ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information...

22
ISO/IEC 27001 WORKBOOK Putting theory into practice Version 1.0 The APMG International ISO/IEC 27001 and Swirl Device logo is a trademark of The APM Group Limited, used under permission of The APM Group Limited |

Transcript of ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information...

Page 1: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

ISO/IEC27001WORKBOOKPuttingtheoryintopractice

Version1.0

The APMG International ISO/IEC 27001 and Swirl Device logo is a trademark of The APM Group Limited, used under permission of The APM Group Limited |

Page 2: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

Thispageisintentionallyblank

Page 3: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

ISO27001PractitionerWorkbookIntroductionWelcometotheISO/IEC27001practitionerworkbook.ThisworkbookhasbeendesignedtopracticeandtestyourapplicationandanalyticalskillsbasedonspecificscenariosthatyoumaybefacedwithinanISO/IEC27001environment.ThisworkbookisadditionaltotheISO/IEC27001e-learningcourse,andshouldbeusedwithinthecoursemoduleswhenprompted.HowtousethisworkbookThisworkbookisfocusingonyourprofessionalskillsthatgobeyondmemoryoftheISO/IEC27001standardorthee-Learning,inthisworkbookyouwillbeintroducedtosimplescenariosthatmaybesimilartowhatyoucouldfaceintherealworld.Withthis,analyseeachscenarioandthinkaboutwhatyouhavelearnt–therecouldbefundamentalissueswithinthem,thatyoushouldnowbeabletoidentify.Thisworkbookisnotmarkedorevaluated,butitshouldnotbeignoredasitwillhelpyouapplywhatyouhavelearnt,andthuswillhelpyouinternalisetheinformationforbothyourexam,andreallifeprojectsyoumaybeworkingon.Anapproachtousethisbookisthefollowing1. Takethee-Learningmodule2. Readthescenario3. Readtheadditionalinformationforthequestion4. Tacklethequestionsinthisworkbook5. Refertoyoure-learningforguidanceifneeded6. FillintheanswerandcheckifyouarerightAsaguide,eachquestionshouldtakeyounomorethan30minutestocomplete.AnswerstoquestionsYes,thereareanswerstoeachquestionorproblem.Thesearelocatedatthebackofyourworkbook.Wewouldhighlyencourageyoutonotgostraighttotheseanswerswhenyoumaybelostwithaquestionasthisdefeatsthepoint.Thequestionsareopenended,inthisyouneedtoanalyse,analyse,analysethencompareagainsttheIOS/IEC27001andfinallycomeupwithyourconclusion.

Page 4: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

ScenarioNote:thiscasestudyhasbeentakendirectlyfromthepracticeexamguideyoutodepthtoexpectonyourfinalexam–ThiscasestudyisownedbyAPMGCaseStudy:EquitableProducts(Theorganisationandpeoplewithinthescenarioarefictional.)BackgroundEquitableProductsareafoodprocessingandsupplycompanytosupermarkets.Theysupplyfoodpackagedundertheirownbrandnametogeneralretailersand‘supermarketbrand’packagedgoodstosupermarketchains.Inaddition,theyhaverecentlybegunsupplyingfrozen'readymeal'productstoamajorrestaurantchain.Tosupporttheirbusiness,EquitableProductshasfoodprocessingplantsattwosites.Onesitedealswiththeprocessingandre-packagingofbulkfoodstuffsintobrandedpackages(ownbrandandsupermarket).Theothersiteproducesreadymealswhicharesuppliedasfrozenproductstogeneralretailcustomersandtherestaurantchain.OrganisationTherearethreemarketingdivisionswithintheorganisationtoservicetheseparateretail,supermarketandrestaurantmarkets.Eachofthemarketingdivisionshastheirownbusinesstargets,objectivesandprocesses.AninternalITunitisresponsiblefortheprovisionofITserviceswithinEquitableProducts.Eachdivisionusessomespecific,dedicatedITservices,togetherwithacoresetofsharedcorporateITservicestosupporttheirbusinessoperations.Forexample,theEquitableProducts'ITsystemsnowinterfacedirectlywiththesupermarkets’ITsystemstoenable'justintime're-orderinganddelivery.Therestaurantchain'sITsystemsarealsonowconnectedtotheEquitableProducts'ITsystems.AllthenewRestaurantReadyMealproductsaremicrochippedwithaRadioFrequencyIdentificationDevice(RFID).Allrestaurantproductsmustbeconsumedwithinfivedaysofproduction.TheRFIDtechnologyenablestheindividualrestaurants’usagetobemonitoredbyEquitableProducts.Aproductionscheduleisproducedfortherestaurantreadymealproductsinordertoreducewastage.CurrentStatus

