ISMS Approach
Page 1
ISO 27001 Information Security Management System (ISMS) Approach
June 2016
CONTENTS
1. Introduction
2. Proposed Methodology
3. Our Approach
Appendix A: Company Profile
1. INTRODUCTION
EMERGING THREAT LANDSCAPE
Business impact: disruption of services; exposure to targeted attacks; loss of reputation.
Technology gaps: poorly integrated deployment of security products; inability to discover sophisticated attack techniques; lack of threat-intelligence capabilities.
Process gaps: poor patch-management processes; ad hoc processes and procedures for managing operations; lack of post-incident "lessons learned" discipline.
People gaps: lack of awareness of today's threat landscape; lack of skilled resources; poorly defined security roles and responsibilities.
WHAT IS AN ISMS?
An ISMS enables an organization to systematically establish and operate a
management system for information security.
By establishing an ISMS, an organization initiates a formal process to
determine its required security level, create plans based on risk
assessment, and select controls to treat unacceptable risk. With an ISMS,
an organization can maintain and improve the confidentiality, integrity
and availability of its information assets.
In particular, by measuring the effectiveness of the controls selected
through risk assessment within the ISMS, an organization can improve its
information security efficiently and effectively.
The most widely adopted ISMS standard is ISO/IEC 27001, which is backed by
an international certification scheme.
ELEMENTS OF SECURITY
CONTROLS (ANNEX A and ISO/IEC 27002)
MANAGEMENT COMMITMENT IN SECURITY IMPLEMENTATION
2. PROPOSED METHODOLOGY
OUR METHODOLOGY FOR ISMS
PDCA Approach
Plan Phase: conduct a gap analysis and provide a roadmap for ISO 27001
implementation.
Do Phase: improve all ISMS documentation, including policies and
procedures, perform the risk assessment required by ISO 27001, and assist
in implementation.
Check Phase: ISMS internal audits; coordination during the certification
audit.
Act Phase: post-audit follow-up, including corrective and preventive action
(CAPA) reports and assistance in implementation to close the audit
findings.
3. OUR APPROACH
OUR APPROACH FOR ISMS
Phase 1 - PLAN
Understand business processes
Finalize the ISMS scope
Review of controls
Perform 'As-Is' analysis (Current State Assessment)
Plan for ISO 27001:2013 implementation
Phase 2 - DO
Perform ISMS implementation training
Assist in performing the asset inventory
Assist in preparing information risk management
Perform vulnerability assessment and penetration testing
Draft the necessary information security policies
Assist in implementation of the information security policies
Phase 3 - CHECK
Perform ISMS internal audit
Discuss internal audit findings with the ISMS coordinator
Assist in preparing the audit response plan
Prepare corrective and preventive action reports
Phase 4 - ACT
Assist in implementation of the audit response plan
PHASE 1 - PLAN
Objective: To conduct a gap analysis and prepare a plan for implementation of the ISMS
Activities:
Understand the core and supporting business functions
Understand and discuss the information security requirements of the organization
Finalize the ISMS scope
Review the security architecture
Review existing documents related to the ISMS (policies, procedures, forms, etc.) and other certifications achieved by the organization
Perform 'As-Is' analysis (Current State Assessment)
Deliverables:
Gap Analysis Report, including a broad roadmap for the ISMS
Client Requirements:
Business objectives
Information on critical business processes, critical IT processes and quality processes
Existing policies and procedures (P&P)
Existing security processes, service processes and documentation
Expected Duration: based on scope
PHASE 1 - SAMPLE DELIVERABLES
PHASE 2 - DO
Objective: To improve the ISMS
Activities:
Perform ISMS training
Review existing asset management practices
Update and improve existing information security policies
Assist in improving the information security policies
Assist in improving information risk management
Finalize ISMS documentation
Provide hand-holding during ISMS improvement
Client Requirements:
Documentation and technical details where necessary
Expected Duration:
PHASE 2 - SAMPLE DELIVERABLES FOR ISMS TRAINING
PHASE 3 - CHECK (ISMS INTERNAL AUDIT)
Objective: To conduct an internal audit to assess preparedness for ISO 27001:2013 certification
Activities:
Management review meeting on the gap analysis
Management discussion on the implemented policies and procedures
Perform ISMS internal audit
Discuss internal audit findings with the ISMS coordinator
Assist in preparing the audit response plan
Prepare corrective and preventive action (CAPA) reports
Deliverables:
Internal audit report
Corrective and preventive action reports
Client Requirements:
Information on critical business processes and critical IT processes; necessary reports
Existing documentation and records
Expected Duration:
PHASE 4 - ACT (POST-AUDIT FOLLOW-UP)
Objective: To maintain and improve the ISMS
Activities:
Assist in implementation of the audit response plan (corrective and preventive action reports)
Deliverables:
High-level recommendations via email
Client Requirements:
List of implementation actions completed based on the recommendations
Expected Duration:
CERTIFICATION AUDIT BY EXTERNAL CERTIFICATION BODY*
Objective: To engage the certification body and have CLIENT awarded its ISO 27001 certificate
Activities:
Engage the external certification body to perform the ISO 27001 certification audit (Stage 1 documentation review followed by the Stage 2 implementation audit; surveillance audits then follow periodically during the certification cycle)
Deliverables:
ISO 27001 certification upon successful completion of the audit
Client Requirements:
Closure of all gaps identified in the audit report
Expected Duration:
*The ISO 27001 certification audit is conducted by an external, accredited certification body; the consultant who helped build the ISMS cannot issue the certificate.
APPENDIX A - COMPANY PROFILE - INFOPERCEPT
ABOUT INFOPERCEPT
Infopercept is a unique combination of young and enthusiastic talent, with fire in our bellies,
mentored by highly experienced industry veterans.
We execute varied (360°) projects and tasks with emerging technologies and an innovative
thought process, to design and deliver a complete package of quality, efficiency and effectiveness
based on quality assurance principles.
Infopercept takes on all kinds of Information Technology and IT-enabled projects, which are in
high demand these days.
Vision
Infopercept is built on the core vision of providing 360-degree technology expertise and delivering
quality services globally by harmonizing three C's: "Creativity", "Competency" and "Cost".
Mission
Infopercept is emerging at lightning speed, as we strongly believe in customer satisfaction and
service excellence, supported by our three pillars: "People", "Process" and "Professionalism".
Core Values
Infopercept's most valuable asset is our people, who have a passion to help our clients build
business success and deliver all projects with three E's: "Efficiency", "Effectiveness" and
"Enthusiasm".
Thank You!
Regd. Office: INFOPERCEPT CONSULTING PRIVATE LIMITED 43 HARIOM VILLA, NEAR ISCON
FLOWER, BOPAL, AHMADABAD - 380054, Gujarat, INDIA
Website: www.infopercept.com
Email: [email protected]; [email protected]