
ISO/IEC 27001:2005

A brief introduction

Dimitris Petropoulos
Managing Director, ENCODE Middle East

September 2006

Information

Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. It may be:
Printed or written on paper
Stored electronically
Transmitted by mail or electronic means
Spoken in conversations

What is Information Security

ISO 27001 defines this as the preservation of:

Confidentiality: Ensuring that information is accessible only to those authorized to have access

Integrity: Safeguarding the accuracy and completeness of information and processing methods

Availability: Ensuring that authorized users have access to information and associated assets when required

(Diagram: information security shown in relation to threats, vulnerabilities and risks)

Achieving Information Security


4 Ps of Information Security
Policy & Procedures

People

Products

Drivers & Benefits of compliance with the standard

ISO27001 Drivers

Internal Business Drivers:
Corporate Governance
Increased Risk Awareness
Competition
Customer Expectation
Market Expectation
Market Image

Regulators

(Chart: reasons for seeking certification according to a BSI-DISC survey: Best Practice, Business Security, Competitive Advantage and Market Demand, with shares of 9%, 18%, 35% and 38%)

Benefits of compliance [1]

Improved effectiveness of Information Security
Market Differentiation
Provides confidence to trading partners, stakeholders, and customers (certification demonstrates 'due diligence')
The only standard with global acceptance
Potential lower rates on insurance premiums
Compliance with mandates and laws (e.g., Data Protection Act, Communications Protection Act)
Reduced liability due to unimplemented or unenforced policies and procedures

Benefits of compliance [2]

Senior Management takes ownership of Information Security
Standard covers IT as well as organization, personnel, and facilities
Focused staff responsibilities
Independent review of the Information Security Management System
Better awareness of security
Combined resources with other Management Systems (e.g. QMS)
Mechanism for measuring the success of the security controls

ISO27001 Evolution

ISO27001/ISO17799/BS7799: History

1995: BS 7799 Part 1
1998: BS 7799 Part 2
1999: New issue of BS 7799 Part 1 & 2
Dec 2000: ISO 17799:2000
2002: New BS 7799-2
2005: New ISO 17799:2005 released; ISO 27001:2005 released

ISO 27001, ISO17799 & BS7799 Standards

ISO/IEC 17799 = BS 7799 Part 1: Code of Practice for Information Security Management
Provides a comprehensive set of security controls
Based on best information security practices
It cannot be used for assessment and registration

ISO 27001 = BS 7799 Part 2: Specification for Information Security Management Systems
Specifies requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS)
Specifies requirements for security controls to be implemented
Can be used for assessment and registration

Why BS7799 moved to ISO27001

Elevation to international standard status
More organizations are expected to adopt it
Clarifications and improvements made by the International Organization for Standardization
Definition alignment with other ISO standards (such as ISO/IEC 13335-1:2004 and ISO/IEC TR 18044:2004)

The ISO 27000 series

ISO 27000: principles and vocabulary (in development)
ISO 27001: ISMS requirements (BS7799 Part 2)
ISO 27002: ISO/IEC 17799:2005 (from 2007 onwards)
ISO 27003: ISMS implementation guidelines (due 2007)
ISO 27004: ISMS metrics and measurement (due 2007)
ISO 27005: ISMS risk management
ISO 27006 to 27010: allocated for future use

ISO 27001 Overview

What is ISO27001?

An internationally recognized structured methodology dedicated to information security
A management process to evaluate, implement and maintain an Information Security Management System (ISMS)
A comprehensive set of controls comprised of best practices in information security
Applicable to all industry sectors
Emphasis on prevention

ISO27001 Is Not

A technical standard
Product or technology driven
An equipment evaluation methodology such as the Common Criteria/ISO 15408
But it may require utilization of a Common Criteria Evaluation Assurance Level (EAL)

Holistic Approach

ISO 27001 defines best practices for information security management
A management system should balance physical, technical, procedural, and personnel security
Without a formal Information Security Management System, such as a BS 7799-2 based system, there is a greater risk of your security being breached
Information security is a management process, not a technological process

ISO 27001:2005 - PDCA

1. Establish the ISMS: Establish security policy, objectives, targets, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.

2. Implement and operate the ISMS: Implement and operate the security policy, controls, processes and procedures.

3. Monitor and review the ISMS: Assess and, where applicable, measure process performance against security policy, objectives and practical experience and report the results to management for review.

