Expert Advice Community


ISO 27000 definition

Guest user, created: Nov 19, 2019, last commented: Nov 19, 2019


It has been a long time. I have been reading one of the articles from Rhand Leal and it is causing me concern. Advisera is a good source, but when your recommendations run counter to my advice to my customers I need to try and fix that.

I know everyone has a different take on what security incidents and events are.  Rhand Leal’s article is very difficult to reconcile with my recommendations.

My definitions:

Security events are events: things that are logged by tools like Event Monitor on Windows.

Successful logins are events just like unsuccessful logins are, access to files is an event, locking and unlocking a screen is an event. In the analog world, leaving a laptop unattended would also be an event.

When Rhand says that an event has to be related to the possible failure of controls or “compromise of policies”, it is like saying that an incident is just a lot of events, or that all events are really junior incidents. I think that is really incorrect. Events are the data upon which you can determine if controls are effective or not, but events by themselves have no positive or negative connotations. A door being opened with a LEGIC card is an event. If the person with the card is not authorized, then it is an incident.

A security incident, I agree, can be an event or group of events that indicate a compromise of business operations (confidentiality, availability, integrity). An example would be a door being opened with a valid key by an unauthorized person.

For me, non-compliance is something which is not in accordance with a standard or policy. Sometimes a non-compliance can actually identify an obsolete standard. Just one example would be the conflict between password policies and the newest recommendations from NIST (e.g. changing passwords every 90 days is no longer a recommended procedure).

For me, the preferable category is “weakness”. Usually, if not always, a valid non-compliance will identify a weakness, a weakness being the state of affairs that promotes an incident. Examples of weaknesses would be missing patches. Another example would be insufficient awareness training. Basically, a weakness could be the lack of any relevant security control.

So with that could you (or Rhand) try and convince me that I am wrong or get Rhand to change or delete his post.

Thanks in advance.


Expert: Rhand Leal, Nov 19, 2019

First of all, thanks for this feedback.

Before answering your points, it is important to note that the definitions presented in the article are based on the ISO 27000 standard, which defines the vocabulary for information security management based on ISO 27001. You can see this standard at this link: https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-5:v1:en

Now analyzing your text:

> When Rhand says that, an event has to be related to the possible failure of controls or “compromise of policies” is like saying that an incident is just a lot of events, or that all events are really junior incidents.

I understand that you are referring to this part of the article:

"Information security event: any occurrence related to assets or the environment indicating a possible compromise of policies or failure of controls, or an unmapped situation that can impact security."

Please note that the text refers explicitly to "information security event", not "event". ISO 27000 defines them differently:
- event: occurrence of, or change in, a known/expected situation (note that it does not mention the impact or possible impact on security).

So neither the standard nor the text says that all events are junior incidents.

> For me, non-compliance is something, which is not in accordance with a standard or policy.

Please note that for ISO 27000 a nonconformity means not fulfilling a requirement, which can also be related to contractual or legal requirements (which are mandatory), not only standards and policies (which the organization decides to follow). So, controls may be performing in accordance with defined standards and policies, but you may still have a nonconformity if a contractual clause or law/regulation is not being followed.
