TECHNICAL ISO/IEC TS SPECIFICATION 27008 First edition 2019-01 Information technology Security techniques Guidelines for the assessment of information security controls Technologies de I'information-Techniques de sécurite- Lignes directrices pour lesauditeurs des controles de sécurite de I'information Reference number IEC IS0/IEC TS 27008:2019(E) @IS0/IEC2019 IS0/IECTS27008:2019(E) COPYRIGHTPROTECTEDDOCUMENT IS0/IEC2019 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting below or Iso's member body in the country of the requester. ISO copyright office CP 401 : Ch. de Blandonnet 8 CH-1214 Vernier, Geneva Phone: +41 22749 0111 Fax: +41 22 749 09 47 Email: copyright@iso.org Website: www.iso.org Published in Switzerland ii ISO/IEC 2019 - All rights reserved IS0/IECTS27008:2019(E) Contents Page Foreword ..V Introduction. ..vi 1 Scope. 2 Normative references 3 Terms and definitions 4 Structure of this document ..1. 5 Background. .2 6 Overviewofinformationsecuritycontrolassessments .3 6.1 Assessment proces.. .3 .3 6.1.1 General. 6.1.2 Preliminary information 3 .3 6.1.3 Assessment checklists 6.1.4 Review fieldwork 4 6.1.5 The analysis process .5 6.2 Resourcing and competence .5 7 Review methods .6 7.1 Overview .6 7.2 Process analysis 7 .7 7.2.1 General 7.3 Examination techniques 7 7.3.1 General. .7 7.3.2 Procedural controls 8 .8 7.3.3 Technical controls 7.4 Testing an validation techniques .8 7.4.1 General. .8 7.4.2 Blind testing .9 7.4.3 Double Blind Testing 9 7.4.4 Grey Box Testing. 7.4.5 Double Grey Box Testing .10 7.4.6 Tandem Testing. .10 7.4.7 Reversal ..10 7.5 Sampling techniques. .10 7.5.1 General. .10 7.5.2 Representative sampling .10 7.5.3 Exhaustive sampling .10 8 Controlassessmentprocess. .10 8.1 Preparations .10 8.2 Planning the assessment .12 8.2.1 Overview .12 8.2.2 Scoping the assessment ..13 8.2.3 Review procedures .13 8.2.4 Object-related considerations ..14 8.2.5 Previous findings. .14 8.2.6 Work assignments .15 8.2.7 External systems. .15 8.2.8 Informationassetsandorganization .16 8.2.9 .16 Extended review procedure. 8.2.10 Optimization .16 8.2.11 .17 Finalization 8.3 Conduction reviews. .17 8.4 Analysis and reporting results. .18 @ IS0/IEC 2019 - All rights reserved iii