ISO27k Implementation Guidance 1v1
Published on Scribd by vishnukesarwani on Oct 31, 2008 (copyright: Attribution Non-commercial)
ISO/IEC 27001 & 27002 implementation guidance and metrics
Prepared by the international community of ISO27k implementers at ISO27001security.com
Version 1.1, 19 November 2007
This is a collaborative document created by ISO/IEC 27001 and 27002 implementers belonging to the ISO27k implementers' forum. We wanted to document and share some pragmatic tips for implementing the information security management standards, plus potential metrics for measuring and reporting the status of information security, both referenced against the ISO/IEC standards.
This guidance covers all 39 control objectives listed in sections 5 through 15 of ISO/IEC 27002 plus, for completeness, the preceding section 4 on risk assessment and treatment.
This document is meant to help others who are implementing or planning to implement the ISO/IEC information security management standards. Like the ISO/IEC standards, it is generic and needs to be tailored to your specific requirements.
This work is copyright © 2007, ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum (www.ISO27001security.com), and (c) derivative works are shared under the same terms as this.
Each entry below gives: Ref. / Subject, then Implementation tips, then Potential metrics.

4. Risk assessment and treatment

4.1 Assessing security risks
Implementation tips: Can use any information security risk management method, with a preference for documented, structured and generally accepted methods such as OCTAVE, MEHARI, ISO TR 13335 or BS 7799 Part 3 (and in due course ISO/IEC 27005).
Potential metrics:
- Percentage of risks identified assessed as high, medium or low significance, plus 'un-assessed'.

4.2 Treating security risks
Implementation tips: Management (specifically, the information asset owners) need to assess risks and decide what (if anything) to do about them. Such decisions must be documented as a Risk Treatment Plan (RTP). It is acceptable for management to decide explicitly to do nothing about certain information security risks deemed to be within the organization's "risk appetite", but not for this to be the default approach!
Potential metrics:
- Trend in numbers of information security-related risks at each significance level.
- Information security costs as a percentage of total revenue or IT budget.
- Percentage of information security risks for which satisfactory controls have been fully implemented.

5. Security policy

5.1 Information security policy
Implementation tips: Think in terms of an information security policy manual or wiki containing a coherent and internally consistent suite of policies, standards, procedures and guidelines. Identify the review frequency of the information security policy and the methods used to disseminate it organization-wide. Review of the suitability and adequacy of the information security policy may be included in management reviews.
Potential metrics:
- Policy coverage (percentage of sections of ISO/IEC 27001/2 for which policies plus associated standards, procedures and guidelines have been specified, written, approved and issued).
- Extent of policy deployment and adoption across the organization (measured by Audit, management or Control Self Assessment).

6. Organizing information security

6.1 Internal organization
Implementation tips: Mirror the structure and size of other specialist corporate functions such as Legal, Risk and Compliance.
Potential metrics:
- Percentage of organizational functions/business units for which a comprehensive strategy has been implemented to maintain information security risks within thresholds explicitly accepted by management.
- Percentage of employees who have (a) been assigned, and (b) formally accepted, information security rôles and responsibilities.

6.2 External parties
Implementation tips: Inventory network connections and significant information flows to third parties, then risk-assess them and review the information security controls in place against the requirements. This is bound to be scary, but it's 100% necessary! Consider requiring ISO/IEC 27001 certificates of critical business partners such as IT outsourcers, providers of
Potential metrics:
- Percentage of 3rd-party connections that have been identified, risk-assessed and deemed secure.
Copyright © 2007, ISO27001security forum
Page 3 of 16