Page 1

Information Security Management Systems – Certification value on IT Governance & Management

Copyright © 2012 BSI. All rights reserved.

24/10/2012 Fabrizio Giara ([email protected])

Page 2

Who is BSI? – 10 fast facts

• Global independent business services organization

• Founded in 1901

• No owners/shareholders… all profit reinvested into business

• >2,500 staff and >50% non-UK

• 57 offices located around the world

• #1 certification body in the UK, USA and Korea

• 64,000 clients in 147 countries

• £244.9m revenue in 2011

• World’s #1 Standards Body

• Standards, assessment, testing, certification, training, software

Page 3

Agenda

• Main points

• IT Governance

• IT Security (ISO 27000 series; certification against ISO 27001)

• IT Risk Analysis (ISO 27005 and the ISO 31000 series)

• ISO 27001 benefits

• Key 27000 series standards

• Trends in Information Risk / Security

Page 4

IT Governance

• Corporate governance of IT (ISO/IEC 38500:08 – see picture)

• Business process (ITIL: service delivery and service support; COBIT: control objectives, audit, with best practices)

• ISMS security: ISO 27000 series (ISO 27001 for certification) (CONFORMANCE – DIRECT)

• IT risk management (ISO 27005 and the ISO 31000 series) (EVALUATE)

• Audit: ISO 19011:2011 Guidelines for auditing management systems (MONITOR)

Page 5

ISO 27001 vs COBIT/ITIL

• ISO 27001 only addresses the selection and management of information security controls; COBIT/ITIL focus on IT governance (service delivery, service support, control objectives, audit guidelines, management guidelines).

• ISO 27001 is interested in:

• WHAT (requirements)

• WHY (risk mitigation, risk analysis and risk treatment)

• WHEN (tasks and schedules, window of vulnerability)

• WHO (roles and responsibilities)

• not HOW (that is the domain of COBIT/ITIL)

Page 6

The Importance of Information Security

For an organization to succeed, its information must be:

• available when needed

• reliable

• accessible only to those who need it

including customers, suppliers and other key stakeholders…

“Information can have great value as an organisational asset but can become a toxic liability if not handled properly”

Richard Thomas, UK Information Commissioner, 2008

Page 7

What ISO/IEC 27001 is not

• ISO/IEC 27001 is not an IT-only standard.

• There are no technology requirements in ISO/IEC 27001, such as a firewall or even the need for a computer.

• There are, however, IT-related controls.

Page 8

ISO/IEC 27002 Controls

Page 9

Building a Framework

Page 10

ISO/IEC 27001:2005 Annex A

11 Information Security Domains

5 Security policy

6 Organization of information security

7 Asset management

8 Human resources security

9 Physical and environmental security

10 Communications and operations management

11 Access control

12 Information systems acquisition, development and maintenance

13 Information security incident management

14 Business continuity management

15 Compliance


Page 11

Establish the ISMS (Plan)

Define the scope and boundaries of the Information Security Management System (ISMS)

Page 12

IT risk analysis (ISO 27005 / ISO 31000)

Page 13

ISO 27001 and ISO 20000-1 certification (from ISO 27013)

Page 14

Benefits of ISO/IEC 27001 Certification

Framework that takes account of your legal, regulatory and contractual requirements (see the Compliance domain; connected to the Italian D.Lgs. 231/01, which covers various information crimes).

Gives you the ability to demonstrate, and independently assure, the internal controls of your organization (corporate governance).

Proves that your senior management is committed to the security of your business and your customers’ information.

Helps provide your organization with a competitive advantage.

Gives you reference criteria for how to manage the IT system (“ISMS traceability with ISO standards”).

Increases stakeholder trust in the company’s “risk management” approach.

Page 15

Benefits of ISO/IEC 27001 Certification

Formalizes, and independently verifies, your Information Security processes, procedures and documentation

Independently verifies that risks to your organization are properly identified and managed

Demonstrates to your customers that security of their information is taken seriously

Risk analysis will be integrated with the other management systems (i.e. QMS/EMS/OHSAS), and the monitoring and measurement plan will be the tool to mitigate and control the risk.

Page 16

Product Attractiveness

Economic areas of interest (attractiveness: Low / Medium / High)

Low:

• Agriculture, fishing
• Chemical products and fibres
• Construction
• Engineering services
• Machinery and equipment
• Printing companies
• Recycling
• Shipbuilding

Medium:

• Education
• Electricity supply
• Food products, beverages and tobacco
• Gas supply
• Hotels and restaurants
• Publishing companies
• Transport, storage and communication
• Water supply
• Wholesale and retail trade

High:

• Aerospace
• Financial
• Health and social work
• Information Technology
• Nuclear fuel
• Other social services
• Pharmaceuticals
• Post and telecommunications
• Government, local government, public administration and defence

Page 17

Proven Benefits of 27001

87% of respondents to a recent BSI Erasmus survey stated that implementing ISO/IEC 27001 had a “positive” or “very positive” outcome.