Page 5: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

Asaresultofinternationalconcernovercontaminationofproducts,EquitableProductsdecidedthattheyshouldtakemorecontroloftheirsupplychain.Theyhaverecentlyacquiredanestablishedchainofdairyfarmswhichwill,inthefuture,providemostoftheirfreshdairyproducts.Thiswillbetterenablethemtotrackingredientsfrom'fieldtoplate'.Theotherproductsandingredientsusedintheprocessingplantsaresourcedfromavarietyofthirdpartysuppliers.WhereverpossiblethecontractswiththosesuppliersrequirethesupplierstomaintainISO/IEC27001certification.ThediagrambelowshowstheinteractionbetweenthevariouspartiesandEquitableProducts’divisions.

Diagram1-TheinteractionbetweenthevariouspartiesandEquitableProducts’divisionsThecontractswiththemajorsupermarketsrequireEquitableProductstomaintainISO/IEC27001certificationandthereisanestablishedISMSinplace.However,thedairyfarmchainhasneverhadISO/IEC27001certificationandneedstobebroughtintothescopeofcertification.EquitableProducts’corporateclientsaresupportiveofthereasonsandobjectivesofacquiringthedairyfarmchain.However,theyrequiretheISO/IEC27001certificationtobeextendedtoincludethisnewbusinessdivision.InformationSecurityManagementStructureTheEquitableProductsChiefFinancialOfficerhastheroleofDirectorofInformationManagement.InthisrolehehasbeengiventheorganisationalresponsibilitytoensurethatISO/IEC27001conformanceismaintained.TheChiefInformationOfficerreportsdirectlytotheDirectorofInformationManagementandhastwoInformationSecurityOfficerswhoworkforhim.TheyareresponsibleforensuringthatthecompanyanditsthirdpartysuppliersmaintaintherequiredISO/IEC

Page 6: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

27001certifications.TheHeadoftheITServicesDivisionalsohasanInformationSecuritySpecialistwithinhisteam.ThespecialistisresponsibleforensuringthattheITserviceisdeliveredinaccordancewithISO/IEC27001.InformationSecurityObjectivesInformationsecurityrisksmustbemanagedeffectively,collectivelyandproportionatelyinacosteffectiveway.Asecureandconfidentialworkingenvironmentshouldalsobemaintained.Toachievethis,theinformationsecurityobjectivesofEquitableProductsincludethefollowing:a) Tomaintaintheconfidentiality,integrityandavailabilityofcorporateandcustomer

informationb) TomaintainISO/IEC27001certificationc) Toensurecompliancewithlegalandregulatoryrequirementsd) Tosupporteffectiveandresilientprocessestorespondto,investigateandrecoverfromany

informationsecurityincidentswithnecessarycontrols,identifiedbyformalriskassessment.©TheAPMGroupLtd2014.ThiscasestudyremainsthepropertyofTheAPMGroup(APMG).Thisdocumentisnottobereproducedorre-soldwithoutexpresspermissionfromTheAPMGroupLtd.2.TheAPMG-InternationalISO/IEC27001logoisaTradeMarkofTheAPMGroupLimited.TheAPMG-InternationallogoisaTradeMarkoftheAPMGroupLtd.

Page 7: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

1. LeadershipLeadershipScenarioAdditionally,reviewthesupplementarypaperforthisexerciseTheEquitableProductsChiefFinancialOfficerhasjustcompletedanexecutiveboardmeetingandashasbeenappointedtopromoteandco-ordinatetheinformationsecurityprocessaspartofhisroleastheITDirector.Hisfirstactionwastodefinethesecuritystakeholdersofeachdepartmentthatwouldbewiththescopeofthecertification.Themainconsensuswasthatsecurityresponsibilitieswouldbedelegatedtotheindividualroleswiththeorganisationassecurityiseveryone’sresponsibility.TherolesandresponsibilitiesweredecidedasbelowRole BriefDescriptionofresponsibilitySeniorManagement Forvision,strategicdecisionsandcoordinatesactivitiestodirect

andcontroltheorganisation.LineManagers Hasthetopresponsibilityfororganisationalfunctions.LocalITstaff HasoverallresponsibilityoftheforthesecuritytasksSystemAdministrator HasfullaccountabilityofallsecuritybreechesHumanResources Theperson/personswithoverallresponsibilityforthestaff.TheLineManagershavestatedthattheydonotneedtodiscusstheirsecurityissueswithotherdepartments,asthiswouldbeasecurityweaknessandassuchwouldprefertoworkalonewithintheirareaofconcern.1.1 Havetherolesandresponsibilitiesbeendefined?(LE03-01,04-01)

