ISO 27001 Foundation Course Instructor Guide - ITpreneurs



Page 1: ISO 27001 Foundation Course Instructor Guide - ITpreneurs


Certified ISO/IEC 27001

Foundation

Instructor Guide

Information Security Training


Copyright ISO 27001 Foundation, Classroom course, release 2.0.0

Copyright and Trademark Information for Partners/Stakeholders.

ITpreneurs Nederland B.V. is affiliated to Veridion.

Copyright © 2013 ITpreneurs. All rights reserved.

Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.

The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.


Certified ISO/IEC 27001 | Foundation | Instructor Guide

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 1

Follow Us

Before you start the course, please take a moment to:

“Like us” on Facebook

http://www.facebook.com/ITpreneurs

“Follow us” on Twitter

http://twitter.com/ITpreneurs

"Add us in your circle" on Google Plus

http://gplus.to/ITpreneurs

"Link with us" on Linkedin

http://www.linkedin.com/company/ITpreneurs

"Watch us" on YouTube

http://www.youtube.com/user/ITpreneurs



Contents: Certified ISO/IEC 27001 Foundation

Day 1 ------------------------------------------------------------ 2
Day 2 ------------------------------------------------------------ 114
Appendix A: Exercises List ---------------------------------- 205
Appendix B: Correction Key ---------------------------------- 217
Appendix C: Release Notes ---------------------------------- 224


Day 1

ISO 27001 Foundation


Schedule for Day 1

• Section 1: Course objective and structure
• Section 2: Standard and regulatory framework
• Section 3: Information Security Management System (ISMS)
• Section 4: Understanding the organization, analysis of the existing system and security policies
• Section 5: Selection of the approach and methodology for risk assessment and identification of risk
• Section 6: Risk Estimation and Evaluation
• Section 7: Risk Treatment and Risk Acceptance
• Section 8: Statement of applicability and authorization by management for the ISMS implementation
• Section 9: Definition of the organizational structure of Information Security

© 2011 PECB, Version 3.1. Principal authors: René Saint-Germain and Éric Lachapelle. Document number: 27001FdD1V3.1. Documents provided to participants are strictly reserved for training purposes and are copyrighted by PECB. Unless otherwise specified, no part of this publication may be reproduced or used in any way or format or by any means, whether electronic or mechanical, including photocopy and microfilm, without PECB's written permission.


ISO 27001 Foundation Training

Section 1: Course objective and structure

1. Meet and greet

2. General points

3. Training objectives and structure

4. Instructional approach

5. Learning assessment


Activity: Meet and greet

To break the ice, participants introduce themselves, stating:
• Name
• Position
• Knowledge of and experience with Information Security
• Knowledge and experience with the ISO/IEC 27000 family of standards
• Knowledge and experience with other management systems (ISO 9001, ISO 14001, ISO 20000, etc.)
• Objectives to be reached by participating in this course

Duration of activity: 20 minutes


General Information

• Smoking
• Meals
• Timetable and breaks
• Mobiles
• Absences

For simplification, only the masculine is used throughout this training.


Training Objectives: Acquiring Knowledge

1. Explain the components of an Information Security Management System based on ISO/IEC 27001:2005 and its principal processes
2. Explain the goal, content and correlation between ISO/IEC 27001:2005 and ISO/IEC 27002:2005, as well as with other standards and regulatory frameworks
3. Understand the concepts, approaches, standards, methods and techniques for the implementation and effective management of an ISMS

The training focuses on the acquisition of the knowledge necessary for the implementation of a compliance framework for ISO/IEC 27001:2005, not on the acquisition of expertise in information security. Minimal knowledge of information security is, however, required for successful completion of the course.


Educational Approach: Students at the center

This course is primarily based on:
• Trainer-led sessions, where questions are welcomed.
• Student involvement in various ways: exercises, notes, reactions, discussions (participant experiences).

Remember, this course is yours: you are the main players in its success. Students are encouraged to take additional notes. Exercises are essential to acquiring the competencies required at the foundation level, so it is very important to do them conscientiously. Moreover, even though they are not scored, exercises prepare students for the exam.


Examination and Certification: Exam

• The objective of the exam is to ensure that the candidate has the basic knowledge and skills to participate in the implementation of an Information Security Management System (ISMS) based on ISO 27001
• The exam only contains essay questions
• The participants have the right to use all their documentation
• The exam lasts 1 hour
• Minimum passing score: 70%

The objective of the exam is to ensure that the candidate has the basic knowledge and skills to participate in the implementation of an Information Security Management System (ISMS) based on ISO 27001. The exam consists of essay-type questions. During the examination participants may use all PECB-provided documentation plus their own course notes, but will not be permitted to use any computer, laptop or other electronic device. The exam lasts one hour.


