Information technology — Security techniques — Guidelines for the assessment of information security controls

This document provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organization's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organization. This document offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001. It is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations conducting information security reviews and technical compliance checks.

Technologies de l'information — Techniques de sécurité — Lignes directrices pour les auditeurs des contrôles de sécurité de l'information

General Information

Status: Published
Publication Date: 13-Jan-2019
Current Stage: 9060 - Close of review
Start Date: 02-Sep-2026
Technical specification
ISO/IEC TS 27008:2019 - Information technology -- Security techniques -- Guidelines for the assessment of information security controls
English language
91 pages

Standards Content (Sample)

TECHNICAL SPECIFICATION ISO/IEC TS 27008
First edition
2019-01
Information technology — Security techniques — Guidelines for the assessment of information security controls
Technologies de l'information — Techniques de sécurité — Lignes directrices pour les auditeurs des contrôles de sécurité de l'information
Reference number ISO/IEC TS 27008:2019(E)
© ISO/IEC 2019

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2019 – All rights reserved

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this document
5 Background
6 Overview of information security control assessments
6.1 Assessment process
6.1.1 General
6.1.2 Preliminary information
6.1.3 Assessment checklists
6.1.4 Review fieldwork
6.1.5 The analysis process
6.2 Resourcing and competence
7 Review methods
7.1 Overview
7.2 Process analysis
7.2.1 General
7.3 Examination techniques
7.3.1 General
7.3.2 Procedural controls
7.3.3 Technical controls
7.4 Testing and validation techniques
7.4.1 General
7.4.2 Blind testing
7.4.3 Double blind testing
7.4.4 Grey box testing
7.4.5 Double grey box testing
7.4.6 Tandem testing
7.4.7 Reversal
7.5 Sampling techniques
7.5.1 General
7.5.2 Representative sampling
7.5.3 Exhaustive sampling
8 Control assessment process
8.1 Preparations
8.2 Planning the assessment
8.2.1 Overview
8.2.2 Scoping the assessment
8.2.3 Review procedures
8.2.4 Object-related considerations
8.2.5 Previous findings
8.2.6 Work assignments
8.2.7 External systems
8.2.8 Information assets and organization
8.2.9 Extended review procedure
8.2.10 Optimization
8.2.11 Finalization
8.3 Conducting reviews
8.4 Analysis and reporting results
Annex A (informative) Initial information gathering (other than IT)
Annex B (informative) Practice guide for technical security assessments
Annex C (informative) Technical assessment guide for cloud services (Infrastructure as a service)
Bibliography
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see http://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.

ISO/IEC TS 27008 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This first edition of ISO/IEC TS 27008 cancels and replaces ISO/IEC TR 27008:2011.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

This document supports the Information Security Risk Management process pointed out in ISO/IEC 27001, and any relevant control sets identified.

Information security controls should be fit-for-purpose (meaning appropriate and suitable to the task at hand, i.e. capable of mitigating information risks), effective (e.g. properly specified, designed, implemented, used, managed and maintained) and efficient (delivering net value to the organization). This document explains how to assess an organization's information security controls against those and other objectives in order either to confirm that they are indeed fit-for-purpose, effective and efficient (providing assurance), or to identify the need for changes (improvement opportunities). The ultimate aim is that the information security controls, as a whole, adequately mitigate information risks that the organization finds unacceptable and unavoidable, in a reasonably cost-effective and business-aligned manner. It offers the flexibility needed to customize the necessary reviews based on business missions and goals, organizational policies and requirements, known emerging threats and vulnerabilities, operational considerations, information system and platform dependencies, and the risk appetite of the organization.

Please refer to ISO/IEC 27007 for guidelines for information security management systems auditing and ISO/IEC 27006 for requirements for bodies providing audit and certification of information security management systems.
TECHNICAL SPECIFICATION ISO/IEC TS 27008:2019(E)

Information technology — Security techniques — Guidelines for the assessment of information security controls

1 Scope

This document provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organization's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organization.