Page 8: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

1.2Doyouthinkthattherolesandresponsibilitiesareappropriaterequiredforinformationmanagementandoperation?(LE03-02,04-02)

1.3Doyouthinkthattheconcepts,responsibilitiesandrequirementsaboutthecontextleadershipsupportanISMSperClauses4,5,and7(Contextoftheorganisation,Leadershipandsupport)oftheISO/IEC27001?(LE03-03,04-03)

Page 9: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

2. PlanningandOperationoftheISMSPlanningandoperationscenarioTheCFOunderstandsthattheyneedarisktreatmentplanandhaddecidedthatheneededtodefineandestablishthesecurityriskprocessesandthecriteriaforriskacceptance,howtoperformriskassessments,whowouldbetheriskownersandwhowouldanalysetheinformationsecurityrisks.Additionally,theCFOwasverykeentounderstandwhatinformationsecurityrisktreatmentoptionswereavailableandrequiresaStatementofApplicability(SoA)toproduceforcriticalrisks.TheCFOwasalsoadamantthattherehastobeoperationalplanningandcontrolwithintheplanwhichistoincludecontrolplannedchanges.Allrisksandchangesoftheirstatusshouldbemonitored,measured,analysed,andevaluated,additionally,documentationaboutinformationriskassessmentsandinformationrisktreatmentwouldbestoredinlinewiththeinformationpolicies.2.1Whenapplyingtheconcepts,responsibilities,requirementsandprocessesrelatingtoplanningandoperationofanISMSwithinclauses6,8,9and10oftheISO/IEC27001whatareimportantconsiderationstomake?(PL03-07)

Page 10: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

2.2Lookingattheplanningandoperationscenario-Doyouthinkthatapplicationoftheconcepts,responsibilities,requirementsandprocessesrelatingtoplanningandoperationofanISMSwithinclauses6,8,9and10oftheISO/IEC27001wherecarriedout,ifnotwhatwasmissingornotcompleted?(PL04-07)

Page 11: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

3. InformationSecurityControlObjectivesandControlsInformationsecuritycontrolobjectivesandcontrolsscenarioTheCFOhadrequestedthatareporttobecreateddetailingtheactionscompletedandanyoutstandingareasinrelationtothecontrolswithinISO/IEC27001.Thereportfindingsarebelow:

ISO/IEC27001ControlsReportControl Status

Informationsecuritypolicies

Theboardofdirectorshaveagreedthatinformationsecurityisofthehighestpriorityandsecuritypoliciesmustbedefined,howevertheyalsounderstandthatthesecuritypoliciesshouldnothinderbusinessgrowthorbecomeabusinessdisabler–assuchtheyhavecommissionedafullassessmentonwhatthebusinesssecurityrequirementsandrequiredpolicesareandwillthenrequiretheITsecuritypolicies(including,highlevelgeneralpolicies,highleveltopic-specificpoliciesanddetailspolicies)tobebroughtin-linewiththebusinesssecuritypolicies.

Organisationofinformationpolices

TheCFOactingastheITDirectorhasbeenmadeaccountableofITSecurity,andassuchhasputinplaceapoliceregardingtheorganisationofinformationsecurity.Thisincludesthefollowing• Definingowners,producersandusersofinformation,withthe

associatedRACImatrixhighlightingresponsibilitiesforeachrole

• Asthereallemployeeshavemultipleroleshedoesnotseethevalueinsegregationofduties,andtrustshisteamnottoshareinformation

• Thereisafullcommunicationplaninplacetoensurethatifthereisasecurityincidentthecorrectauthoritiesarenotifiedwithintheagreedtimeframes

• IntergroupcommunicationbetweenEquitableProducts,theretailersandsupermarketshavebeendefinedwithapolicystatingwhatinformationandhowitshouldbepassedbetweenthespecialinterestgroups

• Therehasbeenclearpoliciesandproceduresputinplacethathighlightthemeasuresthatshallbeusedformobiledevicesinclusiveofanyteleworkingequipmentandemployees

