
A Glance into ISO 27001 and BS 25999

Nalin Wijetilleke MBA,CISA,PMP,CBCP,BS7799LA


Agenda
• Information & Standards – an introduction
• ISO 27001 – an overview
• BS25999 – a quick walkthrough
• Wrap-up
What is the life blood of any organization?

Information

Can be in various forms

Some information is valuable as well as sensitive!
Must maintain its

Confidentiality
Integrity
Availability
Information is an Asset

[Figure: information as an asset surrounded by threats; recoverable labels: Theft, Virus, Data, Threat, System Failure, Access Control, Remote]
Information Security
protects assets from a wide range of threats
in order to ensure business continuity,
minimize business damage and maximize
ROI and business opportunities
Why do you need a management code of practice and a standard?

• To achieve effectiveness and efficiency in handling & protecting Information
• Security that is achieved by technical means should be supported by appropriate management practice
• To benchmark against international organizations
• Agreed, repeatable way of doing things


ISO 27001

• Published in October 2005, replacing BS7799 part 2
• Belongs to the family of IS security standards – ISO 27000
• Objective is to establish, implement, operate and monitor an Information Security Management System (ISMS)
• Design and implementation is according to the needs and objectives of the organization
ISO 27001 Domains (39 control objectives, 133 controls)
1. Security Policy Controls
2. Security Organization
3. Asset Classification & Controls
4. Personnel Security
5. Physical & Environment Security
6. Communications & Operations Management
7. Access Control
8. System Development & Maintenance
9. Information Security Incident Reporting
10. Business Continuity Management
11. Compliance
Implementing ISO 27001

PDCA cycle (Plan – Do – Check – Act), Dr Edwards Deming
ISO 27001 is NOT

• about IT Controls
• on how to implement the stated controls
• on total enterprise Risk management
• about reacting to information security incidents or failures
• about aimlessly introducing security controls just because they are ‘best practices’
Challenges in implementing ISO 27001

• Lack of understanding of Information Security Risks at Corporate level
• Assumption that current practices are Best practices
• Failure to justify the investment in establishing an Information Security Governance framework
• Non-availability of a champion/evangelist
• Inability to sustain the practice/certification
International ISMS Register - UAE

• Dubal
• Dubai Holding
• GPO – Electronic Document Processing Center
• Department of Health & Medical Services – Govt of Dubai
• Mashreqbank
• NBD
• Network International (member of Emirates-NBD Holding Co)
• Paramount Computers
• RAKBANK

Reference : http://www.iso27001certificates.com/
BS 25999 is on

Business Continuity Management

BS 25999
• BS25999 part 1 – code of practice (released in Dec last year); Part 2 – BCM Specifications, released on November 20th 2007
• Specifies Best Practice and not the general practice
• Objective is to establish a Best Practice framework to guide business
• Design and implementation is according to the needs and objectives of the organization
PDCA Model applied to BCM Implementation process

BCM Life Cycle
1. Setup the Program
2. What have you got – structure, functions, risks
3. How do you recover – who, what & when
4. Recovery Planning
5. Conduct Test, record and improve
6. Build Culture
BS25999 Domains

Clause 1 - Scope and applicability
Clause 2 - Terms and definitions for the BS25999 perspectives
Clause 3 - Overview of Business Continuity Management (BCM)
Clause 4 - The Business Continuity Management Policy
Clause 5 - BCM Program management
Clause 6 - Understanding the organization
Clause 7 - Determining the Business Continuity Strategy
Clause 8 - Developing & implementing a BCM response
Clause 9 - Exercising, maintaining and reviewing BCM arrangements
Clause 10 - Embedding BCM in the organization's culture
BS25999 Benefits
• Demonstrate an accepted level of preparedness for a crisis or a disaster
• Clear business advantage
• Best practice and not general practice
• It is a single reference point
• Scalable and straightforward
• Allows confidence in the supply chain
• Other….
Wrap-up
• Standards evolution is based on their maturity. Generally they are born as a PAS (Publicly Available Specification), become a BS and finally an ISO standard
• ISO 27001 & BS 25999 are standards leading to better governance
• They are Best practices and not general practices
• Standards are scalable and straightforward, applicable to a small, SME or large organization
• They are also applicable globally in an industry
• BS25999 is the latest standard and has 10 domains to address
nalindw2000@yahoo.com