• Increased ability to meet compliance requirements (69%)

• Increased ability to respond to tenders* (43%)

• Increased external customer satisfaction (51%)

• Increased relative competitive position* (43%)

• Decreased number of security incidents (39%)

• Decreased down-time of IT systems (39%)

• ROI and sales increased despite rise in cost to develop and support IT

* “Although we have only recently gained certification to ISO 27001, there are at least three recent incidences where we have won contracts as a result of certification.”

Page 18

Key 27000 series standards

• ISO/IEC 27002 - Code of Practice for Information Security Management. Estimated publication date of revision: 2013 (NOT CERTIFIABLE)

Establishes: guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.

• ISO/IEC 27001 - Requirements for an Information Security Management System. Estimated publication date of revision: 2013 (CERTIFIABLE)

Specifies: the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within the context of the organization’s overall business risks.

It specifies requirements for the implementation and selection of adequate and proportionate security controls.

Page 19

ISO/IEC 27000 Series – Published

ISO/IEC 27000 - Overview and vocabulary (2009)

ISO/IEC 27001 - Information security management systems – Requirements (2005; revision 2013: today at ISO/IEC CD 27001, with the TC JTC1/SC27 at stage 30.60)

ISO/IEC 27002 - Code of practice for information security management (2005)

ISO/IEC 27003 - ISMS implementation guidance (2010)

ISO/IEC 27004 - Information security management – Measurement (2009)

ISO/IEC 27005 - Information security risk management (2011)

ISO/IEC 27006 - Guidance to certification bodies (2007)

ISO/IEC 27007 - Guidelines for ISMS auditing (2011)

ISO/IEC 27008 - Guidelines for auditors on information security controls (2011)

ISO/IEC 27010 - Guidance for inter-sector and inter-organizational communications (2012)

ISO/IEC 27011 - Guidance to telecommunications (2008)

ISO/IEC 27031 - Guidelines for ICT readiness for business continuity (2011)

ISO/IEC 27033-1 - Security techniques, network security (2009)

Page 20

Other 27000 standards in development

ISO/IEC 27013 Guidelines on the integrated implementation of ISO/IEC 27001 & ISO/IEC 20000-1 (2012)

ISO/IEC 27014 Governance of information security (2012)

ISO/IEC 27015 Information security management guidelines for financial services (2013)

ISO/IEC 27016 Information security management – Organizational economics (2014/15)

ISO/IEC 27017 Information Security in Cloud Computing (relevant controls in 27001) (2014)

ISO/IEC 27018 Information Security in Cloud Computing (relevant controls in 27001 - DP/Privacy) (2014)

ISO/IEC 27032 Guidelines for cyber-security (2012)

ISO/IEC 27034 Guidelines for application security (6 part standard) (2012…)

ISO/IEC 27036 Information security for supplier relationships (4 part standard) (2012/13)

ISO/IEC 27037 Guidelines for identification, collection, acquisition and preservation of digital evidence (possibly a 4 part standard) (2013/14)

ISO/IEC 27038 Specification for digital redaction (2013)

ISO/IEC 27039 Selection, deployment and operations of intrusion detection and prevention systems (2013/14)

ISO/IEC 27040 Storage security (2014)

Page 21

Trends in Information Risk / Security

• Government move towards ‘shared services’

• Greater outsourcing / off-shoring

• Cloud Computing (“Software as a Service”…). For the cloud area, JTC1 is working on the new ISO/IEC DIS 17826:2011 Cloud Data Management Interface (CDMI™).

• In the cloud area, BSI is working with the Cloud Security Alliance and other primary organisations to consider the control objectives for the new cloud architecture (i.e. ISO/IEC WD TS 27017 Information technology – Security techniques – Information security management – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002).

• The new ISO 27001 (final version 2013) is today at ISO/IEC CD 27001 (the TC, JTC1/SC27, is at stage 30.60).

• Convergence of business continuity, resilience and ICT readiness (new ISO 22301 on business continuity; on 24 May there was a national presentation in Milan, focused on the business continuity plan (clause 8.4.4) and recovery (clause 8.4.5) of ISO 22301).

Page 22

Trends in Information Risk / Security

• Risk analysis will be the tool to manage and control risk (ISO 31000)

• Third-party registration helps to follow the new EU directive in the IT field concerning new technologies (Annex A, ISO 27001)

• PAS 99:2006 Specification of common management system requirements as a framework for integrating management systems (i.e. for ISO/IEC 27001:05 and ISO/IEC 20000:05 Information technology – Service management; see ISO 27013)

• Increased use of mobile working / ‘consumerisation’ (“Bring Your Own Device”)

• Growth in use of social media