ISO 27001 Foundation: Prerequisites for Certification

1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. No professional experience required
4. No security experience required

Passing the exam is one of the prerequisites for attaining an ISO 27001 Foundation professional credential. A second important prerequisite is to adhere to the PECB Code of Ethics. As the ISO 27001 Foundation professional certification is an entry-level credential, students are not required to have professional experience, ISMS project experience and/or audit experience. The criteria and process leading to certification will be explained in full during Day 2 of the course.


Certificates

Candidates who meet all the prerequisites for certification will receive a certificate:

When the candidate receives certification, he receives from PECB an attestation (i.e. the credential) valid for three years. Afterwards a renewal is issued on the condition that he continues to meet the requirements for maintaining certification.


What is PECB?

Main services:
1. Certification of personnel (Auditor and Consultant)
2. Certification of training organizations
3. Certification of trainers

Professional Evaluation and Certification Board

Founded in 2005, PECB is a personnel certification body for various standards, including ISO 9001 (Quality), ISO 14001 (Environment), OHSAS 18001 (Health & Safety), ISO 20000 (IT Service), ISO 22000 (Food Safety), ISO 22301 (Business Continuity), ISO 26000 (Social Responsibility), ISO 27001 (Information Security), ISO 27005 (Information Security Risk) and ISO 28000 (Supply Chain Security). Our mission is to provide our clients with comprehensive individual examination and certification services. PECB develops, maintains and continuously improves high-quality, recognized certification programs.

The purpose of PECB, as stated in its Bylaws, is to develop and promote professional standards for certification and to administer credible certification programs for individuals who practice in disciplines involving the audit and the implementation of a compliance management system. This principal purpose includes:

• Establishing the minimum requirements necessary to qualify certified professionals
• Reviewing and verifying the qualifications of applicants for eligibility to sit for the certification examinations
• Developing and maintaining reliable, valid, and current certification examinations
• Granting certificates to qualified candidates, maintaining certificant records, and publishing a directory of the holders of valid certificates
• Establishing requirements for the periodic renewal of certification and determining compliance with those requirements
• Ascertaining that certificants meet and continue to meet the PECB Code of Ethics
• Representing its members, where appropriate, in matters of common interest
• Promoting the benefits of certification to employers, public officials, practitioners in related fields, and the public


Customer Service: Comments, questions and complaints

Complaint handling between the Training Participant, the Training Provider and PECB:
1. Submit a complaint
2. Answer in writing
3. Appeal
4. Final arbitration (PECB)

In order to ensure your satisfaction and continuously improve the training, the PECB Customer Service has established a system for handling complaints. In case of dissatisfaction with the training (trainer, equipment ...) or the certification process, please contact us. As a first step, we invite you to discuss the situation with the trainer. If needed, do not hesitate to contact the head of the training organization where you are registered. In all cases, we remain at your disposal to arbitrate any dispute that might arise between you and these parties.

PECB Customer Service
7275 Sherbrooke East, Suite 32
CP 49060
Montreal, QC H1N 1H0
Canada
www.pecb.org
[email protected]


Schedule for the training

Day 1 (AM): Introduction to ISO/IEC 27001:2005 and planning of an ISMS
• Section 1: Course objective and structure
• Section 2: Standard and regulatory framework
• Section 3: Information Security Management System (ISMS)
• Section 4: Understanding the organization, analysis of the existing system and security policies
• Section 5: Selection of the approach and methodology for risk assessment and identification of risk (part 1)

Day 1 (PM): Risk assessment, treatment and acceptance and Statement of Applicability
• Section 5: Selection of the approach and methodology for risk assessment and identification of risk (part 2)
• Section 6: Risk Estimation and Evaluation
• Section 7: Risk Treatment and Risk Acceptance
• Section 8: Statement of applicability and authorization by management for the ISMS implementation
• Section 9: Definition of the organizational structure of Information Security

Day 2 (AM): Implementation of an ISMS
• Section 10: Definition of the document management process
• Section 11: Design of security controls and drafting of specific policies & procedures
• Section 12: Implementation of security controls

Day 2 (PM): Check of an ISMS, Continuous Improvement and exam
• Section 13: Check of an ISMS
• Section 14: Continuous Improvement
• Section 15: Closure of the training and exam preparation
• Exam


QUESTIONS?

Section summary:
• The main objective of this training is to acquire the basic knowledge and skills to participate in the implementation of an Information Security Management System (ISMS) based on ISO 27001.
• Success of the training is based on participant involvement (experience feedback, discussions, exercises, etc.).
• The final exam is an open-book 1-hour exam and is focused on the candidate's understanding of ISMS concepts applied to ISO 27001 certification.


