ISO 27001

2011 27001Academy www.iso27001standard.com

ISO 27001
- Leading international standard for information security management
- By the end of 2009, more than 12,000 organizations worldwide had been certified against this standard
- Its purpose is to protect the confidentiality, integrity and availability of information

ISO 27001
- It is not a technical standard that describes the ISMS in technical detail
- It does not focus only on information technology, but also on the other important assets of the organization

ISO 27001
- Focuses on all business processes and business assets
- Focuses on reducing the risks to information that is valuable for the organization
- That information may or may not be related to information technology, and may or may not be in digital form

ISO 27001 benefits
- Best framework for complying with information security legislation
- Better organizational image because of the certificate issued by a certification body
- Lower costs because of prevented incidents
- Operations in the organization are optimized because responsibilities and business processes are clearly defined

Process of ISO 27001 implementation
- Phase 1 - Planning
- Phase 2 - Implementing
- Phase 3 - Checking
- Phase 4 - Improving

Planning the ISMS
- Policy and objectives
- Risk assessment & risk treatment
- Risk Assessment Report
- Statement of Applicability

Implementing the ISMS
- 4 mandatory procedures
- Risk Treatment Plan
- Implement all controls
- Conduct training and awareness

Checking the ISMS
- Execute monitoring and reviewing procedures
- Measure the effectiveness of controls
- Internal audit
- Management review

Improving the ISMS
- Corrective actions
- Preventive actions

Requirements for successful implementation
- Management support (available people + funding)
- Project team
- Awareness of employees

Duration of implementation
- For very small organizations (less than 10 employees) - up to 4 months
- For small organizations (10 to 50 employees) - up to 8 months
- For medium-sized organizations (50 to 500 employees) - up to 12 months
- For large organizations (500 or more employees) - up to 18 months

Cost of implementation
- It is not possible to calculate the cost before the risk assessment is completed and the applicable controls are identified
- The majority of the investment is usually not in technology, but in the employees who implement the ISMS (invested time + training)

For more information: www.iso27001standard.com