Page 12: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

Humanresourcessecurity

ThehumanresourcepolicyissplitintothreemaincategoriesasfollowsPriortoemployment:• Allpotentialemployeesarerequiredtogothroughascreen

processofthreeinterviewsandafullbackgroundcheckdependentontheirrole

• Termsandconditionsshouldbetailoredforeachemploymentgradesothatitensurethattheminimumandrequiredinformationsecuritysafeguardsareapplied

Duringemployment• Aninitialorientationsessionshallbeconductedforallnew

employeesthatdefinestheinformationsecurityindividualandmanagementresponsibilities

• Yearlyrefresherinformationsecuritytrainingshallbeconductedtoallemployees,withadditionalspecialisedtrainingconductedalignedwiththeemployees/skill/function/role

• Thepolicydefinesandcommunicatesaformaldisciplinaryprocesstoallemployees

Terminationandchangeofemployment• Thereisadefinedprocessforchangeofroles,including

terminationofaccounts,monitoringofaccessactivitiesandaeducationabouttheemployeestermsandconditions.

Assetmanagement

ThereisasingleinventoryregisterwithinEquitableProductswhichdefinedtheownersofalltheassets.Eachownerofeachassethasdefinedtheacceptableuseoftheirassociatedasset.TheassetpolicystatesthattheassetsandanydataheldwithinthembelongtotheEquitableProducts,andthatuponanemployee/contractorleavingthefirmshouldhandbacktheassetsintact,additionallythepolicystateshowassetsshouldbehandledandstored.Informationassetshaveadefinedclassificationdependentonthecriticalityoftheinformationwithdefinedproceduresforhandlingatthedefinedlevel,whichisasfollows.Alldocumentationisrequiredtohavetheclassificationlabelintheheaderandfooter.

Accesscontrol

TheorganisationusestheITILAccessManagementprocesswhichhasbeendefinedonAccessManagementPolicy,thisincludesdirectionon:• Userregistrationandderegistration• Useraccessprovisioning• Managementofprivilegedaccessrights• Managementofsecretauthenticationinformationofusers• Reviewofusersaccessrights

Page 13: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

• Removaloradjustmentofaccessrights• Useofsecretauthenticationinformation• Informationaccessrestriction• Securelogonprocedures• Passwordmanagementsystem• Useofprivilegedutilitysystems• Accesscontroltoprogramsourcecode

Cryptography

Thereisahigh-levelcryptographicpolicythatwasproducedfromanofftheshelftemplatekit.Itcoversallthegenericitemssuchascryptographiccontrolsandkeymanagement

Physicalandenvironmentalsecurity

Thereisamaturepolicythatcoversphysicalandenvironmentalsecuritycontrolsincluding:• Secureareas(allcontrols)• Equipment(allcontrols)Thispolicywaslastupdatedthreeyearsago

Operationssecurity

Ataprocessgovernancelevel,therearemultipleprocessesandproceduresavailablebasedChange,Capacity,AvailabilityIncidentandITServiceContinuitywhicharealignedtoITIL.Thesehavebeentailoredtofocusoninformationsecuritymatters.Atanoperationallevel,thereareestablishedandwelladoptedpolicies,processesandproceduresthatcover• Separationofdutiesandenvironments• Definedcontrolsagainstmalware(basedonchangingrisk

assessments• Grandfather/Father/Soninformationbackuppolicy• Loggingandmonitoringprocedures• DefinitiveMediaLibrary(DML)thatcontrolsoperation

softwareandrestrictionsoninstallation• Patchandtechnicalvulnerabilitiesmanagement• Ahigh-levelpolicyonauditrolesandresponsibilitiesandrule

toconductauditsincludingprocessinganddataretention.Communicationssecurity

Thereisacommunicationpolicythatcoversthefollowingareas• Ensuresthatthereisasegregationofusers,information

systemsandnetworks• Allemployeesandcontractorsareheldtoanondisclosure

agreementthatwillremainineffectfor12monthsaftertheycompleteworkwiththecompany

• Alldigitaldeviceshavetheabilitytoberemotelywiped• Thereareformalpoliciesandproceduresforthetransferof

sensitivematerial• Networkcontrolsareinplacetoprotectsystemsand

applications

Page 14: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

Systemacquisitionanddevelopment

ThereisanoldSystemAcquisition,DevelopmentandMaintenancepolicy,whichneedstobeupdatedinlinewiththecurrentorganisationalstrategies.Currentlythepolicycontainsthefollowingcontrols• Securedevelopmentpolicy• Systemchangecontrolprocedures• Technicalreviewofapplicationsafteroperatingplatform

changes• Restrictioninchangestosoftwarepackages• Restrictionsonchangestosoftwarepackages• Outsourcedenvironment• Systemssecuritytesting