ISO 27001 Foundation Training

Section 2: Standard and regulatory framework

1. ISO structure

2. Fundamental ISO principles

3. Main ISO standards

4. Integrated normative framework

5. Information Security Standards

6. ISO 27000 family

During this training, we will adopt the following convention: standards will often be referenced as "ISO XXXX" in the slides instead of by their official designation "ISO/IEC XXXXX:20XX", without specifying their publication date, each reference meaning the latest version. ISO documents provided to participants are strictly reserved for this training session and are copyright protected by ISO. No part of this publication may be reproduced by any means or used in any way, whether electronic or mechanical, including photocopies and microfilms, without written permission from ISO (see address below) or from the ISO member body located in the country of the person or the related organization. Copies of the different ISO standards can be bought on the www.iso.org site or from the accreditation authority of each country.


What is ISO?

ISO is a network of national standardization bodies of over 160 countries

The final results of ISO works are published as international standards

Over 17,000 standards have been published since 1947

History

The International Standards Organisation, more commonly called ISO, was created in 1947. It is a non-governmental organization that holds a special position between the public sector and the private sector. Its members include national standards organizations who often are part of government structures in their countries or who are mandated by these governments. On the other hand, other members only have their roots in the private sector, created by national partnerships of industry associations.

Goals/Advantages

The role of ISO is to facilitate international coordination and the uniformization of industrial standards. To reach these objectives, ISO has published technical standards. These standards contribute to the development, manufacturing and delivery of products and services that are more effective, safer and clearer. They facilitate fair trade between countries. In addition, they bring a technical foundation for health, security, and environmental legislation to governments, and they help transfer technologies to developing countries. ISO standards are also used to protect consumers and general users of products and services. These standards are also used to simplify their lives.

Source: www.iso.org


1. Equal representation: 1 vote per country

2. Voluntary membership: ISO does not have the authority to implement its standards

3. Business orientation: only develops standards that fill market needs

4. Consensus approach: looking for a large consensus among the different stakeholders

5. International cooperation: over 160 member countries

Basic Principles – ISO Standards

ISO basic principles

1. Equal representation: Every ISO member (full-fledged member) has the right to participate in the development of any standard it judges important to the economy of its country. Whatever the size or strength of the economy, each participating member can claim their right to vote. ISO activities are thus carried out in a democratic structure where member countries are on the same footing in terms of their influence on work orientation.

2. Voluntary: ISO standards are voluntary. As a non-governmental organization, ISO has no legal authority for their implementation. A percentage of ISO standards – more particularly those related to health, security and the environment – have been adopted in several countries as part of the regulatory framework, or are mentioned in the legislation for which they act as technical basis. Such adoptions are sovereign decisions by regulatory organizations or governments of the affected countries. ISO itself does not regulate or legislate. However, although ISO standards are voluntary, they can become a market requirement, as is the case with ISO 9001 or with freight container dimensions, the traceability of food products, etc.

3. Business orientation: ISO only develops standards for which a market demand exists. Work is carried out by experts in the related industrial, technical and business sectors. These experts may be joined by other experts holding the appropriate knowledge, such as public organizations, the academic world and testing laboratories.

4. Consensus approach: ISO standards are based on a representative consensus approach of the different stakeholders (experts, industries, researchers, governments, etc.). This ensures a larger broadcast and a greater application.

5. International cooperation: ISO standards are technical agreements that bring, at the international level, technological compatibility structures. Developing a technical consensus on an international scale is a major activity. 3,000 technical ISO groups are identified (technical committees, subcommittees, work groups, etc.) within which 50,000 experts take part in developing standards annually.

Source: www.iso.org


Eight ISO Management Principles

• Customer orientation: Organizations depend on their customers. Consequently, the current and future needs of clients should be understood, their requirements fulfilled, and their expectations anticipated. ISO 27001 Implications -> Security controls to be set in place and determination of the risk acceptance threshold must account for business needs and client concerns.

• Leadership: Top management establishes the purpose and orientations (policies) of the organization. It is agreed that they create and maintain an internal environment where people can get fully involved in the achievement of the organization's objectives. ISO 27001 Implications -> Without a clear demonstration of leadership, the implementation of a system as complex as ISO 27001 is doomed to failure.

• Personnel involvement: People at all levels are the essence of an organization, and total involvement on their part allows the use of their skills for the benefit of the organization. ISO 27001 Implications -> An information security program could not reach its objectives without the involvement of the majority of stakeholders and having them understand their responsibilities.

• Process approach: This is the idea that any activity of an organization can be designed as an interrelated series of actions. The process approach makes it possible to target improvement interventions and to quantify/measure the performance of the organization. ISO 27001 Implications -> The organization must identify the key processes to determine those critical to the success of the organization and therefore those that must be protected.

