A critical comparison between ISO 27001 & NESA

Over the years many standards and frameworks have been developed and adopted to address information security concerns. Information security which was once a niche domain and often an afterthought for business executives has come to occupy the centerstage.

It is the result of wholesale migration of enterprise data to computer systems which are networked with each other and with different parts of an organizations network and/or to third party networks through VPN and leased lines and to an always on internet which is accessed by a variety of endpoints from different locations.

The situation is made more challenging by the plethora of technologies and software which increase the attack surface and the ever-evolving threat landscape which has become more and more sophisticated over time. The other reason is the overwhelming dependence of present-day business on information which is not just an asset but the most important asset. So much so that the focus of all BCP and DR programs is on securing and restoring information.

Given the above scenario it is understandable why there are so many information security standards and why they are so important. It is to give organizations and nations a direction and guidance as to how to approach and best secure information and information assets and how to evaluate effectiveness. Otherwise, every organization will have to reinvent the wheel and most will not be able to do it to any degree of efficiency and whatever they do will be disputed as to its effectiveness and intent.

As mentioned above, there are many information security standards – some global, some national and some industry specific. In this article we will discuss 2 such standards, namely, ISO 27001 and NESA. Both are hugely different but have a lot of common ground. Let us discuss the 2 standards briefly before we go into a comparison and into how they should be approached at by an organization for the purpose of implementation and compliance.

ISO 27001: Information Security Management System

ISO 27001 is the global de facto information security standard which comes from ISO or the International Organization for Standardization. The latest iteration of the standard is ISO/IEC 27001:2013 (IEC means International Electrotechnical Commission, a body which works with ISO to produce standards on electrical, electronic, and derived technologies). In fact, it is one among many standards from the family of ISO 27000 standards all of which are devoted to information security.

ISO 27001 is the main standard against which an organization can be audited and certified while the other standards in the family support ISO 27001. The chief among the other standards in the family are ISO 27000 (introductory standard which defines information security terms and terminologies), ISO 27002 (provides guidance about implementing the controls listed in Annexure A of ISO 27001), ISO 27005 (provides guidance on performing information security risk management), ISO27011 (provides guidance about ISO 27001 implementation for the telecom sector) etc.

ISO 27001 follows the same uniform format as that of other ISO standards which will be easily recognizable to anybody who is acquainted with ISO standards. ISO standards are very neat and easy to read even by laypeople. ISO 27001:2013 is particularly very well-crafted, elegant, and easy to navigate. Being an international standard, it is very broad based and does not go into specifics but provides enough wherewithal to design an ISMS which best suits one’s purpose. A copy of the standard can be purchased from the ISO website at https://www.iso.org/standard/54534.html.

The standard follows a risk-based approach to information security and consists of 7 mandatory clauses which is the core of the standard. The clauses guide an organization about how to design, implement and operate an Information Security Management System, commonly referred to as an ISMS. The different clauses are shown mapped to the stages of a PDCA cycle below to give context and for better understanding.

The clauses are followed by an annexure which lists control areas, control objectives and controls to achieve the control objectives for each area. There are 14 control areas (also called control sets) and 114 controls to achieve the control objectives identified for each area. It is not mandatory to implement all of them but it is mandatory to consider all of them and implement those which are relevant. Any exclusion is to be thoroughly justified. Most organizations end up implementing all the controls. The result of the process of evaluating (i.e., selecting and implementing a control or rejecting and excluding it from implementation) the 114 controls is a document (called documented information in ISO parlance) called the ‘Statement of Applicability’. The below list reproduces the control sets and the number of controls against each control set.

ISO 27001:2013 Control Sets

A.5 Information security policies (2 controls)

A.6 Organization of information security (7 controls)

A.7 Human resource security (6 controls)

A.8 Asset management (10 controls)

A.9 Access control (14 controls)

A.10 Cryptography (2 controls)

A.11 – Physical and environmental security (15 controls)

A.12 Operations security (14 controls)

A.13 Communications security (7 controls)

A.14 System acquisition, development, and maintenance (13 controls)

A.15 Supplier relationships (5 controls)

A.16 Information security incident management (7 controls)

A.17 Information security aspects of business continuity management (4 controls)

A.18 Compliance (8 controls)

National Electronic Security Authority (NESA)

The full form of NESA is National Electronic Security Authority. It is an UAE government body constituted in September, 2012 under the aegis of the Supreme Council of National Security and responsible for UAE’s information security strategy. It also aims to foster a culture of information security awareness and best practices among all concerned and strengthen the security of UAE’s information assets and digital infrastructure. The current name of NESA is SIA or Signals Intelligence Agency though it still goes by its old name. The body has formulated standards and documentation which is collectively called the NESA Information Pack. The chief formulations in the NESA Information Pack include the IAS (Information Assurance Standards), Critical Information Infrastructure Protection Policy (CIIP) and Cyber Risk Management Framework (CRMF).

