ISO27001+Introduction VERY IMP



Page 1: ISO27001+Introduction VERY IMP

8/7/2019 ISO27001+Introduction VERY IMP

http://slidepdf.com/reader/full/iso27001introduction-very-imp 1/33

ISO/IEC 27001:2005

A brief introduction

Dimitris Petropoulos, Managing Director

ENCODE Middle East, September 2006

Page 2: ISO27001+Introduction VERY IMP


“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.”

Information

Ø Printed or written on paper
Ø Stored electronically
Ø Transmitted by mail or electronic means
Ø Spoken in conversations

Page 3: ISO27001+Introduction VERY IMP


What is Information Security

Ø ISO 27001 defines this as the preservation of:

– Confidentiality: Ensuring that information is accessible only to those authorized to have access
– Integrity: Safeguarding the accuracy and completeness of information and processing methods
– Availability: Ensuring that authorized users have access to information and associated assets when required

[Diagram: Information at the centre of the Confidentiality / Integrity / Availability triad, surrounded by Threats, Risks and Vulnerabilities]

Page 4: ISO27001+Introduction VERY IMP


Achieving Information Security

4 Ps of Information Security

Ø People
Ø Products
Ø Policy & Procedures

Page 5: ISO27001+Introduction VERY IMP


Drivers & Benefits of compliance with the standard

Page 6: ISO27001+Introduction VERY IMP


ISO27001 Drivers

Ø Internal Business Drivers
– Corporate Governance
– Increased Risk Awareness
– Competition
– Customer Expectation
– Market Expectation
– Market Image

Ø Regulators

Ø Reasons for seeking Certification according to a BSI-DISC survey

[Pie chart: segments of 38%, 35%, 18% and 9%; categories Best Practice, Business Security, Competitive Advantage, Market Demand]

Page 7: ISO27001+Introduction VERY IMP


Benefits of compliance [1]

Ø Improved effectiveness of Information Security
Ø Market Differentiation
Ø Provides confidence to trading partners, stakeholders, and customers (certification demonstrates 'due diligence')
Ø The only standard with global acceptance
Ø Potential lower rates on insurance premiums
Ø Compliance with mandates and laws (e.g., Data Protection Act, Communications Protection Act)
Ø Reduced liability due to un-implemented or enforced policies and procedures

Page 8: ISO27001+Introduction VERY IMP


Benefits of compliance [2]

Ø Senior Management takes ownership of Information Security
Ø Standard covers IT as well as organization, personnel, and facilities
Ø Focused staff responsibilities
Ø Independent review of the Information Security Management System
Ø Better awareness of security
Ø Combined resources with other Management Systems (e.g. QMS)
Ø Mechanism for measuring the success of the security controls

Page 9: ISO27001+Introduction VERY IMP


ISO27001 Evolution

Page 10: ISO27001+Introduction VERY IMP


ISO27001/ISO17799/BS7799: History

1995 – BS 7799 Part 1
1998 – BS 7799 Part 2
1999 – New issue of BS 7799 Part 1 & 2
Dec 2000 – ISO 17799:2000
2002 – New BS 7799-2
2005 – New ISO 17799:2005 released; ISO 27001:2005 released

Page 11: ISO27001+Introduction VERY IMP


ISO 27001, ISO17799 & BS7799 Standards

Ø ISO/IEC 17799 = BS 7799-Part 1: Code of Practice for Information Security Management
– Provides a comprehensive set of security controls
– Based on best information security practices
– It cannot be used for assessment and registration

Ø ISO 27001 = BS 7799-Part 2: Specification for Information Security Management Systems
– Specifies requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS)
– Specifies requirements for security controls to be implemented
– Can be used for assessment and registration

Page 12: ISO27001+Introduction VERY IMP


Why BS7799 moved to ISO27001

Ø Elevation to international standard status

Ø More organizations are expected to adopt it

Ø Clarifications and Improvements made by the International Organization for Standardization

Ø Definition alignment with other ISO standards (such as ISO/IEC 13335-1:2004 and ISO/IEC TR 18044:2004)