Supplierrelationships

ThereisasupplierrelationshippolicythathasbeentailoredinlinewiththeITILsuppliercategories,itishoweverunsurewhetherthisisstillrelevanttothenewvision.Thepolicyincludes:• Anoverarchingpolicyforallsupplierrelationshipsincluding

howsuppliersareallowedaccesstotheorganisationsassets• Detailedprocedureshowthemanagementofinformationwill

bemanagedwithinthesupplier’senvironmentincluding,storage,access,process,andcommunicationofinformation

• Ownershipofinformationthecommunicationtechnologyusedtowithinthesupplychain

• HowsupplierauditsandreviewsareconductedIordertomonitorandreviewsupplierservices

• Contractmanagement,andhowtomanagechangestosupplier’scontractsandservices

Securityincidentmanagement

ITILIncidentManagementprocesshasbeenadopted,andthereisnofurtherrequirementfortailoringtowardsSecurityincidents

Businesscontinuitymanagement

Thereisadisasterrecoveryplaninplacethatcoverstherestorationofbusinessapplicationsandhardwareintheeventofadisaster.Inlinewiththelegislationandcontractualrequirements,thisconsistsofusingamixofhostedservicesfromawell-knownhostingproviderandsomein-houseservices,bothoptionsneedupto24hourstoinstallthelatestbackupwhichiskeptintheparentlocation.Thereisalsoahighavailabilitysolutioninplaceswithfocusonensuringthereisredundancyinplaceformissioncriticalservices.

Compliance

Thereisacompliancepolicywhichcoversallofthecontrolshoweverthisisappliedinanad-hocmanner,andthereislittlegovernancetoshowitisapplied.

Page 15: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

3.1Thisquestionisbrokendownintototwoparts–Analysethereportandanswerthefollowing.1. Doyouthinkthatthefollowingaspectshavebeenappliedandtailoredtothesituation

correctly?2. AnalysethereasonstosupportyourdecisionAspect Applied/Tailored ReasonsforyourdecisionInformationsecuritypolices

Organisationofinformationpolices

Humanresourcessecurity

Assetmanagement

Accesscontrol

Cryptography

Physicalandenvironmentalsecurity

Page 16: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

Operationssecurity

Communicationssecurity

Systemacquisition,developmentandmaintenance

Supplierrelationships

Informationsecurityincidentmanagement

Informationsecurityaspectsofbusinesscontinuitymanagement

Compliance

Page 17: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

AnswersHerearesomehigh-levelanswersfortheexercises,pleasenotethatthisisnotsomucharightorwrongtypeofexercise,butmoreofapracticalwayforyoutointernalisesomeoftheconceptstaughtinthiscourse.LeadershipQuestion1Pointsyoushouldhavenoticedare:

1. TheCFOhasbeenappointedtopromotetheinformationsecurityprocess2. Thestakeholdershavebeendefined(representativesofeachdepartmenthavebeen

identifiedwiththescope3. Roleshavebeenallocatedwithintheorganisation

Question2Pointsyoushouldhavenoticedare:

1. TheSystemadministratorshouldnothavefullaccountabilityofallsecuritybreaches2. TheLocalITstaffshouldnothaveoverallresponsibilityofthetasks,asthisremains

theresponsibilityatthemanagementlevelQuestion3Pointsyoushouldhavenoticedare:Concepts–Theconceptshavebeenad-hocapplied,howeverthereislittlestructureevidencedwiththestructure.Requirements–themostimportantconsiderationsasdefinedinthesupplementarypaperhavebeenaddressedb) Overallresponsibilityforthetasksremainsatthemanagementlevel,c) Oneperson(usuallytheChiefInformationSecurityOfficer)isappointedtopromoteandco-

ordinatetheinformationsecurityprocess,d) Eachemployeeisequallyresponsibleforhisorheroriginaltaskandformaintaining

informationsecurityintheworkplaceandintheorganisation.Leadership–

Page 18: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

TheCFOhasbeenappointedtopromoteandcoordinateactivitiestheinformationsecurityprocesses.However,thereseemstobelittlemiddlemanagementleadershipwhichcanbeseenbytheLocalITstaffbeingmadeoverallresponsibleforthetasks–whichshouldremainatmanagementlevel.Additionally,theCFOshouldensurethatthereiscollaborationwiththeappropriatebusinessspecialists(thislookstobeabsentwiththesoiledworkingoftheLinemanagersPlanningandOperationsoftheISMSQuestion1Importantconsiderationstomakewouldinclude• Actionstoaddressrisksandopportunities

