20071121_Nalin_IS27001 & BS25999
Transcript of 20071121_Nalin_IS27001 & BS25999
-
8/8/2019 20071121_Nalin_IS27001 & BS25999
1/26
A Glance into ISO 27001 and BS 25999
Nalin Wijetilleke MBA, CISA, PMP, CBCP, BS7799 LA
-
Agenda
Information & Standards: an introduction
ISO 27001: an overview
BS 25999: a quick walkthrough
Wrap-up
-
What is the life blood of any organization?
Information. It can be in various forms.
-
Some information is valuable as well as sensitive! We must maintain its
Confidentiality
Integrity
Availability
-
Information is an Asset
[Figure: the asset surrounded by threats: Remote Access Control, Systems Failure, Data Theft, Viruses/Cyber attack]
-
Information Security protects assets from a wide range of threats in order to ensure business continuity, minimize business damage and maximize ROI and business opportunities.
-
Why do you need a management code of practice and a standard?
To achieve effectiveness and efficiency in handling & protecting information
Security that is achieved by technical means should be supported by appropriate management practice
To benchmark against international organizations
An agreed, repeatable way of doing things
-
ISO 27001
Published in October 2005, replacing BS 7799 Part 2
Objective is to establish, implement, operate, monitor, review, maintain and improve an Information Security Management System (ISMS)
Design and implementation is according to the needs and objectives of the organization
Belongs to the ISO 27000 family of information security standards
-
Implementing ISO 27001
PDCA (Plan-Do-Check-Act) cycle
Dr W. Edwards Deming
-
ISO 27001 is NOT
about IT controls
about how to implement the stated controls
about total enterprise risk management
about reacting to information security incidents or failures
about aimlessly introducing security controls, even though they are best practices
-
Challenges in implementing ISO 27001
Lack of understanding of information security risks at corporate level
Assumption of current practices as best practices
Failure to justify the investment in establishing an information security governance framework
Non-availability of a champion/evangelist
Inability to sustain the practice/certification
-
International ISMS Register - UAE
Dubal
Dubai Holding
GPO Electronic Document Processing Center
Department of Health & Medical Services, Govt of Dubai
Mashreqbank
NBD
Network International (member of Emirates-NBD Holding Co)
Paramount Computers
RAKBANK
Reference: http://www.iso27001certificates.com/
-
BS 25999
BS 25999 is on Business Continuity Management
-
BS 25999
BS 25999 Part 1, the code of practice, was released in December of the previous year (2006); Part 2, the BCM specification, was released on November 20th 2007
Objective is to establish a best-practice framework to guide business
Design and implementation is according to the needs and objectives of the organization
Specifies best practice and not general practice
-
PDCA Model applied to BCM Implementation process
-
BCM Life Cycle
1. Set up the program
2. What have you got: structure, functions, risks
3. How do you recover: who, what & when
4. Recovery planning
5. Conduct tests, record and improve
6. Build culture
-
BS 25999 Domains
Clause 1 - Scope and applicability
Clause 2 - Terms and definitions from the BS 25999 perspective
Clause 3 - Overview of Business Continuity Management (BCM)
Clause 4 - The Business Continuity Management policy
Clause 5 - BCM program management
Clause 6 - Understanding the organization
Clause 7 - Determining the business continuity strategy
Clause 8 - Developing & implementing a BCM response
Clause 9 - Exercising, maintaining and reviewing BCM arrangements
Clause 10 - Embedding BCM in the organization's culture
-
BS 25999 Benefits
Demonstrates an accepted level of preparedness for a crisis or a disaster
Clear business advantage
Best practice and not general practice
It is a single reference point
Scalable and straightforward
Allows confidence in the supply chain
Other
-
Wrap-up
Standards evolve as they mature: generally they are born as a PAS (Publicly Available Specification), become a BS and finally an ISO standard
ISO 27001 & BS 25999 are standards leading to better governance
They are best practices and not general practices
Standards are scalable and straightforward, applicable to a small, SME or large organization
They are also applicable globally across an industry
BS 25999 is the latest standard and has 10 domains to address
-