• System management approach: The organization's activities must be managed as a system whose goal is to allow the organization to achieve its mission. ISO 27001 Implications -> The organization must put controls in place that protect the information wherever it is located in the organization.

• Continuous improvement: The continuous improvement of the global performance is a permanent objective of the organization. ISO 27001 Implications -> The organization will need to continually improve the efficiency of the ISMS using the information security policy, information security objectives, audit results, analysis of supervised events, corrective and preventive actions, and management review and validation.

• Factual approach to decision making: Effective decisions are based on the analysis of data and information. ISO 27001 Implications -> Management must be able to make informed decisions in regard to security. This involves the implementation of metrics and a scoreboard to determine the facts and carry out event analyses.

• Mutually beneficial supplier relationship: An organization and its suppliers are interdependent, and relations benefiting both parties increase their capacity to create value. ISO 27001 Implications -> Security controls to be set in place and determining the risk acceptance threshold must account for the business needs and obligations of partners and suppliers.

Source: www.iso.org


Management System Standards: Main standards against which an organization can get certified

• ISO 9001: Quality
• ISO 14001: Environment
• ISO 18001: Health and Safety at work
• ISO 20000: IT Service
• ISO 22000: Food Safety
• BS 25999: Business continuity
• ISO 27001: Information security
• ISO 28000: Physical Safety

From 1947 to date, ISO has published over 17,000 international standards. The ISO work program includes standards related to traditional activities such as agriculture and construction, media devices and the most recent developments in information technologies, such as the digital coding of audiovisual signals for multimedia applications. The ISO 9000 and ISO 14000 families are among the best-known ISO standards. The ISO 9000 standard has become an international reference with respect to quality requirements in commerce and business transactions. The ISO 14000 standard, for its part, is used to help organizations meet challenges of an environmental nature.

ISO 9001:2008 is related to quality management. It contains the good practices that aim to improve customer satisfaction, achievement of customer requirements and regulatory requirements, as well as continuous improvement actions in those fields. In December of 2007, 951,486 organizations were certified ISO 9001:2000 (China having the most organizations certified: 210,773).

ISO 14001:2004 is mainly related to environmental management. It defines the actions that the organization can implement for the maximum reduction of negative impacts of its activities on the environment and for the continuous improvement of its environmental performance. In December 2006, 154,572 organizations were certified ISO 14001:2004 (Japan having the most certified organizations: 30,489).

OHSAS 18001:2007 (OHSAS = Occupational Health and Safety Assessment Series) defines objectives for the management of occupational health and safety. The ISO 18001 standard was never published because of disagreements within ISO committees, so OHSAS 18001 became the de facto standard for organizational safety. OHSAS is a private standard based on national standards (BS 8800, UNE 81900, VCA) and guidance from certification bodies (OHSMS, SafetyCert, SMS 8800).


ISO/IEC 20000-1:2005 defines the requirements that an information technology service provider must apply. This standard applies to service providers regardless of the organization's size or form. The standard consists of two parts. The first part defines the specifications the organization shall apply to obtain certification. The second part (ISO/IEC 20000-2:2005) explains the different practices or recommendations to reach the objectives previously defined.

ISO 22000:2005 covers the creation and management of a food safety management system (FSMS). This standard applies to all organizations that are involved in any aspect of the food supply chain and want to implement a system to continuously provide safe food. This standard focuses on personnel competencies and continuous information research about food products (new legislation, standards, rules…). Organizations must perform a HACCP (Hazard Analysis Critical Control Point) analysis to identify, analyze and evaluate the risks to food safety. For each risk that has been defined as significant, the organization must define controls to implement.

BS 25999-2:2007 defines the requirements that an organization must apply to certify a Business Continuity Management System (BCMS). The first part (BS 25999-1:2006) is a code of practice that explains the different practices or recommendations to establish a BCMS. BS 25999-1:2006 establishes the procedures, principles and terminology of BCM. It defines a basis for the understanding, development and implementation of business continuity in an organization, whatever its size or sector. Its methodology is based on the lifecycle of the BCMS.

ISO/IEC 27001:2005 defines the requirements that an organization must apply to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes. The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good-practice security controls.

ISO 28000:2007 prescribes the requirements applicable to a security management system for the supply chain. An organization has to define, implement, maintain, and improve a supply chain security management system during each step of production: that is, manufacturing, maintenance, storage or transport of goods.


