
Information Security Management Systems An ISO 27001 Introduction

Mahmood Justanieah ISACA-Jeddah Technical Meeting 18-March-2009

Slide 1

19h00: Information Security; ISO 27001:2005 and ISO 27002:2005; Control objectives and controls; Differences between ISO 27001 and other standards (ITIL, Cobit, ISO 20000)
19h45: Questions & Answers
20h00: Closure

Slide 2

Section 1 Information Security

Slide 3

Scenario

Compliance requirements, new notification laws and the growing number of breaches have made organizations aware that they need a structured approach to data security.

- Organizations are increasingly dependent on information assets
- Information users (internal and external) are demanding increased availability
- The number of incidents that threaten the continuity of operations is growing
- A single security breach can:
  - destroy a company's image
  - depress the value of the business
  - erode the bottom line; and
  - compromise future earnings

Slide 4

Data breach costs

For 2007, per-record compromised costs continued to increase (2007 Annual Study: US Cost of Data Breach, research conducted by Ponemon Institute LLC). The average total cost per reporting company was more than 6.3 million US dollars per breach and ranged between 225,000 and almost 35 million.

Slide 5

Cause of data breach

Lost or stolen laptops and other devices such as USB flash drives were the most significant source of a data breach. (2007 Annual Study: US Cost of Data Breach, research conducted by Ponemon Institute LLC)

Slide 6

Risks and Threats

Data Breach
- Media attention
- Breach notifications
- Brand degradation
- Government Agency Audit

Non-Compliance
- Restrictions on business activities
- Loss of a contract
- New privacy controls
- Publicly named through a Commissioner's order or legal proceedings

Customer Complaint
- Government Agency's finding/order
- Litigation
- Loss of customer

Over-Compliance
- Unnecessary restrictions on business activities
- Decreased customer satisfaction
- Competitive disadvantage

Slide 7

Information as an Asset

Information is: an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected.
Source: ISO/IEC 27002:2005, Section 0.1

Asset definition: anything that has value to the organization
Source: ISO/IEC 27001:2005, 3.1

Slide 8

Information Security, not IT Security

Information must be protected throughout its entire lifecycle:
- Creation
- Storage
- Processing
- Distribution

Information must be protected independently of its format or media, which is not only IT:
- Paper documents (on desks, in waste bins, left on photocopiers)
- Whiteboards
- Conversations overheard
- Conversations on public transport
- People

Slide 9

Information Security

Information Security: preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
Source: ISO/IEC 27001:2005

Confidentiality: Ensuring that information is accessible only to those authorized to have access. (Clause 3.3 of ISO/IEC 27001)

Integrity: Safeguarding the accuracy and completeness of information and processing methods. (Clause 3.8 of ISO/IEC 27001)

Availability: Ensuring that authorized users have access to information and associated assets when required. (Clause 3.2 of ISO/IEC 27001)

Slide 10

Information Security Management System

Information Security Management System (ISMS): that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

- Is a management process, not a technological process
- Strategic decision of an organization
- Design and implementation depend on:
  - Needs and objectives
  - Security requirements
  - Processes employed
  - Size and structure of the organization
- Scaled with needs

Slide 11

Section 2 ISO 27001: 2005 and ISO 27002:2005

Slide 12

The History of ISO 27001

1992: The Department of Trade and Industry (DTI), which is part of the UK Government, publishes a 'Code of Practice for Information Security Management'. This document is amended and re-published by the British Standards Institute (BSI) in 1995 as BS7799.

1995/1996: Support and compliance tools begin to emerge, such as COBRA. David Lilburn Watson becomes the first qualified certified BS7799 Auditor.

1999: The first major revision of BS7799 is published. This includes many major enhancements. Accreditation and certification schemes are launched. LRQA and BSI are the first certification bodies.

2000: In December, BS7799 is again re-published, this time as a fast-tracked ISO standard. It becomes ISO 17799 (or more formally, ISO/IEC 17799).

Slide 13

The History of ISO 27001

2002: A second part to the standard is published: BS7799-2. This is an Information Security Management Specification, rather than a code of practice. It begins the process of alignment with other management standards such as ISO 9000.

2005: A new version of ISO 17799 is published. This includes two new sections, and closer alignment with BS7799-2 processes.

