
HOW TO IMPLEMENT AN INFORMATION SECURITY

MANAGEMENT SYSTEM (ISMS)

Presented by:
• Sharon O’Reilly
• IT Governance Europe
• August 20th 2018

IT Governance: GRC one-stop-shop

Copyright IT Governance Ltd - v 0.1

Today's discussion
• Adopting a comprehensive, risk-based approach to information security
• Securing organization-wide commitment
• The importance of people, processes, and technology in information security
• The nine-step approach to implementing an ISMS
• Using ISO 27001 as the global standard for best-practice information security
• Risk assessments and controls and implementing controls
• Testing your ISMS and developing documentation
• The benefits of obtaining independent assurance

HOW TO ADOPT A COMPREHENSIVE, RISK-BASED APPROACH TO INFORMATION SECURITY

What is an ISMS?
• If your organization is concerned about data protection and data security compliance, it should have an ISMS.
• An ISMS is a documented, systematic approach, relying on people, processes, and technology, that helps to manage, monitor, audit, and improve your organization's information security, consistently and cost-effectively.
• An ISMS helps you manage all your security practices in one place.
• An ISMS can help you meet data security compliance obligations for a number of laws, including the GDPR etc.

THE IMPORTANCE OF PEOPLE, PROCESSES, AND TECHNOLOGY IN INFORMATION SECURITY

Three pillars of cybersecurity

Securing organization-wide commitment

Using ISO 27001 as the global best-practice information security standard
• ISO/IEC 27001:2013 (ISO 27001) is the international standard that provides specifications for a best-practice ISMS.
• ISO 27001 keeps confidential information secure, helps you comply with regulations and gain a preferred supplier status – giving you a competitive advantage.
• ISO 27001 is one of the fastest-growing management standards in the world, with certifications growing at an annual rate of 20%.
• Achieving accredited certification to ISO 27001 demonstrates that your organization is following information security best practice.

Securing organization-wide commitment – staff
ISO – the International Organisation for Standardisation, which develops and publishes ISO standards – currently lists ISO 27001 as one of the three most popular ISO standards. Information security management is now a business essential, and organisations around the globe are recognising this and using ISO 27001 to help to protect their assets and their reputations.

SECURING ORGANIZATION-WIDE COMMITMENT

Securing organization-wide commitment – staff
• An ISMS can only function through senior leadership commitment.
• Management should lead from the top down and provide the necessary budget and resources to make the ISMS happen.
• When organizations look to initiate an ISMS, the ‘people’ factor is often overlooked.
• Staff awareness can provide basic knowledge of information security best practices to reduce preventable mistakes.
• Using engaging training, tools, and thought-provoking activities, organizations can make staff aware of the daily cyber risks they face, and suggest actions and procedures to minimize such risks.

Securing organization-wide commitment – the board
• Only 28% of UK boards are involved in setting security strategy.*
• An ISMS can give the board improved visibility over its security regime.
• Regular communication between management and the board on cyber security is critical to protect company interests and ensure accountability.
• The board must also ensure that the CISO is reporting at the appropriate levels within the organization.
• Discussions at board level should include identifying which risks to avoid, accept, mitigate, or transfer (such as through cyber insurance), as well as reviewing specific plans associated with each approach.
• Effective cybersecurity is an ongoing process. Armed with the right information, the board can play an essential role in preventing issues before they arise.

* PwC Global State of Information Security Survey 2017

Questions the board should be asking the CISO
• Are we conducting regular information security risk assessments?
• How do we demonstrate compliance with our cybersecurity controls?
• What are the top risks facing our organization?
• Are we testing our systems before a problem arises?
• Do we comply with leading information security frameworks or standards?
• Do we have an effective information security awareness program?
• In the event of a data breach, what is our response plan?
• Are we adequately insured?
• Are supplier risks and risks in the supply chain part of our risk register?
• Is our information security budget being spent appropriately?
• When did we last test our recovery procedures?
• Do we have visibility into the network?

ISMS overview
CONTEXT AND SCOPE
Q. What are we protecting? A. ASSETS – in order to protect assets we must identify them. The C, I and A of ASSETS.
Q. What are we protecting them against? A. RISKS – in order to protect against risks we must identify those risks.
Q. How are we protecting them? A. By applying appropriate treatments/controls based on risk appetite and context. Many are ACCESS related controls.
Q. What type of treatments/controls might we apply? A. Annex A plus other controls if appropriate. Policies, processes, procedures, forms, records. Management systems (to control the controls).
CONTINUAL IMPROVEMENT

THE NINE-STEP APPROACH TO IMPLEMENTING AN ISMS

The nine-step approach to implementing an ISMS
1) Project mandate
• Assemble information
• Establish senior-level commitment
2) Project initiation
• Set up a project team
• Assemble project team
• Draw up a RACI matrix
3) ISMS initiation
• Establish documentation structure
• Review senior-level commitment
• Set information security goals
4) Management framework
• Identify the scope of the ISMS
• Formalize an information security policy
• Define communication strategy
• Identify competence requirements
5) Baseline security criteria
• Identify the practices you already have in place, assess their effectiveness, and ensure that they continue
6) Risk management
• Establish risk assessment framework
• Select risk management options
• Define risk acceptance criteria
• Create a Statement of Applicability (SoA)
7) Implementation
• Conduct a needs analysis
• Establish a staff awareness program
8) Measure, monitor, and review
• Monitoring, measurement, analysis, and evaluation
• Internal audit
• Management review
9) Certification
• Ensure documentation is complete, comprehensive, and available
• Ensure you have records of internal audits and testing
• Ensure management involvement

RISK ASSESSMENTS AND CONTROLS

Risk assessments and controls
Risk assessment
• An information security risk assessment is a formal, top management-driven process, and sits at the core of an ISO 27001 ISMS.
• A risk assessment should be repeatable, transparent, traceable, and consistent.
• There are five simple steps that you should take to conduct a successful risk assessment: establish a risk management framework, identify risks, analyze risks, evaluate risks, and select risk treatment options.
• There are 4 ways to treat risks – avoid, modify, share, or retain.
• SoA and risk treatment plan
Controls
• The risk assessment process determines the controls that have to be deployed in your ISMS.
• ISO 27001 includes a set of 114 controls in Annex A that are designed to mitigate information security risks.
• These controls are divided into 14 different categories.
• The Standard does not specify that you should use your own control set.
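The five assessment steps, the four treatment options and the SoA described on this slide, carried through on a small risk register. This is an added example, not material from the presentation or from IT Governance: ISO 27001 prescribes no scoring scale or acceptance threshold, so the 1–5 likelihood/impact scale, the two thresholds, the `Risk` fields `shareable`/`removable` and the sample risks are all constructed for illustration.

```python
"""Risk register, treatment selection and Statement of Applicability (SoA).

Added example, not code from the IT Governance deck. The scoring scale,
thresholds and sample risks are constructed; ISO 27001 prescribes none of them.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    """The four risk treatment options named on the slide."""
    AVOID = "avoid"
    MODIFY = "modify"
    SHARE = "share"
    RETAIN = "retain"


# The 14 control sets of ISO/IEC 27001:2013 Annex A, keyed by clause reference.
ANNEX_A = {
    "A.5": "Information security policies",
    "A.6": "Organization of information security",
    "A.7": "Human resource security",
    "A.8": "Asset management",
    "A.9": "Access control",
    "A.10": "Cryptography",
    "A.11": "Physical and environmental security",
    "A.12": "Operations security",
    "A.13": "Communications security",
    "A.14": "System acquisition, development and maintenance",
    "A.15": "Supplier relationships",
    "A.16": "Information security incident management",
    "A.17": "Information security aspects of business continuity management",
    "A.18": "Compliance",
}

# Step 1, the risk management framework: scales plus acceptance criteria (constructed).
ACCEPT_AT_OR_BELOW = 6        # risk acceptance criterion: a score of 6 or less may be retained
INTOLERABLE_AT_OR_ABOVE = 20  # constructed: avoid the activity if that is possible


@dataclass
class Risk:
    """One row of the risk register (step 2: an identified risk)."""
    asset: str
    threat: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int       # 1 (negligible) .. 5 (severe), constructed scale
    controls: list[str] = field(default_factory=list)  # Annex A sets that would modify it
    shareable: bool = False   # a transfer option exists (e.g. cyber insurance, outsourcing)
    removable: bool = False   # the activity that creates the risk can be stopped

    def score(self) -> int:
        """Step 3, analysis: likelihood x impact on the constructed scale."""
        return self.likelihood * self.impact


def select_treatment(risk: Risk) -> Treatment:
    """Steps 4 and 5: evaluate the score against the criteria and pick a treatment."""
    s = risk.score()
    if s <= ACCEPT_AT_OR_BELOW:
        return Treatment.RETAIN
    if s >= INTOLERABLE_AT_OR_ABOVE and risk.removable:
        return Treatment.AVOID
    if risk.controls:
        return Treatment.MODIFY
    if risk.shareable:
        return Treatment.SHARE
    return Treatment.MODIFY   # controls still to be selected; visible as an empty list in the plan


def risk_treatment_plan(risks: list[Risk]) -> list[dict]:
    """Risk treatment plan, highest score first, so the decision record is traceable."""
    plan = []
    for r in sorted(risks, key=lambda r: r.score(), reverse=True):
        t = select_treatment(r)
        plan.append({"asset": r.asset, "threat": r.threat, "score": r.score(),
                     "treatment": t.value,
                     "controls": r.controls if t is Treatment.MODIFY else []})
    return plan


def statement_of_applicability(risks: list[Risk]) -> dict[str, dict]:
    """SoA: every Annex A set marked applicable or not, justified by the risks behind it."""
    drivers: dict[str, list[str]] = {}
    for r in risks:
        if select_treatment(r) is Treatment.MODIFY:
            for ref in r.controls:
                drivers.setdefault(ref, []).append(f"{r.asset}: {r.threat}")
    return {ref: {"title": title,
                  "applicable": ref in drivers,
                  "justification": ("; ".join(drivers.get(ref, []))
                                    or "no assessed risk requires this control set")}
            for ref, title in ANNEX_A.items()}


# Constructed sample register (scores 15, 4, 20, 20).
SAMPLE_RISKS = [
    Risk("Customer database", "Access by a leaver whose account was not removed", 3, 5,
         controls=["A.9", "A.7"]),
    Risk("Public marketing site", "Defacement of static pages", 2, 2),
    Risk("Payment processing", "Regulatory fines after a card-data breach", 4, 5, shareable=True),
    Risk("Legacy FTP server", "Plaintext credential interception", 4, 5, removable=True),
]

if __name__ == "__main__":
    for row in risk_treatment_plan(SAMPLE_RISKS):
        print(row)
    for ref, entry in statement_of_applicability(SAMPLE_RISKS).items():
        print(ref, entry["title"], "-", "applicable" if entry["applicable"] else "not applicable")
```

The two outputs are the artefacts the slide names: `risk_treatment_plan` is the risk treatment plan, and `statement_of_applicability` walks all 14 Annex A sets so that every one is either justified by a named risk or explicitly marked not applicable. Keeping the thresholds as named constants is what makes the assessment repeatable and consistent; changing them re-runs the same decisions rather than relying on an assessor's judgement each time.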

14 control sets of Annex A
• A.5 Information security policies
• A.6 Organization of information security
• A.7 HR security
• A.8 Asset management
• A.9 Access control
• A.10 Cryptography
• A.11 Physical and environmental security
• A.12 Operations security
• A.13 Communications security
• A.14 System acquisition, development, and maintenance
• A.15 Supplier relationships
• A.16 Information security incident management
• A.17 Information security aspects of business continuity management
• A.18 Compliance

TESTING YOUR ISMS AND DEVELOPING DOCUMENTATION

Developing documentation
Ensure your ISMS has:
• Structure for framework of documented information
• Templates for different types of documented information
• Determined roles and responsibilities
• Determined revisions, approvals, requirements, and arrangements

Internal audit
• Implementing an ISMS requires ongoing maintenance and review to meet the Standard’s requirements in Clauses 8 and 9.
• The internal audit is an essential element of this process.
• Internal audits check conformity to ISO 27001 and controlled (documented) ISMS processes.

Certification audit
• The certification process requires an external review by an auditor.
• The auditor works for an accredited certification body.
• The auditor audits your organization’s ISMS with respect to ISO 27001.
• A successful audit results in a certificate, which details the scope of the ISMS and references an SoA.
• Accredited certification is essential.
• Undergoing audits should become second nature – no special preparation should be necessary.

THE BENEFITS OF OBTAINING INDEPENDENT ASSURANCE

IT Governance ISO 27001 classroom courses
• ISO 27001 Certified ISMS Foundation
• ISO 27001 Certified ISMS Lead Implementer

The benefits of obtaining independent assurance
• Win new business and retain your existing customers
• Avoid the financial penalties and losses associated with data breaches
• Protect and enhance your reputation
• Comply with business, legal, contractual, and regulatory requirements
• Improve structure and focus
• Reduce the need for frequent audits
• Obtain an independent opinion about your security posture

How to get in touch
• Visit our website: https://www.itgovernance.eu/en-ie
• Contact an ISO 27001 specialist: https://www.itgovernance.eu/en-ie/speak-to-an-iso-27001-expert-ie
• Email us: servicecentre@itgovernance.eu
• Call us at +353 (0) 1 518 0150
• Join us on LinkedIn: /company/it-governance
• Follow us on Twitter: /itgovernance
• Like us on Facebook: /ITGovernanceLtd

Questions