Unit 4-CS

Cyber forensics is essential for cybersecurity, involving the collection and analysis of digital evidence to investigate cybercrimes and ensure legal compliance. The process includes incident response, evidence preservation, malware analysis, and data recovery, with a structured approach to investigations that maintains data integrity for legal proceedings. Cyber forensics also aids in improving security measures and training professionals to better respond to incidents.

Uploaded by kalaichelvi.scs
Cyber forensics
Cyber forensics, also known as digital forensics or computer forensics, is a crucial
component of cybersecurity. It involves the collection, preservation, analysis, and
presentation of electronic evidence in a way that is admissible in a court of law. Cyber
forensics plays a vital role in investigating cybercrimes, understanding security incidents, and
ensuring legal compliance. Here's how cyber forensics is connected to cybersecurity:

1. **Incident Response**: When a cybersecurity incident occurs, such as a data breach or a
cyberattack, cyber forensics is used to identify the nature and extent of the incident. Digital
forensics investigators collect and analyze evidence to determine how the attack occurred,
what data was compromised, and who might be responsible.

2. **Evidence Preservation**: One of the primary goals of cyber forensics is to ensure that
evidence related to a cybercrime or security incident is preserved in a way that maintains its
integrity and can be used in legal proceedings if necessary. This involves creating a chain of
custody for digital evidence to prove it hasn't been tampered with.

3. **Malware Analysis**: Cyber forensics experts analyze malicious software (malware) to
understand its behavior, origins, and impact. This knowledge can be used to develop defenses
against similar threats and to attribute attacks to specific threat actors.

4. **Data Recovery**: In the aftermath of a cyber incident, it may be necessary to recover
lost or deleted data to understand the extent of the damage and to restore systems. Cyber
forensics methods are used to recover and reconstruct data that may have been intentionally
destroyed by attackers.

5. **Attribution**: Cyber forensics can help in identifying the individuals or groups
responsible for cybercrimes. By analyzing digital artifacts and traces left by attackers,
investigators can potentially trace the source of an attack.

6. **Legal Proceedings**: Evidence gathered through cyber forensics is often used in legal
proceedings, such as criminal trials or civil litigation. It can help establish the facts of a case
and support legal actions against cybercriminals.

7. **Policy and Compliance**: Cyber forensics also plays a role in ensuring that
organizations comply with legal and regulatory requirements related to data protection and
cybersecurity. It helps organizations demonstrate due diligence in protecting sensitive
information.

8. **Security Improvements**: Insights gained from cyber forensics can be used to improve
an organization's cybersecurity posture. By understanding how an attack occurred,
organizations can better defend against similar threats in the future.

9. **Training and Awareness**: Cyber forensics expertise is essential for training
cybersecurity professionals. Understanding how cybercrime investigations are conducted can
help security professionals better prepare for and respond to incidents.

In summary, cyber forensics is an integral part of cybersecurity that helps organizations
investigate and respond to cyber incidents, recover from attacks, and gather evidence for
legal actions. It plays a critical role in both incident response and proactive security measures,
helping organizations better protect their digital assets and respond effectively when security
breaches occur.

Role of Forensics Investigator

Digital forensic investigators use a variety of tools and software to conduct investigations that
can help to:
 Discover the source and cause of a cyberattack
 Identify whether a hack was perpetrated and how long the hacker had
access to the system
 Create a timeline of criminal events, such as unauthorized access or
altering of data
 Secure digital evidence

Forensics Investigation Process

A digital forensic investigation can help identify and prove different kinds of wrongdoing,
including data theft or disclosure, internet abuse, network or system breaches, espionage, and
financial fraud.

In civil or criminal cases, it is crucial to carry out a structured and process-driven digital
forensics investigation, to ensure the integrity of the data and its admissibility in a court of
law. The core stages of a digital forensics investigation include:
 Identification of resources and devices involved in the investigation
 Preservation of the necessary data
 Analysis
 Documentation
 Presentation

Data acquired in this way is admissible in court, and can be used as evidence to support
litigation cases. Digital forensics investigators are trained in extracting and handling evidence
in a way that keeps it admissible in court, and their expertise can be invaluable in a litigation
case involving digital data.

The Stages of a Digital Forensics Investigation

Digital Forensics Investigation Stage 1: Identification

The very first step in a digital forensics investigation is to identify the devices and resources
containing the data that will be a part of the investigation. The data involved in an
investigation could be on organizational devices such as computers or laptops, or on users’
personal devices like mobile phones and tablets.

These devices are then seized and isolated, to eliminate any possibility of tampering. If the
data is on a server or network, or housed on the cloud, the investigator or organization needs
to ensure that no one other than the investigating team has access to it.

Digital Forensics Investigation Stage 2: Extraction and Preservation

After the devices involved in an investigation have been seized and stored in a secure
location, the digital forensics investigator or forensics analyst uses forensic techniques to
extract any data that may be relevant to the investigation, and stores it securely.

This phase can involve the creation of a digital copy of the relevant data, which is known as a
“forensic image.” This copy is then used for analysis and evaluation, while the original data
and devices are put in a secure location, such as a safe. This prevents any tampering with the
original data even if the investigation is compromised.
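The integrity and chain-of-custody requirements described here and under "Evidence Preservation" above can be made concrete in code. The following is an added example, not part of the original notes: it images a constructed "device", verifies the image by SHA-256, keeps a hash-linked custody log, and shows that both a modified image and an edited log entry are detected. Evidence tags, examiner names and the device contents are constructed.

```python
"""Forensic image acquisition with integrity verification and a tamper-evident
chain-of-custody log.  Added example (not from the original notes); file
names, examiner names and the sample "device" contents are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large images do not fill RAM


def sha256_file(path):
    """Return the hex SHA-256 of a file, streamed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Bit-for-bit copy of `source` into `image_path` (the forensic image).
    Returns (source_hash, image_hash); both must match before analysis begins."""
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    return sha256_file(source), sha256_file(image_path)


class ChainOfCustody:
    """Append-only custody log.  Each entry carries the hash of the previous
    entry, so altering or deleting an entry breaks every later link."""

    def __init__(self):
        self.entries = []

    def record(self, evidence_tag, action, handler, evidence_hash):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "evidence_tag": evidence_tag,
            "action": action,
            "handler": handler,
            "evidence_hash": evidence_hash,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "prev_entry_hash": prev,
        }
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """True if every entry's hash is correct and links to the previous one."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev_entry_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Acquire a constructed 'device', verify the image, log custody, then show
    that modifying the image or the log is detected.  Returns a result dict."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "suspect_usb.bin")          # constructed device
    image = os.path.join(work, "E01-2024-0001.dd")          # constructed evidence tag
    with open(device, "wb") as f:
        f.write(b"INVOICE-2024\x00" * 5000 + b"deleted-draft\x00" * 100)

    src_hash, img_hash = acquire_image(device, image)
    log = ChainOfCustody()
    log.record("E01-2024-0001", "seized", "Examiner A (hypothetical)", src_hash)
    log.record("E01-2024-0001", "imaged", "Examiner A (hypothetical)", img_hash)
    log.record("E01-2024-0001", "transferred", "Examiner B (hypothetical)", img_hash)
    log_ok_before = log.verify()

    # Simulate tampering with the working copy: one byte overwritten.
    with open(image, "r+b") as f:
        f.seek(42)
        f.write(b"\xff")
    image_still_matches = sha256_file(image) == img_hash

    # Simulate someone editing a custody entry after the fact.
    log.entries[1]["handler"] = "Examiner C (hypothetical)"
    return {
        "acquisition_verified": src_hash == img_hash,
        "log_ok_before": log_ok_before,
        "image_still_matches": image_still_matches,
        "log_ok_after_edit": log.verify(),
    }


if __name__ == "__main__":
    print(demo())
```

In practice the hashes are recorded on the custody form at seizure and re-checked each time the image changes hands, which is what the log models.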

Digital Forensics Investigation Stage 3: Analysis

Once the devices involved have been identified and isolated, and the data has been duplicated
and stored securely, digital forensic investigators use a variety of techniques to extract
relevant data and examine it, searching for clues or evidence that points to wrongdoing. This
often involves recovering and examining deleted, damaged or encrypted files, using
techniques such as:

Reverse Steganography: a technique used to extract hidden data by examining the underlying
hash or string of characters representing an image or other data item

File or Data Carving: identifying and recovering deleted files by searching for the fragments
that deleted files may leave

Keyword Searches: using keywords to identify and analyze information relevant to the
investigation, including deleted data

These are just some of the many techniques digital forensic investigators use to unearth evidence.
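The file carving and keyword search techniques listed above can be demonstrated on raw bytes. The block below is an added example, not code from the original notes: it carves PNG and JPEG files out of a constructed "unallocated space" buffer by their header and trailer signatures (the PNG and JPEG magic bytes are real; everything else is constructed), reports a header with no trailer as an unrecoverable fragment, and runs a case-insensitive keyword search over the whole buffer, including the remains of a "deleted" memo that no live file refers to.

```python
"""Signature-based file carving plus raw keyword search over a constructed
disk image.  Added example, not from the original notes; the signatures are
the real PNG/JPEG magic bytes, everything else is constructed."""
import re
import struct
import zlib

# Header / trailer pairs of the two formats this carver understands.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image, signatures=SIGNATURES, max_len=10 * 1024 * 1024):
    """Scan raw bytes for known headers; for each header, take everything up to
    the matching trailer.  Returns a sorted list of (type, offset, data).  A
    header with no trailer within max_len is reported with data=None: carving
    alone cannot tell how long such a fragment was."""
    found = []
    for kind, (head, tail) in signatures.items():
        start = image.find(head)
        while start != -1:
            end = image.find(tail, start + len(head), start + max_len)
            if end == -1:
                found.append((kind, start, None))
                start = image.find(head, start + len(head))
                continue
            end += len(tail)
            found.append((kind, start, image[start:end]))
            start = image.find(head, end)
    return sorted(found, key=lambda t: t[1])


def keyword_search(image, keywords, context=16):
    """Case-insensitive search over the whole image, including space that no
    live file refers to; returns (keyword, offset, surrounding bytes)."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), image, re.IGNORECASE):
            lo, hi = max(0, m.start() - context), m.end() + context
            hits.append((kw, m.start(), image[lo:hi]))
    return sorted(hits, key=lambda t: t[1])


def make_png(width=1, height=1):
    """Build a minimal but valid 1x1 RGB PNG so the sample holds a real file."""
    def chunk(tag, data):
        return (struct.pack(">I", len(data)) + tag + data
                + struct.pack(">I", zlib.crc32(tag + data)))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x10\x20\x30")  # one filter byte + one RGB pixel
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def build_sample_image():
    """Constructed 'unallocated space': junk, a PNG, a minimal JPEG-like file,
    the remains of a deleted memo, and a JPEG header whose tail is gone."""
    png = make_png()
    jpeg = SIGNATURES["jpeg"][0] + b"\xe0" + b"\x00" * 20 + SIGNATURES["jpeg"][1]
    memo = b"Memo: wire transfer to offshore acct 4471 -- DELETE BEFORE AUDIT"
    return (b"\x00" * 64 + png + b"\xaa" * 32 + jpeg + b"\x00" * 16
            + memo + b"\x00" * 8 + SIGNATURES["jpeg"][0] + b"\x11" * 40)


if __name__ == "__main__":
    img = build_sample_image()
    for kind, off, data in carve(img):
        print(kind, off, "complete" if data else "fragment")
    for kw, off, ctx in keyword_search(img, ["wire transfer", "audit"]):
        print(kw, off, ctx)
```

Real carvers such as those built into forensic suites add format-aware length checks (e.g. reading the PNG chunk lengths) so that a trailer belonging to a different file is not taken as the end of the current one; the signature scan above is the core idea only.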

Digital Forensics Investigation Stage 4: Documentation

Post analysis, the findings of the investigation are properly documented in a way that makes
it easy to visualize the entire investigative process and its conclusions. Proper documentation
helps to formulate a timeline of the activities involved in wrongdoing, such as embezzlement,
data leakage, or network breaches.

Digital Forensics Investigation Stage 5: Presentation

Once the investigation is complete, the findings are presented to a court or the committee or
group that will determine the outcome of a lawsuit or an internal complaint. Digital forensics
investigators can act as expert witnesses, summarizing and presenting the evidence they
discovered, and disclosing their findings.

Process involved in Digital Evidence Collection:

The main processes involved in digital evidence collection are given below:

 Data collection: In this process data is identified and collected for investigation.
 Examination: In the second step the collected data is examined carefully.
 Analysis: In this process, different tools and techniques are used and the collected
evidence is analyzed to reach some conclusion.
 Reporting: In this final step all the documentation, reports are compiled so that
they can be submitted in court.
Types of Collectible Data:
The computer investigators and experts who examine the seized devices have to understand
what kinds of potential evidence could be present and what type of evidence they are looking
for, so that they can structure their search pattern. Crimes and criminal activities that involve
computers range across a wide spectrum, from trading illegal goods such as rare and
endangered animals, to damaging intellectual property, to personal data theft, etc.

The investigator must pick suitable tools to use during the analysis. Investigators can
encounter several problems while investigating a case: files may have been deleted from the
computer, or they could be damaged or even encrypted. So the investigator should be familiar
with a variety of tools, methods and software, and should know how to prevent the data from
being damaged during the recovery process.

There are two types of data, that can be collected in a computer forensics investigation:

 Persistent data: data that is stored on a non-volatile storage device such as a local hard
drive or external storage devices like SSDs, HDDs, pen drives, CDs, etc. The data on these
devices is preserved even when the computer is turned off.
 Volatile data: data that is stored in volatile memory such as registers, cache or RAM, or
that exists in transit, and that will be lost once the computer is turned off or loses power.
Since volatile data is evanescent, it is crucial that an investigator knows how to reliably
capture it.
Types of Evidence:
Collecting the shreds of evidence is really important in any investigation to support the
claims in court. Below are some major types of evidence.

 Real Evidence: These pieces of evidence involve physical or tangible evidence
such as flash drives, hard drives, documents, etc. An eyewitness can also be
considered as a shred of tangible evidence.
 Hearsay Evidence: These pieces of evidence are out-of-court statements that are
offered in court to prove the truth of the matter asserted.
 Original Evidence: These are the pieces of evidence of a statement that is made
by a person who is not a testifying witness. It is done in order to prove that the
statement was made rather than to prove its truth.
 Testimony: Testimony is when a witness takes oath in a court of law and gives
their statement in court. The shreds of evidence presented should be authentic,
accurate, reliable, and admissible as they can be challenged in court.
Challenges Faced During Digital Evidence Collection:
 Evidence should be handled with utmost care as data is stored in electronic media
and it can get damaged easily.
 Collecting data from volatile storage.
 Recovering lost data.
 Ensuring the integrity of collected data.
Recovering information from devices as digital evidence in an investigation is becoming the
fundamental ground for law enforcement and courts all around the world. The methods used
to extract information and evidence should be robust, to ensure that all the related information
and data are recovered and are reliable. The methods must also be legally defensible, to ensure
that the original evidence and data have not been altered in any way and that no data was
deleted from or added to the original evidence.
Computer Forensic Report Format
The main goal of computer forensics is to perform a structured investigation on a computing
device to find out what happened or who was responsible for what happened, while
maintaining a properly documented chain of evidence in a formal report. The syntax or
template of a computer forensic report is as follows:

1. Executive Summary:
The Executive Summary section of the computer forensics report template provides
background on the conditions that created the need for an investigation. The Executive
Summary (or Translation Summary) is read by senior management, as they do not read the
detailed report. This section must contain a short description, details and important pointers,
and could be one page long. The Executive Summary section consists of the following:
 Who authorized the forensic examination.
 A short list of the significant evidence.
 Why a forensic examination of the computing device was necessary.
 A signature block for the examiners who performed the work.
 The full, legitimate and proper names of all people related to or involved in the
case, their job titles, and the dates of initial contacts or communications.
2. Objectives:
The Objectives section is used to outline all tasks that the investigation planned to
complete. In some cases the forensic examination may not amount to a full-fledged
investigation when reviewing the contents of media. The prepared plan list must be
discussed with and approved by legal counsel, decision makers and the client before any
forensic analysis. This list should contain the tasks undertaken, the method used by the
examiner for each task, and the status of each task at the end of the report.

3. Computer Evidence Analyzed:
The Computer Evidence Analyzed section is where all gathered evidence and its
interpretation are introduced. It provides detailed information regarding the assignment of
evidence tag numbers, descriptions of the evidence and media serial numbers.

4. Relevant Findings:
The Relevant Findings section gives a summary of the evidence found to have probative
value. When a match is found between forensic material recovered from a crime scene
(e.g., a fingerprint, a strand of hair, a shoe print) and a reference sample provided by a
suspect in the case, the match is widely considered strong evidence that the suspect is the
source of the recovered material.

5. Supporting Details:
Supporting Details is the section where the in-depth analysis of the relevant findings is
done; it answers the question "How did we reach the conclusions outlined in Relevant
Findings?". It contains a table of vital files with their full path names, results of string
searches, emails/URLs reviewed, the number of files reviewed and any other relevant data.
All tasks undertaken to meet the objectives are outlined in this section. In Supporting
Details the focus is on technical depth; it includes charts, tables and illustrations, as these
convey much more than written text. To meet the outlined objectives, many subsections
are also included. This is the longest section. It starts by giving background details of the
media analyzed. It is not easy to report the number of files reviewed and the size of the
hard drive in human-understandable language; nevertheless, the client must know how
much data was reviewed to arrive at a conclusion.

6. Investigative Leads:
The Investigative Leads section lists action items that could help to discover additional
information related to the investigation of the case. The investigators perform all
outstanding tasks to find extra information if more time is left. This section is very critical
to law enforcement, as it suggests extra tasks that could uncover the information needed to
move the case forward, e.g. finding out whether there are any firewall logs that date far
enough into the past to give a correct picture of any attacks that might have taken place.
This section is also important for a hired forensic consultant.

7. Additional Subsections:
Various additional subsections can be included in a forensic report, depending on the
client's wants and needs. The following subsections are useful in specific cases:
 Attacker Methodology –
This section gives an additional briefing to help the reader understand the general or
exact attacks performed, and is useful in computer intrusion cases. It covers how the
attacks were carried out and what the traces of those attacks look like in standard logs.
 User Applications –
This section discusses the relevant applications installed on the media analyzed,
because in many cases the applications present on a system are very relevant. If you
are investigating a system used by an attacker, give this section a fitting title, e.g.
Cyber Attack Tools.
 Internet Activity –
The Internet Activity or Web Browsing History section gives the web surfing history
of the user of the media analyzed. Browsing history is also useful to suggest intent:
online research, downloading of malicious tools, or downloading of secure-deletion or
evidence-removal programs that wipe file slack, unallocated space and temporary
files, which often harbor evidence very important to an investigation.
 Recommendations –
This section gives recommendations to posture the client to be better prepared and
trained for the next computer security incident. Host-based, network-based and
procedural countermeasures are given to the client to reduce or eliminate the risk of a
security incident.
Auditing

A cybersecurity audit involves a comprehensive analysis and review of your IT
infrastructure. It detects vulnerabilities and threats, displaying weak links and high-risk
practices.

Significant benefits of IT security audits are:

 Risk assessment and vulnerability identification
 Strengthened security measures
 Compliance with regulations and standards
 Incident response preparedness
 Safeguarding sensitive data and customer trust
 Proactive threat detection and prevention

How Prepared is Your Organization against Cybersecurity Risks?

Recent studies and statistics highlight the growing severity of cyber risks to businesses. For
example, according to a report by Cybersecurity Ventures, it is estimated that cybercrime
will cost the global economy a staggering $10.5 trillion annually by 2025. This projection
showcases the massive financial impact that businesses could face if they fail to address
cyber risks effectively.

It is not enough to simply have security plans; they require consistent auditing. When was
the last revision made to your cyber risk management plans? Are your security documents
regularly reviewed and adjusted to align with the specific requirements of each department?

If you are unsure, then it is high time to do a cybersecurity audit.

Top Indicators that you’re falling behind in your risk management:

 Out-of-date technology – Being dependent on older technologies like old software,
old hardware, outdated policies & practices, and outdated services can leave you
vulnerable to emerging threats.
 Risks flowing widely over opportunities – You should experiment and innovate
with new technologies. If you’re afraid of adopting new technologies with the
concern that new tech will expose you to new threats, then it’s time to strengthen
your security framework.
 Thinking your Business is “Too small” for cybersecurity Audit – Do you believe
that only large-scale companies require cybersecurity Audits? Think Again!
Regardless of size, most companies are increasingly outsourcing services, enabling
third parties to closely examine your critical systems and practices. Organizations of
all sizes can benefit from a cybersecurity assessment.

Cybersecurity is not just about technical resilience or IT security but about Information
and Data Security. Misguided assurances from the internal team or a cybersecurity
company and a false sense of security are the primary reasons hackers succeed in their
attempts. They target your processes, people, procedures, and weakest links.

The Scope of a Cybersecurity Audit

Cybersecurity audits ensure a 360-degree in-depth audit of your organization’s security
posture. They aim to identify vulnerabilities, risks, and threats that may affect the
organization. These audits cover various areas, including:

 Data Security – involves reviewing network access control, encryption use, data
security at rest, and transmissions.
 Operational Security – involves a review of security policies, procedures, and
controls.
 Network Security – a review of network & security controls, anti-virus
configurations, security monitoring capabilities, etc.
 System Security – This review covers hardening processes, patching processes,
privileged account management, role-based access, etc.
 Physical Security – a review that covers disk encryption, role-based access
controls, biometric data, multifactor authentication, etc.

Beyond these, a cybersecurity audit can also cover cybersecurity risk management, cyber
risk governance, training & awareness, legal, regulatory & contractual requirements,
technical security controls, business continuity & incident management, and third-party
management.

Internal vs. External Cybersecurity Audit

Cybersecurity audits can be conducted by either external cybersecurity services companies
or internal teams.

External cybersecurity audits are performed by experienced professionals from specialized
companies. These professionals possess in-depth knowledge of security protocols and
utilize advanced software and tools to conduct a comprehensive audit. Their expertise
allows them to identify vulnerabilities and flaws in an organization’s cybersecurity risk
management effectively.

On the other hand, internal security audits are conducted by an organization’s in-house
team. These audits can be performed more frequently and provide the advantage of having
direct access to internal systems and processes. Internal auditors are familiar with the
organization’s specific security requirements and can tailor the audit to address its unique
challenges.

Both external and internal security audits offer distinct advantages and serve different
purposes. Key points to consider include:

External Security Audit:

 Independence: External auditors offer an unbiased assessment as they are not
directly involved in the company’s day-to-day operations.
 Expertise and Experience: External auditors often have specialized knowledge and
experience in conducting security audits across various industries.
 Compliance and Regulations: External audits help ensure compliance with
industry regulations, standards, and legal requirements.
 Objectivity: External auditors objectively evaluate the company’s security controls
without any internal bias or conflicts of interest.

To get better value from the external security audit, you must find the right and affordable
auditing company, set expectations for auditors, submit relevant and accurate information,
and implement suggested changes.

Despite the benefits of external audits, many organizations opt for internal cybersecurity
audits due to their cost, efficiency, speed, and consistency.

Internal Security Audit:

 In-depth Knowledge: Internal auditors have a better understanding of the
company’s internal systems, processes, and culture, which allows for a more
comprehensive assessment.
 Cost-effectiveness: Conducting internal audits can be more cost-effective since
there is no need to engage external resources.
 Continuous Monitoring: Internal audits can be performed regularly, providing
ongoing monitoring and evaluation of the organization’s security measures.
 Company-specific Focus: Internal audits can specifically address the company’s
unique security challenges and requirements.

Information Security Management System

An information security management system (ISMS) is a set of policies and procedures for
systematically managing an organization's sensitive data. The goal of an ISMS is to minimize
risk and ensure business continuity by proactively limiting the impact of a security breach.

An ISMS typically addresses employee behavior and processes as well as data and
technology. It can be targeted toward a particular type of data, such as customer data, or it
can be implemented in a comprehensive way that becomes part of the company's culture.

How does ISMS work?

An ISMS provides a systematic approach for managing the information security of an
organization. Information security encompasses certain broad policies that control and
manage security risk levels across an organization.

ISO/IEC 27001 is the international standard for information security and for creating an
ISMS. Jointly published by the International Organization for Standardization and the
International Electrotechnical Commission, the standard doesn't mandate specific actions but
includes suggestions for documentation, internal audits, continual improvement, and
corrective and preventive action. To become ISO 27001 certified, an organization requires an
ISMS that identifies the organizational assets and provides the following assessment:

 the risks the information assets face;
 the steps taken to protect the information assets;
 a plan of action in case a security breach happens; and
 identification of individuals responsible for each step of the information security
process.

The goal of an ISMS isn't necessarily to maximize information security, but rather to reach an
organization's desired level of information security. Depending on the specific needs of the
industry, these levels of control may vary. For example, since healthcare is a highly regulated
field, a healthcare organization may develop a system to ensure sensitive patient data is fully
protected.

An ISMS provides a systematic approach to managing an organization's information security
and includes policies and procedures for managing its data.

Benefits of ISMS

ISMS provides a holistic approach to managing the information systems within an
organization. This offers numerous benefits, some of which are highlighted below.

 Protects sensitive data. An ISMS protects all types of proprietary information
assets whether they're paper-based, preserved digitally or reside in the cloud.
These assets can include personal data, intellectual property, financial data,
customer data and data entrusted to companies through third parties.

 Meets regulatory compliance. ISMS helps organizations meet all regulatory
compliance and contractual requirements and provides a better grasp on legalities
surrounding information systems. Since violation of legal regulations comes with
hefty fines, having an ISMS can be especially beneficial for highly regulated
industries with critical infrastructures, such as finance or healthcare.
 Provides business continuity. When organizations invest in an ISMS, they
automatically increase their level of defense against threats. This reduces the
number of security incidents, such as cyber attacks, resulting in fewer disruptions
and less downtime, which are important factors for maintaining business
continuity.

 Reduces costs. An ISMS offers a thorough risk assessment of all assets. This
enables organizations to prioritize the highest risk assets to prevent indiscriminate
spending on unneeded defenses and provide a focused approach toward securing
them. This structured approach, along with less downtime due to a reduction in
security incidents, significantly cuts an organization's total spending.

 Enhances company culture. An ISMS provides an all-inclusive approach for
security and asset management throughout the organization that isn't limited to IT
security. This encourages all employees to understand the risks tied to information
assets and adopt security best practices as part of their daily routines.

 Adapts to emerging threats. Security threats are constantly evolving. An ISMS
helps organizations prepare and adapt to newer threats and the continuously
changing demands of the security landscape.

Objectives of information security management

Information security at the organizational level is centered around the triad of confidentiality,
integrity and availability (CIA). Information security controls are put in place to ensure the
CIA of protected information. InfoSec specialists and SecOps teams must understand each
newly implemented control in terms of how it promotes the CIA triad for a protected data
class.

Confidentiality - When it comes to InfoSec, confidentiality and privacy are essentially the
same thing. Preserving the confidentiality of information means ensuring that only authorized
persons can access or modify the data. Information security management teams may classify
or categorize data based on the perceived risk and anticipated impact that would result if the
data were compromised. Additional privacy controls can be implemented for higher-risk data.

Integrity - Information security management deals with data integrity by implementing
controls that ensure the consistency and accuracy of stored data throughout its entire life
cycle. For data to be considered secure, the IT organization must ensure that it is properly
stored and cannot be modified or deleted without the appropriate permissions. Measures such
as version control, user access controls and checksums can be implemented to help maintain
data integrity.

Availability - Information security management deals with data availability by implementing
processes and procedures that ensure important information is available to authorized users
when needed. Typical activities include hardware maintenance and repairs, installing patches
and upgrades, and implementing incident response and disaster recovery processes to prevent
data loss in the event of a cyber attack.

ISMS best practices

The ISO 27001, along with the ISO 27002 standards, offers best-practice guidelines for
setting up an ISMS. The following is a checklist of best practices to consider before investing
in an ISMS:

Understand business needs. Before executing an ISMS, it's important for organizations to
get a bird's eye view of the business operations, tools and information security management
systems to understand the business and security requirements. It also helps to study how the
ISO 27001 framework can help with data protection and the individuals who will be
responsible for executing the ISMS.

Establish an information security policy. Having an information security policy in place
before setting up an ISMS is beneficial, as it can help an organization discover the weak
points of the policy. The security policy should typically provide a general overview of the
current security controls within an organization.

Monitor data access. Companies must monitor their access control policies to ensure only
authorized individuals are gaining access to sensitive information. This monitoring should
observe who is accessing the data, when and from where. Besides monitoring data access,
companies should also track logins and authentications and keep a record of them for further
investigation.
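As an added example (not from these notes) of the monitoring described above, the script below parses a constructed access log, produces the record of who read sensitive data, when and from where, and raises two alerts a reviewer would want to look at: a successful login that follows a run of failures, and a read of sensitive data from outside the corporate network. The log format, the sensitive paths, the internal address range and the failure threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line:
# <timestamp> user=<name> ip=<addr> action=<login|read> resource=<path> result=<ok|fail>
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=alice ip=10.0.1.5 action=login resource=- result=ok
2024-03-01T08:02:40Z user=alice ip=10.0.1.5 action=read resource=/hr/payroll.xlsx result=ok
2024-03-01T08:05:02Z user=bob ip=10.0.1.9 action=login resource=- result=fail
2024-03-01T08:05:09Z user=bob ip=10.0.1.9 action=login resource=- result=fail
2024-03-01T08:05:15Z user=bob ip=10.0.1.9 action=login resource=- result=fail
2024-03-01T08:05:20Z user=bob ip=10.0.1.9 action=login resource=- result=fail
2024-03-01T08:05:25Z user=bob ip=10.0.1.9 action=login resource=- result=fail
2024-03-01T08:05:31Z user=bob ip=10.0.1.9 action=login resource=- result=ok
2024-03-01T08:06:00Z user=bob ip=10.0.1.9 action=read resource=/hr/payroll.xlsx result=ok
2024-03-01T22:47:13Z user=alice ip=203.0.113.77 action=login resource=- result=ok
2024-03-01T22:48:01Z user=alice ip=203.0.113.77 action=read resource=/hr/payroll.xlsx result=ok
"""

LINE_RE = re.compile(
    r"^(\S+) user=(\S+) ip=(\S+) action=(\S+) resource=(\S+) result=(\S+)$")

SENSITIVE_PREFIXES = ("/hr/", "/finance/")   # assumption: classified as sensitive
INTERNAL_PREFIXES = ("10.",)                 # assumption: corporate network range
FAIL_THRESHOLD = 5                           # failed logins before a success is suspicious


def parse(log_text: str) -> list:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, action, resource, result = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ip, "action": action,
            "resource": resource, "result": result,
        })
    return events


def sensitive_access_report(events: list) -> list:
    """The record the policy asks for: who read sensitive data, when, from where."""
    return [(e["user"], e["ts"].isoformat(), e["ip"], e["resource"])
            for e in events
            if e["action"] == "read" and e["result"] == "ok"
            and e["resource"].startswith(SENSITIVE_PREFIXES)]


def find_alerts(events: list) -> list:
    """Flag logins that succeed after repeated failures and sensitive reads
    from addresses outside the internal range. Events must be in time order."""
    alerts = []
    fails = defaultdict(int)
    for e in events:
        if e["action"] == "login":
            if e["result"] == "fail":
                fails[e["user"]] += 1
            else:
                if fails[e["user"]] >= FAIL_THRESHOLD:
                    alerts.append(("login_after_repeated_failures", e["user"], e["ip"]))
                fails[e["user"]] = 0
        elif (e["action"] == "read" and e["result"] == "ok"
              and e["resource"].startswith(SENSITIVE_PREFIXES)
              and not e["ip"].startswith(INTERNAL_PREFIXES)):
            alerts.append(("sensitive_read_from_external_ip", e["user"], e["ip"]))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for row in sensitive_access_report(evs):
        print("access:", row)
    for alert in find_alerts(evs):
        print("alert:", alert)
```

Keeping the raw events (not only the alerts) is what makes the later investigation possible: the report lists every access to the payroll file, while the alerts only point at the two that deserve a closer look.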

Conduct security awareness training. All employees should receive regular security
awareness training. The training should introduce users to the evolving threat landscape, the
common data vulnerabilities surrounding information systems, and mitigation and prevention
techniques to protect data from being compromised.

Secure devices. Protect all organizational devices from physical damage and tampering by
taking security measures to ward off hacking attempts. Tools including Google Workspace
and Office 365 should be installed on all devices, as they offer built-in device security.

Encrypt data. Encryption prevents unauthorized access and is the best form of defense
against security threats. All organizational data should be encrypted before setting up an
ISMS, as it will prevent any unauthorized attempts to sabotage critical data.

Back up data. Backups play a key role in preventing data loss and should be a part of a
company's security policy before setting up an ISMS. Besides regular backups, the location
and frequency of the backups should be planned out. Organizations should also design a plan
to keep the backups secure, which should apply to both on-premises and cloud backups.

Conduct an internal security audit. An internal security audit should be conducted before
executing an ISMS. Internal audits are a great way for organizations to gain visibility over
their security systems, software and devices, as they can identify and fix security loopholes
before executing an ISMS.

ISO 27001:2013

ISO 27001:2013 is an international security standard that lays out best practices for how
organizations should manage their data. It outlines how companies should manage
information security risk by creating an information security management system (ISMS).
This approach demands executive leadership while embedding data security at all
organizational levels. The standard is voluntary, but organizations that follow its
guidelines can seek ISO 27001 certification.

ISO 27001 was developed in tandem by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC). It was
originally released in 2005 and revised in 2013, thus its full title: ISO/IEC 27001:2013.
ISO 27001 is divided into two sections: clauses and controls. The clauses largely serve as
an introduction to the key terms and concepts, especially ISO 27001’s emphasis on
information security leadership from the highest levels of an organization.

ISO 27001 Clause 6: Risk Assessment

Clause 6 is especially important because it outlines how organizations should conduct a
risk assessment to identify and analyze potential threats to their data security.

The fundamental questions in a risk assessment are:

- What data does the organization maintain?
- What are the potential consequences if that data was compromised, breached,
tampered with, or lost?
- What are the information security risks, and what is the likelihood of them
materializing?
- Who in the organization is responsible for managing these risks?

Once an organization has answered these questions, they can choose from several “risk
treatment” options:

- Eliminate the risk (either by eliminating the data or the behavior that is putting data
at risk).
- Share the risk by outsourcing to a third-party or through insurance.
- Accept the risk after concluding that the threat is highly unlikely, the consequences
would be minimal, or the costs of changes outweigh the potential benefits.
- Control the risk to reduce the likelihood of bad outcomes.
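The four questions and the four treatment options above can be captured in a risk register. The following is an added example, not part of these notes or of the standard, that records each risk as the answers to those questions, ranks risks by likelihood times impact, and reviews each entry for the gaps an auditor looks for first: no owner, no treatment decided, or a high-scoring risk simply accepted. The 1-5 scales, the appetite threshold and the sample risks are assumptions; ISO 27001 leaves the scoring method and the risk appetite to the organization.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    """The four risk treatment options named in Clause 6."""
    ELIMINATE = "eliminate"   # remove the data or the behaviour that puts it at risk
    SHARE = "share"           # outsource to a third party or insure
    ACCEPT = "accept"         # tolerate a low or uneconomic-to-fix risk
    CONTROL = "control"       # reduce likelihood or impact with a control (Annex A)


@dataclass
class Risk:
    data_asset: str            # What data does the organization maintain?
    consequence: str           # What happens if it is compromised, tampered with or lost?
    likelihood: int            # 1 (rare) .. 5 (almost certain)  - assumed scale
    impact: int                # 1 (negligible) .. 5 (severe)    - assumed scale
    owner: str                 # Who is responsible for managing this risk?
    treatment: Optional[Treatment] = None

    def score(self) -> int:
        return self.likelihood * self.impact


# Assumption: a score above this cannot simply be accepted without an exception.
RISK_APPETITE = 8


def rank(register: List[Risk]) -> List[Risk]:
    """Highest-scoring risks first, so treatment effort goes where it matters."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def review(risk: Risk) -> List[str]:
    """Return the findings an auditor would raise against one register entry."""
    findings = []
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            findings.append(f"{name} {value} outside 1-5 scale")
    if not risk.owner.strip():
        findings.append("no risk owner assigned")
    if risk.treatment is None:
        findings.append("no treatment decided")
    elif risk.treatment is Treatment.ACCEPT and risk.score() > RISK_APPETITE:
        findings.append(
            f"score {risk.score()} exceeds appetite {RISK_APPETITE} but is accepted")
    return findings


def register_findings(register: List[Risk]) -> dict:
    """Map each problematic asset to its findings; clean entries are omitted."""
    return {r.data_asset: review(r) for r in register if review(r)}


# Constructed sample register exercising all four treatments.
REGISTER = [
    Risk("customer PII database", "regulatory fines, notification costs",
         3, 5, "Head of Engineering", Treatment.CONTROL),
    Risk("legacy FTP server with old exports", "disclosure of archived exports",
         4, 3, "IT Operations", Treatment.ELIMINATE),
    Risk("payment card processing", "fraud liability",
         2, 5, "Finance Director", Treatment.SHARE),
    Risk("public marketing brochure", "embarrassment only",
         3, 1, "Marketing", Treatment.ACCEPT),
    Risk("HR payroll file share", "salary data leak",
         4, 4, "", Treatment.ACCEPT),                 # deliberately incomplete entry
]


if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score():>2}  {r.data_asset:<36} {r.treatment.value:<10} owner={r.owner!r}")
    for asset, findings in register_findings(REGISTER).items():
        print("finding:", asset, "->", "; ".join(findings))
```

The entry with no owner and an accepted score of 16 is the kind of gap that undermines an ISMS: the risk has been identified but nobody is accountable for it, and the decision to live with it was never justified against the organization's appetite.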

ISO 27001 Controls

Annex A forms the bulk of ISO 27001, and it deals with the risk controls organizations can
implement, based on the results of their risk assessment. ISO 27001:2013 lists 114
controls, divided into 14 categories.

Annex A.5: Information Security Policies

This annex mandates the creation of a written set of information security policies,
published with the approval of management. These policies will collect the controls
established through the rest of the annex. They must be reviewed at regular intervals or in
the event of an internal or external change that would impact information security.

Annex A.6 Organization of Information Security

The first part of Annex A.6 concerns assigning responsibility for information security to
all relevant stakeholders. Part two specifically concerns maintaining data security on
mobile devices and with remote workers.

Annex A.7: Human Resource Security

This section concerns ensuring that employees and contractors understand and are capable
of fulfilling their obligations to data security, starting from before they are hired and
ending with the off-boarding procedure.

Annex A.8: Asset Management

As the name indicates, this annex identifies information assets and classifies them
according to the level of protection they require.

Annex A.9: Access Control

Annex 9 concerns a crucial element of any ISMS: controlling access to information. It’s
divided into four sections, which outline the responsibilities of organizations to provision
and deprovision users and implement secure login procedures, as well as the responsibility
of individuals to respect IT security policies for authentication.

Annex A.10: Cryptography

This section concerns the proper use of encryption and how to protect cryptographic keys.

Annex A.11: Physical and Environmental Security

This is the longest section, with 15 individual controls, all of which deal with policies that
protect an organization’s physical premises and the equipment in which it stores
information.

Annex A.12: Operations Security

Annex A.12 includes best practices for ensuring data protection and integrity, from
conducting data backups to malware prevention to maintaining internal logs.

Annex A.13: Communications Security

There are two sections to this annex. The first deals with maintaining internal network
security, while the second addresses the security of information that leaves the
organization.

Annex A.14: System Acquisition, Development, and Maintenance

This section mandates that information systems be analyzed with regard to their impact on
security throughout their existence. It deals with the development, testing, implementation,
and updates of information systems.

Annex A.15: Supplier Relationships

Unsurprisingly, this section concerns maintaining data security with third-party suppliers
and maintaining an agreed-upon level of security.

Annex A.16: Information Security Incident Management

In this annex, organizations determine how they will deal with security incidents. This
includes designating employees to take responsibility for different types of events,
including reporting them to authorities.

Annex A.17: Information Security Aspects of Business Management

Annex A.17 illustrates a bedrock principle of ISO 27001: that information security be
directly tied to business outcomes at all levels. This section is devoted to minimizing
business disruption by including information security in a business continuity management
system.

Annex A.18: Compliance

Here, organizations must identify their legal and regulatory obligations to incorporate
them into their ISMS.
