you’ll have come across something called the ‘CIA Triad’. Now, if you’re new to this topic, that may sound a little sinister! But I can assure you that it’s not some secret agency operating out of China!
What is “CIA Triad”?
The CIA Triad wasn’t a concept created by one individual; instead, it was developed over a period of time to establish core principles for a very broad topic. It has certainly been around for more than two decades (in its current form) and refers to Confidentiality, Integrity and Availability.
- Confidentiality – Meaning only authorised users and processes should be able to access or modify data, and it is therefore held in confidence.
- Integrity – Meaning that data should be maintained in a manner that ensures nobody is able to improperly modify it, either accidentally or maliciously, and that it can be trusted.
- Availability – Meaning that data will be available to authorised users when and wherever they need to access it.
For more than two decades security professionals have spoken about the CIA Triad, and have used international standards to help evidence that CIA is being addressed. One such standard is ISO 27001, with its 114 security controls that evidence (at great length) that only authorised users and processes can access or modify data.
But in truth, that only really addresses the ‘Confidentiality’ part of the triad. What about Integrity and Availability?
ISO 22301 – Availability
I have discussed ISO 22301 at length in another blog, so by now, you should be aware that ISO 22301 is the international standard for Business Continuity Management.
It requires organisations to put in place rigorous processes for establishing impact and likelihood of disruptive events and requires that there are clear objectives and strategies developed (based on these events).
In short, it helps us establish clear evidence that data (and more importantly, your organisational resources) will be available when your clients and customers need you. So the ‘Availability’ in CIA is now addressed.
But that leaves us with a problem: how do we demonstrate ‘Integrity’?
Welcome “ISO 27701:2019”. We’ve been expecting you.
Even in the ‘real world’, telling people you have integrity often doesn’t mean much. If we have just met and you say “Hey. I have integrity. You can trust me!”, that is unlikely to give me much more confidence in you. So how can this be done in the digital and commercial world?
In 2016 the world was introduced to the General Data Protection Regulation (GDPR), and on May 25th 2018 it became law. This outcome-focused regulation set out six very clear principles to which organisations of all shapes and sizes must adhere. In doing so, they can show that they can be trusted, i.e. that they are acting with integrity.
What you need to know
It’s important to know that ISO 27701 is an extension of ISO 27001 (and the guidance that follows it, ISO 27002). This means you cannot be certified to ISO 27701 without having gone through the process of becoming ISO 27001 certified.
ISO 27001 is the Information Security Management System (ISMS) standard, while ISO 27701 is the Personal Information Management System (PIMS) standard. It therefore speaks directly to the organisation about personal data, takes into account the requirements of the GDPR, and allows you to structure a measurable approach to the regulation.
What ISO 27701 covers
There are a number of fundamental requirements in ISO 27701, too numerous to list here. But if you’re familiar with ISO 27001, it will be no surprise to see that when determining the “Context of your organisation”, you’re asked to consider your role as a data controller or data processor.
You’ll need to then identify the internal and external factors which affect this.
You’re required to train staff not only on information security but on personal information security. You’ll be required to update, extend or create policies around data protection, and data retention and destruction.
And you’ll need to think about ‘Privacy by Design’ within your product delivery processes.
In summary, ISO 27701 is a set of controls aligned to the GDPR.
I have said since GDPR came into force that there is no such thing as ‘GDPR Compliant’. However, with ISO 27701, it’s about as close as you’re going to get (for now).
It will be interesting to see the development and adoption of ISO 27701, because under the GDPR (Article 40 ‘Codes of Conduct’) it states that “associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation.”
I firmly believe that is what ISO 27701 does.
So if your organisation believes that the GDPR is important (which I’m sure it does), and wants to be truly aligned to the idea of the ‘CIA Triad’, then perhaps you should consider implementing:
- ISO 27001:2017 – To demonstrate Confidentiality of Information
- ISO 27701:2019 – To demonstrate Integrity of Personal Information; and
- ISO 22301:2019 – To demonstrate Availability of all Information.
It will be interesting to see who is the first to take on this challenge.