
Page 1

ISO 27001 Information Security Management System (ISMS)

ISMS Approach

June 2016

Page 2

CONTENTS

Section                       Page No.
1. Introduction               3
2. Project Methodology        9
3. Our Approach               11
Appendix A: Company Profile   20

Page 3

1. INTRODUCTION

Page 4

EMERGING THREAT LANDSCAPE

Business consequences:
Disruption of services
Exposure to targeted attacks
Loss of reputation

Gaps across People, Process and Technology:
Poorly integrated and deployed security products
Inability to discover sophisticated attack techniques
Lack of threat-intelligence capabilities
Poor patch-management processes
Ad hoc processes and procedures for managing operations
Lack of post-incident "lessons learned" discipline
Lack of awareness of today's threat landscape
Lack of skilled resources
Poorly defined security roles and responsibilities

Page 5

What is an ISMS?

An ISMS enables an organization to systematically create and operate a management system for information security.

By establishing an ISMS, an organization can initiate a formal process to help it determine the required security level, create plans based on risk assessment, and select countermeasures to mitigate unacceptable risk. With an ISMS, an organization can maintain and improve the confidentiality, integrity and availability of its information assets.

In particular, by measuring the effectiveness of the controls that the risk assessment led it to implement within the ISMS, an organization is able to improve its information security in an efficient and effective manner.

The most widely adopted ISMS standard is ISO/IEC 27001, which is backed by an international certification scheme.
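The risk assessment loop described above (asset inventory, risk scoring, treatment of unacceptable risk, and measuring control effectiveness), as an added example that is not part of the original deck: it builds a small asset inventory with C/I/A ratings, scores each risk as likelihood × impact, flags anything above an assumed risk acceptance threshold, selects an Annex A control where one is mapped, derives the Statement of Applicability from the mitigated risks, and re-scores residual risk after treatment. The five-point scales, the threshold of 9, the sample assets and risks, and the four-entry control mapping are all assumptions chosen for illustration; ISO/IEC 27001 itself does not prescribe a scoring method.

```python
"""Worked ISMS risk assessment (added example; scales, threshold, assets and
the control mapping are assumptions, not taken from the original deck)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    confidentiality: int  # 1 (low) .. 5 (very high), assumed scale
    integrity: int
    availability: int

    @property
    def value(self) -> int:
        # An asset is worth its most sensitive property: a public but
        # integrity-critical system is still a high-value asset.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str  # category key, looked up in ANNEX_A_CONTROLS
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale

    @property
    def impact(self) -> int:
        # Impact comes from the inventory, so the asset owner's rating
        # drives the score rather than the assessor's guess.
        return self.asset.value

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


RISK_ACCEPTANCE_THRESHOLD = 9  # assumed criterion: scores above 9 are unacceptable

# Illustrative subset of ISO/IEC 27001:2013 Annex A, keyed by the
# vulnerability category each control addresses (assumed mapping).
ANNEX_A_CONTROLS = {
    "unpatched": ("A.12.6.1", "Management of technical vulnerabilities"),
    "no_backup": ("A.12.3.1", "Information backup"),
    "weak_auth": ("A.9.4.2", "Secure log-on procedures"),
    "excess_priv": ("A.9.2.3", "Management of privileged access rights"),
}


def build_register(risks, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Score each risk and decide its treatment; highest scores first."""
    rows = []
    for r in risks:
        control = ANNEX_A_CONTROLS.get(r.vulnerability)
        if r.score <= threshold:
            treatment = "accept"  # within appetite: record and monitor
        elif control:
            treatment = "mitigate"  # apply the mapped Annex A control
        else:
            # Unacceptable but no catalogued control: the risk owner must
            # decide to transfer, avoid, or formally justify acceptance.
            treatment = "escalate"
        rows.append({
            "asset": r.asset.name, "owner": r.asset.owner, "threat": r.threat,
            "likelihood": r.likelihood, "impact": r.impact, "score": r.score,
            "treatment": treatment,
            "control": control[0] if treatment == "mitigate" else None,
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def statement_of_applicability(register):
    """Annex A control IDs justified by at least one mitigated risk."""
    return sorted({row["control"] for row in register if row["control"]})


def residual_risk(risk, likelihood_after, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Re-score a risk after treatment (the 'measure effectiveness' step)."""
    residual = likelihood_after * risk.impact
    return residual, residual <= threshold


# Constructed sample inventory and identified risks (not real data).
CRM_DB = Asset("crm_db", "Sales", confidentiality=5, integrity=4, availability=4)
BUILD_SERVER = Asset("build_server", "Engineering", 3, 5, 3)
WIKI = Asset("wiki", "IT", 2, 2, 2)

SAMPLE_RISKS = [
    Risk(CRM_DB, "SQL injection from the internet", "unpatched", likelihood=4),
    Risk(CRM_DB, "credential stuffing on admin portal", "weak_auth", 3),
    Risk(BUILD_SERVER, "ransomware destroys build artifacts", "no_backup", 2),
    Risk(BUILD_SERVER, "insider abuses shared root account", "excess_priv", 1),
    Risk(WIKI, "defacement via outdated plugin", "unpatched", 4),
    Risk(CRM_DB, "breach at third-party processor", "supplier_contract", 2),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_RISKS)
    for row in register:
        print(f"{row['score']:>3}  {row['treatment']:<8} {row['asset']:<13} "
              f"{row['threat']}  {row['control'] or ''}")
    print("SoA controls:", statement_of_applicability(register))
    print("residual after patching crm_db:", residual_risk(SAMPLE_RISKS[0], 1))
```

Two things the register makes visible that the slide text does not: the wiki defacement scores only 8 despite high likelihood, because the inventory rates the asset low, so it is accepted and monitored rather than treated; and the third-party breach is unacceptable but has no mapped control, so it is escalated to the risk owner instead of silently dropped. The Statement of Applicability then lists exactly the controls that a treated risk justifies, which is the traceability a certification auditor asks for.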

Page 6

ELEMENTS OF SECURITY

Page 7

CONTROLS (ANNEX A and ISO/IEC 27002)

Page 8

MANAGEMENT COMMITMENT IN SECURITY IMPLEMENTATION

Page 9

2. PROPOSED METHODOLOGY

Page 10

OUR METHODOLOGY FOR ISMS

PDCA Approach

Plan Phase: conduct gap analysis and provide a road map for ISO/IEC 27001 implementation.

Do Phase: improve all ISMS documentation including policies and procedures, perform risk assessment and treatment according to ISO/IEC 27001, and assist in implementation.

Check Phase: ISMS internal audits, coordination during the certification audit.

Act Phase: post-audit follow-up (including corrective and preventive action (CAPA) reports and assistance in implementation to close the audit points). Note that ISO/IEC 27001:2013 requires corrective action for nonconformities (clause 10.1) but has no separate preventive-action requirement; prevention is addressed through the risk assessment and treatment of clause 6.1.

Page 11

3. OUR APPROACH

Page 12

OUR APPROACH FOR ISMS

PHASE 1 - PLAN
Understand business processes
Finalize the ISMS scope
Review of controls
Perform 'As-Is' analysis (Current State Assessment)
Plan for ISO 27001:2013 implementation

PHASE 2 - DO
Perform ISMS implementation training
Assist in performing asset inventory
Assist in preparing the information risk management (risk assessment and treatment)
Perform vulnerability assessment and penetration testing
Draft the necessary information security policies
Assist in implementation of the information security policies

PHASE 3 - CHECK
Perform ISMS internal audit
Discuss internal audit findings with the ISMS coordinator
Assist in preparing the audit response plan
Prepare corrective and preventive action reports

PHASE 4 - ACT
Assist in implementation of the audit response plan

Page 13

PHASE 1 - PLAN

Objective: To conduct gap analysis and prepare a plan for implementation of the ISMS

Activities:
Understand the core and supporting business functions
Understand and discuss the information security requirements of the organization
Finalize the ISMS scope
Review security architecture
Review existing documents (policies, procedures, forms etc.) related to the ISMS and other certifications achieved by the organization
Perform 'As-Is' analysis (Current State Assessment)

Deliverables:
Gap Analysis Report including a broad roadmap for the ISMS

Client Requirements:
Provide business objectives
Provide information on critical business processes, critical IT processes and quality processes
Existing policies and procedures (P&P)
Existing security processes, service processes and documentation

Expected Duration: <Based on Scope>

Page 14

PHASE 1 - SAMPLE DELIVERABLES

Page 15

PHASE 2 - DO

Objective: To implement and improve the ISMS

Activities:
Performing ISMS training
Reviewing existing asset management practices
Updating and improving the existing information security policies
Assistance in implementing the information security policies
Assist in improving the information risk management (risk assessment and treatment)

Deliverables:
Finalized ISMS documentation
Handholding during ISMS improvement

Client Requirements:
Documentation and technical details where necessary

Expected Duration:

Page 16

PHASE 2 - SAMPLE DELIVERABLES FOR ISMS TRAINING

Page 17

PHASE 3 - CHECK (ISMS INTERNAL AUDIT)

Objective: To conduct an internal audit to assess preparedness for ISO 27001:2013 certification

Activities:
Management review meeting on the gap analysis
Management discussion on the implemented policies and procedures
Perform ISMS internal audit
Discuss internal audit findings with the ISMS coordinators
Assist in preparing the audit response plan
Prepare corrective and preventive action report

Deliverables:
Internal Audit Report
Corrective and Preventive Action Reports

Client Requirements:
Provide information on critical business processes and critical IT processes
Necessary reports
Existing documentation and records

Expected Duration:

Page 18

PHASE 4 - ACT (POST-AUDIT FOLLOW-UP)

Objective: To maintain and improve the ISMS

Activities:
Assist in implementation of the audit response plan (corrective and preventive action reports)

Deliverables:
High-level recommendations by email

Client Requirements:
List of implementation actions completed based on the recommendations

Expected Duration:

Page 19

CERTIFICATION AUDIT BY CERTIFICATION BODY*

Objective: Engage the certification body so that CLIENT is awarded its ISO 27001 certificate

Activities:
Engage the external certification body to perform the ISO 27001 certification audit (Stage 1 documentation review followed by the Stage 2 implementation audit). Surveillance audits are the periodic audits that follow certification to confirm the ISMS is being maintained; they are not the initial certification audit.

Deliverables:
ISO 27001 certification upon successful completion of the audit

Client Requirements:
Closure of all gaps identified in the internal audit report

Expected Duration:

*The ISO 27001 certification audit will be conducted by an external, accredited certification body, not by Infopercept.

Page 20

APPENDIX A - COMPANY PROFILE - INFOPERCEPT

Page 21

ABOUT INFOPERCEPT

Infopercept is a unique combination of young and enthusiastic talent, with a fire in our belly, mentored by highly experienced industry veterans.

We are executing varied (360°) projects and tasks, with emerging technologies and an innovative thought process, to design and deliver a complete package of quality, efficiency and effectiveness based on a Quality Assurance theorem.

Infopercept takes on all kinds of Information Technology and Information Technology-enabled projects, which are in high demand these days.

Vision

Infopercept is built with a core vision to provide 360-degree technology expertise and deliver quality services globally by harmonizing the three C's: "Creativity", "Competency" and "Cost".

Mission

Infopercept is emerging at lightning speed, as we strongly believe in customer satisfaction and service excellence supported by our three Pillars: "People", "Process" and "Professionalism".

Core Values

Infopercept's most valuable asset is our People Team, who have the passion to help our clients build business success and deliver all projects with the three E's: "Efficiency", "Effectiveness" and "Enthusiasm".

Page 22

Thank You!

Regd. Office: INFOPERCEPT CONSULTING PRIVATE LIMITED 43 HARIOM VILLA, NEAR ISCON

FLOWER, BOPAL, AHMADABAD - 380054, Gujarat, INDIA

Website: www.infopercept.com

Email: [email protected]; [email protected]