Top Management Role in Implementing ISO/IEC 27001

Mohamad Khachab, MBA, PECB Certified Trainer, ISO 27001 LI, ISO 27005 RM

January 27, 2016

Mohamad Khachab, Lecturer, Management Consultant

Mr. Mohamad Khachab has 30 years of professional experience in management consultancy, project management, teaching/training, IT procurement, preparing proposals, information risk management, research, developing bidding documents, and business development activities.

703-962-0793

[email protected]

www.ics4business.com

linkedin.com/in/mohamadkhachab

Agenda

• Introduction

• ISO 27001 Standard

• Structure & Controls

• Costs

• PDCA Model

• Data Qualities

• Management Planning

• Decision Making factors

• Implementation Project Phases

3 PECB Webinar, Khachab, Management Role in Implementing ISO 27001, Jan. 27, 2016

Introduction

• All about “Tone at the Top”

• Strategic & healthy atmosphere

• TQM is a long term strategy

• Enterprise-wide awareness

• Senior management involvement

• Education/training (facts only, statistical methods, no myth)

• Decision making techniques


ISO 27001

• ISO 27001 requires a company to establish, implement, and maintain a continuous improvement approach to manage its ISMS.


ISO 27001 Standard

1. Scope of the standard

2. How the document is referenced

3. Reuse of the terms and definitions in ISO/IEC 27000

4. Organizational context and stakeholders

5. Information security leadership and high-level support for policy

6. Planning an information security management system; risk assessment; risk treatment

7. Supporting an information security management system

8. Making an information security management system operational

9. Reviewing the system's performance

10. Corrective action

Annex A: List of controls and their objectives.


ISO 27001 Standard (Cont.)

ISO 27001:2013 details 114 controls or security measures organized into 14 groups:

• Information security policies (2 controls)

• Organization of information security (7 controls)

• Human resource security (6 controls, applied before, during, or after employment)

• Asset management (10 controls)

• Access control (14 controls)

• Cryptography (2 controls)

• Physical and environmental security (15 controls)

• Operations security (14 controls)

• Communications security (7 controls)

• System acquisition, development and maintenance (13 controls)

• Supplier relationships (5 controls)

• Information security incident management (7 controls)

• Information security aspects of business continuity management (4 controls)

• Compliance, with internal requirements such as policies and with external requirements such as laws (8 controls)


Costs

Costs are driven by risk perception and by how much risk the organization is prepared to accept. Four costs for management to consider:

1- Internal resources

2- External resources

3- Certification

4- Implementation


PDCA Model


Process Objectives

Easy understanding and implementation

Desired results:

- Time and cost savings in mind.

- Management Review of processes.


Data Qualities

• Confidentiality – Ensure information is accessible only to those authorized to have access.

• Integrity – Safeguard the accuracy and completeness of information and processing methods.

• Availability – Ensure that authorized users have access to information and assets when required.


What is your organization like?

• I want you to think in terms of:

– Culture

– Management practice

– Formal processes

– Maturity of TQM processes

– Strategies and business planning

– Internal Audit function

– IT Department and customer satisfaction

• Is senior managers’ decision making rational?


Do you have a TQM Strategy?

TQM strategies vary from one organization to another, but there must be a set of primary elements present:

• Top management has identified TQM as one of the organization’s long-term and competitive strategies and is committed to it.


Management Planning

Vital to the success of implementation are two critical functions:

1. Effective input and early involvement of the Internal Audit Department contribute to effective development of the implementation strategy and to management review during the certification stages.


Management Planning (Cont.)

2. IT Department will have to dedicate resources and time to the ISO 27001 implementation project.

Many constraints and questions:

- Are there other IT compliance initiatives?

- Procedures & policies (in the works)?

- How mature are the existing IT processes and controls?

- Are they aligned with the ISO 27001 requirements?


Enterprise Wide Project

Other business departments play an important role in the ISMS implementation.


Decision Making Factors

A number of factors influence when and how to implement a standard:

– Business objectives and priorities

– Existing IT maturity levels

– User acceptability and awareness

– Internal audit capability

– Contractual obligations

– Customer requirements

– Ability to adapt to change

– Adherence to internal processes

– Existing compliance efforts and legal requirements

– Existing training programs


Implementation Roadmap

• Initial Approach

• Management Support

• Scoping

• Planning

• Communications

• Risk Assessment

• Controls Selection

• Documentation

• Testing

• Successful Certification


Advice

- Address risks and opportunities rather than preventive action.

- Stress maintaining documented information rather than the information record.

- Set objectives.

- Monitor performance and develop metrics.


ISO 27001 Suggested Steps

• Define an ISMS Policy.

• Define the scope of the ISMS.

• Perform a security risk assessment.

• Manage the identified risk.

• Select controls to be implemented and applied.

• Prepare a Statement of Applicability (SOA).


Identify Business Objectives

• You should know your interested parties (stakeholders).

• Identify and prioritize objectives to gain management support.

• Objectives are identified from business documents such as the Mission, the Strategic Plan and the IT Business Plan.


Identify Business Objectives (Cont.)

• Increase marketing reach.

• Assurance to business partners and customers.

• Increased revenue and profitability

• Assets identification

• Effective risk assessment

• Preserve organization’s reputation

• Compliance with government and industry regulators


Obtain Management Support

Includes initiatives such as:

• An information security policy exists.

• Information security objectives and plans.

• A roles & responsibilities information security matrix exists.

• Communicating the importance of adherence to information security policies to the whole organization.

• Sufficient resources identified (to manage, develop, maintain, and implement the ISMS).

• Determination of the acceptable risk level.

• Periodic management reviews of the ISMS.

• Assurance of proper training for the personnel affected by the ISMS.

• Appointment of competent personnel to their assigned roles & duties.


Implementation Scope

The standard requires listing scope exclusions and the reasons for them. When setting scope, consider:

- The selected scope helps achieve the identified business objectives.

- The organization’s overall scale of operations, to determine the process’ complexity level.

- Number of employees, business processes, number of locations, products, and services offered.

- What areas, locations, assets or technologies will be controlled by the ISMS.

- Does the ISMS apply to suppliers?

- Are there dependencies on other organizations?

- Is any regulatory or legislative standard applicable?


Define a Risk Assessment Method

Risk assessment method must be defined and documented. Things to consider:

• Which method is used to assess the risk?

• Which risks are intolerable and must be mitigated?

• Manage the residual risk!


Prepare Inventory of Information Assets

Management has to prioritize assets (to be protected) according to risk classification plus record owners, location, criticality and replacement value of assets.

Three impact levels: high, medium, and low.

Identify risks and classify them according to severity and vulnerability.

Based on the risk values, determine whether each risk is tolerable and whether a control is needed to eliminate or reduce it.


Create a Risk Treatment Plan

• Organizations must either accept, avoid, transfer or reduce the risk to an acceptable level.

• Identification of operational controls and additional proposed controls.

• It is very important to obtain management approval of the proposed residual risks.

• Develop a schedule of proposed control implementation.
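As a worked example of the method the two preceding slides describe (inventory the assets with owner, location, criticality and replacement value; rate impact on three levels; classify each risk by severity and vulnerability; decide tolerability against the accepted risk level; choose accept, avoid, transfer or reduce; collect residual risks for management approval; and order the control implementation schedule), here is a small risk register in Python. This is added example code, not material from the webinar or from PECB. It assumes a numeric 1..3 mapping for the high/medium/low levels, a risk value computed as impact multiplied by likelihood, a tolerance threshold of 4 on the resulting 1..9 scale, and a constructed set of sample assets and risks.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    """High/medium/low scale for impact, likelihood and criticality (the 1..3 mapping is assumed)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Asset:
    """Inventory entry: owner, location, criticality and replacement value."""
    name: str
    owner: str
    location: str
    criticality: Level
    replacement_value: int  # constructed figures, arbitrary currency units


@dataclass
class Risk:
    """Register entry for one asset, with severity, vulnerability and chosen treatment."""
    asset: Asset
    description: str
    impact: Level                      # severity if the risk materialises
    likelihood: Level                  # how exposed/vulnerable the asset is
    treatment: str = "accept"          # accept | avoid | transfer | reduce
    control: Optional[str] = None      # proposed control when not simply accepted
    residual_impact: Optional[Level] = None
    residual_likelihood: Optional[Level] = None

    def inherent_score(self) -> int:
        return int(self.impact) * int(self.likelihood)

    def residual_score(self) -> int:
        if self.treatment == "accept":
            return self.inherent_score()
        if self.treatment == "avoid":
            return 0  # activity stopped, so the risk no longer applies
        if self.residual_impact is None or self.residual_likelihood is None:
            raise ValueError(f"{self.description}: residual levels required for '{self.treatment}'")
        return int(self.residual_impact) * int(self.residual_likelihood)


TOLERANCE = 4  # assumed tolerance threshold on the 1..9 product scale


def evaluate(risk: Risk, tolerance: int = TOLERANCE) -> str:
    """tolerable: within tolerance as-is; treated: within tolerance after treatment;
    residual_above_tolerance: still too high; untreated: too high and no treatment chosen."""
    if risk.treatment not in ("accept", "avoid", "transfer", "reduce"):
        raise ValueError(f"unknown treatment {risk.treatment!r}")
    if risk.inherent_score() <= tolerance:
        return "tolerable"
    if risk.treatment == "accept":
        return "untreated"
    return "treated" if risk.residual_score() <= tolerance else "residual_above_tolerance"


def treatment_plan(register: List[Risk]) -> List[Risk]:
    """Implementation schedule: highest inherent score first, ties broken by asset criticality."""
    planned = [r for r in register if r.treatment != "accept" and r.control]
    return sorted(planned, key=lambda r: (r.inherent_score(), int(r.asset.criticality)), reverse=True)


def needs_management_approval(register: List[Risk], tolerance: int = TOLERANCE) -> List[Risk]:
    """Entries whose residual (or untreated) risk exceeds tolerance and needs management sign-off."""
    return [r for r in register if evaluate(r, tolerance) in ("untreated", "residual_above_tolerance")]


# Constructed sample inventory and register; the figures illustrate the method, nothing more.
DB = Asset("customer database", "Head of Sales", "DC-1", Level.HIGH, 250_000)
SHARE = Asset("payroll file share", "Finance Manager", "DC-1", Level.HIGH, 40_000)
WEB = Asset("marketing website", "Marketing Lead", "cloud", Level.LOW, 5_000)
FAX = Asset("legacy fax server", "Operations", "HQ basement", Level.LOW, 2_000)
LAPTOPS = Asset("laptop fleet", "IT Manager", "mobile", Level.MEDIUM, 60_000)

REGISTER = [
    Risk(DB, "unauthorised access via weak admin passwords", Level.HIGH, Level.MEDIUM,
         "reduce", "MFA on all admin accounts", Level.HIGH, Level.LOW),
    Risk(SHARE, "ransomware encrypts the share", Level.HIGH, Level.HIGH,
         "reduce", "offline backups with quarterly restore test", Level.HIGH, Level.MEDIUM),
    Risk(WEB, "public site defaced", Level.LOW, Level.MEDIUM),
    Risk(FAX, "unsupported operating system", Level.MEDIUM, Level.HIGH,
         "avoid", "decommission the fax service"),
    Risk(LAPTOPS, "lost laptop discloses unencrypted data", Level.HIGH, Level.MEDIUM),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset.name:20} inherent={r.inherent_score()} residual={r.residual_score()} -> {evaluate(r)}")
    print("implementation order:", [r.asset.name for r in treatment_plan(REGISTER)])
    print("for management approval:", [r.asset.name for r in needs_management_approval(REGISTER)])
```

Running the script lists each entry's inherent and residual value with its status, the implementation order for the proposed controls, and the two entries management has to sign off explicitly: the payroll share, whose residual value after the backup control is still above the threshold, and the laptop fleet, which is above tolerance but has no treatment chosen yet. The tolerance value is the management decision the "Define a Risk Assessment Method" slide calls for; changing it is how the register reflects a different accepted risk level.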


Allocate Resources & Train your Staff

The ISMS process highlights one of the most important commitments for management: Resources to manage, develop, maintain, and implement the ISMS.

- Auditors ask to see documentation of training.


Monitor the Implementation of ISMS

• Internal audit review consists of testing of controls and identifying corrective/preventive actions.

• ISMS needs to be reviewed by management at periodic planned intervals.

• Project Management Review: Follows changes/improvement to policies, procedures, controls and staffing decisions.

• Document and maintain all results.


Prepare for the Certification Audit

To be certified, the organization must:

• Conduct a full cycle of internal audits,

• Carry out management reviews and activities in the PDCA process,

• Retain evidence of reviews and audits, and

• Have management review risk assessments, risk treatment plans, the SOA, and policies & procedures annually.


Conduct Periodic Assessment Audits

• ISO 27001 follows the PDCA cycle and assists management in knowing enterprise progression along the cycle.

• Follow-up reviews or periodic audits confirm that the organization remains in compliance with the standard.

• Certification maintenance requires periodic reassessment audits to confirm that the ISMS continues to operate as specified.



QUESTIONS?

THANK YOU