o Informationsecurityriskassessmento Informationsecurityrisktreatment

• Informationsecurityobjectivesandplanningtoachievethem• Operationplanningandcontrol• Informationsecurityriskassessment• Informationsecurityrisktreatment• Monitoring,measurement,analysisandevaluation• Internalaudits• Managementreview• Non-conformityandcorrectiveaction• ContinualimprovementQuestion2Concepts-Planning–TheCFOhasdecidedtoestablishriskmanagementprocessesbyplanningthecriteriaforhowriskisdefined,acceptedandwhatrisktreatmentoptionsareavailablewithaviewofformulatingarisktreatmentplan.Therewasnoevidencetoseehoweverthattheriskplanandactionswerealignedwiththeorganisationssecuritypolicy–thishowevermayhavebeenassumed.Additionally,therewaslittleornoevidenceshownofhowtherequirementsandresultsoftheassessmentandrisktreatmentwouldbecommunicated.Responsibilities–Fromtheinformationshowntherewasnoapparentdelegationofresponsibilitiesgivenwithinthisscenario.Requirements–Planning–TheCFOhadshownthattherehadtobeplanningacontrol,andhighlightedthatchangecontrolandcontrolofdocumentationwasimportant.

Page 19: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

Performanceevaluation–Planning–TheCFOdidstateatahighlevelthatallrisksandchangestotheirstatusshouldbemonitored,measured,analysedandevaluated.Processes–Planning–TheCFOdiddiscusstheChangeProcessandthatalldocumentationshouldhavebeenstoredin-linewiththeinformationpolicies.Improvement–Planning–Noimprovementactivitieswerediscussed.InformationSecurityControlObjectivesandControlsQuestion1Aspect Applied/Tailored ReasonsforyourdecisionInformationsecuritypolices

Yes

A.5.1.1ThebusinesshasrequestedthattheITsecuritypoliciesarebroughtinlinewiththebusinesspolicies(tailoring).A.5.1.2Thebusinesshasaskedforreviewoftheinformationsecuritypoliciesagainstthebusinesspolicies

Organisationofinformationpolices

Partially

A.6.1.1Informationroleshavebeendefined(atahighlevel),andaRACImatrixshowingtheresponsibilitieshasbeendevelopedA.6.1.2Segregationofduties,hasnotbeenapproached,andwillbeariskA.6.1.3Thereisacommunicationplanhighlightwhenandhowcontactswithauthoritiesshouldtakeplace.A.6.1.4GroupshavebeensetupthataregovernedbycommunicationpoliciesA.6.1.5NothingismentionedregardinginformationsecurityisprojectmanagementA.6.2.1&A.6.2.2Thereisapolicythatsupportstheuseofmobiledevicesandteleworkers

Humanresourcessecurity

Yes

A.7.1.1EmployeesarescreenedA.7.1.2Therearedefinedtermsandconditionsofemployment

Page 20: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

A.7.2.1BothmanagementandemployeesresponsibilitiesaredefinedandcommunicatedA.7.2.2thereisperiodicgenericandspecialisedtraininggivenA.7.2.3ThereisadefineddisciplinaryprocessA.7.3.1Thereisadefinedterminationprocedure

Assetmanagement

Partially

A.8.1.1ThereisaninventoryofassetsA.8.1.2ThereareownersfortheassetsA.8.1.3Eachassetownerdefinestheacceptableuseoftheasset–thismaycauseconflictandareasofweakinformationsecurityA.8.1.4ThereisadefinedreturnofassetpolicyA.8.2.1thereisadefinedclassificationforinformationA.8.2.2AllinformationshouldbelabelledwithitsclassificationA.8.2.3ThereisinformationabouthandlingandstorageThereisnoinformationshownregardingmediahandlingA.8.3.1,A.8.3.2,A.8.3.3

Accesscontrol Yes

Atahighlevel–theaccesspolicydirectsalltheA.9Accessmanagementclauses

Cryptography No

Thereisacryptographicpolicybasedonagenerictemplate,howeverthishasnotbeentailoredtotheorganisationandmaynotbealignedtotheregulationsandnationalrestrictionsthatmightapply.

Physicalandenvironmentalsecurity

Partially

ThereisamaturepolicythatdoescoverallofthecontrolsstatedwithinA.11physicalandenvironmentalsecurity.However,thishasnotbeenupdatedforthreeyears,whichcouldmeanthatitisnotalignedtothechangingbusinessneeds.Additionally,thishighlightsalackofgovernanceoverthecontrols.