Integrated management system: PAS 99:2006, Annex B

Correspondence between PAS 99:2006 clauses and the clauses of ISO 9001:2000, ISO 14001:2004, ISO 20000:2005 and ISO 27001:2005:

4.1 General requirements: ISO 9001: 4.1; ISO 14001: 4.1; ISO 20000: 3; ISO 27001: 4.1, 4.2
4.2 Management system policy: ISO 9001: 5.1, 5.3; ISO 14001: 4.2; ISO 20000: 3.1, 4.4.1; ISO 27001: 5.1
4.3 Planning: ISO 9001: 5.2, 5.3(b), 5.4.1, 5.4.2, 5.5, 7.2.1, 7.2.2, 8.3; ISO 14001: 4.3, 4.4.1, 4.4.7; ISO 20000: 4.1, 4.2, 5.0, 8.2; ISO 27001: 4.2
4.4 Implementation and operation: ISO 9001: 4.2, 5.3(d), 5.5.1, 5.5.3, 6, 7; ISO 14001: 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.5.4; ISO 20000: 4.2, 6.0, 3.1, 3.2, 3.3, 7; ISO 27001: 4.2.2, 4.2.4(c), 4.3, 5.2.1, 5.2.2
4.5 Performance evaluation: ISO 9001: 8.1, 8.2.2, 8.2.4, 8.3; ISO 14001: 4.5.1, 4.5.2, 4.5.3, 4.5.5; ISO 20000: 4.3; ISO 27001: 4.2.3, 4.2.4, 6
4.6 Improvement: ISO 9001: 8.5.1, 8.5.2, 8.5.3; ISO 14001: 4.5.3; ISO 20000: 4.4, 4.2.4(b), 8.2, 8.3; ISO 27001: 4.2.4, 8.1, 8.2, 8.3
4.7 Management review: ISO 9001: 5.6.1, 5.6.2, 5.6.3; ISO 14001: 4.6; ISO 20000: 3.1(g); ISO 27001: 7.1, 7.2, 7.3

The standards related to the implementation of a management system are all based on the same principles and contain a set of requirements that are common or similar, such as:
• Policy of the Management System
• Management Commitment
• Internal Audit
• Management Review
• Continuous Improvement

PAS 99:2006

PAS 99 (Publicly Available Specification) is a reference framework helping organizations that want to implement a management system by integrating more than one of the following standards: ISO 9001, ISO 14001, ISO 27001, ISO 20000, ISO 22000, or OHSAS 18001 (Occupational Health and Safety Assessment Series). The objective of implementing PAS 99 is to simplify the setting up (deployment) of several management systems originating from different standards by avoiding conflicts between systems and by reducing duplicate documents and over-documentation (aligning and incorporating the ISMS with the requirements of other management systems).

Page 28: ISO 27001 Foundation Course Instructor Guide - ITpreneurs


Security Standards: Examples

ISO/IEC 15408:2005-2008: Under the general title Common Criteria, the scope of this standard is to be used as a basis to evaluate the security properties of products and systems of Information Technology (IT). It contains the following parts:

• Part 1: Introduction and general model (2005)
• Part 2: Functional security requirements (2008)
• Part 3: Assurance of security requirements (2008)

ISO/IEC TR 18044:2004: Information Technologies – Security Techniques – Information security incident management. This standard is a guide in matters of information security incident management aimed at those involved in the security of information systems.

ISO/IEC 21827:2008 specifies the Systems Security Engineering - Capability Maturity Model® (SSE-CMM®), which describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering. ISO/IEC 21827:2008 does not prescribe a particular process or sequence, but captures practices generally observed in industry. The objective is to facilitate an increase in the maturity of the security engineering processes within the organization. The SSE-CMM® is related to other CMMs which focus on different engineering disciplines and topic areas and can be used in combination or conjunction with them.

ISO/IEC 27033-1:2009 provides an overview of network security and related definitions. It defines and describes the concepts associated with, and provides management guidance on, network security. (Network security applies to the security of devices, security of management activities related to the devices, applications/services and end-users, in addition to security of the information being transferred across the communication links.) Overall, it provides an overview of the ISO/IEC 27033 series and a “road map” to all other parts.

Page 29: ISO 27001 Foundation Course Instructor Guide - ITpreneurs


ISO/IEC 27000 Family

Vocabulary:
• ISO 27000: Vocabulary

Requirements:
• ISO 27001: ISMS requirements
• ISO 27006: Certification organization requirements

General guides:
• ISO 27005: Risk management
• ISO 27004: Metrics
• ISO 27003: Implementation guide
• ISO 27002: Code of practice
• ISO 27007-27008: Audit guides

Industry guides:
• ISO 27011: Telecommunications
• ISO 27799: Health
• ISO 270XX: others

The ISO/IEC 27000 family has been published progressively since 2005. ISO/IEC 27001:2005 is the only certifiable standard of the ISO/IEC 27000 family. The other standards are guidelines.

