Post on 10-Mar-2016
Certified ISO 27005 Risk Manager release 1.0.0 PARTICIPANT HANDBOOK
Copyright Certified ISO 27005 Risk Manager, Classroom course, release 1.0.0
Copyright and Trademark Information for Partners/Stakeholders.
ITpreneurs Nederland B.V. is affiliated to Veridion.
Copyright © 2013 ITpreneurs. All rights reserved.
Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.
The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.
Certified ISO 27005 | Risk Manager | Participant Handbook
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 1
Contents
Certified ISO 27005 Risk Manager
Day 1 ------------------------------------------------------------ 5
Day 2 ------------------------------------------------------------ 59
Exam Preparation Guide -------------------------------------- 133
Appendix A: Case Study ------------------------------------- 143
Appendix B: Exercises List ---------------------------------- 151
Appendix C: Correction Key for Exercises --------------- 167
Appendix D: Release Notes --------------------------------- 179
Participant Feedback Form ---------------------------------- 181
Day 1
Certified ISO 27005 Risk Manager
Section 1: Course objectives and structure
a. Meet and greet
b. General information
c. Training objectives
d. Educational approach
e. Examination and certification
f. PECB
g. Schedule of the training
Activity: Meet and greet

General Information
Smoking area
Meals
Timetable and breaks
Use of mobile phones and recording devices
Absences
Use of a computer and access to the Internet
Training Objectives: Acquiring Knowledge
1. Understand the basic concepts of risk management related to information security
2. Explain the goal, content and correlation between ISO 27005, ISO 31000 and ISO 27001, as well as with other standards and regulatory frameworks
3. Explain the functioning of a risk management system according to ISO 27005 and ISO 31000 through its key processes

Training Objectives: Development of competencies
1. Acquire the knowledge necessary for the implementation, management and maintenance of an ongoing risk management programme
2. Interpret the requirements of ISO 27001 on risk management
3. Acquire the skills necessary to effectively advise organizations on the best practices in risk management
4. Strengthen the personal qualities necessary to act with due professional care when implementing a risk management programme
Course Structure: Student oriented

Examination: Competency domains
1. Fundamental principles and concepts in information security risk management
2. Information security risk management program
3. Information security risk assessment
4. Information security risk treatment
5. Information security risk communication, monitoring and improvement
Certified ISO 27005 Risk Manager: Prerequisites for Certification
1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. 2 years professional experience
4. 1 year risk management experience
5. 200 hours risk management activity
6. Professional references

Certificate
Candidates who meet all the prerequisites for certification will receive a certificate.
What is PECB?
Professional Evaluation and Certification Board
Main services:
1. Certification of personnel (Auditor and Implementer)
2. Certification of training organizations
3. Certification of trainers

Customer Service: Comments, questions and complaints
Parties involved: Training Participant, Training Provider, PECB
1. Submit a complaint
2. Answer in writing
3. Appeal
4. Final arbitration
Day 2
Certified ISO 27005 Risk Manager
Section 6: Risk identification
a. Techniques for gathering information
b. Identification of assets
c. Identification of threats
d. Identification of existing controls
e. Identification of vulnerabilities
f. Identification of consequences
ISO 27005 risk management process (overview)
1. Risk Management Programme
2. Context Establishment
Risk Assessment (steps 3 to 5):
3. Risk Identification
3.1 Identification of assets
3.2 Identification of threats
3.3 Identification of existing controls
3.4 Identification of vulnerabilities
3.5 Identification of consequences
4. Risk Analysis
4.1 Assessment of consequences
4.2 Assessment of incident likelihood
4.3 Level of risk determination
5. Risk Evaluation
5.1 Evaluation of levels of risk based on risk evaluation criteria
6. Risk Treatment
6.1 Risk treatment options
6.2 Risk treatment plan
6.3 Evaluation of residual risk
7. Risk Acceptance
7.1 Risk treatment plan acceptance
7.2 Residual risk acceptance
8. Risk Communication and Consultation
9. Risk Monitoring and Review
Information Gathering Techniques
Questionnaire surveys: sending questionnaires to a sample of people who represent the stakeholders
Interviews: interviews with key persons at different hierarchical levels within the organization
Documentation review: reading and analysis of relevant documentation: internal policies, procedures, previous audit reports, legal opinions, contracts, etc.
Scanning tools: use of technical tools to detect technical vulnerabilities, establish a list of assets present on a network, perform a code review, etc.
Individual and Group Interview
Individual: individual interviews usually provide more accurate information and allow a more correct risk assessment
Group: group interviews are more effective to establish basic criteria to reach a consensus on risk assessment, discuss treatment options, etc.

Conducting an Interview
Use open-ended questions and avoid closed-ended or guided questions
Ensure you cover all the subjects while controlling the time
Take notes during the interview
Ask questions to clarify a response or situation
3.1. Identification of Assets (ISO 27005, clause 8.2.2)
Input: scope and boundaries; list of assets with their owners; business processes; premises, etc.
Activities: identification of assets included in the scope
Output: list of assets to be risk-managed; list of business processes related to assets and their relevance

Asset (ISO 27000, clause 2.3 and ISO 27005, annex B)
Definition: anything that has value to the organization
Asset categories:
Primary assets: business process, information asset
Supporting assets: hardware, software, network, personnel, site, organization's structure
Creating an Inventory of Assets (ISO 27002, clause 7.1.1)
Information recorded for each asset:
Asset type
Its format
Its location
Its owner
Its user license
Backup information
Its value
The inventory of assets requires continuous updating and verification.

Identification of Business Processes
Business processes to be considered:
Supporting the organization's mission and vital to its achievement
Involving the handling of confidential information
Related to legal and/or contractual obligations
Main Business Processes
Example based upon the value chain of Porter
Finance & accounting; Management of infrastructure; Human Resources management; Research & Development
Design; Marketing; Sales; Distribution; Production; Customer service
Design; Marketing; R&D; Supply; Transformation; Manufacturing; Quality control; Packaging; Export; After sale services

Identification of Information Assets
Information assets to be considered:
Vital to the organization so that it can achieve its mission
Containing information that has economic, administrative or legal value for the organization
Subject to costs for collection, acquisition or storage
Examples: customer data, patents, financial statements, R&D
Identification of Supporting Assets: Categories
Hardware: all the physical elements supporting processes. Examples: server, laptop, printer, disk drive, CD-ROM, etc.
Software: all the programmes contributing to data processing. Examples: operating system, word processing software, accounting software, etc.
Networks: all telecommunications devices used to interconnect several physically remote computers or elements of an information system. Examples: router, firewall, network cable, switch, bridge, etc.
Personnel: all people involved in the information system. Examples: owner, user, developer, trustee, client, decision maker, etc.
Sites: physical places where the operations take place. Examples: desktop, server room, staff residence, secure area, air conditioning system, etc.
Organization's structure: the organizational framework assigned to the realisation of the activities. Examples: headquarters, division, department, project teams, subcontractors, suppliers, etc.
Primary and Supporting Assets: Examples of links
Process: R&D, Sales, Design, Production, Accounting
Information: Patents, Customer data, Marketing Research Report, Financial Statements, Source Code
Hardware: Server, Laptop, External Drive, Network, Printer
Software: CRM, Word processing, Excel, Production Simulation, Accounting
Personnel: Marketing Specialist, Network Administrator, Database Manager, Finance Director, Sales Representative
Identification of the Asset Owners (ISO 27001, clause A.7.1.2)
An owner must be identified for each asset, to establish responsibility and traceability of assets
The asset owner does not necessarily have property rights over the asset, but has the responsibility for its production, development, maintenance, operation and security
The owner is often the person best suited to determine the value of the asset for the organization
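As an added example (not part of the handbook), the following Python models an asset inventory using the categories, inventory fields and primary/supporting links from the slides above, and checks the rule that every asset has an identified owner; the asset names, owners, the constructed 1-5 value scale and the "Git server" link are sample data made up for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Asset categories from the handbook's slides: two primary, six supporting.
PRIMARY = {"process", "information"}
SUPPORTING = {"hardware", "software", "network", "personnel", "site", "organization"}

@dataclass
class Asset:
    name: str
    category: str               # one of PRIMARY or SUPPORTING
    owner: str | None = None    # person accountable for the asset (ISO 27001 A.7.1.2)
    value: int = 0              # constructed 1-5 scale of value to the organization
    supported_by: list[str] = field(default_factory=list)  # names of supporting assets

def check_inventory(assets: list[Asset]) -> dict[str, list[str]]:
    """Return findings keyed by problem type; all-empty lists mean the inventory passes."""
    by_name = {a.name: a for a in assets}
    findings: dict[str, list[str]] = {k: [] for k in
        ("no_owner", "dangling_link", "unsupported_primary", "orphan_supporting")}
    linked: set[str] = set()
    for a in assets:
        if not a.owner:                                   # every asset needs an owner
            findings["no_owner"].append(a.name)
        for dep in a.supported_by:                        # links must name real supporting assets
            if dep in by_name and by_name[dep].category in SUPPORTING:
                linked.add(dep)
            else:
                findings["dangling_link"].append(f"{a.name} -> {dep}")
        if a.category in PRIMARY and not a.supported_by:  # primary asset with no modelled support
            findings["unsupported_primary"].append(a.name)
    for a in assets:                                      # supporting assets nothing depends on
        if a.category in SUPPORTING and a.name not in linked:
            findings["orphan_supporting"].append(a.name)
    return findings

# Constructed sample inventory, loosely following the "Examples of links" slide.
SAMPLE = [
    Asset("Sales", "process", "Sales Director", supported_by=["CRM", "Sales Representative"]),
    Asset("Production", "process", "Plant Manager"),
    Asset("Customer data", "information", "Sales Director", 5, ["CRM", "Server"]),
    Asset("Patents", "information", None, 5, ["Server"]),
    Asset("Source Code", "information", "R&D Manager", 4, ["Git server"]),
    Asset("CRM", "software", "Network Administrator", supported_by=["Server"]),
    Asset("Server", "hardware", "Network Administrator"),
    Asset("Sales Representative", "personnel", "Sales Director"),
    Asset("Printer", "hardware", "Network Administrator"),
]
```

Running `check_inventory(SAMPLE)` reports the asset without an owner, the link to an asset missing from the inventory, the primary asset with no supporting assets, and the supporting asset nothing depends on, which are the gaps an inventory review under clause 7.1.1 is meant to surface.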