Operationssecurity

Yes

AllofthecontrolswithinA.12OperationsSecurityhavebeencovered,withvariouslevelsofdetail

Page 21: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

Communicationssecurity

Partially

A.13CommunicationsecuritycontrolsareaddressedapartfromA.13.1.2Securityofnetworkservices

Systemacquisition,developmentandmaintenance

Partially

Thereisapolicyhere,butitisoutofdateandisalsomissingthefollowingcontrols• A.14.2.5Securesystemengineeringprinciples• A.14.2.6Securedevelopmentenvironment• A.14.2.9Systemsacceptancetesting• A.14.3.1Protectionoftestdata

Supplierrelationships

Yes

AllthecontrolswithinA.15Supplierrelationshipsareshown.However,wouldrecommendedthatthecontrolsareassessedtodefineiftheyarestillalignedwiththebusinessobjectives.

Informationsecurityincidentmanagement

No

EventhoughtheITILIncidentManagementprocesshasbeenadopted,thereisnoevidenceseentoshowthatthefollowingcontrolsareinplace:• A.16.1.1Responsibilitiesandprocedures• A.16.1.2Reportinginformationsecurityevents• A.16.1.3Reportinginformationsecurity

weaknesses• A.16.1.4Assessmentofanddecisionon

informationsecurityevents• A.16.1.5Responsetoinformationsecurity

incidents• A.16.1.6Learningfrominformationsecurity

incidents• A.16.1.7Collectionofevidence

Informationsecurityaspectsofbusinesscontinuitymanagement

Thisstatementhasthefollowingpositiveelements• Thereisadisasterrecoveryplaninplace• Thereisredundancyformissioncritical

services.• Thereisalignmentwithlegislationand

contractualagreementsThereishowevernomentionof• Intellectualpropertyrightsasthereisa

hostingserviceusedwithinthesolution• Availabilityofinformationprocessingfacilities

Page 22: ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring

• Verify,reviewandevaluateinformationsecuritycontinuity

Compliance No

Eventhoughthereisacompliancepolicythatdoescoverallthestatedcontrols,thereisalsoconcernaboutthegovernanceandapplicationofthecontrols


Transitioning from ISO/IEC 27001:2005 to ISO/IEC 27001:2013

Transitioning from ISO/IEC 27001:2005 to ISO/IEC 27001:2013

help.csod.com  · Web view2020-06-10 · Certifications: Certifications Overview. Certifications: Certifications: Certifications Overview. Certifications: Certifications: Certifications

help.csod.com  · Web view2020-06-10 · Certifications: Certifications Overview. Certifications: Certifications: Certifications Overview. Certifications: Certifications: Certifications

Download Full Schedule - Academy of Self Defenseacademyselfdefense.com/downloads/schedule.pdf · Specialist Krav Maga Certifications Car Jacking Seminars Family Protection Seminars

Download Full Schedule - Academy of Self Defenseacademyselfdefense.com/downloads/schedule.pdf · Specialist Krav Maga Certifications Car Jacking Seminars Family Protection Seminars

REQUEST FOR PROPOSAL · Web viewProvide evidence of compliance through third-party audits results and any certifications (e.g. HITRUST, ISO 27001) or audit statements (e.g., SAS 70)

REQUEST FOR PROPOSAL · Web viewProvide evidence of compliance through third-party audits results and any certifications (e.g. HITRUST, ISO 27001) or audit statements (e.g., SAS 70)

Comparison of Controls between ISO/IEC 27001:2013 & ISO ... between 27001 2013 Vs 200… · Comparison of Controls between ISO/IEC 27001:2013 & ISO/IEC 27001:2005

Comparison of Controls between ISO/IEC 27001:2013 & ISO ... between 27001 2013 Vs 200… · Comparison of Controls between ISO/IEC 27001:2013 & ISO/IEC 27001:2005

Cirrus Networks · • JNCIS-ENT Enterprise Routing and Switching – Specialist x3 • JNCIS-SEC Networks Certified Specialist – Security x2 Capability and Certifications Section2

Cirrus Networks · • JNCIS-ENT Enterprise Routing and Switching – Specialist x3 • JNCIS-SEC Networks Certified Specialist – Security x2 Capability and Certifications Section2

FFIEC Compliance on Services/Solutions... · iv. ISO 27001: AWS is . ISO 27001 certified under the International Organization for Standardization (ISO) 27001 standard. ISO 27001 is