This document offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001.

It is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations conducting information security reviews and technical compliance checks.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

4 Structure of this document

This document contains a description of the information security control assessment process including technical assessment.

Clause 5 provides background information.
Clause 6 provides an overview of information security control assessments.
Clause 7 presents review methods.
Clause 8 presents the control assessment process.
Annex A supports initial information gathering.
Annex B supports technical assessment.
Annex C supports technical assessment for cloud services.
5 Background

Information security controls are the primary means of treating unacceptable information risks, bringing them within the organization's risk tolerance level.

Parts of an organization's information security controls are usually realized by the implementation of technical information security controls.

An organization's technical security controls can be defined, documented, implemented and maintained according to technical information security standards. As time passes, internal factors such as amendments of information systems, configurations of security functions and changes of surrounding information systems, and external factors such as advances in attack skills can negatively affect the effectiveness of information security controls and ultimately the quality of the organization's information security standards. Technical assessment is included in ISO/IEC 27002 as one of the controls. A technical assessment is generally performed manually and/or with the assistance of automated tools. A technical assessment may be performed by a role not involved in executing the control, e.g. a system owner, or by staff in charge of the specific controls, or by internal or external information security experts.

The output of technical assessment accounts for the actual extent of technical compliance with the information security implementation standards of the organization. This evidence provides assurance when the status of technical controls complies with information security standards, or otherwise the basis for improvements. The assessment reporting chain should be clearly established at the outset of the assessment and the integrity of the reporting process should be assured. Steps should be taken to ensure that:

— the appropriate competence of those performing the test(s) is determined and ensured from the outset (see 6.2);
— relevant accountable parties receive, directly from the information security auditors, an unaltered copy of the technical assessment report;
— inappropriate or unauthorized parties do not receive a copy of the technical assessment report from the information security auditors; and
— the information security auditors are permitted to carry out their work without hindrance or interference violating the segregation of duty principle.

Information security control assessments, and technical assessments in particular, can help an organization to:

— identify and understand the extent of potential problems or shortfalls in the organization's implementation and operation of information security controls, information security standards and, consequently, technical information security controls;
— identify and understand the potential organizational impacts of inadequately mitigated information security threats and vulnerabilities;
— prioritize the identified information security risk mitigation activities;
— confirm that previously identified or emergent information security vulnerabilities and threats have been adequately addressed; and/or
— support budgetary decisions within the investment process and other management decisions relating to improvement of the organization's information security management.
6 Overview of information security control assessments

6.1 Assessment process

6.1.1 General

For assessments, the assigned information security auditors need to be well prepared, both on the control side as well as on the testing side (e.g. operation of applicable tools, technical aim of the test). Elements of the assessment work can be prioritized according to the perceived risks but also planned to follow a particular business process or system, or simply designed to cover all areas of the assessment scope in sequence.

When an individual information security control assessment commences, the information security auditors normally start by gathering preliminary information, reviewing the planned scope of work, liaising with managers and other contacts in the applicable parts of the organization and expanding the risk assessment to develop assessment documentation to guide the actual assessment work. Supporting information can be found in Annexes A to C.

6.1.2 Preliminary information

Preliminary information can come from a variety of sources:

— books, Internet searches, technical manuals, technical security standards and policies of the organization, and other general background research into common risks and controls in this area, conferences, workshops, seminars or forums;
— results of prior assessments, tests, and audits, whether partially or fully aligned with the present assessment scope and whether or not conducted by information security auditors (e.g. pre-release security tests conducted by information security professionals can provide a wealth of knowledge on the security of major application systems);
— information on relevant information security incidents, near-misses, support issues and changes, gathered from IT Help Desk, IT Change Management, IT Incident Management processes and similar sources; and
— generic assessment checklists and articles by information security auditors or information security professionals with expertise in the area related to the scope of the assessment.

