ISO27001 Introduction Basic

Page 1: ISO27001 Introduction Basic

ISO27001:2005 Introduction

Page 2

Agenda

• Introduction to Information Security
• Implementation Methodology
• Deliverables
• Management Commitment

Page 3

Information Security

Page 4

Information

Information is an asset which, like any other important business asset, adds immense value to an organization because of its critical nature, and hence needs to be suitably protected. Whatever form information takes, and whatever the means by which it is shared or stored, the need to protect it cannot be overstated.

Page 5

Information Security

Information systems security

“The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.”

Page 6

Information Security Characteristics

Confidentiality: Ensuring that access to information is appropriately authorized

Integrity: Safeguarding the accuracy and completeness of information and processing methods

Availability: Ensuring that authorized users have access to information when they need it

In addition, other properties are authenticity, accountability, reliability and non-repudiation.

The aim is to protect against, detect, and recover from security failures.

Page 7

Threats to Information Security

The possible threats to Information Security are:

• Computer-assisted fraud
• Espionage
• Sabotage
• Vandalism
• Fire or flood (natural calamity)
• Computer viruses
• Computer hacking or malicious software
• Denial of service attacks

Page 8

Information Security Management System

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, business processes and also includes IT systems.

Page 9

ISMS – The PDCA Model (Plan, Do, Check, Act: a cycle of continual improvement)

Plan – Establish the context
- Define ISMS scope
- Define policy
- Identify risks
- Assess risks
- Select control objectives and controls for treatment of risks
- Prepare a statement of applicability (SOA)

Do – Implement and operate
- Formulate a risk treatment plan
- Implement the risk treatment plan
- Implement controls selected to meet the control objectives

Check – Monitor and review
- Execute monitoring procedures
- Undertake regular reviews of the effectiveness
- Conduct internal audits at planned intervals

Act – Maintain and improve
- Identify improvements in the ISMS and implement them
- Take appropriate corrective and preventive actions
- Communicate the results and actions and agree with all interested parties
- Ensure that improvements achieve their intended objectives

Page 10

Overview of ISO27001

“A proven framework to initiate, implement, maintain and manage information security within your organization”

• A specification for the management of Information Security.
• Applicable to all sectors of industry & commerce, and not confined to information held on computers.
• Addresses the security of information in whatever form it is held.
• Takes a Risk Management approach.

Page 11

Security and Raymonds

Raymonds’ Business Needs

• To ensure that all business-related information is secured from unauthorized access.
• To ensure information integrity.
• To ensure data availability to authorized persons when needed.
• To ensure that the risk to data is reduced to business-acceptable levels.
• To ensure that Raymonds complies with regulatory requirements for information protection.

Page 12

Implementation Methodology

Page 13

11 Domains of ISO 27001

Page 14

Methodology

• Developing ISMS
• Imparting Training to end users
• Mapping ISO Domains to Policy Document
• Preparing Policy Document
• Statement of Applicability
• Risk Treatment Plan
• Risk Assessment
• Asset Identification
• Implementing Security Policy
• Internal Audit & Management Review
• Fixing Non-Conformances
• External Review
• Recommendations for Certification
• ISO 27001 Certification

Page 15

Team Composition

• ISF/ISSC
• Project Manager – Consultant Co
• Consultants – Consultant Co
• Core team members – Raymonds
• CISO
• Project Manager – Raymonds

Page 16

Deliverables

Page 17

Deliverables

Stage 1 - Current State Assessment

• Current State Assessment of Information Security and Process
  Current State Assessment Report comprising the current information security infrastructure, information security incidents, critical business processes, critical success factors, business requirements, hardware, software, applications and user feedback.

• Review Existing Policies & Procedures
  Review Report for current Policies and Procedures, and Information Security Policies and Procedures.

• Performing Gap Analysis vis-à-vis ISO 27001 control objectives
  Gap Analysis against the 133 control objectives and the current state of policies and procedures.

Page 18

Deliverables

Stage 2 - Establish the Context

• Define Business Objectives
  Document defining the business objectives, critical business processes, critical success factors, dependencies on environmental factors, dependencies on external factors, dependencies on time factors, and dependencies on IT.

• Create Security Forum and Information Security Policy
  Establishing a security forum with representation from business, operations and IT; documenting the security objective, vision and mission, the corporate security policy statement, and the project plan for the security initiative.

Page 19

Deliverables

Stage 3 - Risk Identification & Assessment

• Business Risk Identification & Assessment
  Documentation of various business processes, identification of critical processes, identification of various business risks, risk analysis giving the probability and consequences of various risk scenarios, and alternatives to mitigate the risk impact.

• Asset Identification & Classification
  Asset register identifying all the critical assets; security classification schema; asset classification as per the classification schema.

Page 20

Deliverables

Stage 4 – Managing the Risks

• Information Security Management System documentation
• Selection of Controls and preparation of Statement of Applicability
• Information Security Policies & Procedures
• Information Security Architecture
• Formulation of Business Continuity & Disaster Recovery Plan

Page 21

Deliverables

Stage 5 – Suggestion & Implementation of Controls

Training
• End User Awareness Training Program
• Top Management Training Program

Vulnerability Fix
• Analyze the vulnerability assessment report
• Implement recommendations for various business process components
• Implement security policy guidelines
• Implement latest security patches

Page 22

Management Commitment

Page 23

ISMS Team Structure

Information Security Forum (chaired by ISM)

Chief Information Security Officer

Information Security Management Team (headed by the Chief Information Security Officer)

Page 24

Management Commitment

• The Top Management shall be committed to the development and implementation of Information Security policies and procedures and to the continuous improvement of their effectiveness.
• Establishing roles and responsibilities for information security.
• Communicating to the organization the importance of meeting information security objectives and conforming to the information security policy.
• Ensuring that internal ISMS audits are conducted.
• Conducting management reviews of the ISMS.

Page 25

Management Review

• Management shall review the organization’s ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
• This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives.
• The results of the reviews shall be clearly documented and records shall be maintained.

Page 26

Thank You