Of the mentioned formulations, IAS is the standard set by the UAE with respect to information security for organizations. A copy of the standard can be purchased from sites like scribd.com, coursehero.com etc. NESA does not clearly define the applicability of the IAS but puts it as applicable to all government and private organizations which processes, deals with or is part of UAE’s critical information infrastructure. What it basically means is that it is applicable to all organizations which deal in and provide utility products and services to customers in the UAE or the government of UAE.

The IAS is heavily influenced by ISO 27001 and NIST standards (National Institute of Standards and Technology, an American body that develops standards). However, its approach is different than that of ISO 27001:2013. We will go through the differences at length in the difference section that follows.

NESA’s IAS is based on a threat-based model. To put it very simply, NESA identified and compiled a list of cyber security threats from industry data and categorized the threats in terms of severity and frequency of occurrence.

Then it devised controls to counter those threats and prioritized the controls corresponding to the threat level it addressed. There are 4 priority levels from P1 to P4. Implementing IAS in an organization begins with implementing the P1 controls. An organization must demonstrate that it has successfully implemented the P1 controls at least to be considered compliant.

There are 4 priority levels from P1 to P4. Implementing IAS in an organization begins with implementing the P1 controls.

An organization must demonstrate that it has successfully implemented the P1 controls at least to be considered compliant. The below tables show the control categorization. Table 1 shows the priority breakup of controls

Apart from the priority levels the controls are also grouped into 2 broad groups called families depending in the type or nature of the control. The two control families are the Management and Technical Controls families. There are 188 controls in all out of which 60 are management controls and 128 technical controls. They are further broken down into 564 sub controls. Below tables show the breakup of controls into management and technical control families.

Generic Similarities Between ISO 27001 & NESA

Both are information security standards.

Both follow a PDCA (Plan Do check Act) model. The clauses of ISO 27001:2013 and the activities of IAS correspond to a PDCA cycle.
Both mandatorily require risk assessment and risk treatment of unacceptable risks.
Both result in the implementation and operation of a robust ISMS.
Both focus on securing information and not IT assets or the IT function and hence require involvement of staff from all quarters.
Both require a high degree of management involvement and commitment for success. At the same time both require a good understanding and commitment towards information security and information security practices by all employees and stakeholders.
Both are a continuous process and need to be treated as a program and not a project with a beginning and end

11 Differences Between ISO 27001 & NESA

1. Approach:

ISO 27001 is based on a business risk approach. It identifies and grades information and information assets based on their criticality to the business and then applies appropriate controls depending upon the level of risk associated with the information or information asset.

NESA IAS follows a threat-based approach and is geared towards mitigating those threats to the information infrastructure. A threat-based approach means that organizations do a risk assessment of the 24 threats identified by NESA to determine which are applicable to it and which it should be most concerned about and then work towards their mitigation by applying appropriate controls.

2. Scope:

ISO 27001 gives organizations the liberty to decide on the scope of implementation. The scope can be defined in terms of location, function, process, department, product etc. Usually, organizations go for a phased implementation and begin with a particular department, location etc. Once it is successfully implemented and certified the success is replicated either across the entire organization or phase wise to different departments, locations etc.

NESA IAS does not give the flexibility of defining scope to the organization. If an organization falls under its ambit, it is the whole of the organization. This makes it more challenging to implement and maintain.

3. Risk Assessment:

ISO 27001 mandates risk assessment and management but does not mandate the basis for it. Asset based, process based, scenario based, threat based etc. all are valid. Usually, most organizations prefer to do an asset-based risk management till today despite the free hand given to them. The standard also does not prescribe the risk management methodology to be adopted though we have ISO 27005 for that purpose. An organization can use any of the numerous methodologies available like the Risk IT Framework, OCTAVE, MEHARI, ISO 27005 etc.

NESA IAS does not accept an asset-based risk assessment and mandates a threat based or process-based risk assessment. Also, the risk assessment should be ideally as per NESA’s Cyber Risk Management Framework (CRMF). Though it is not a stated requirement but it is an unstated requirement of sorts.

4. Specificity:

ISO 27001 is more broad-based and less specific and prescriptive. NESA IAS is more specific and precise in its definition and requirements.