4. Maintain and improve the ISMS: Take corrective and preventive actions, based on the results of the management review, to achieve continual improvement of the ISMS.

ISO 27001:2005 Structure

Five mandatory requirements of the standard:

Information Security Management System: General requirements; Establishing and managing the ISMS (e.g. Risk Assessment); Documentation Requirements
Management Responsibility: Management Commitment; Resource Management (e.g. Training, Awareness)
Internal ISMS Audits
Management Review of the ISMS: Review Input (e.g. Audits, Measurement, Recommendations); Review Output (e.g. Update Risk Treatment Plan, New Resources)
ISMS Improvement: Continual Improvement; Corrective Action; Preventive Action

The 11 Domains of Information Management

Overall, the standard is organised into 11 domain areas, 39 control objectives and 133 controls. The domain areas are:
Security Policy
Organization of Information Security
Asset Management
Human Resources Security
Physical & Environmental Security
Communications & Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance

ISO27001 vs BS7799

ISO27001 vs BS7799 [1]

BS7799 (10 domains):
Security Policy
Security Organisation
Asset Classification & Control
Personnel Security
Physical & Environmental Security
Communications & Operations Management
Access Control
Systems Development & Maintenance
Business Continuity Management
Compliance

ISO 27001 (11 domains):
Security Policy
Organising Information Security *
Asset Management *
Human Resources Security *
Physical & Environmental Security *
Communications & Operations Management *
Access Control
Information Systems Acquisition, Development and Maintenance *
Information Security Incident Management
Business Continuity Management
Compliance

* - new control/s added

ISO 27001 Implementation

Implementation Process

Assemble a Team and Agree to Your Strategy
Define Scope
Review Consultancy Options
Identification of Information Assets
Determination of Value of Information Assets
Identification of Legal, Regulatory & Contractual Requirements
Determination of Risk
Determination of Policy(ies) and the Degree of Assurance Required from the Controls
Identification of Control Objectives and Controls
Statement of Applicability
Definition of Security Strategy & Organisation
Definition of Policies, Standards, and Procedures to Implement the Controls
Completion of ISMS Documentation Requirements
Implementation of Policies, Standards, and Procedures
Update Statement of Applicability

Supporting activities shown alongside the process: Defining Scope and Participants; Contracts and Agreements

ISMS Documentation

Level 1 - Security Manual: Policy, organisation, risk assessment, statement of applicability. Management framework policies relating to ISO 27001.
Level 2 - Procedures: Describes processes (who, what, when, where).
Level 3 - Work Instructions, checklists, forms, etc.: Describes how tasks and specific activities are done.
Level 4 - Records: Provides objective evidence of compliance to ISMS requirements.

Implementation Issues

Develop Documentation: Develop Security Policy; Approval by CEO; Select External Consultant; Acquire Policy Tool
Educate Personnel: Conduct Awareness; Security Awareness Material; Disseminate Newsletter; Continue Awareness
Enforce Policy: ISO27001 Internal Assessment; ISO27001 External Assessment; Monitor & Measure Compliance; Develop other missing controls (Physical, BCP etc.); Update Security Technologies (if needed)

A security awareness programme is a very important issue. A tool is essential to make security policies visible across the organization and to translate policy objectives into actual compliance.

Registration Process

Audit and Review of the Information Security Management System:
Choose a Registrar
Initial Inquiry
Optional Quotation Provided
Application Submitted
Client Manager Appointed
Pre-Assessment
Phase 1: Undertake a Desktop Review
Phase 2: Undertake a Full Audit
Registration Confirmed Upon Successful Completion
Continual Assessment: Internal; External Continuing (every 6 months); Re-Assessment (every 3 years)

Critical Success Factors

Security policy that reflects business objectives
Implementation approach consistent with company culture
Visible support and commitment from management
Good understanding of security requirements, risk assessment and risk management
Effective marketing of security to all managers and employees
Providing appropriate training and education
A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feed back suggestions for improvement
Use of an automated Security Policy Management tool

Closing Remarks

ISO27001 can be:
Without genuine support from the top, a failure
Without proper implementation, a burden
With full support, proper implementation and ongoing commitment, a major benefit

Thank you for your time


For more information please contact:

ENCODE Middle East


P.O. Box 500328, Dubai Internet City, Dubai, UAE
Tel.: +971-4-3608430
http://www.encodegroup.com
info_me@encodegroup.com