Page 13: ISO27001+Introduction VERY IMP


The ISO 27000 series

Ø ISO 27000 – principles and vocabulary (in development)
Ø ISO 27001 – ISMS requirements (BS7799 – Part 2)
Ø ISO 27002 – ISO/IEC 17799:2005 (from 2007 onwards)
Ø ISO 27003 – ISMS Implementation guidelines (due 2007)
Ø ISO 27004 – ISMS Metrics and measurement (due 2007)
Ø ISO 27005 – ISMS Risk Management
Ø ISO 27006 – 27010 – allocation for future use

Page 14: ISO27001+Introduction VERY IMP


ISO 27001 Overview

Page 15: ISO27001+Introduction VERY IMP


What is ISO27001?

þ An internationally recognized structured methodology dedicated to information security

þ A management process to evaluate, implement and maintain an Information Security Management System (ISMS)

þ A comprehensive set of controls comprised of best practices in information security

þ Applicable to all industry sectors

þ Emphasis on prevention

Page 16: ISO27001+Introduction VERY IMP


ISO27001 Is Not…

ý A technical standard
ý Product or technology driven
ý An equipment evaluation methodology such as the Common Criteria/ISO 15408
– But may require utilization of a Common Criteria Equipment Assurance Level (EAL)

Page 17: ISO27001+Introduction VERY IMP


Holistic Approach

Ø ISO 27001 defines best practices for information security management

Ø A management system should balance physical, technical, procedural, and personnel security

Ø Without a formal Information Security Management System, such as a BS 7799-2 based system, there is a greater risk of your security being breached

Ø Information security is a management process, not a technological process

Page 18: ISO27001+Introduction VERY IMP


ISO 27001:2005 - PDCA

1. Establish the ISMS

• Establish security policy, objectives, targets, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.

2. Implement and operate the ISMS

• Implement and operate the security policy, controls, processes and procedures.

3. Monitor and review the ISMS

• Assess and, where applicable, measure process performance against security policy, objectives and practical experience and report the results to management for review.

4. Maintain and improve the ISMS

• Take corrective and preventive actions, based on the results of the management review, to achieve continual improvement of the ISMS.

Page 19: ISO27001+Introduction VERY IMP


ISO 27001:2005 Structure

Five Mandatory requirements of the standard:

Ø Information Security Management System
• General requirements
• Establishing and managing the ISMS (e.g. Risk Assessment)
• Documentation Requirements

Ø Management Responsibility
• Management Commitment
• Resource Management (e.g. Training, Awareness)

Ø Internal ISMS Audits

Ø Management Review of the ISMS
• Review Input (e.g. Audits, Measurement, Recommendations)
• Review Output (e.g. Update Risk Treatment Plan, New Resources)

Ø ISMS Improvement
• Continual Improvement
• Corrective Action
• Preventive Action

Page 20: ISO27001+Introduction VERY IMP


The 11 Domains of Information Management

[Diagram of the 11 domains:]
Ø Security Policy
Ø Organization of Information Security
Ø Asset Management
Ø Human Resources Security
Ø Physical & Environmental Security
Ø Communications & Operations Management
Ø Access Control
Ø Information Systems acquisition, development and maintenance
Ø Information Security Incident management
Ø Business Continuity Management
Ø Compliance

Overall the standard can be put in:

• Domain Areas – 11,
• Control Objectives – 39, and
• Controls – 133

Page 21: ISO27001+Introduction VERY IMP


ISO27001 vs BS7799

Page 22: ISO27001+Introduction VERY IMP


ISO27001 vs BS7799 [1]

ISO 27001                                                      | BS7799
---------------------------------------------------------------|----------------------------------------
Security Policy                                                | Security Policy
Organising Information Security *                              | Security Organisation
Asset Management *                                             | Asset Classification & Control
Human Resources Security *                                     | Personnel Security
Physical & Environmental Security *                            | Physical & Environmental Security
Communications & Operations Management *                       | Communications & Operations Management
Access Control                                                 | Access Control
Information Systems Acquisition, Development and Maintenance * | Systems Development & Maintenance
Information Security Incident Management                       | (no counterpart)
Business Continuity Management                                 | Business Continuity Management
Compliance                                                     | Compliance

