iso27001+introduction very imp
TRANSCRIPT
8/7/2019 ISO27001+Introduction VERY IMP
http://slidepdf.com/reader/full/iso27001introduction-very-imp 1/33
ISO/IEC 27001:2005
A brief introduction
Dimitris Petropoulos, Managing Director
ENCODE Middle East, September 2006
“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.”
Information
Ø Printed or written on paper
Ø Stored electronically
Ø Transmitted by mail or electronic means
Ø Spoken in conversations
Ø …
What is Information Security
Ø ISO 27001 defines this as the preservation of:
– Confidentiality: Ensuring that information is accessible only to those authorized to have access
– Integrity: Safeguarding the accuracy and completeness of information and processing methods
– Availability: Ensuring that authorized users have access to information and associated assets when required
(Diagram: Information at the centre, surrounded by Threats, Risks and Vulnerabilities)
Achieving Information Security
4 Ps of Information Security (diagram):
Ø People
Ø Products
Ø Policy & Procedures
Drivers & Benefits of compliance with the standard
ISO27001 Drivers
Ø Internal Business Drivers
– Corporate Governance
– Increased Risk Awareness
– Competition
– Customer Expectation
– Market Expectation
– Market Image
Ø Regulators
Ø Reasons for seeking Certification according to a BSI-DISC survey (chart)
– Chart categories: Best Practice, Business Security, Competitive Advantage, Market Demand
– Chart values as extracted: 38%, 35%, 18%, 9%
Benefits of compliance [1]
Ø Improved effectiveness of Information Security
Ø Market Differentiation
Ø Provides confidence to trading partners, stakeholders, and customers (certification demonstrates 'due diligence')
Ø The only standard with global acceptance
Ø Potential lower rates on insurance premiums
Ø Compliance with mandates and laws (e.g., Data Protection Act, Communications Protection Act)
Ø Reduced liability due to un-implemented or enforced policies and procedures
Benefits of compliance [2]
Ø Senior Management takes ownership of Information Security
Ø Standard covers IT as well as organization, personnel, and facilities
Ø Focused staff responsibilities
Ø Independent review of the Information Security Management System
Ø Better awareness of security
Ø Combined resources with other Management Systems (e.g. QMS)
Ø Mechanism for measuring the success of the security controls
ISO27001 Evolution
ISO27001/ISO17799/BS7799: History (timeline)
1995 – BS 7799 Part 1
1998 – BS 7799 Part 2
1999 – New issue of BS 7799 Part 1 & 2
Dec 2000 – ISO 17799:2000
2002 – New BS 7799-2
2005 – New ISO 17799:2005 released; ISO 27001:2005 released
ISO 27001, ISO17799 & BS7799 Standards
Ø ISO/IEC 17799 = BS 7799-Part 1: Code of Practice for Information Security Management
– Provides a comprehensive set of security controls
– Based on best information security practices
– It cannot be used for assessment and registration
Ø ISO 27001 = BS 7799-Part 2: Specification for Information Security Management Systems
– Specifies requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS)
– Specifies requirements for security controls to be implemented
– Can be used for assessment and registration
Why BS7799 moved to ISO27001
Ø Elevation to international standard status
Ø More organizations are expected to adopt it
Ø Clarifications and Improvements made by the International Organization for Standardization
Ø Definition alignment with other ISO standards (such as ISO/IEC 13335-1:2004 and ISO/IEC TR 18044:2004)
The ISO 27000 series
Ø ISO 27000 – principles and vocabulary (in development)
Ø ISO 27001 – ISMS requirements (BS7799 – Part 2)
Ø ISO 27002 – ISO/IEC 17799:2005 (from 2007 onwards)
Ø ISO 27003 – ISMS Implementation guidelines (due 2007)
Ø ISO 27004 – ISMS Metrics and measurement (due 2007)
Ø ISO 27005 – ISMS Risk Management
Ø ISO 27006 – 27010 – allocation for future use
ISO 27001 Overview
What is ISO27001?
þ An internationally recognized structured methodology dedicated to information security
þ A management process to evaluate, implement and maintain an Information Security Management System (ISMS)
þ A comprehensive set of controls comprised of best practices in information security
þ Applicable to all industry sectors
þ Emphasis on prevention
ISO27001 Is Not…
ý A technical standard
ý Product or technology driven
ý An equipment evaluation methodology such as the Common Criteria/ISO 15408
– But may require utilization of a Common Criteria Evaluation Assurance Level (EAL)
Holistic Approach
Ø ISO 27001 defines best practices for information security management
Ø A management system should balance physical, technical, procedural, and personnel security
Ø Without a formal Information Security Management System, such as a BS 7799-2 based system, there is a greater risk of your security being breached
Ø Information security is a management process, not a technological process
ISO 27001:2005 - PDCA
1. Establish the ISMS
• Establish security policy, objectives, targets, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
2. Implement and operate the ISMS
• Implement and operate the security policy, controls, processes and procedures.
