Amy Zhu
MSN: amyseeger@hotmail.com
14/01/2010
Agenda
ISO 2700x
Overview
ISO 2700x Series Standard
ISO/IEC 27001:2005
Control domains (Annex A):
- Security Policy
- Organizing Information Security
- Asset Management
- Human Resource Security
- Physical & Environmental Security
- Communications & Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
ISO 27001 Audit Stages
ISMS Methodology
PDCA model applied to ISMS process
Input: Info. Sec. Req. & Exp.
Plan - Establish the ISMS:
- Scope
- ISMS policy / Security Org.
- Management Authorization
- GAP Analysis
- RA approach / RA / RTP options
- SOA
- C&CO
Do - Implement and Operate the ISMS
Check - Monitor and Improve the ISMS
Act - Maintain and Improve the ISMS:
- Implement the Improvements
- Corrective Act. and Preventive Act.
Output: Managed Info. Sec.
High Level Certification Plan
Phase I: 1 Month
Phase II: 5 Months
ISO Core Team
Security Committee
Role
The Security Committee is a key driver of our organization's security aspects.
The Committee needs to meet at planned intervals to review the
effectiveness of the Information Security Management System. The review shall also
include assessing opportunities for improvement and the need for change. The
Committee will be the final authority in reviewing and taking appropriate action
against all information security related risks.
Frequency
At least once per quarter. However, until certification is achieved, the
Security Committee will meet more frequently, since the Committee has to approve all
documents and play an active role in the risk assessment.
Outcomes
Key decisions made on the effectiveness of the ISMS
Risk Assessment - Phases
1. Asset Identification and Valuation
2. Threat Identification
3. Threat Probability Analysis
4. Vulnerability Identification
Risk Measure = Asset Value * Threat Probability * Impact
Asset Identification and Valuation
Categorize Assets:
- Physical Assets
- Information Assets
- Software Assets
- Services
- Voice Information
Valuate Assets based on C.I.A.:
- Confidentiality: Ensuring that information is accessible only to those authorised to have access.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods.
- Availability: Ensuring that authorised users have access to information and associated assets when required.
Threat Identification
Threat Probability Analysis
TL (Threat Level Rating) | Guideline
1 | Once per 3 years or more / no occurrence
2 | Once per year
3 | Once per quarter
4 | Once per month
Vulnerability Identification & Mapping
Risk Assessment and Risk Treatment
ISMS Auditing
Requirement for Internal Audit
What do we mean by Audit?
Audit
BS EN 19011:2002 – Scope
Management Systems Auditing
Type of Audit
The Audit Process
Audit Objectives
The Scope of the Audit
Audit Criteria
The Benefits of Audit
Auditor’s Responsibilities
Planning the Audit
Audit Programme
Planning and Preparation
Audit Planning
Decisions at the Planning Stage
Audit Duration
Audit Preparation
Preparing for the Audit
Audit Preparation - Information
Audit Documents
Benefits of the Checklists
Checklist – Audit Starting Point
Checklist – Clear Screen/Desk Policy
Exercise – Preparing an Audit Checklist
Conducting the Audit
Audit Activities
Opening Meeting
Collecting the Facts
Establish the Facts
Audit Evidence
Evidence
Techniques for Questioning
Recording the Facts
Documenting the Findings
Evaluating
Finding Classification - 1
Finding Classification - 2
Finding Classification - 3
The name does not matter, they are all 'Opportunities for Improvement'
Recording the Results
Documenting Non-Conformities
Non-Conformity Report
Reporting the Audit
Exercise – NC report
Audit Report Meeting
Close Meeting
• Avoid Confrontation
Conduct of Meeting
Follow-up Options
• But Always Record your Actions
Successive Audits
Reporting
Q & A