* - new control/s added

Page 23: ISO27001+Introduction VERY IMP


ISO 27001 Implementation

Page 24: ISO27001+Introduction VERY IMP


Implementation Process

[Flowchart; stages as extracted, connecting arrows lost:]
Ø Assemble a Team and Agree to Your Strategy
Ø Define Scope
Ø Review Consultancy Options
Ø Identification of Legal, regulatory & contractual requirements
Ø Definition of Security Strategy & Organisation
Ø Identification of Information Assets
Ø Determination of Value of Information Assets
Ø Determination of Risk
Ø Determination of Policy(ies) and the Degree of Assurance Required from the Controls
Ø Identification of Control Objectives and Controls
Ø Statement of Applicability
Ø Definition of Policies, Standards, and Procedures to Implement the Controls
Ø Implementation of Policies, Standards, and Procedures
Ø Completion of ISMS Documentation Requirements
Ø Update Statement of Applicability

Page 25: ISO27001+Introduction VERY IMP


Contracts and agreements

Defining Scope and Participants

Page 26: ISO27001+Introduction VERY IMP


ISMS Documentation

[Documentation pyramid, four levels:]

Level 1 – Security Manual: Policy, Organisation, risk assessment, statement of applicability. Management framework policies relating to ISO 27001.

Level 2 – Procedure: Describes processes – who, what, when, where.

Level 3 – Work Instructions, checklists, forms, etc.: Describes how tasks and specific activities are done.

Level 4 – Records: Provides objective evidence of compliance to ISMS requirements.

Page 27: ISO27001+Introduction VERY IMP


Implementation Issues

Security Awareness Program is a very important issue. A Tool is essential to make security policies visible across the organization and to translate policy objectives into actual compliance.

[Flowchart; stages as extracted, connecting arrows lost:]
Ø Approval by CEO
Ø Develop Documentation
Ø Disseminate Policy
Ø Conduct Awareness
Ø Select External Consultant
Ø Acquire Policy Tool
Ø Educate Personnel
Ø Develop Security Newsletter
Ø Monitor & Measure Compliance
Ø Develop other missing controls (Physical, BCP etc.)
Ø Update Security Technologies (if needed)
Ø ISO27001 Internal Assessment
Ø ISO27001 External Assessment
Ø Continue Awareness
Ø Enforce Policy
Ø Sec Awareness Material

Page 28: ISO27001+Introduction VERY IMP


Registration Process

[Flowchart; stages as extracted:]
Ø Choose a Registrar
Ø Initial Inquiry
Ø Quotation Provided
Ø Application Submitted
Ø Client Manager Appointed
Ø Pre-Assessment (Optional)
Ø Audit and Review of Information Security Management System
– Phase 1: Undertake a Desktop Review
– Phase 2: Undertake a Full Audit
Ø Registration Confirmed (Upon Successful Completion)
Ø Continual Assessment (Internal / External)
– Continuing (every 6 months)
– Re-Assessment (every 3 years)

Page 29: ISO27001+Introduction VERY IMP


Critical Success Factors

Ø Security policy that reflects business objectives

Ø Implementation approach consistent with company culture

Ø Visible support and commitment from management

Ø Good understanding of security requirements, risk assessment and risk management

Ø Effective marketing of security to all managers and employees

Ø Providing appropriate training and education

Ø A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feedback suggestions for improvement

Ø Use of automated Security Policy Management tool.

Page 30: ISO27001+Introduction VERY IMP


Closing Remarks

Page 31: ISO27001+Introduction VERY IMP


ISO27001 can be…

Ø Without genuine support from the top – a failure

Ø Without proper implementation – a burden

Ø With full support, proper implementation and ongoing commitment – a major benefit

Page 32: ISO27001+Introduction VERY IMP


ENCODE Middle East

Thank you for your time…

For more information please contact:

P.O. Box 500328, Dubai Internet City, Dubai – UAE

Tel.: +971-4-3608430

http://[email protected]

Page 33: ISO27001+Introduction VERY IMP


www.encodegroup.com