3. Monitor and review the ISMS
• Assess and, where applicable, measure process performance against security policy, objectives and practical experience and report the results to management for review.
4. Maintain and improve the ISMS
• Take corrective and preventive actions, based on the results of the management review, to achieve continual improvement of the ISMS.
ISO 27001:2005 Structure
Five Mandatory requirements of the standard:
Ø Information Security Management System
• General requirements
• Establishing and managing the ISMS (e.g. Risk Assessment)
• Documentation Requirements
Ø Management Responsibility
• Management Commitment
• Resource Management (e.g. Training, Awareness)
Ø Internal ISMS Audits
Ø Management Review of the ISMS
• Review Input (e.g. Audits, Measurement, Recommendations)
• Review Output (e.g. Update Risk Treatment Plan, New Resources)
Ø ISMS Improvement
• Continual Improvement
• Corrective Action
• Preventive Action
The 11 Domains of Information Security Management
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• Information Systems acquisition, development and maintenance
• Business Continuity Management
• Compliance
• Information Security Incident management
Overall the standard can be put in:
• Domain Areas – 11,
• Control Objectives – 39, and
• Controls – 133
ISO27001 vs BS7799
ISO27001 vs BS7799 [1]
ISO 27001 | BS7799
Security Policy | Security Policy
Organising Information Security * | Security Organisation
Asset Management * | Asset Classification & Control
Human Resources Security * | Personnel Security
Physical & Environmental Security * | Physical & Environmental Security
Communications & Operations Management * | Communications & Operations Management
Access Control | Access Control
Information Systems Acquisition, Development and Maintenance * | Systems Development & Maintenance
Information Security Incident Management | –
Business Continuity Management | Business Continuity Management
Compliance | Compliance
* - new control/s added
ISO 27001 Implementation
Implementation Process (flowchart stages)
• Assemble a Team and Agree to Your Strategy
• Review Consultancy Options
• Define Scope
• Definition of Security Strategy & Organisation
• Identification of Legal, regulatory & contractual requirements
• Identification of Information Assets
• Determination of Value of Information Assets
• Determination of Risk
• Determination of Policy(ies) and the Degree of Assurance Required from the Controls
• Identification of Control Objectives and Controls
• Statement of Applicability
• Definition of Policies, Standards, and Procedures to Implement the Controls
• Implementation of Policies, Standards, and Procedures
• Completion of ISMS Documentation Requirements
• Update Statement of Applicability
Defining Scope and Participants
(Diagram: Contracts and agreements)
ISMS Documentation (four-level pyramid)
Level 1 – Security Manual: Policy, Organisation, risk assessment, statement of applicability. Management framework policies relating to ISO 27001.
Level 2 – Procedure: Describes processes – who, what, when, where.
Level 3 – Work Instructions, checklists, forms, etc.: Describes how tasks and specific activities are done.
Level 4 – Records: Provides objective evidence of compliance to ISMS requirements.
Implementation Issues
Security Awareness Program is a very important issue. A Tool is essential to make security policies visible across the organization and to translate policy objectives into actual compliance.
Flowchart stages:
• Approval by CEO
• Select External Consultant
• Develop Documentation
• Acquire Policy Tool
• Disseminate Policy
• Conduct Awareness
• Educate Personnel
• Develop Security Newsletter
• Sec Awareness Material
• Enforce Policy
• Monitor & Measure Compliance
• Develop other missing controls (Physical, BCP etc.)
• Update Security Technologies (if needed)
• ISO27001 Internal Assessment
• ISO27001 External Assessment
• Continue Awareness
Registration Process (flowchart)
Choose a Registrar:
• Initial Inquiry
• Quotation Provided
• Application Submitted
• Client Manager Appointed
• Pre-Assessment (Optional)
Audit and Review of Information Security Management System:
• Phase 1: Undertake a Desktop Review
• Phase 2: Undertake a Full Audit
• Upon Successful Completion: Registration Confirmed
Continual Assessment (Internal / External):
• Continuing (every 6 months)
• Re-Assessment (every 3 years)
Critical Success Factors
Ø Security policy that reflects business objectives
Ø Implementation approach consistent with company culture
Ø Visible support and commitment from management
Ø Good understanding of security requirements, risk assessment and risk management
Ø Effective marketing of security to all managers and employees
Ø Providing appropriate training and education
Ø A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feed back suggestions for improvement
Ø Use of automated Security Policy Management tool.
Closing Remarks
ISO27001 can be…
Ø Without genuine support from the top – a failure
Ø Without proper implementation – a burden
Ø With full support, proper implementation and ongoing commitment – a major benefit
ENCODE Middle East
Thank you for your time…
For more information please contact:
P.O. Box 500328, Dubai Internet City, Dubai – UAE
Tel.: +971-4-3608430
http://[email protected]
www.encodegroup.com