2005: ISO 27001 is published, replacing BS7799-2, which is withdrawn. This is a specification for an ISMS (information security management system), which aligns with ISO 17799 and is compatible with ISO 9001 and ISO 14001.

Slide 14

ISO 27001

There are two closely related standards:
- ISO/IEC 27001 is the standard specification for the requirements of an Information Security Management System (ISMS).
- ISO/IEC 27002:2005 is the standard code of practice and can be regarded as a comprehensive catalogue of good security things to do.

ISO/IEC 27001 specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS.

It is designed to:
- Ensure adequate security controls to protect information assets, documenting the ISMS
- Give confidence to customers and interested parties

Slide 15

Other related standards

- ISO/IEC 27006 - Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC FDIS 27011 - Information technology -- Information security management guidelines for telecommunications
- SSE-CMM, Software Security Engineering Capability Maturity Model, now released as ISO 21827:2002. Helps organizations determine their security maturity relative to a set of capability metrics.

Under development:
- ISO/IEC 27000 - an introduction and overview for the ISMS family of standards, plus a glossary of common terms
- ISO/IEC 27003 - ISMS implementation guide
- ISO/IEC 27004 - information security management measurements
- ISO/IEC 27005 - information security risk management
- ISO/IEC 27007 - guideline for auditing ISMSs
- ISO/IEC 27011 - guideline for ISMSs in the telecommunications industry
- ISO/IEC 27799 - guidance on implementing ISO/IEC 27002 in the healthcare industry

Slide 16

Process Approach

ISO 27001 has adopted a process approach, which means an organization needs to identify and manage many activities in order to function effectively.

Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process.

Inputs >>>>>>> Process >>>>>>> Outputs*

*Often, outputs from one process provide inputs into the next.

The process approach for an ISMS encourages users to emphasize the importance of:
- understanding an organization's information security requirements and the need to establish POLICY and OBJECTIVES for information security
- implementing and operating CONTROLS to manage an organization's information security risks in the context of the organization's overall business risks
- monitoring and reviewing the performance and effectiveness of the ISMS, and
- CONTINUAL IMPROVEMENT based on objective measurement

Slide 17

PDCA

Plan, Do, Check, Act is to be applied to structure all ISMS processes. The figure illustrates how an ISMS takes the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations.

Slide 18

PDCA

The continuous change of the company, technology and society requires a process of continuously evaluating the effectiveness and efficiency of all security controls and adapting the security system to changing requirements.

This results in a control loop known as the PDCA model:
- Plan and implement security controls
- Operate security controls
- Monitor the security system and the world around you
- Initiate necessary change of the security system

Slide 19

Compatibility with other management systems

- ISO 27001 is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation with related management standards.
- ISO 27001 illustrates the relationship between its requirements, ISO 9001:2000 and ISO 14001:2004.
- This International Standard is designed to enable an organization to align or integrate its ISMS with related management system requirements.

Slide 20

Compliance to ISO/IEC 27001

All clauses in ISO/IEC 27001 are mandatory:
- Risk treatment plan based on risk assessment
- Documentation supporting various clauses
- Statement of Applicability based on scoping, justifying the choice of controls
- Annex A lists mandatory controls to choose from
- Valid justification must be documented to eliminate a control
- Chosen controls must be documented for audit purposes

Certification to the standard requires that all clauses be implemented.

Slide 21

Process Flow for Information Security

Step 1: Define the information security policy
  Output: Information Security policy

Step 2: Define the scope of the ISMS
  Output: Scope of the ISMS

Step 3: Undertake risk assessment
  Inputs: Information assets; threats, vulnerabilities, impacts
  Output: Risk assessment results and conclusions

Step 4: Manage the risk
  Inputs: Organization's approach to risk management; degree of assurance required
  Outputs: Areas of risk to be managed; selected control options

Step 5: Select control objectives and controls to be implemented
  Inputs: Control objectives and controls; additional controls
  Output: Statement of Applicability