• ISO/IEC 27000:2009: This information security standard develops the basic concepts as well as the vocabulary that applies when analyzing an ISMS.
• ISO/IEC 27001:2005: This information security standard defines the requirements of the ISMS.
• ISO/IEC 27002:2005 (previously ISO/IEC 17799): Guide of best practices for the management of information security. This standard defines objectives and recommendations in terms of information security and anticipates meeting global concerns of organizations relating to information security for their overall activities.
• ISO/IEC 27003:2010: Guide for implementing or setting up an ISMS.
• ISO/IEC 27004:2009: This International Standard provides guidance and advice on the development and use of measurements in order to assess the effectiveness of the ISMS, control objectives, and controls used to implement and manage information security, as specified in ISO/IEC 27001.
• ISO/IEC 27005:2008: Guide for information security risk management which complies with the concepts, models and general processes specified in ISO 27001.
• ISO/IEC 27006:2007: Guide for organizations auditing and certifying ISMSs.
• ISO/IEC 27007:20XX and ISO/IEC 27008:20XX: Guides for auditing ISMSs.
• ISO/IEC 27011:2009: Guidelines for the use of ISO/IEC 27002:2005 in the telecommunications industry.
• ISO/IEC 27799:2009: Guidelines for the use of ISO/IEC 27002:2005 in health services.

Page 30: ISO 27001 Foundation Course Instructor Guide - ITpreneurs


Legal Conformity

• The organization must comply with the applicable laws and regulations
• In most countries, the implementation of an ISO standard is a voluntary decision of the organization, not a legal condition
• In all cases, laws take precedence over standards

ISO 27001 can be used to comply with several laws and regulations.

ISO/IEC 27002:2005, domain 15 - Compliance

15.1 Compliance with legal requirements

Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. The design, operation, use, and management of information systems may be subject to statutory, regulatory, and contractual security requirements. Advice on specific legal requirements should be sought from the organization’s legal advisers, or suitably qualified legal practitioners. Legislative requirements vary from country to country and may vary for information created in one country that is transmitted to another country (i.e. trans-border data flow).

15.1.1 Identification of applicable legislation

Control: All relevant statutory, regulatory, and contractual requirements and the organization’s approach to meet these requirements should be explicitly defined, documented, and kept up to date for each information system and the organization.

Implementation guidance: The specific controls and individual responsibilities to meet these requirements should be similarly defined and documented.

Page 31: ISO 27001 Foundation Course Instructor Guide - ITpreneurs


Certification Schema

Parties shown in the certification schema:

• Accreditation authorities (Ex: ANAB (USA) – SCC (Canada) – UKAS (UK) – COFRAC (France) – BELAC (Belgium) – SAS (Switzerland)): accredit the certification bodies
• Certification bodies (Ex: SGS – Bureau Veritas – DNV – Swiss TS): certify organizations and hire auditors
• Personnel certification bodies (Ex: PECB/IRCA/RABQSA): certify auditors and certify trainers
• Training organizations (Ex: Behaviour): train the auditors
• Auditors: audit the auditees
• Auditee: the organization whose management system is audited

The certification process involves the following parties:

• Accreditation authorities (responsible for the assessment and the accreditation of certification organizations) (SCC, UKAS, COFRAC, etc.);
• Certification bodies (responsible for managing the certification activities of their customers and performing audits on their customers’ management system) (BSI, Bureau Veritas, DNV, TUV, etc.);
• Organizations whose management system is subject to certification and who are customers of certification bodies.

Certification bodies are responsible for the registration of organizations to ISO/IEC 27001:2005 and for employing auditors.

Page 32: ISO 27001 Foundation Course Instructor Guide - ITpreneurs


Certification Process

1. ISMS implementation
2. Internal audit and review of ISMS (by the auditee)
3. Selection of a certification body
4. Pre-evaluation audit (optional)
5. Stage 1 audit
6. Stage 2 audit (on-site audit)
7. Follow-up audit (if applicable)
8. Confirmation of registration
9. Continual improvement and surveillance audit

The slide groups these steps into three phases: before the audit, initial audit, and following the audit.

Selection of the certification body (registrar): Each organization can select the certification body (registrar) of its choice.

Pre-evaluation (optional): An organization can choose to do a pre-audit to measure the gap between its current ISMS and the ISO 27001 requirements.

Stage 1 audit: This is the conformity review of the design of the ISMS and the related documents. The main objective is to verify that the ISMS is designed to achieve the organization’s policy objectives and to meet the requirements of the audit standard. It is recommended that at least some portion of the stage 1 audit is performed on-site at the auditee’s premises.

Stage 2 audit (on-site audit): The stage 2 audit objective is to evaluate whether the declared ISMS conforms to all ISO/IEC 27001:2005 requirements, is actually implemented in the organization and can allow the organization to reach its security objectives. Stage 2 takes place at the site(s) of the organization where the ISMS is implemented.