FFIEC Compliance on Services/Solutions... · iv. ISO 27001: AWS is . ISO 27001 certified under the International Organization for Standardization (ISO) 27001 standard. ISO 27001 is

Common new technology - Transportstyrelsen · • In much the same certifications as Amazon –ISO 27001/27018 –SOC1/2/3 • The service commitment sound similar… –” Vi förbehåller

Common new technology - Transportstyrelsen · • In much the same certifications as Amazon –ISO 27001/27018 –SOC1/2/3 • The service commitment sound similar… –” Vi förbehåller

Supplier Registration: Certifications · Certifications tab to navigate to the certifications section. The Certifications tab contains information on your company’s certifications

Supplier Registration: Certifications · Certifications tab to navigate to the certifications section. The Certifications tab contains information on your company’s certifications

ISA Certifications - MAC-ISA · ISA Certifications . ISA Certified Arborist Municipal Specialist ... Arboriculture: Integrated Management of Landscape Trees, Shrubs, and Vines, 4th

ISA Certifications - MAC-ISA · ISA Certifications . ISA Certified Arborist Municipal Specialist ... Arboriculture: Integrated Management of Landscape Trees, Shrubs, and Vines, 4th

ISO 22301 Business Continuity Management System · 2 ISO 22301 T SD Low Liang Ngien Product Specialist, Auditing Centre Mr. Low is a Product Specialist and Auditor for IT certifications,

ISO 22301 Business Continuity Management System · 2 ISO 22301 T SD Low Liang Ngien Product Specialist, Auditing Centre Mr. Low is a Product Specialist and Auditor for IT certifications,

LASER LASER CERTIFICATIONS CERTIFICATIONS

LASER LASER CERTIFICATIONS CERTIFICATIONS

UMES MICROSOFT OFFICE SPECIALIST CERTIFICATION … · By earning Microsoft Office Specialist certifications you will be receiving a globally-acknowledged and industry-recognized credential.

UMES MICROSOFT OFFICE SPECIALIST CERTIFICATION … · By earning Microsoft Office Specialist certifications you will be receiving a globally-acknowledged and industry-recognized credential.

Security Assurance review for Microsoft Cloud Service … 365 Security and... · 2016-02-05 · Security Assurance review for Microsoft Cloud Service ... ISO 27001 ... these certifications

Security Assurance review for Microsoft Cloud Service … 365 Security and... · 2016-02-05 · Security Assurance review for Microsoft Cloud Service ... ISO 27001 ... these certifications

RECRUITMENT NOTIFICATION RECRUITMENT OF SPECIALIST ...€¦ · Database Operation preferably in Banking Projects. 06 Certifications (Desirable) Microsoft Certified Professional (MCP)

RECRUITMENT NOTIFICATION RECRUITMENT OF SPECIALIST ...€¦ · Database Operation preferably in Banking Projects. 06 Certifications (Desirable) Microsoft Certified Professional (MCP)

Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013

Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013

Mapping ISO/IEC 27001:2005 -> ISO/IEC 27001:2013cbexcelente.wdfiles.com/local--files/est-seginfo-27001-de2005a2013... · 1 Mapping ISO/IEC 27001:2005 -> ISO/IEC 27001:2013 Carlos

Mapping ISO/IEC 27001:2005 -> ISO/IEC 27001:2013cbexcelente.wdfiles.com/local--files/est-seginfo-27001-de2005a2013... · 1 Mapping ISO/IEC 27001:2005 -> ISO/IEC 27001:2013 Carlos

iOS Security iOS 12.1 November 2018 - Apple Inc. · ISO 27001 and 27018 certifications Cryptographic validation (FIPS 140-2) Common Criteria Certification (ISO 15408) Commercial Solutions

iOS Security iOS 12.1 November 2018 - Apple Inc. · ISO 27001 and 27018 certifications Cryptographic validation (FIPS 140-2) Common Criteria Certification (ISO 15408) Commercial Solutions

27001 Guidelines

27001 Guidelines

ISO 27001:2005 Information Security Management Systems 27001.pdfSejarah ISO 27001:2005 (ISMS) ISO 27001:2005 atau yang disebut juga ISO 17799:2005-2 adalah suatu standar keamanan yang

ISO 27001:2005 Information Security Management Systems 27001.pdfSejarah ISO 27001:2005 (ISMS) ISO 27001:2005 atau yang disebut juga ISO 17799:2005-2 adalah suatu standar keamanan yang