iso 27001 foundation course student handbook - itpreneurs


Posted on 09-Feb-2022


Page 1: ISO 27001 Foundation Course Student Handbook - ITpreneurs


Certified ISO/IEC 27001

Foundation

Participant Handbook

Information Security Training


Copyright ISO 27001 Foundation, Classroom course, release 2.0.0

Copyright and Trademark Information for Partners/Stakeholders.

ITpreneurs Nederland B.V. is affiliated with Veridion.

Copyright © 2013 ITpreneurs. All rights reserved.

Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.

The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.


Certified ISO/IEC 27001 | Foundation | Participant Handbook

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 1

Follow Us

Before you start the course, please take a moment to:

• "Like us" on Facebook: http://www.facebook.com/ITpreneurs
• "Follow us" on Twitter: http://twitter.com/ITpreneurs
• "Add us in your circle" on Google Plus: http://gplus.to/ITpreneurs
• "Link with us" on LinkedIn: http://www.linkedin.com/company/ITpreneurs
• "Watch us" on YouTube: http://www.youtube.com/user/ITpreneurs



Contents: Certified ISO/IEC 27001 Foundation

Day 1 ------------------------------------------------------------ 2
Day 2 ------------------------------------------------------------ 56
Appendix A: Exercises List ---------------------------------- 102
Appendix B: Correction Key ---------------------------------- 114
Appendix C: Release Notes ----------------------------------- 121


Day 1

ISO 27001 Foundation


Slide 2: ISO 27001 Foundation Training, Section 1: Course objective and structure

1. Meet and greet

2. General points

3. Training objectives and structure

4. Instructional approach

5. Learning assessment


Slide 3: Activity: Meet and greet

Slide 4: General Information: smoking, meals, timetable and breaks, mobiles, absences


Slide 5: Training Objectives: Acquiring Knowledge

1. Explain the components of an Information Security Management System based on ISO/IEC 27001:2005 and its principal processes
2. Explain the goal, content and correlation between ISO/IEC 27001:2005 and ISO/IEC 27002:2005, as well as with other standards and regulatory frameworks
3. Understand the concepts, approaches, standards, methods and techniques for the implementation and effective management of an ISMS

Slide 6: Educational Approach: Students at the center


Slide 7: Examination and Certification: Exam

The objective of the exam is to ensure that the candidate has the basic knowledge and skills to participate in the implementation of an Information Security Management System (ISMS) based on ISO 27001.

• The exam contains only essay questions
• Participants may use all of their documentation
• The exam lasts 1 hour
• Minimum passing score: 70%

Slide 8: ISO 27001 Foundation: Prerequisites for Certification

1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. No professional experience required
4. No security experience required


Slide 9: Certificates

Candidates who meet all the prerequisites for certification will receive a certificate.

Slide 10: What is PECB? Professional Evaluation and Certification Board

Main services:
1. Certification of personnel (Auditor and Consultant)
2. Certification of training organizations
3. Certification of trainers


Slide 11: Customer Service: Comments, questions and complaints

Process between the training participant, the training provider and PECB:
1. Submit a complaint (training participant to training provider)
2. Answer in writing (training provider)
3. Appeal (to PECB)
4. Final arbitration (PECB)

Slide 12: Schedule for the training


Slide 13: Questions?

Slide 14: ISO 27001 Foundation Training, Section 2: Standard and regulatory framework

1. ISO structure

2. Fundamental ISO principles

3. Main ISO standards

4. Integrated normative framework

5. Information Security Standards

6. ISO 27000 family


Slide 15: What is ISO?

• ISO is a network of the national standardization bodies of over 160 countries
• The final results of ISO's work are published as International Standards
• Over 17,000 standards have been published since 1947

Slide 16: Basic Principles of ISO Standards

1. Equal representation: one vote per country
2. Voluntary membership: ISO does not have the authority to impose its standards
3. Business orientation: ISO only develops standards that fill market needs
4. Consensus approach: a broad consensus is sought among the different stakeholders
5. International cooperation: over 160 member countries


Slide 17: Eight ISO Management Principles

Slide 18: Management System Standards: Main standards against which an organization can be certified

• ISO 9001: Quality
• ISO 14001: Environment
• ISO 18001: Health and Safety at work
• ISO 20000: IT Service
• ISO 22000: Food Safety
• BS 25999: Business continuity
• ISO 27001: Information security
• ISO 28000: Physical Safety


Slide 19: Integrated management system (PAS 99:2006, Annex B)

Correspondence between the PAS 99:2006 clauses and the clauses of ISO 9001:2000, ISO 14001:2004, ISO 20000:2005 and ISO 27001:2005:

PAS 99:2006 | ISO 9001:2000 | ISO 14001:2004 | ISO 20000:2005 | ISO 27001:2005
4.1 General requirements | 4.1 | 4.1 | 3 | 4.1, 4.2
4.2 Management system policy | 5.1, 5.3 | 4.2 | 3.1, 4.4.1 | 5.1
4.3 Planning | 5.2, 5.3(b), 5.4.1, 5.4.2, 5.5, 7.2.1, 7.2.2, 8.3 | 4.3, 4.4.1, 4.4.7 | 4.1, 4.2, 5.0, 8.2 | 4.2
4.4 Implementation and operation | 4.2, 5.3(d), 5.5.1, 5.5.3, 6, 7 | 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.5.4 | 4.2, 6.0, 3.1, 3.2, 3.3, 7 | 4.2.2, 4.2.4(c), 4.3, 5.2.1, 5.2.2
4.5 Performance evaluation | 8.1, 8.2.2, 8.2.4, 8.3 | 4.5.1, 4.5.2, 4.5.3, 4.5.5 | 4.3 | 4.2.3, 4.2.4, 6
4.6 Improvement | 8.5.1, 8.5.2, 8.5.3 | 4.5.3 | 4.4, 4.2.4(b), 8.2, 8.3 | 4.2.4, 8.1, 8.2, 8.3
4.7 Management review | 5.6.1, 5.6.2, 5.6.3 | 4.6 | 3.1(g) | 7.1, 7.2, 7.3

Slide 20: Security Standards: Examples


Slide 21: ISO/IEC 27000 Family

Vocabulary:
• ISO 27000: Vocabulary

Requirements:
• ISO 27001: ISMS requirements
• ISO 27006: Certification organization requirements

General guides:
• ISO 27002: Code of practice
• ISO 27003: Implementation guide
• ISO 27004: Metrics
• ISO 27005: Risk management
• ISO 27007-27008: Audit guides

Industry guides:
• ISO 27011: Telecommunications
• ISO 27799: Health
• ISO 270XX: others

Slide 22: Legal Conformity

• The organization must comply with the applicable laws and regulations
• In most countries, the implementation of an ISO standard is a voluntary decision of the organization, not a legal requirement
• In all cases, laws take precedence over standards
• ISO 27001 can be used to comply with several laws and regulations


Slide 23: Certification Scheme

• Accreditation authorities (ex: ANAB (USA), SCC (Canada), UKAS (UK), COFRAC (France), BELAC (Belgium), SAS (Switzerland)) accredit the certification bodies
• Certification bodies (ex: SGS, Bureau Veritas, DNV, Swiss TS) hire auditors, audit the auditees and certify organizations
• Personnel certification bodies (ex: PECB/IRCA/RABQSA) certify auditors and certify trainers
• Training organizations (ex: Behaviour) train the auditors

Slide 24: Certification Process

Before the audit:
1. ISMS implementation
2. Internal audit and review of the ISMS (by the auditee)
3. Selection of a certification body
4. Pre-evaluation audit (optional)

Initial audit:
5. Stage 1 audit
6. Stage 2 audit (on-site audit)

Following the audit:
7. Follow-up audit (if applicable)
8. Confirmation of registration
9. Continual improvement and surveillance audit


Slide 25: ISO 27001 Foundation Training, Section 3: Information Security Management System (ISMS)

1. Definition of an ISMS

2. Process approach

3. Structure of the ISO 27001 standard

4. Overview – Clauses 4 to 8

5. Annex A

6. Implementation methodology

Slide 26: Information Security Management System (ISO 27001, clause 3.7)

"That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security"

Note: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources


Slide 27: Structure of the ISO/IEC 27001:2005 standard

• Clause 4.2.1: Establish the ISMS
• Clause 4.2.2: Implement and operate the ISMS
• Clause 4.2.3: Monitor and review the ISMS
• Clause 4.2.4: Maintain and improve the ISMS
• Clause 5: Management responsibility
• Clause 6: Internal ISMS audits
• Clause 7: Management review
• Clause 8: ISMS improvement
• Annex A: Control objectives and controls

Slide 28: Establish the ISMS (ISO 27001, clause 4.2.1 a to j)

a) Define the scope and boundaries of the ISMS
b) Define an ISMS policy
c) Define the risk assessment approach
d) Identify the risks
e) Analyze and evaluate the risks
f) Identify and evaluate risk treatment options
g) Select control objectives and controls
h) Approve residual risks
i) Obtain management approval
j) Prepare the statement of applicability


Slide 29: Implement the ISMS (ISO 27001, clause 4.2.2)

• Risk treatment plan: define the plan (actions, resources, responsibilities, priorities, objectives) and put it in place
• Implement the controls: implement the controls and define how to measure the effectiveness of the selected controls
• ISMS management: manage ISMS operations daily
• Training & awareness: set in place a training and awareness program
• Incident management: set in place an incident management process to detect and treat incidents rapidly

Slide 30: Documentation requirements (ISO 27001, clause 4.3)

Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible.

It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives (ISO 27001, clause 4.3.1).


Slide 31: ISMS Monitoring and Review (ISO 27001, clause 4.2.3)

1. Monitoring and review of detection and security event prevention procedures
2. Regular review of the effectiveness of the ISMS, taking into account the feedback and suggestions of interested parties
3. Measurement of the effectiveness of controls
4. Review of risk assessments
5. Conducting the internal audits
6. Management review and update of security plans

Note: Each of these actions must be documented and recorded

Slide 32: Management responsibility (ISO 27001, clause 5)

• 5.1 Management commitment: Management shall provide evidence of its commitment to the ISMS
• 5.2.1 Make resources available: Management shall determine and provide the necessary resources for the ISMS
• 5.2.2 Training, awareness & competency: Management shall ensure that personnel who have been assigned responsibilities defined in the ISMS have the necessary competencies to perform the required tasks


Slide 33: ISMS Internal Audits (ISO 27001, clause 6)

• The organization shall conduct ISMS internal audits at regular intervals
• An audit program must be planned taking into account the importance of the processes and scopes to audit, as well as previous audit results

Slide 34: ISMS Management Review (ISO 27001, clause 7)

Management review input elements:
1. Results of ISMS audits and reviews
2. Feedback of interested parties
3. Suggestions to improve the performance and effectiveness of the ISMS
4. Status of preventive and corrective actions
5. Vulnerabilities or threats that have not been adequately addressed during the previous risk evaluation
6. Results from effectiveness measurements
7. Follow-up actions from previous management reviews
8. Any change that can affect the ISMS
9. Recommendations for improvement

Management review output elements:
1. Improvement of the effectiveness of the ISMS
2. Update of the risk evaluation and the risk treatment plan
3. Modification of information security procedures and controls
4. Resource needs
5. Improvement in the way the efficiency of controls is measured


Slide 35: ISMS Improvement (ISO 27001, clause 8.1)

The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions, and management review.

Slide 36: ISO 27001, Annex A: ISO 27002 Domains

A.5 Security policy
A.6 Organization of information security
A.7 Asset management
A.8 Human resources security
A.9 Physical and environmental security
A.10 Communications and operations management
A.11 Access control
A.12 Information systems acquisition, development and maintenance
A.13 Information security incident management
A.14 Business continuity management
A.15 Compliance


Slide 37: Exercise 1: Reasons to adopt ISO 27001

Slide 38: ISO 27001 Advantages

1. Improvement of security
2. Good governance
3. Conformity
4. Cost reduction
5. Marketing


Slide 39: Proposed methodology (Plan, Do, Check, Act)

Plan:
• Understanding the organization
• Analyze the existing system
• Scope
• Security and ISMS policy
• Risk assessment
• Statement of applicability
• Organizational structure
• Document management
• Concept of controls & procedures

Do:
• Implementation of concepts & procedures
• Training, awareness & communication
• Incident management
• Operations management

Check:
• Monitoring and review
• Performance measurement
• Internal audit
• Management review

Act:
• Identification of non-conformities
• Treatment of non-conformities
• Continuous improvement

Slide 40: ISO 27001 Foundation Training, Section 4: Understanding the organization, analysis of the existing system and security policies

1. Understanding the organization

2. Identification and analysis of interested parties

3. Determination of objectives

4. Gap analysis

5. Definition of the scope

6. ISMS Policy and Security Policies


Slide 41: Understanding the organization and clarifying the information security objectives (ISO 27003, clause 5.2 and ISO 27005, clause 7)

Input:
• General information about the organization
• Strategic objectives of the organization
• List of applicable laws, contracts and signed agreements

Actions:
• Establish and analyze the external and internal environment
• Clarify the objectives of information security
• Identify and analyze the applicable requirements of the ISMS

Output:
• Brief description of the organization
• List of stakeholders
• Objectives, priorities and requirements related to the ISMS
• List of applicable legal, regulatory and contractual obligations
• Preliminary scope

Slide 42: List of activities: Understanding the organization, determination of the objectives and security policies

Initiating the ISMS:
1. Mission, objectives, values, strategies
2. External environment
3. Internal environment
4. Key processes and activities
5. IT infrastructure
6. Interested parties
7. Legal, regulatory & contractual requirements
8. Clarification of the objectives
9. Definition of scope
10. Gap analysis
11. Security and ISMS policy


Slide 43: Identification and analysis of interested parties

Interested parties around the organization: Board of Directors, Management Team, Employees, Unions, Shareholders, Financial institutions, Suppliers, Customers, Interest groups, Media, Public, Legislators.

Slide 44: Identification and analysis of requirements

The slide classifies requirements along two axes, external/internal and voluntary/mandatory:
• Legal and regulatory: all laws and regulations that the organization must comply with
• Standards: international standards and codes of practice related to the industry sector that are voluntarily implemented by the organization
• Internal policies: all requirements inside the organization: internal policies, code of ethics, work rules, etc.
• Market: all contractual obligations that the organization has signed with its stakeholders


Slide 45: Determine the objectives (ISO 27003, clause 5.2)

1. Improved risk management: Can the ISMS improve risk management?
2. Effective security management: Can the ISMS improve the effectiveness of information security management?
3. Business advantage: Can the implementation of an ISMS provide competitive advantages?

Slide 46: Definition of the ISMS scope (ISO 27003, clause 6.2)

The scope may cover:
• A key process
• A department
• The organization as a whole
• The organization and its stakeholders


Slide 47: Gap analysis and level of maturity

Gap analysis: a technique to determine the steps to move from the current state to a desired future state.
1. Comparison of the current performance of the security management system with the ISO 27001 requirements
2. Identification of the improvement needs
3. Basis for drafting the ISMS project plan

Slide 48: Definition of Security and ISMS Policies (ISO 27003, annex D)

• High level general policies: general guidelines for the management of a sector of activities (procurement & supply, human resources, sales, marketing, etc.). Example: Security Policy
• High level topic-specific policies: specific guidance on a topic. Examples: Information Security Policy, ISMS Policy
• Detailed policies: specify the internal requirements of another policy and usually cover a very specific and/or target audience. Examples: policy on access control, policy on cryptography, policy on continuity of activities, incident management policy


Slide 49: Example of the ISMS policy: Model (extract)

2. Introduction
• The information and processes, systems and networks that enable the treatment of important assets for [ABC] in carrying out its business mission.
• [ABC] should ensure respect for the integrity, confidentiality and availability of information generated or stored within the scope of the ISMS.
• [ABC] shall ensure the protection of its information assets against threats, internal or external, accidental or deliberate.

3. Scope of the ISMS
• This policy supports the security policy and the information security policy.
• This policy applies to all activities of [ABC] included in the scope of the information security management system.

4. Objectives of the policy
• Ensure continuity of critical business activities.
• Ensure that all information processed, stored, traded or released by the organization is of absolute integrity.
• Ensure that all information relevant to the organization will be monitored and stored according to procedures for maintaining appropriate confidentiality.
• Ensure the selection of appropriate and proportionate security controls to protect the assets and give confidence to the interested parties.
• Ensure effective and efficient management of information security.

5. Principles of the ISMS policy
• [ABC] shall establish, implement, operate, monitor, review, maintain and improve an ISMS based on a documented approach to the risks related to its activity and in compliance with all requirements of ISO/IEC 27001.
• [ABC] should take into account all legal, regulatory and contractual requirements in the management of the ISMS in order to avoid breaching its legal, statutory, regulatory or contractual obligations and security requirements.
• The legal and regulatory requirements will be met in priority, even if they are inconsistent with the policy described here.
• [ABC] shall establish and implement a documented risk management program in accordance with the requirements of ISO/IEC 27001. Criteria for evaluation and acceptance of risk must be established, formalized and approved by management.
• This policy has been approved by management and is subject to an annual review.

Slide 50: Example of the Information Security Policy: Model (extract)

1. Policy Summary
• Information should always be protected, whatever its form and however it is shared, communicated or stored.

2. Introduction
• Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation.
• Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.

3. Scope
• This policy supports the organization's general security policy.
• This policy applies to all of the organization.

4. Information Security Objectives
• Strategic and operational information security risks are understood and treated to be acceptable to the organization.
• The confidentiality of customer information, product development and marketing plans is protected.
• The integrity of accounting records is preserved.
• Public web services and internal networks meet specified availability standards.

5. Information Security Principles
• This organization encourages risk-taking and tolerates risks that might not be tolerated in conservatively managed organizations, provided that information risks are understood, monitored and treated when necessary. Details of the approach taken to risk assessment and treatment are found in the ISMS policy.
• All staff will be made aware of and accountable for information security as relevant to their job role.
• Provision will be made for funding information security controls in operational and project management processes.
• Possibilities for fraud associated with abuse of information systems will be taken into account in the overall management of information systems.
• Information security status reports will be available.
• Information security risks will be monitored and action taken when changes result in risks that are not acceptable.
• Criteria for risk classification and risk acceptability are found in the ISMS policy.
• Situations that could place the organization in breach of laws and statutory regulations will not be tolerated.


Slide 51: Example of specific policies: Example of a policy on e-mail use

1. Policy Summary
• The email system is a resource belonging to the company and is available to users for business purposes.
• Occasional, non-abusive personal use of email is tolerated only insofar as it takes place during the user's free time and does not impair the performance of their work.

2. Introduction
• All outgoing email from the company may be identified as part of its public image, so email management is necessary to prevent users from tarnishing this image.
• This policy aims to regulate the use of email by all users as part of their work.

3. Scope
• This policy covers appropriate use of any email sent from a company email address.
• This policy applies to all employees, members of management and contract personnel using a corporate email address provided by the company.

4. Information Security Objectives
• Prevent the public image of the company from being tainted by improper use of corporate email addresses, or by inadequate corporate email addresses being made available to stakeholders.
• Prevent the risks of junk email (spam) arising from improper use of email, both internally and by third parties related to the company or even by outside bodies.

5. Information Security Principles
• Prohibited use: The corporate email address will not be used for offensive, insulting or racist purposes. Any user who observes this type of use by one of their colleagues should immediately inform the person directly responsible.
• Personal use: Reasonable use of company resources for personal purposes is acceptable, but non-business emails will be saved and filed in directories separate from those used for business purposes. It is also forbidden to pass on chain emails or jokes; this prohibition also applies to relaying emails that were received from colleagues.
• Monitoring: Users should know that they have no privacy regarding work emails stored on or sent through company systems. The company may monitor the messages circulating on its infrastructure without prior notification, without being obliged to make this monitoring continuous or systematic.
• Penalties: Any user who violates this policy may be subject to disciplinary action, including dismissal or, in the case of contract personnel, termination of their contract.

Slide 52: ISO 27001 Foundation Training, Section 5: Selection of the approach and methodology for risk assessment and identification of risk

1. Approach to risk assessment

2. Methodology for risk assessment

3. Identification of assets with their owners

4. Identification of threats

5. Identification of existing security controls

6. Identifying vulnerabilities

7. Identifying the consequences


Slide 53: Selection of the approach and methodology for risk assessment (ISO 27001, clause 4.2.1c and ISO 27005, clause 7)

Input
• All relevant information on the organization for the implementation of risk management
• Scope
• ISMS policy

Activities
• Choose the risk assessment approach
• Choose the risk assessment methodology
• Define criteria for risk acceptance
• Identify acceptable levels of risk
• Plan the activities

Output
• Description of the risk assessment approach
• Description of the risk assessment methodology
• Criteria for risk acceptance
• Description of levels of acceptable risk
• Activity planning

Slide 54: Information security risk (ISO 27005, clause 3.2 and ISO 27000, clause 2.24)

Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

Note: it is measured in terms of a combination of the likelihood of an event and its consequence.


Slide 55: The relation between ISO 27001 and ISO 27005

Important note: it is not required to refer to ISO 27005 to obtain ISO 27001 certification.

[Figure: ISO 27001, clauses 4.2.1 c to h and 4.2.3 d, mapped to ISO/IEC 27005]

Slide 56: Information security risk management process according to ISO 27005

[Figure: ISO 27005 process flow. Context establishment, then risk assessment, which consists of risk analysis (risk identification and risk estimation) followed by risk evaluation. Decision point "Assessment satisfactory?" (yes/no), then risk treatment. Decision point "Treatment satisfactory?" (yes/no), then risk acceptance. Risk communication and risk monitoring and review run alongside the whole process.]


Slide 57: List of activities for selecting an approach and methodology for risk assessment

[Figure: starting from "Understanding the organization" and "Scope", the activities are 1. Risk assessment approach, 2. Risk assessment methodology, 3. Risk assessment criteria and 4. Acceptable risk levels, leading to "Identify the risks".]

Slide 58: 1. Selecting an approach to risk estimation (ISO 27005, clause 8.2.2.1)

Qualitative estimation: uses a scale of qualifying attributes to describe the magnitude of potential consequences (e.g. Low, Medium and High) and the likelihood that those consequences will occur.

Quantitative estimation: uses a scale with numerical values (rather than the descriptive scales used in qualitative estimation) for both consequences and likelihood, using data from a variety of sources.


Slide 59: 2. Selecting a risk assessment methodology. Criteria to take into account:

1. Compatibility with all criteria required by ISO 27001
2. Language of the method: it is essential to master the vocabulary used
3. Existence of software tools facilitating its use
4. Documentation, training, support and skilled personnel available
5. Ease and pragmatic use of the method
6. Cost of utilization
7. Existence of comparison material (metrics, case studies, etc.)

Slide 60: Risk management methodologies. List of the most used tools available

Method | Origin | Brief description of the phases
OCTAVE | U.S. (CERT) | Profiling of the security needs, study of vulnerabilities, and development of a strategy and security plan
CRAMM | U.K. (Siemens) | Definition of the assets put at risk, risk and vulnerability analysis, and identification and selection of security controls
MICROSOFT | U.S. (Microsoft) | Assessment of risk, decision support, establishment of controls, and measurement of program effectiveness
EBIOS | France (DCSSI) | Study of the context, definition of the security needs, study of threats, identification of security objectives, and determination of the security requirements
MEHARI | France (CLUSIF) | Analysis and classification of the critical assets, diagnosis of security services, risk analysis, and definition of security plans


Slide 61: 3. Determination of the basic criteria (ISO 27005, clause 7.2)

1. Risk evaluation criteria
2. Impact criteria
3. Risk acceptance criteria

Slide 62: 4. Threshold of risk acceptance. Example of a qualitative analysis

Rows give the asset value; columns give the likelihood of occurrence of the threat (Low, Medium, High) and, within each, the vulnerability level (L, M, H). Each cell is the resulting risk level.

Asset value | Low: L M H | Medium: L M H | High: L M H
0           | 0 1 2      | 1 2 3         | 2 3 4
1           | 1 2 3      | 2 3 4         | 3 4 5
2           | 2 3 4      | 3 4 5         | 4 5 6
3           | 3 4 5      | 4 5 6         | 5 6 7
4           | 4 5 6      | 5 6 7         | 6 7 8

0-2: Risk not significant; 3-5: Acceptable risk; 6+: Risk not acceptable
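The matrix above can be generated rather than typed: every cell equals asset value + likelihood level + vulnerability level (Low/L = 0, Medium/M = 1, High/H = 2). The following Python is an added worked example, not code from the handbook; it rebuilds the table from that rule and scores a constructed sample risk register against the acceptance thresholds.

```python
# Added example (not from the handbook): qualitative risk estimation matrix.
# Every cell of the slide's table equals asset value + likelihood level
# + vulnerability level, with Low/L = 0, Medium/M = 1, High/H = 2.
LIKELIHOOD = {"Low": 0, "Medium": 1, "High": 2}     # threat likelihood
VULNERABILITY = {"L": 0, "M": 1, "H": 2}            # vulnerability level
ASSET_VALUES = range(0, 5)                          # rows 0..4 on the slide


def risk_score(asset_value, likelihood, vulnerability):
    """Return the matrix cell for one asset/threat/vulnerability combination."""
    if asset_value not in ASSET_VALUES:
        raise ValueError(f"asset value must be 0..4, got {asset_value}")
    return asset_value + LIKELIHOOD[likelihood] + VULNERABILITY[vulnerability]

def classify(score):
    """Apply the acceptance thresholds printed under the matrix."""
    if score <= 2:
        return "not significant"
    if score <= 5:
        return "acceptable"
    return "not acceptable"

def build_matrix():
    """Rows: asset value 0..4; columns: Low L,M,H, Medium L,M,H, High L,M,H."""
    return [
        [risk_score(v, lk, vu) for lk in LIKELIHOOD for vu in VULNERABILITY]
        for v in ASSET_VALUES
    ]

def assess(register):
    """Score each identified risk and attach the acceptance decision."""
    result = []
    for entry in register:
        score = risk_score(entry["asset_value"], entry["likelihood"],
                           entry["vulnerability"])
        result.append({**entry, "score": score, "decision": classify(score)})
    return result


if __name__ == "__main__":
    # Constructed sample register entries (hypothetical, not from the handbook).
    sample = [
        {"asset": "Customer database", "threat": "Theft of documents",
         "asset_value": 4, "likelihood": "Medium", "vulnerability": "H"},
        {"asset": "Office printer", "threat": "Power outage",
         "asset_value": 1, "likelihood": "High", "vulnerability": "L"},
    ]
    for row in assess(sample):
        print(f"{row['asset']}: {row['threat']} -> {row['score']} ({row['decision']})")
```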


Slide 63: List of activities for risk assessment

[Figure: ISO 27005 activities. Context establishment. Risk assessment, consisting of risk analysis and risk evaluation. Risk analysis covers risk identification (1. identification of assets, 2. identification of threats, 3. identification of existing controls, 4. identification of vulnerabilities, 5. identification of impacts) and risk estimation (impact assessment, assessing the likelihood of an incident, risk level estimation). Risk evaluation covers risk level evaluation based on risk criteria and risk level evaluation based on risk acceptance. Risk treatment: risk treatment options, risk treatment plan, evaluation of residual risk. Risk acceptance: risk treatment plan acceptance, residual risk acceptance. Monitoring and review of risk runs throughout.]

Slide 64: 1. Identification of assets (ISO 27005, clause 8.2.1.2)

Definition of asset: anything that has value to the organization (ISO 27000, 2.3)

[Figure: asset categories. Primary assets: business processes, information assets. Supporting assets: hardware, software, network, personnel, site, organization's structure.]


Slide 65: 2. Identification of threats (ISO 27005, clause 8.2.1.3)

Definition of threat: potential cause of an unwanted incident, which may result in harm to a system or organization (ISO 27000, 2.45)

Slide 66: Types of threats (ISO 27005, annex C)

Threat type | Examples
1. Physical damage | Fire; water damage
2. Natural events | Earthquake; flooding
3. Loss of essential services | Failure of air-conditioning; power outage
4. Disturbance due to radiation | Electromagnetic radiation; thermal radiation
5. Compromise of information | Wire tap; theft of documents
6. Compromise of functions | Equipment failure; network overload
7. Unauthorized actions | Non-authorized action; use of pirated software


Slide 67: 3. Identification of existing controls (ISO 27005, clause 8.2.1.4)

If the organization conducted a gap analysis in the initiation phase of the ISMS, it already has data on existing security controls. To gather the appropriate information in the organization, the following may be helpful:

1. Examination of documents containing information on security controls (security management process, procedures, descriptions of security controls, safety reports, etc.)
2. Interviews with the people responsible for information security and with the persons who manage the daily operations related to security controls
3. On-site review of the physical security controls
4. Reviewing the results

Slide 68: 4. Identification of vulnerabilities (ISO 27005, clause 8.2.1.5)

Definition of vulnerability: weakness of an asset or control that can be exploited by a threat (ISO 27000, 2.46)