ISO IEC TR 27008


ISO/IEC TR 27008 – Guidelines for the assessment of information security controls

The world is ever-changing, and so are the risks to a business's reputation and bottom line. Organisations must be proactive, and a strong defence should be built around auditing the controls that support information security. This is what ISO 27008 was designed to help with.

What is ISO 27008?

ISO 27008 is a Technical Document that outlines procedures for conducting an audit of an organisation’s information security controls. ISO 27008 plays a major role in the management activities associated with the implementation and operation of an Information Security Management System (ISMS).

Even though it is meant to be used in conjunction with ISO 27001 and ISO 27002, it is not exclusive to those standards and is applicable to any scenario requiring an assessment of information security controls. ISO 27008 is essential to organisations of all forms and sizes, including public and private businesses, federal agencies, and not-for-profit organisations that perform information management reviews and operational compliance tests.

ISO 27008 proposes a comprehensive organisational security assessment and review framework for information security controls in order to give organisations confidence that their controls have been implemented and managed correctly and that their information security is “fit for purpose.”

It helps to instil trust in an organisation’s information security management system’s controls.

What is Information Security?

Information security is a subject that’s more important than ever before. News reports of data breaches and cyberattacks now come thick and fast, but what is the bigger picture?

Information security, sometimes shortened to InfoSec, is the practice of protecting information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security concerns the protection of information in any form when it is held or processed by an organisation.

Information security covers a broad territory and includes the concepts of confidentiality, integrity, and availability.

Techniques may include encryption to prevent unauthorised parties from viewing information; authorisation at the level of individual users or programs; operations security (OPSEC) to protect the confidentiality and integrity of operations within an organisation; authentication frameworks to prevent fraudulent transactions, and intrusion detection to detect intruders into computer systems.

What are Information Security Controls?

Information security controls are steps taken to mitigate information security vulnerabilities such as device failures, data theft, system breaches and unintended modifications to digital information or processes.

These security controls are usually applied in response to an information security risk evaluation in order to better secure the availability, confidentiality, and privacy of data and networks.

These controls safeguard the confidentiality, integrity, and availability of information in the field of information security.

Types of Information Security Controls

Security protocols, procedures, schedules, devices, and applications all fall into the category of information security controls.

  1. Preventive security controls: security protocols intended to avert cybersecurity incidents before they occur.
  2. Detective security controls: controls aimed at identifying an intrusion attempt or potential security breach and alerting cybersecurity staff to it.
  3. Corrective security controls: controls used after a cybersecurity event to mitigate data loss and device or network disruption, and to recover sensitive business systems and operations.

Additionally, security measures can be categorised according to their purpose, as follows:

Access controls:

These include physical entry monitors such as armed guards at building exits, locks, and perimeter fences.

Procedural controls:

Threat awareness instruction, security framework enforcement training, and incident response processes and procedures.

Technical controls:

These include multi-factor account authentication at the point of entry (login) and logical access controls, antivirus applications, and firewalls.

Compliance controls:

These include privacy rules, frameworks, and requirements, as well as cybersecurity approaches and standards.

What is the Purpose of ISO 27008?

ISO 27008 was created to:

  • Assist in the preparation and implementation of ISMS audits and the information risk management process;
  • Provide guidelines for auditing information security controls in accordance with the controls guidance in ISO/IEC 27002;
  • Enhance ISMS audits by optimising the relationships between ISMS processes and the necessary controls;
  • Ensure that audit resources are used effectively and efficiently;
  • Add value and improve the consistency and benefit of the ISO 27k specifications by bridging the gap between maintaining the ISMS in principle and, where necessary, checking evidence of applied ISMS controls (e.g., evaluating the security elements of business operations, IT structures, and IT operating environments in ISO 27k user organisations).

What is the Scope of ISO 27008?

ISO 27008 provides guidance to all auditors on information security management systems controls. It guides the information risk management process as well as internal, external, and third-party assessments of an ISMS by demonstrating the association between the ISMS and its accompanying controls.

It includes guidelines on how to test the extent to which the necessary “information security management system controls” are applied. Additionally, it assists organisations that are implementing ISO/IEC 27001 or ISO/IEC 27002 in meeting compliance criteria and serves as a technical platform for information technology governance.

How does ISO 27008 Work?

ISO 27008 defines general procedures, not techniques for any particular control or forms of controls.

It defines systematic reviews and then outlines the various approaches and forms of reviews that are applicable to information security controls. Finally, it discusses the practices required for a successful review process.

Relationship with ISO 27001 and ISO 27002

ISO 27008 is closely related to the ISO 27007 audit specification for information security management systems.

However, unlike ISO 27007, which focuses on reviewing the management system components of an ISMS as defined in ISO 27001, ISO 27008 focuses on auditing specific information security controls, such as those listed in ISO 27002 and detailed in ISO 27001’s Annex A.

ISO 27008 “focuses on evaluations of information security controls, including regulatory compliance, against an organisation-established information security implementation standard.”

It is, however, not intended to provide detailed guidelines on compliance testing with respect to the calculation, risk evaluation, or audit of an ISMS, as specified in ISO 27004, ISO 27005, or ISO 27007, respectively.

Who Should Implement ISO 27008?

ISO 27008 is intended for internal and external auditors charged with the responsibility of reviewing information management controls that are part of an ISMS. It would, however, be beneficial to anyone doing an analysis or assessment of an ISMS’s controls, whether as part of a structured audit procedure or otherwise. The document is primarily intended for information security auditors who are responsible for verifying that an organisation’s information security controls are technically compliant with ISO/IEC 27002 and all other control requirements used by the organisation.

ISO 27008 will assist them in the following ways:

  • Recognise and comprehend the scope of possible issues and weaknesses in information security controls.
  • Identify and comprehend the possible consequences of inadequately mitigated computer technology risks and weaknesses for the company.
  • Prioritise risk control practices related to information management.
  • Ascertain that previously found or newly discovered vulnerabilities or defects have been resolved sufficiently.

ISO 27008 is applicable to a broad range of organisations, including public and private businesses, government agencies, and not-for-profit organisations.