5. Controls:

ISO 27001 does not categorize controls on a weighted basis. All controls are equal in weight and significance and are either applicable or inapplicable in a certain context. NESA IAS categorizes controls into management and technical controls and prioritizes them from P1 to P4 levels of priority (weighted) depending upon the level of threat it addresses.

6. Compliance:

In ISO 27001, compliance measurement is graded into major non-conformity, minor non-conformity, observations (qualified and unqualified) and opportunity for improvement. In NESA IAS, compliance is measured in binary i.e., either compliant or non-compliant.

7. Evaluation & Certification:

ISO 27001 certification is achieved through an external audit conducted by an accredited certification body. Internal audits do not provide certification but are a part of continual improvement and a certification requirement. Certification depends on the overall performance of the organization’s ISMS. Usually, a major non-conformity or multiple minor conformities or multiple minor non-conformities pertaining to a single process prevents certification or loss of existing certification. In NESA IAS, a formal audit is not required even though almost all organizations do it to ensure that they are compliant. Organizations can attest their compliance with the standard by performing a self-assessment and sharing the result to NESA. If NESA sees fit it can probe further by seeking additional information or by intervening itself or by authorizing someone or an entity to conduct additional test of controls. The level of involvement in the evaluation process on the part of NESA or relevant government regulatory bodies depends upon the organization and its criticality to UAE’s information infrastructure or the kind and nature of non-conformity or suspected non-conformity.

8. Applicability:

ISO 27001 is a global best practice standard with universal acceptance and is mostly voluntarily adopted. The standard does not make itself applicable to anyone. NESA IAS is a national standard which makes itself a requirement to organizations and is enforced by the UAE government and entities and processes authorized to do so.

9. Age:

ISO 27001 is a much older standard which has undergone several revisions. The initial version was launched in November 2005 and the last revision was in 2017. NESA IAS is a newer standard which came into existence in 2015.

10. Pros & Cons:

ISO 27001 is very good in developing and implementing an all-encompassing robust ISMS but may fall short in taking care of real-life threats posed by sophisticated and new cyberattacks especially zero-day attacks and APT (Advanced Persistent Threat).

It is more customizable and can fit a larger basket. ISO 27001 is almost the precursor and pioneer of information security standards which has bred standards like the NESA IAS. NESA IAS is very good at tackling real life threats posed by cyberattacks but may fail to prevent data leakage, data pilferage especially through social engineering and by insiders. It is intended to be strict and specific to the security context of the UAE. NESA IAS is a hybrid standard and combines the best from many standards.

11. Non-compliance consequences:

Since ISO 27001 is a non-governmental standard from an international body non-compliance leads to not being able to certify or re-certify. ISO does not have any means or authority to enforce compliance. ISO certifications work by virtue of their credibility and moral authority. Since NESA IAS is a national standard with government and legal sanction non-compliance can lead to escalation and punitive measures in the form of increased scrutiny, imposition of additional requirements, having to bear the cost of additional audits, fines, lawsuits and in the worst-case scenario arrest of top executives or a complete ban to do business in or with the UAE.

Comparison of Controls of ISO 27001 & NESA IAS

ISO 27001

ISO 27001 has only 114 controls which is much less compared to IAS.

NESA IAS

NESA has a total of 188 controls which are further divided into 564 sub controls which is a huge volume.

It only considers specific activities and measures to address specific risks or to attain specific security objectives as controls.

It considers high level management activities as controls which is different and unique. It is somewhat controversial as to how high-level management activities can be considered as control. Usually, high level activities are responsible for producing, modifying, and fine-tuning controls. An example is M.1.1.1 (Understanding the entity and its context) which corresponds to clause 4 (Context of the Organization) of ISO 27001

Technically speaking, none of the controls specified in the Annexure A of ISO 27001 is mandatory even though practically speaking most of them are relevant to most organizations and implemented voluntarily.

NESA IAS on the other hand has a set of 35 management controls which are always applicable (unless justified by the risk assessment as not being so) and must be mandatorily implemented.

ISO 27001 does not go into the details of how to implement a control to be compliant or how to measure the success of the control implementation. In fact, it just lists the controls and does not do anything apart from identifying areas which need to be addressed through the suggested controls and control activities. Even ISO 27002 which contains the guidelines about implementing the ISO 27001 controls do not go beyond a point except for handholding and showing the way.

NESA IAS goes into great depth for each security control specifying how exactly to implement it to be compliant (sub controls), how to measure it (performance indicators), how to automate the control if and where possible (automation guideline), the type of cyberattack it protects against (relevant threats and vulnerabilities) and additional implementation help and suggestion (implementation guidance). So, it is very much unlike ISO 27001 in this regard leaving little to the imagination.

