Implementing ISO27001 2013


Transcript of Implementing ISO27001 2013

Page 1: Implementing ISO27001 2013

Implementing ISO27001:2013
Scott McAvoy | @5c077mc | Managing Security Consultant

Page 2: Implementing ISO27001 2013

Information security

Information is defined as:

An asset that, like any other important business assets, is essential to an organisation’s business. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation.

Information security and its objectives are defined as protecting and preserving the following principles:

● Confidentiality - The property that information is not made available or disclosed to unauthorised individuals, entities or processes;
● Integrity - The property of safeguarding the accuracy and completeness of assets;
● Availability - The property of being accessible and usable upon demand by an authorised entity.

Page 3: Implementing ISO27001 2013

Agenda

● ISO27001 history and certification bodies
● ISO27001:2013 Clauses 4-10
● ISO27001:2013 Example Annex A controls

Page 4: Implementing ISO27001 2013

ISO27001:2013

• From 1995 to 2015
• Certification bodies
• Compliance or certification?

Page 5: Implementing ISO27001 2013

ISO27001: From 1995 to 2015

● 1995: UK Department for Trade & Industry (DTI) writes and the British Standards Institute (BSI) publishes BS7799.

● 2000: BS7799 adopted by the International Organisation for Standardisation (ISO) and International Electrotechnical Committee (IEC) and renamed ISO/IEC 17799.

● 2005: ISO/IEC 27001:2005 is published, building in suggested security controls, risk assessment and risk management.

● 2014: ISO/IEC 27001:2013 published.

Page 6: Implementing ISO27001 2013

ISO27001: Certification bodies

Page 7: Implementing ISO27001 2013

ISO27001: Compliance or certification?

Compliance
Why? No contractual obligations. Best practice.
Pros: Less cost. Less resource.
Cons: Prevents working with some clients. Adds overhead to working with some clients.

Certification
Why? Contractual obligation. Competitive advantage.
Pros: Internationally recognised. Reduces impact of security on client relationships. Shows commitment.
Cons: Expensive. Potentially dedicated resource.

Page 8: Implementing ISO27001 2013

ISO27001:2013 Clauses 4-10

• Context of the organisation
• Leadership
• Planning
• Support
• Operation
• Performance evaluation
• Improvement

Page 9: Implementing ISO27001 2013

ISO27001: Context of the organisation

What?
•Organisation issues;
•Interested parties' needs and expectations;
•Information Security Management System (ISMS) scope.

How?
•PESTEL & SWOT analysis.

Required documentation

•ISMS scope.

Page 10: Implementing ISO27001 2013

ISO27001: Leadership

What?
•Demonstration of top management commitment to information security;
•Information security policy;
•Roles, responsibilities and authorities.

How?
•Security forum;
•Security task force;
•Visible board support.

Required documentation

•Information security policy.

Page 11: Implementing ISO27001 2013

ISO27001: Planning

What?
•Determine risks and opportunities which need to be addressed;
•Define an information security risk assessment process;
•Define an information security risk treatment process;
•Define information security objectives.

How?
•SWOT analysis;
•Risk assessment and treatment templates;
•ISO27005;
•Simple objectives with simple measures to begin with.

Required documentation

•Risk assessment process;
•Risk treatment process;
•Statement of Applicability;
•Information security objectives.

Page 12: Implementing ISO27001 2013

ISO27001: Support

What?
•Determine and provide the resources needed;
•Determine the necessary competence and ensure it is met;
•Staff awareness;
•Internal and external communication;
•The need for documented information.

How?
•Map competency to specific training;
•Staff document set and test;
•Comms plan;
•Quality management control of documents.

Required documentation

•Evidence of competence.

Page 13: Implementing ISO27001 2013

ISO27001: Operation

What?
•Perform risk assessment;
•Perform risk treatment.

How?
•Risk assessment and treatment templates;
•Involve top management.

Required documentation

•Results of risk assessment;
•Results of risk treatment.
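The Planning and Operation clauses above both turn on the same artefacts: a risk assessment, a treatment decision per risk, and the Statement of Applicability that ties Annex A controls to those decisions. The following Python is an added example, not code from the presentation or from Scott McAvoy; it keeps a small risk register, checks each entry against a risk appetite the way an internal audit of the treatment results would, and derives a draft Statement of Applicability from the controls actually applied. The 5x5 likelihood/impact scale, the appetite threshold of 8, the sample risks and the control subset are constructed assumptions; the four treatment options (retain, modify, share, avoid) are the ones ISO/IEC 27005 names.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RISK_APPETITE = 8  # assumed threshold: a score above this cannot simply be retained

# Risk treatment options as named in ISO/IEC 27005.
TREATMENTS = {"retain", "modify", "share", "avoid"}


@dataclass
class Risk:
    ref: str
    asset: str
    threat: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                     # 1 (negligible) .. 5 (severe), assumed scale
    treatment: str = "retain"
    controls: List[str] = field(default_factory=list)   # Annex A references applied
    residual_likelihood: Optional[int] = None           # after treatment, if changed
    residual_impact: Optional[int] = None

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return lk * im


def review_register(risks: List[Risk], appetite: int = RISK_APPETITE) -> List[Tuple[str, str]]:
    """Return (risk ref, finding) pairs for entries that would not survive an
    internal audit of the risk treatment results."""
    findings = []
    for r in risks:
        if r.treatment not in TREATMENTS:
            findings.append((r.ref, f"unknown treatment option '{r.treatment}'"))
            continue
        if r.treatment == "retain":
            # Retaining a risk is only acceptable inside the appetite.
            if r.inherent_score() > appetite:
                findings.append((r.ref, f"score {r.inherent_score()} exceeds appetite "
                                        f"{appetite} but risk is retained"))
            continue
        if r.treatment == "modify" and not r.controls:
            # 'Modify' means controls are applied; record which ones.
            findings.append((r.ref, "treatment is 'modify' but no controls are recorded"))
        if r.residual_score() > appetite:
            # Treatment must bring the risk back within appetite.
            findings.append((r.ref, f"residual score {r.residual_score()} still exceeds "
                                    f"appetite {appetite}"))
    return findings


def statement_of_applicability(risks: List[Risk], catalogue: Dict[str, str]) -> Dict[str, str]:
    """Map each catalogue control to a justification: the risks it treats, or a
    note that no risk maps to it, so its inclusion or exclusion must be justified."""
    users: Dict[str, List[str]] = {c: [] for c in catalogue}
    for r in risks:
        for c in r.controls:
            users.setdefault(c, []).append(r.ref)
    soa = {}
    for control, title in catalogue.items():
        if users[control]:
            soa[control] = f"{title}: applicable, treats {', '.join(users[control])}"
        else:
            soa[control] = f"{title}: no risk mapped, justify inclusion or exclusion"
    return soa


SAMPLE_RISKS = [  # constructed register entries
    Risk("R1", "Staff laptops", "Theft of an unencrypted laptop", 3, 4,
         "modify", ["A.6.2.1"], residual_likelihood=3, residual_impact=1),
    Risk("R2", "Server room", "Unescorted visitor tailgates into server room", 2, 5,
         "modify", ["A.11.1.2"], residual_likelihood=1, residual_impact=5),
    Risk("R3", "Finance system", "Leaver's account still active", 4, 3),  # retained above appetite
    Risk("R4", "Off-site backups", "Courier loses encrypted backup tape", 2, 3),
]

ANNEX_A_SAMPLE = {  # the Annex A controls used as examples in the talk
    "A.6.2.1": "Mobile device policy",
    "A.9.1.1": "Access control policy",
    "A.11.1.2": "Physical entry controls",
    "A.11.2.9": "Clear desk and clear screen policy",
    "A.15.1.2": "Addressing security within supplier agreements",
}

if __name__ == "__main__":
    for ref, msg in review_register(SAMPLE_RISKS):
        print(f"{ref}: {msg}")
    for control, line in statement_of_applicability(SAMPLE_RISKS, ANNEX_A_SAMPLE).items():
        print(f"{control} - {line}")
```

Run as written, the register review raises exactly one finding (R3 is retained although its score of 12 is above the appetite of 8) and the draft Statement of Applicability marks A.6.2.1 and A.11.1.2 as applicable while flagging the remaining three controls as unmapped rather than silently excluding them.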

Page 14: Implementing ISO27001 2013

ISO27001: Performance evaluation

What?
•Monitoring and measuring;
•Internal audit;
•Management review.

How?
•Simple measures to begin with;
•ISO27004;
•Audit programme;
•Review plan.

Required documentation

•Monitoring and measuring results;
•Audit programme;
•Audit results;
•Management review results.

Page 15: Implementing ISO27001 2013

ISO27001: Improvement

What?
•Nonconformities;
•Corrective actions;
•Continual improvement.

How?
•Nonconformity and corrective action templates;
•Internal and external audit;
•Internal and external penetration testing.

Required documentation

•Nature of nonconformities;
•Corrective actions taken;
•Results of corrective actions.

Page 16: Implementing ISO27001 2013

ISO27001:2013 Annex A Controls

• Mobile device policy
• Access control policy
• Physical entry controls
• Clear desk and clear screen policy
• Addressing security in supplier agreements
• Compliance with legal and contractual requirements

Page 17: Implementing ISO27001 2013

Annex A.6.2.1 - Mobile device policy

● Registration of mobile devices;
● Requirements for physical protection;
● Restriction of software installation;
● Restriction of connection to information services;
● Access controls;
● Cryptographic techniques;
● Remote disabling, wipe or lockout.

When using mobile devices, special care should be taken to ensure that business information is not compromised.

Page 18: Implementing ISO27001 2013

Annex A.9.1.1 - Access control policy

● Relevant legislation and any contractual obligations regarding limitation of access to data or services;

● Formal authorisation of access requests;
● Periodic review of access rights;
● Removal of access rights;
● Roles with privileged access.

Asset owners should determine appropriate access control rules, access rights and restrictions for specific user roles towards their assets.
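The four bullets on formal authorisation, periodic review, removal of access rights and privileged roles can be checked mechanically against an account inventory. The following Python is an added example, not material from the presentation: it reconciles a constructed list of accounts with a constructed roster of current staff and reports what an access-rights review would raise for the asset owner. The 90-day and 365-day review intervals, the employee ids, the review date and every account are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Assumed review policy: privileged roles re-certified every 90 days, others yearly.
REVIEW_INTERVAL = {True: timedelta(days=90), False: timedelta(days=365)}


@dataclass
class Account:
    username: str
    owner: str                  # employee id of the person the access was granted to
    role: str
    privileged: bool            # administrative or otherwise privileged role
    enabled: bool
    approved_by: Optional[str]  # who formally authorised the access request, if anyone
    last_reviewed: Optional[date]


def access_review(accounts: List[Account], active_staff: Set[str],
                  today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs an access-rights review should raise."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account holds no live access rights
        if acct.owner not in active_staff:
            # Removal of access rights: the owner is no longer on the roster.
            findings.append((acct.username, "owner has left: remove access rights"))
            continue
        if acct.approved_by is None:
            # Formal authorisation of access requests was never recorded.
            findings.append((acct.username, "no formal authorisation recorded"))
        interval = REVIEW_INTERVAL[acct.privileged]
        if acct.last_reviewed is None or today - acct.last_reviewed > interval:
            # Periodic review, with the shorter interval for privileged roles.
            findings.append((acct.username, f"review overdue ({interval.days}-day interval)"))
    return findings


REVIEW_DATE = date(2015, 6, 1)                   # constructed date of this review
ACTIVE_STAFF = {"E001", "E002", "E003", "E005"}  # constructed HR roster; E004 has left
SAMPLE_ACCOUNTS = [                              # constructed account inventory
    Account("alice", "E001", "sysadmin", True, True, "cto", date(2015, 4, 15)),
    Account("bob", "E002", "finance", False, True, "cfo", date(2014, 3, 1)),
    Account("carol", "E003", "sysadmin", True, True, "cto", date(2015, 1, 10)),
    Account("dave", "E004", "finance", False, True, "cfo", date(2015, 5, 20)),
    Account("erin", "E005", "developer", False, True, None, date(2015, 5, 1)),
    Account("svc_backup", "E001", "service", True, False, "cto", None),
]

if __name__ == "__main__":
    for user, finding in access_review(SAMPLE_ACCOUNTS, ACTIVE_STAFF, REVIEW_DATE):
        print(f"{user}: {finding}")
```

With the sample data, alice passes (a privileged role reviewed 47 days ago), bob's yearly review is overdue, carol's privileged account is 142 days past its last review, dave still holds access after leaving, erin's access was never formally approved, and the disabled service account is ignored. The output of such a run is the evidence the asset owner signs off as the periodic review record.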

Page 19: Implementing ISO27001 2013

Annex A.11.1.2 - Physical entry controls

● Date and time of entry and departure of visitors should be recorded;
● Visitors should be escorted at all times;
● Access to areas processing or storing sensitive information should be restricted to authorised individuals only;
● Physical or electronic records of access should be securely maintained;
● All personnel, whether internal or external, should wear visible identification;
● Access rights to secure areas should be regularly reviewed and updated.

Secure areas should be protected by appropriate entry controls to ensure only authorised personnel are allowed access.

Page 20: Implementing ISO27001 2013

Annex A.11.2.9 - Clear desk and clear screen policy

● Sensitive information should be locked away when not required or if the desk is vacated;

● Computer screens should be locked and require a password to unlock after a period of inactivity;

● Paper media should be removed from printers, scanners etc. immediately after use.

A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted.

Page 21: Implementing ISO27001 2013

Annex A.15.1.2 - Addressing security within supplier agreements

● Descriptions of the information and methods for accessing it;
● Legal and regulatory requirements;
● Acceptable use of information;
● Obligations of each party;
● Incident management procedures;
● Training and awareness requirements;
● Right to audit.

Supplier agreements should be established and documented to ensure understanding between organisations with regard to their obligations regarding information security.

Page 22: Implementing ISO27001 2013

Annex A.18.1 - Compliance with legal and contractual requirements

● Identification of all legal and contractual obligations;
● Data protection and retention;
● Protection of personally identifiable information.

The objective is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

Page 23: Implementing ISO27001 2013

Questions?

Scott McAvoy | @5c077mc | Managing Security Consultant

Page 24: Implementing ISO27001 2013

References and links

ISO/IEC, Oct 2013. ISO/IEC 27001:2013. Information technology - Security techniques - Information security management systems - Requirements.
ISO/IEC, Oct 2013. ISO/IEC 27002:2013. Information technology - Security techniques - Code of practice for information security controls.

7safe - Technical infrastructure and application testing training and external penetration testing
BSI - ISO27001 implementation and audit training and external audit
IT Governance - ISO27001 toolkits
27001 Academy - ISO27001 guidance and toolkits
AlienVault - Security Incident & Event Monitoring (SIEM)
SANS - Top 25 most dangerous errors in software
OWASP - Top 10 most critical data risks