Follow-up audit and confirmation of registration: If the auditee has nonconformities that require a new audit before being certified, the auditor will perform a follow-up visit to validate only the action plans linked to the nonconformities (usually one day). If the organization has complied with the conditions of the standard, the registrar confirms the registration and publishes the certificate.

Continuous improvement and surveillance audit: Once an organization is registered, surveillance activities are conducted by the certification body to ensure that the ISMS still complies with the standard. The surveillance activities must include on-site audits (at least 1/year) to verify the conformity of the certified client's management system, and can also include: investigations following a complaint, review of a website, a written request for follow-up, etc.

Page 33: ISO 27001 Foundation Course Instructor Guide - ITpreneurs


ISO 27001 Foundation Training

Section 3 Information Security Management System (ISMS)

1. Definition of an ISMS

2. Process approach

3. Structure of the ISO 27001 standard

4. Overview – Clauses 4 to 8

5. Annex A

6. Implementation methodology

Page 34: ISO 27001 Foundation Course Instructor Guide - ITpreneurs


Information Security Management System

ISO 27001, clause 3.7

“That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security”

Note: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

Organizations use management systems to develop policies and implement them using:

• An organizational structure
• Systematic processes and associated resources
• An evaluation methodology
• A review process to ensure that problems are properly corrected and that the opportunities for improvement are recognized and implemented when appropriate.

Note: What has been implemented should be monitored and measured; what is controlled and measured must be managed. ISO/IEC 27001:2005 states that an organization must evaluate the effectiveness of the implemented controls to ensure that security requirements are met (clause 4.2.3.c). This clause is an essential part of the ISMS because without measuring the performance of security controls, it is impossible to know the effectiveness of the controls and therefore whether the organization is truly protected.

Page 35: ISO 27001 Foundation Course Instructor Guide - ITpreneurs


Structure of the ISO/IEC 27001:2005 standard

Elements of the standard shown on the slide:

• Annex A: Control objectives and controls
• Clause 4.2.1: Establish the ISMS
• Clause 4.2.2: Implement and operate the ISMS
• Clause 4.2.3: Monitor and review the ISMS
• Clause 4.2.4: Maintain and improve the ISMS
• Clause 5: Management responsibility
• Clause 6: Internal ISMS audits
• Clause 7: Management review
• Clause 8: ISMS improvement

An organization seeking certification to ISO/IEC 27001:2005 must comply with all terms defined in sections 4 to 8 of the standard, define the applicable controls in the statement of applicability, and justify the inapplicable controls of Annex A. This international standard adopts the process model “Plan-Do-Check-Act” (PDCA), or the “Deming wheel”, which is applied to the structure of all the processes in an ISMS. The figure illustrates how an ISMS uses as input the requirements concerning information security and the expectations of the stakeholders, and how it produces, with the necessary actions and processes, the information security results that meet the requirements and expectations.

Plan (establishing the ISMS): Establish the policy, the ISMS objectives, processes and procedures related to risk management and the improvement of information security to provide results in line with the global policies and objectives of the organization.

Do (implementing and operating the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.

Check (monitoring and review of the ISMS): Assess and, if applicable, measure the performance of the processes against the policy, objectives and practical experience, and report the results to management for review.

Act (update and improvement of the ISMS): Undertake corrective and preventive actions, on the basis of the results of the ISMS internal audit and management review, or other relevant information, to continually improve the said system.

Page 36: ISO 27001 Foundation Course Instructor Guide - ITpreneurs


Establish the ISMS: ISO 27001, clause 4.2.1 a to j

a) Define scope and boundaries of the ISMS
b) Define an ISMS policy
c) Define the risk assessment approach
d) Identify the risks
e) Analyze and evaluate the risks
f) Identify and evaluate risk treatment options
g) Select control objectives and controls
h) Approve residual risks
i) Obtain management approval
j) Prepare the statement of applicability

ISO/IEC 27001:2005, clause 4.2.1 Establish the ISMS

• Define the scope and boundaries of the ISMS
• Define an ISMS policy
• Define the risk assessment approach of the organization
• Identify the risks
• Analyse and evaluate the risks
• Identify and evaluate options for the treatment of risks
• Select control objectives and controls for the treatment of risks
• Obtain management approval of the proposed residual risks
• Obtain management authorization to implement and operate the ISMS
• Prepare the Statement of Applicability

Page 37: ISO 27001 Foundation Course Instructor Guide - ITpreneurs


Implement the ISMS: ISO 27001, clause 4.2.2

• Risk Treatment Plan: Define the plan (actions, resources, responsibilities, priorities, objectives) and put it in place
• Implement the controls: Implement the controls and define how to measure the effectiveness of the selected controls
• ISMS Management: Manage ISMS operations daily
• Training & Awareness: Set in place a training and awareness program
• Incident Management: Set in place an incident management process to detect and treat incidents rapidly

