Guide Objectives:
Old-fashioned view!!!
» Decision-Taking
Control Information
Decision-Making
» A technical standard
Basic Requirements
» Be business process-oriented
Starting Point
System Scope
Strategic Line-up
» AS/NZS 4360
What are Risks?
Objectives
Methodology
» Business focus:
» What are the risks really impacting my business
» Every organization area must be involved
» Direct participation of managers and those individuals responsible for information assets
Risk Analysis
Methodology
Business Processes
» Information flow
» Consider the point where information is generated or starts to be part of the processes
» Consider the emergence, life and destruction of information
» Identify flow main components
Risk Analysis
Information Assets
[Figure: information-asset flow diagram. Labelled elements: Customers, Telemarketing operator, Telephone, Telephone switchboard, Hub, Workstation, Software (1 - SysCall, 2 - E-mail), Mainframe, Router, Internet server, Firewall, Internet]
Information Assets
Consequences (impact)
Incident History
» Determining factors:
» Internal history (many times insufficient)
» External history (statistics and surveys)
Risk Analysis Methodology
Incident History
Result: Risks
Consolidating Results
Treatment Options
Risk Treatment
Selection of Controls
» ISO 17799:2005
Residual Risk
Documenting Controls
Statement of Applicability
Security Policy
Quantify Risks
Evaluate Risks
Treat Risks
IMPLEMENTATION OF THE ISO 27001 STANDARD
Risk Management
ISO Guide 73
Modus Operandi
Documentation and
Responsibilities
Documentation
Documentation Requirements
Document Control
Record Control
SM Security Management
SC Security Control
SI Security Instruction
SR Security Record
[Figure: document hierarchy. A single SM (Security Management) document at the top, branching into several SI (Security Instruction) documents, which in turn branch into many SR (Security Record) documents]
Document Arrangement
Resource Management
Processes
Technology
Awareness
Disclosure
Perimeter People
Training
Responsibilities - Exercise
Basic Responsibilities
Performance evaluation
System Efficiency
» Risks identified but not treated
» Information security incidents
» Risks not considered in the Risk Analysis
» Residual risk after treatment
ISMS Monitoring
Risk Management
Process-oriented
Technical
Physical and knowledge
Technological
Controls
Audit Performance
Audit Techniques
» Sampling audit
» Interviews with managers and employees
» Reading of controls and procedures and requesting of records
» Checking of work routine performance
» Simulation of scenarios
Management Critical Analysis of the System
General Aspects
Ongoing Improvement
Corrective Actions
Preventive Actions
Required actions
Audit System
» Pre-audit
» Certification Audit
» Periodical audits