It is recommended to review the planned assessment scope in light of the preliminary information, especially if the assessment plan that originally scoped the assessment was prepared many months beforehand. For example, other assessments can have uncovered concerns that are worth investigating in more depth, or conversely, have increased assurance in some areas, allowing the present work to focus elsewhere.

Liaising with managers and assessment contacts at this early stage is an important activity. At the end of the assessment process, these people need to understand the assessment findings in order to respond positively to the assessment report. Empathy, mutual respect and making the effort to explain the assessment process significantly improve the quality and impact of the result.

6.1.3 Assessment checklists

While individuals vary in the way they document their work, many assessment functions utilize standardized assessment processes supported by document templates for working papers such as assessment checklists, internal control questionnaires, testing schedules, risk-control matrices, etc. The assessment checklist (or similar) is a key document for several reasons:

— it lays out the planned areas of assessment work, possibly to the level of detailing individual assessment tests leading to anticipated/ideal findings;
— it provides structure for the work, helping to ensure that the planned scope is adequately covered;
— the analysis necessary to generate the checklist in the first place prepares the information security auditors for the assessment fieldwork that follows. Completing the checklist as the assessment progresses starts the analytical process from which the assessment report will be derived;
— it provides the framework to record the results of assessment pre-work and fieldwork and, for example, a place to reference and comment on assessment evidence gathered;
— it can be reviewed by audit management or other information security auditors as part of the assessment quality assurance process; and
— once fully completed, it (along with the review evidence) constitutes a reasonably detailed historical record of the review work as conducted and the findings arising that can be required to substantiate or support the review report, inform management and/or help with planning future reviews.

Information security auditors should be cautious of simply using generic review checklists written by others as, aside from perhaps saving time, this would probably negate several of the benefits noted above.
6.1.4 Review fieldwork

The bulk of review fieldwork consists of a series of tests conducted by the information security auditors, or at their request, to gather review evidence and to review it. It is often done by comparison to anticipated or expected results derived from relevant compliance obligations, standards or a more general appreciation of good practices. For instance, one test within an information security review examining malware controls can check whether all applicable computing platforms have suitable antivirus software. Such review tests often use sampling techniques since there are rarely sufficient review resources to test exhaustively. Sampling practices vary between information security auditors and situations. They can include random selection, stratified selection and other more sophisticated statistical sampling techniques (e.g. taking additional samples if the initial results are unsatisfactory, in order to substantiate the extent of a control weakness). As a general rule, more exhaustive testing is possible where evidence can be gathered and tested electronically, for example using SQL queries against a database of review evidence collated from systems or asset management databases. The assessment sampling approach should be guided, at least in part, by the risks attached to the area of operations being assessed.
Evidence collected in the course of the review should normally be noted, referenced or inventoried in the review working papers. Along with review analysis, findings, recommendations and reports, review evidence needs to be adequately protected by the information security auditors, particularly as some is likely to be highly sensitive and/or valuable. Data extracted from production databases for review purposes, for example, should be secured to the same extent as those databases through the use of access controls, encryption, etc. Automated review tools, queries, utility/data extract programs, etc. should be tightly controlled. Similarly, printouts made by or provided to the information security auditors should generally be physically secured under lock and key to prevent unauthorized disclosure or modification. In the case of particularly sensitive reviews, the risks and, hence, the necessary information security controls should be identified and prepared at an early stage of the review.

Having completed the review checklist, conducted a series of review tests and interviews with relevant parties and gathered sufficient review evidence, the information security auditors should be in a position to examine the evidence, determine the extent to which information security risks have been treated, and review the potential impact of any residual risks. At this stage, a review report of some form is normally drafted, quality reviewed within the review function and discussed with management, particularly management of the business units, departments, functions or teams most directly reviewed and possibly also other implicated parts of the organization.

The evidence should be dispassionately reviewed to check that:
— there is sufficient review evidence to
...