The organization that wishes to implement an ISMS must document, maintain, monitor and improve it continually. Its implementation includes a risk analysis as well as the implementation of controls to reduce the risks, based on the information and the organization. The implementation of the ISMS involves a certain number of tasks, including:

• Documenting the planning of the actions to implement, with the resources (financial, human, hardware, software) as well as the priorities and responsibilities to treat the identified risks.
• Implementing the controls listed in the risk treatment plan and defining evaluation methods for the efficiency of the controls.
• The organization must implement a program to raise awareness and train all stakeholders on security issues. This could be done through internal training, distribution of a newsletter, implementation of an intranet, or more formal communications.
• The organization must be able to manage the ISMS on a long-term basis and demonstrate that it has the necessary resources to operate an ISMS.
• The organization must implement an efficient and documented process for the detection and treatment of security incidents.

Page 38: ISO 27001 Foundation Course Instructor Guide - ITpreneurs


Documentation requirements: ISO 27001, clause 4.3

Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible. It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.

ISO 27001, clause 4.3.1

ISMS Policy and Objectives

An organization wishing to conform to ISO 27001 shall at least:

• Publish all documents required;
• Develop a procedure for control of documents;
• Develop a procedure to control records.

Each organization determines the extent of the necessary documentation and the media types to use. It depends on factors such as the type and size of the organization, the complexity and interaction of processes, the information systems and technologies available, the requirements of stakeholders such as customers and suppliers, applicable regulatory requirements, etc. In many organizations, the creation of documentation is disproportionate. The preparation of documents should not be an end in itself. It must create added value supporting the management system. Overly heavy documentation is difficult to manage and often not understood by users, and therefore not used. The primary value of documentation is to allow communication of the objectives of the organization and to ensure consistency of the actions. Documentation contributes to:

• Achieving compliance with legal, regulatory and contractual obligations;
• Providing media for communication and training;
• Ensuring repeatability and traceability;
• Providing evidence to prepare for the certification audit;
• Evaluating the effectiveness and continued relevance of the management system;
• Improving processes and security controls included in the management system.

Page 39: ISO 27001 Foundation Course Instructor Guide - ITpreneurs


ISMS Monitoring and Review: ISO 27001, clause 4.2.3

1. Monitoring and review of detection and security event prevention procedures
2. Regular review of the effectiveness of the ISMS taking into account the feedback and suggestions of interested parties
3. Measurement of the effectiveness of controls
4. Review of risk assessments
5. Conducting the internal audits
6. Management review and update of security plans

Note: Each of these actions must be documented and recorded

ISMS monitoring and review

Once the ISMS is implemented, the PDCA model requires permanent monitoring of the system as well as periodic reviews to improve its operation:

• Monitoring and review of detection and prevention procedures for security events (incidents, errors and flaws)
• Regular review of the ISMS effectiveness taking into account propositions from stakeholders
• Measurement of the efficiency of controls
• Review of risk assessments, levels of residual risks and changes in risk factors (organizational change, identification of new threats, introduction of new technologies, etc.)
• Conducting internal audits at fixed intervals (see clause 6)
• Management review (see clause 7) and update of security plans

Note: each of these actions must be documented and recorded.

Page 40: ISO 27001 Foundation Course Instructor Guide - ITpreneurs


Management responsibility: ISO 27001, clause 5

5.1 Management commitment: Management shall provide evidence of its commitment to the ISMS

5.2.1 Make resources available: Management shall determine and provide the necessary resources for the ISMS

5.2.2 Training, awareness & competency: Management shall ensure that personnel who have been assigned responsibilities defined in the ISMS have the necessary competencies to perform the required tasks

Management shall provide clear general provisions in accordance with the business objectives of the organization and shall demonstrate its support and its commitment towards information security by:

• Having reasonable assurance that the legal and regulatory requirements as well as contractual security obligations are taken into account in the ISMS (5.2.1c)
• Determining the objectives for the ISMS (5.1b)
• Determining the risk acceptance criteria and the levels of acceptable risks (5.1f)
• Defining the roles and responsibilities for information security (5.1c)
• Establishing a policy concerning the ISMS (4.2.1b.5)
• Approving residual risks (4.2.1h)
• Approving the implementation and operation of the ISMS (4.2.1i)
• Providing enough resources to establish, implement, operate, monitor, review, update and improve the ISMS (5.2.1)
• Establishing an information security awareness and training program (5.2.2)
• Having reasonable assurance that personnel of the organization possess and maintain the competencies to establish, implement, operate, monitor, review, update and improve the ISMS (5.2.2)
• Performing management reviews of the ISMS (7)
• Having assurance that the internal audits of the ISMS are conducted (6)
• Documenting management decisions and keeping the records (4.3.1)