stand out: why you should become iso 27001 certified
TRANSCRIPT
Stand Out – ISO 27001 | 1
STAND OUT
Why You Should Become ISO 27001 Certified
Contents
• Introduction
• ISO 27001 – What it is
• ISO 27001 – What it is not
• Internal Importance
• External Importance
• Sector-Specific Application
• The Process
ISO 27001 – What it is
What is ISO 27001?
• ISO/IEC 27001:2013 – Information Technology – Security Techniques – Information Security Management Systems – Requirements
• A management system that can be certified by an accredited registrar / certification body
• An Information Security Management System (ISMS) and its supporting controls
The ISMS
• Management System – the collection of policies, procedures, people, processes and controls that address information security within the scope
• Not greenfield, but not inherent either
• Focused on the identification, treatment, and monitoring of information security risk
ISMS Components
• Requirements within Clauses 4-10
  – Scope
  – Leadership
  – Planning
  – Support
  – Operation
  – Performance Evaluation
  – Improvement
ISO 27001 Annex A – The Control Set
• 114 total controls across 14 control domains
• General information technology controls (access management, change management, network security, operations management)
• Additional considerations for human resources security, supplier relationships, disaster recovery, compliance
• Applicable based on direct or indirect information security risk
ISO 27001 Certification
• Valid for a three-year term
• Active management system
• Evidenced with a certificate
• No centralized repository
• Continued integration and improvement
ISO 27001 – What it is not
What ISO 27001 Isn’t
• Not a controls-focused audit
• Not point-in-time or backward-looking
• Not absolute assurance
• Not a simple effort
• Not an individual project
• Not an end but a beginning
Internal Importance
Why ISO 27001?
• Reduce information security risk within the organization
  – From door locks to encryption
• Information security risk transparency
  – Removes the unknown
  – Allows for a risk dashboard
• Commitment and participation from top to bottom
  – Management commitment
  – Security awareness
Why ISO 27001?
• Fundamental foundation for related compliance efforts
  – Covers most elements of common compliance efforts
  – Compliance efforts included in planning and the control set
• Focus (and requirement) on continued improvement
  – Initial year: prove conformance
  – Subsequent years: improvement and optimization
External Importance
Customer Assurance
• By the numbers
  – From 429 in 2011 to 835 in 2014 (most recent numbers)
  – US in the top five countries in growth in 2014
  – Still only 3.5% of total certificates globally (approximately 24,000)
• Global market is growing
  – Anticipating and meeting customer demands
Customer Assurance
• Demonstration of “only a certificate”
  – Actively monitoring information security risk
  – Information security risk management in the fabric of the organization
  – The right policies, procedures, processes and people to address security concerns
• Communication of trust
Sector-Specific Application
27001 By Sector
• Service providers remain the focus
• Increase in specific groups
  – Cloud providers
  – eDiscovery
  – Law firms
• Common theme of data and privacy
27001 Extensions
• ISO 27017 – cloud service providers
• ISO 27018 – PII in public clouds
• ISO 27799 – healthcare
• CSA STAR Certification
The Process
Where to Begin
• Purchase the ISO 27001 standard
• Perform an internal gap assessment
• Set reasonable planning expectations
• Obtain management commitment
• Secure proper resources to design and implement the ISMS
ISMS Scoping and Planning
• Consider the end result when scoping
  – Customer expectations
  – Focus on where the information security risk is
• Understand the requirements
  – i.e. security awareness, communication plan, documentation management, independent internal audit
• Apply the risk assessment to the scope
• Be sure the controls don’t steal the stage
External Assessment
• Two-stage audit approach
  – Stage 1 – ISMS design
  – Stage 2 – ISMS operating effectiveness
• Nonconformities are common
  – Major
  – Minor
• Certificate issued once recommended post Stage 2
ISMS Maintenance
• An active ISMS requires active participation
• Requires continued conformance and operating effectiveness
• Three-year term for the certificate
  – External surveillance audits during the lifecycle
• Recertification after the three-year term
LEARN MORE ABOUT ISO 27001