Various Information Security Standards followed by Software Outsourcing Companies in India - Part 1

Information security plays an important part in securing the data and assets of an organization but still security incidents takes place such as hacking of servers, information and data leakage, etc. Software outsourcing companies in India need to be aware of the existing loopholes and devote more resources to protect themselves from such breaches. To address such grieve situation, number of outsourcing companies have set up different security standards to ensure an adequate level of security is achieved and any organization complying with these standards shows how well equipped are they to counter the latest threats.

The various security standards existing for information security are:

1. ISO Standards:

International Organization for Standardization (ISO), established in 1947, is a nongovernmental international body that collaborates with the International Electro technical Commission (IEC) and the International Telecommunication Union (ITU) on information and communications technology (ICT) standards. The following are commonly referenced ISO security standards:

i) ISO/IEC 27002:2005 (Code of Practice for Information Security Management):

ISO/IEC 27002:2005 (replaced ISO/IEC 17799:2005 in April 2007) is an international standard that originated from the BS 7799-1.  BS 7799-1 was originally laid down by the British Standards Institute (BSI). ISO/IEC 27002:2005 refers to practice adopted for management of information security, and it is meant as a practical guideline for developing organizational security standards and effective management practice that a software outsourcing company must incorporate in its strategy. The standard contains guidelines and best practices recommendations for the following security domains: security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management and compliance.

These 10 security domains contain 39 control objectives and has hundreds of best-practice information security control measures which are recommended for organizations to satisfy the control objectives and protect information assets against threats to the CIA triad: confidentiality, integrity and availability.

ii) ISO/IEC 27001:2005 (Information Security Management System -Requirements):

The international standard ISO/IEC 27001:2005 has its roots in the technical content derived from BSI standard BS7799 Part 2:2002. ISO 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within a software outsourcing company. It is designed to ensure the selection of adequate and proportionate security controls to protect information assets. This standard has been upgraded to a new version that was released in October 2013 and is now known as ISO 27001:2013. The companies which have adopted ISO 27001:2005 need to transition them to ISO 27001:2013 as the deadline for that ends in October 2015. 

This standard is usually applicable to all types of organizations, including business enterprises, government agencies, and so on. The standard introduces a cyclic model known as the “Plan-Do-Check-Act” (PDCA) model that aims to establish, implement, monitor and improve the effectiveness of an organization’s ISMS. The PDCA cycle has these four phases: a) “Plan” phase – establishing the ISMS

b) “Do” phase – implementing and operating the ISMS

c) “Check” phase – monitoring and reviewing the ISMS

d) “Act” phase – maintaining and improving the ISMS

Often, ISO/IEC 27001:2005 is implemented together with ISO/IEC 27002:2005. ISO/IEC 27001 defines the requirements for ISMS, and uses ISO/IEC 27002 to outline the most suitable information security controls within the ISMS. There is therefore no certification for ISO/IEC 27002, but a software outsourcing company in India can be certified compliant with ISO/IEC 27001 if the management process follows the ISMS standard. There is a list of accredited certification bodies that can certify an organization against the ISMS standard.

iii) ISO/IEC 15408 (Evaluation Criteria for IT Security):

The international standard ISO/IEC 15408 is commonly known as the “Common Criteria” (CC). It consists of three parts: 

a) ISO/IEC 15408-1:2005 (introduction and general model)

b) ISO/IEC 15408-2:2005 (security functional requirements) and 

c) ISO/IEC 15408-3:2005 (security assurance requirements).

The above standard helps in evaluating, validating, and certifying the security assurance of a technology product for a software outsourcing company, against a number of factors such as the security functional requirements specified in the standard.