Slide 22

Implementation of an ISMS - Plan

Establish and manage the ISMS:
- Scope and boundaries
- Policy / objectives
- Define risk assessment approach
- Identify risks
- Analyse and evaluate the risks
- Identify and evaluate options for treatment of risks
- Select control objectives and controls (Annex A)
- Obtain management approval of the proposed residual risks
- Obtain management authorisation to implement and operate the ISMS
- Prepare a Statement of Applicability

Slide 23

Implementation of an ISMS - Do

Implement and operate the ISMS:
- Formulate risk treatment plan
- Implement risk treatment plan
- Define how to measure effectiveness of selected controls
- Implement controls selected to meet control objectives
- Implement training and awareness
- Manage operations and resources
- Implement procedures and other controls

Slide 24

Implementation of an ISMS - Check

Monitor and review the ISMS:
- Execute monitoring procedures and other controls
- Undertake regular reviews of the effectiveness of the ISMS
- Measure effectiveness of controls
- Review risk assessments at planned intervals
- Review level of residual risk and identified acceptable risk
- Internal ISMS audits / management review
- Update security plans
- Record actions and events

Slide 25

Implementation of an ISMS - Act

Maintain and improve the ISMS:
- Implement identified improvements
- Take appropriate corrective and preventive actions
- Communicate the actions and improvements
- Ensure improvements achieve intended objectives

Slide 26

Section 3 Control objectives and Controls

Slide 27

"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it."
Gene Spafford, Director, COAST (Computer Operations, Audit and Security Technology), Purdue University

Slide 28

Purpose of controls in ISO/IEC 27002/27001

- 27002 specifies aspects of an effective information protection program suitable to the needs of business and industry.
- Protection in 27002 is based on assuring integrity, availability, and confidentiality of corporate information assets.
- Assurance is attained through controls that management creates and maintains within the organization.
- Ten of the controls are considered "Key Controls" because they are either legislatively required or considered fundamental building blocks.

Slide 29

ISO 27002 domains

- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance

Slide 30

Selection of Controls

Additional control objectives and controls: an organization might consider that additional control objectives and controls are necessary.

Not all the controls will be relevant to every situation:
- Consider local environmental or technological constraints
- Controls should be in a form that suits every potential user in an organization

Slide 31

Choice of controls

Controls considered to be essential to an organization from a legislative point of view include:
- intellectual property rights (see 15.1.2)
- safeguarding of organizational records (see 15.1.3)
- data protection and privacy of personal information (see 15.1.4)

Controls considered to be common best practice for information security include:
- information security policy document (see 5.1.1)
- allocation of information security responsibilities (see 6.1.3)
- information security education and training (see 8.2.2)
- reporting information security events (see 13.1.1)
- information security aspects of business continuity management (see 14.1)

Slide 32

Section 4 Differences with Other Standards ITIL, ISO 20000, Cobit

Slide 33

Definitions

COBIT: Cobit stands for Control Objective over Information and Related Technology. Cobit is issued by ISACA (Information System Control Standard), a non-profit organization for IT governance. Cobit's main function is to help a company map its IT processes to ISACA's best-practice standard. Cobit is usually chosen by companies performing an information system audit, whether related to a financial audit or a general IT audit.

ITIL: ITIL stands for Information Technology Library. ITIL, issued by the OGC, is a set of frameworks for managing IT service levels. Although ITIL is quite similar to COBIT in many ways, the basic difference is that Cobit sets its standard by looking at processes and risk, whereas ITIL sets its standard starting from basic IT service.

Slide 34

Comparison

ISO27001: ISO27001 differs considerably from both COBIT and ITIL, because ISO27001 is a security standard, so it has a smaller but deeper domain compared to COBIT and ITIL. Here is a detailed table comparing the three standards:

Area           | COBIT                               | ITIL                     | ISO27001
Function       | Mapping IT Process                  | Mapping IT Service Level | Information Security Management Framework
Area           | 4 Process and 34 Domain             | 9 Process                | 10 Domain
Issuer         | ISACA                               | OGC                      | ISO Board
Implementation | Information System Audit            | Manage to Service Level  | Compliance to security standard
Consultant     | Accounting Firm, IT Consulting Firm | IT Consulting firm       | IT Consulting firm, Security Firm, Network Consultant

Slide 35

Slide 36

Q&A
Slide 37

Mahmood.Justanieah@bureauveritas.com

Slide 38