ISO 27001 or NESA IAS, Which Should be Implemented First?

With respect to the UAE implementing ISO 27001:2013 is optional but NESA is mandatory. So, the decision to implement either or both will depend upon the organizations coverage or to be more precise upon the organization’s clientele or customer base. If the organization has an international clientele or customer base extending beyond the UAE then it might have to and should ideally implement ISO 27001:2013. Otherwise NESA IAS might suffice. If an organization must and/or decides to implement both the standards my suggestion would be to start with ISO 27001:2013 and then follow it up with NESA IAS. Since NESA IAS is inspired from ISO 27001:2013 and follows a similar approach but to a slightly different end it might be easier to implement IAS followed by ISO 27001:2013 implementation. An IAS implementation followed by an ISO 27001 implementation can be easily achieved through a gap analysis and working to fill the gaps especially in terms of control compliance since the framework of policies, processes and procedures which make up the management system will be already there.

Challenges in Implementation & Maintenance of ISO 27001 &/or NESA

Given the expansive nature of both the standards implementing any one of them is a huge challenge with implementing IAS being a bit more challenging. The challenge with IAS arises because of its applicability to the entire organization, its huge set of 564 sub controls all of which must be implemented for every security control (unless it can be excluded through risk assessment) and the need to monitor control performance as specified by the standard (unless a custom means to measure can be justified by the context of the organization). ISO 27001 on the other hand requires a lot of high-level activities and voluminous documentation. Performing so much in one go is almost impossible even for the most sophisticated IT corporations. For non-IT companies for whom IT is a supporting cost function it is too much of an ask. Therefore, most companies including IT companies need a qualified full time information security consultant to help them in their journey to compliance. There are many such independent consultants and consultancy firms that one can choose from.

Implementation Pitfalls and how to Avoid them

It is no wonder that such complex standards will have pitfalls for anyone trying to navigate them. It is also no wonder that many organizations (especially those without adequate expertise or domain knowledge) fall for them and founder. Some of the most common pitfalls that can be identified with respect to organizations trying to interpret and operate the standards are as below:

Loss of focus – Given the length and breadth of the standards it is quite natural for one to get lost along the way and lose focus as to the real purpose and how it is to be achieved. The result might be that an organization remains complaint with open but undetected security issues. It might also lead to a situation where the organization loses sight of the fact that the standards are not technical standards but management system standards for better management of enterprise information. The technical aspect is a small part as to how to use the most suitable and cost-effective technology and technology configuration to achieve that.
Control Risk – Too much focus on controls and sub controls especially in the case of IAS pose the threat of overdoing and overcompensating paving the way for control risk (risk posed or introduced by a faulty or ill designed control) which is a serious security threat.
Too much management focus – It might also happen that too much high-level deliberation and intervention by the management might lead to unnecessary complication and paralysis on the ground and the entire exercise is reduced to meetings and documentation and maintaining and manufacturing evidences to demonstrate compliance.
Confusion and Fatigue – It is very important that there is someone especially at the top of the ISMS team who really understands the standard and has a clear mind to be able to take accurate decisions and give unambiguous direction. This will avoid loss if time, wasted effort all of which ultimately leads to losing steam and burning out.
Performing without realizing – It might also happen that the ISMS becomes so much a part of the culture that people practice it mechanically without applying their mind unless they are jolted by a disaster. This is a dangerous situation as complacency with respect to information security can be very costly. So, there must be continuous trainings and workshops for the relevant people and a robust and independent internal audit process to keep everybody awake and aware.

To avoid the above it helps to gather as much information as possible from all quarters and do a thorough study of the standards. It helps one to understand what is expected and how it can be done with the least pain and without running into serious trouble. Also, professional help from a qualified and experienced consultant is not just desirable but almost indispensable at least to begin with. Both standards allow a phased implementation and organizations should make use of the facility. ISO 27001 does so in terms of scope and NESA IAS does so in terms of a phased implementation of the security controls as per priority. An organization is expected to demonstrate compliance with the implementation of P1 controls and ‘always applicable’ controls to begin with to be considered compliant and on the right track.

Conclusion

Both the standards are critical in today’s business context for any enterprise. In order to appreciate them better, it is important to know about further details of their controls and where these standards intersect and where they diverge.

It is also critical to appreciate their similar but slightly different contexts of operations and the purposes that they fulfil. If implemented in a contextual way, both the standards can help the enterprises benefit immensely. Consultants Factory provides ISO 27001 & NESA related IT management consulting services.