IMPLEMENTATION OF THE ISO 27001 STANDARD

World leader in Risk Management and Compliance solutions. Create value and minimize your risks through our on-demand management systems.

Real ISO Corp.


626, Glenn Curtiss
Uniondale, 11556
New York – USA
www.realiso.com
Modus Operandi
ISO 27001 - Training

Implementation Guide – Part One

Informative Aspects

Guide Objectives:

» General view of Information Security
» Focus on security management
» Understanding an ISMS
» Understanding Risk Analysis
» Study of Information Security management processes
General aspects
Modus Operandi of Information Security

What does Information Security mean?

» Foreign hackers capturing credit card numbers
» Large corporation websites being defaced for political reasons
» Virus attacks that render large corporations inactive
» Digital spies capturing and selling information on competitors and huge databases
» Young people invading systems without knowing the true value of the information

What does Information Security mean?

Old-fashioned view!!!
» Decision-Taking

[Figure: Control, Information, Decision-Making]

» A good decision depends on the quality of information

Information Security

Far beyond the firewall!

» Security does not depend upon IT alone
» Assuring security does not mean simply ensuring information secrecy
» Proper decisions depend on accurate information
» Security may generate perceivable value
What is information?

» On paper: memos, standards, formulas, designs, strategies.
» On digital media: disks, tapes, CDs, transmitted files.
» Sound: meeting recordings, messages left on telephone switchboards, cell phone mailboxes.
» Image: document photos, identification photos, facility photos, videotapes, digital videos.

Resources

» Processing: ability to handle information and generate results
» Storage: ability to store information. Does not change information
» Communication: ability to transmit information. Should not change transmitted information
Last Paradigm: Responsibility

» Due Diligence: shows that the company is carrying out security activities on a steady basis.
» Due Care: development of information security policies, risk analysis, and an ISMS. Shows that Management has taken the required decisions and actions to protect the company.
» Warning: not carrying out “Due Diligence” and “Due Care” may characterize administrative negligence.
Basic Principles

» Confidentiality: information that may not be made available or disclosed to people, entities or processes without permission. A concept to ensure that sensitive, confidential information is limited to an appropriate group of individuals or organizations.
» Integrity: the condition by which information or information resources are protected from unauthorized changes. Information accuracy and completeness.
» Availability: information is to be delivered to the right people, when needed.
ISO 27001

Framework and Implementation

What is ISO 27001?

» A standard with the requirements for a company to implement an information security management system
» It originated from BS 7799, created by BSI – British Standards Institution
» Business process-oriented and not technology infrastructure-oriented
» Based on the PDCA management cycle
» Determines that a company must have an ISMS – Information Security Management System
» May be applied to any company type
» Enables a company to have its ISMS certified
» In line with the ISO 9000 and ISO 14000 standards

What ISO 27001 is NOT

» A technical standard
» A standard developed for the IT area
» A guide for best practices. For that, ISO 27002 is available
» A methodology for information security management
IS Management System - PDCA

» Understanding security requirements: assess business risks and requirements
» Implementing and operating controls: technological, physical, and administrative
» Monitoring and reviewing System performance: indicators and objective metrics
» Improving on an ongoing basis: corrective and preventive actions
ISO 27001 Application

Why implement an ISMS?

» The System was developed with the aim of providing security controls that properly protect the company’s information assets, increasing the confidence of customers and other concerned parties

ISO 27001 Application

Basic Requirements

» However, the following items may not be disregarded:
  » 4 – Information Security Management System
  » 5 – Management Responsibility
  » 6 – Internal ISMS Audits
  » 7 – Management Review of the ISMS
  » 8 – ISMS Improvement
Information Security Management System

The Security Management System should:

» Follow the PDCA model
» Consider business context and information risks
» Be business process-oriented
» Comply with the standard requirements

Implementing ISMS - Starting Point

System Scope

Which processes will my system act upon?

» The scope defines which information assets the system will act upon
» It is useful to define scope through a business process approach
» Scope definition should be clear and allow identification of the locations and assets involved
Information Security Policy

Management System guidelines

» The policy should reflect the company’s philosophy with regard to its information security
» It should provide direction to all concerned parties
» It should consider business requirements and applicable regulatory requirements

Information Security Policy

Strategic Alignment

» What are the company’s main strategies?
» How does information security relate to these strategies?
» What are the company’s security objectives?
Risk Analysis

Security Requirements for a Company

» Information Security risks
» Regulatory and Contractual Obligations
» Set of principles, objectives and business requirements needed for information processing

Risk Analysis

National and International Standards References

» ISO 13335-1 and ISO 13335-2
» ISO Guide 73 – Risk Management Vocabulary
» AS/NZS 4360

What are Risks?

» Risks are events that negatively impact the organization’s ability to achieve its goals, considered in terms of the probability of their occurrence and the related consequences
» Analyzing risks means identifying and quantifying these events so that specific actions may be planned and developed
Risk Analysis

Objectives

» To identify the main risks to information security in a systematic way
» To ensure compliance of the Security Management process with the ISO 27001 standard
» To present in a quantified way the events that may prevent the organization from achieving its goals – Security Policy
» To provide an overview of the aspects that need to be managed to assure compliance with the Security Policy

Risk Management is one of the main ways to ensure safety for diverse market segments
Risk Analysis

Methodology

» What are the risks of non-compliance with the Security Policy?
» Analysis of risks:
  » Technological
  » Physical
  » Administrative
» Business focus:
  » What are the risks really impacting my business?
  » Every organization area must be involved
  » Direct participation of managers and those individuals responsible for information assets
» Identification and evaluation through:
  » On-site analyses
  » Interviews and meetings
  » Authorized simulations
» Interim results must be submitted for approval

Risk Analysis

Business Processes

» Information flow
» Consider the point where information is generated or starts to be part of the processes
» Consider the emergence, life and destruction of information
» Identify the main components of the flow

Risk Analysis

Information Assets

» Information flow components
» Examples of assets:
  » Computers, telephones, fax
  » People, outsourced resources
  » Forms, documents, reports
» Evaluate asset importance for the company
» Information flow

[Figure: Example of Information Flow. Components: Customers, Telemarketing Operator, Telephone, Telephone Switchboard, Mainframe, Hub, Workstation (Software: 1 - SysCall; 2 - E-mail), Internet Router, Internet Server, Firewall]
Risk Analysis

Information Assets

» Identify main components
  » Equipment, software, services, etc.
» Identify main network and information transmission segments
» Identify main information transmitted through the flows
Risk Analysis – Identifying Security Risks

Risk Analysis

Threats and Vulnerabilities

» Threat: risk agent
  » Hackers, spies, computer viruses
» Vulnerability: fault enabling threat action
  » Software flaws, design errors, security gaps
» Events = association of threats and vulnerabilities
» Identify potential events for each information asset
» Evaluate possible scenarios
  » Earthquake?
» Reminder: potential events are considered in light of the Information Security Policy
» What are the possibilities of non-compliance with the Security Policy?
Risk Analysis - Exercise

Threats and Vulnerabilities

» Gather into groups of 3
» Identify possible events by considering the already defined Security Policy
» We will be discussing these events with the other groups within 30 minutes
Risk Analysis Methodology

Consequences (impact)

» What is the damage to the company if the event really takes place?
» This estimation must consider:
  » Revenue and financial losses
  » Penalties and indemnifications
  » Impact on the company’s image
» Evaluate damage in terms of loss of reliability, integrity and availability

Risk Analysis Methodology - Exercise

Consequences (impact)

» Gather into groups of 3
» Identify the impact of the identified events, considering the impact on reliability, integrity and availability
» We will be discussing these impacts with the other groups within 20 minutes
Risk Analysis Methodology

Incident History

» Identification of the probability for the listed events to occur
» Determining factors:
  » Internal history (often insufficient)
  » External history (statistics and surveys)
» Participation of the company management
  » What is the frequency with which the issues occur?
» Great impact on the final risk rate
  » Probability is one of the risk determining factors

Risk Analysis Methodology - Exercise

Probability

» Gather into groups of 3
» Determine metrics for probability definition
» Determine the probability for the listed events to occur
» We will be discussing within 20 minutes
Risk Analysis Methodology

Result: Risks

» Risks are the result of threats and vulnerabilities, when considering their probability of occurrence and the related damages
» Risks must be quantified on a numeric scale
» Asset value must always be considered

Risk Treatment - Exercise

Consolidating Results

» Gather into groups of 3
» Define the best way to get the final risk score
» Quantify the risks mapped up to now
» Results will be discussed with the other groups
Risk Analysis
Modus Operandi – Risk Treatment

Risk Treatment

Risk Acceptance Criteria

» Companies have distinct profiles
  » Daring: speed, greater risk
  » Conservative: stability, lower risk
» Risk acceptance criteria must be defined
  » Management decision
» Risks must be deliberately accepted or handled

Risk Treatment

Treatment Options

» Apply controls for risk reduction
» Recognize and accept risks as per predefined criteria
» Avoid risks
» Transfer risks
Risk Treatment

Selection of Controls

» Conformance with the risk acceptance criteria
» Select the risks that will be handled by application of controls
» ISO 17799:2005
» Additional controls may be used
» Documenting Security Controls

SC – Security Control (example of content for a Security Control document)

» Objectives – related risks
» Description – how the control is applied
» Control Metrics – the evaluation metrics and the service levels the control must conform to
» Evaluation of Results – where the information evidencing control effectiveness is found
Risk Treatment

Risk Treatment Plan

» Document indicating responsibilities for risk treatment
» Must indicate Residual Risk
» Must indicate deadlines
» Must describe how risks will be treated
» Document required in the course of the certification process

Risk Treatment

Residual Risk

» Control implementation may work in two ways:
  » By minimizing impact
  » By minimizing probability
» Residual Risk is the new risk value after control implementation
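A worked example of the scoring described on the Result: Risks, Risk Acceptance Criteria, Treatment Options and Residual Risk slides, added here and not part of the original training material. It assumes 1-5 scales for asset value, probability and impact, the product formula for the risk score and an acceptance threshold of 20, none of which the deck prescribes; the register entries are constructed from the deck's information-flow assets.

```python
"""Risk scoring, acceptance criteria and residual risk (constructed example,
not from the original deck). Assumed model: asset value, probability and
impact each on a 1-5 scale; risk = asset_value * probability * impact;
management sets a numeric acceptance threshold."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Event:
    """A threat/vulnerability pair on one information asset."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: int  # 1-5: importance of the asset for the company
    probability: int  # 1-5: from internal/external incident history
    impact: int       # 1-5: damage if the event really takes place

    def risk(self) -> int:
        """Inherent risk before any control is applied."""
        for name in ("asset_value", "probability", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be on the 1-5 scale, got {value}")
        return self.asset_value * self.probability * self.impact


@dataclass
class Control:
    """A control lowers probability, impact, or both (the deck's two ways)."""
    name: str
    probability_reduction: int = 0
    impact_reduction: int = 0


def residual_risk(event: Event, controls: list[Control]) -> int:
    """New risk value after control implementation; factors never drop below 1."""
    prob = max(1, event.probability - sum(c.probability_reduction for c in controls))
    imp = max(1, event.impact - sum(c.impact_reduction for c in controls))
    return event.asset_value * prob * imp


def treat(event: Event, controls: list[Control], threshold: int) -> dict:
    """Decide the treatment option against the acceptance criteria."""
    inherent, residual = event.risk(), residual_risk(event, controls)
    if inherent <= threshold:
        decision = "accept"    # within criteria: accepted deliberately
    elif residual <= threshold:
        decision = "reduce"    # selected controls bring it under the threshold
    else:
        decision = "escalate"  # still above criteria: avoid, transfer or add controls
    return {"asset": event.asset, "threat": event.threat,
            "inherent": inherent, "residual": residual, "decision": decision}


def risk_treatment_plan(register, threshold: int) -> list[dict]:
    """Treatment plan entries, highest inherent risk first."""
    plan = [treat(ev, ctrls, threshold) for ev, ctrls in register]
    return sorted(plan, key=lambda e: e["inherent"], reverse=True)


# Constructed register using assets from the deck's information-flow example.
SAMPLE_REGISTER = [
    (Event("Customer database", "Digital spy", "Weak access control", 5, 3, 5),
     [Control("Role-based access control", probability_reduction=2),
      Control("Encryption at rest", impact_reduction=2)]),
    (Event("Internet server", "Defacement", "Unpatched web server", 4, 4, 4),
     [Control("Patch management", probability_reduction=1)]),
    (Event("Telemarketing workstation", "Virus", "No antivirus", 2, 4, 3),
     [Control("Antivirus", probability_reduction=2)]),
    (Event("Telephone switchboard", "Earthquake", "No alternate site", 3, 1, 5), []),
]

if __name__ == "__main__":
    for entry in risk_treatment_plan(SAMPLE_REGISTER, threshold=20):
        print(entry)
```

The "escalate" outcome is the case the deck's Treatment Options slide leaves to management: the residual risk still exceeds the criteria, so the risk must be avoided, transferred, or given further controls before the Risk Treatment Plan is closed.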
Risk Treatment - Exercise

Documenting Controls

» Gather into groups of 3
» Select one or more controls from Annex A of the ISO 27001 standard
» Document and identify metrics as per the items presented in the SC document
» Results will be discussed with the other groups within 20 minutes

Risk Treatment

Statement of Applicability (SoA)

» Describes all controls in Annex A of the standard
» Identifies the ones that are applied and those that are not
» Justifies non-implementation of discarded controls
» Justifies implementation of selected controls
» Indicates additional controls
» Indicates where control application is described

Risk Treatment - Exercise

Statement of Applicability

» Gather into groups of 3
» Prepare a statement of applicability
» Results will be discussed with the other groups within 45 minutes
» Risk Management

[Figure: Risk Management process according to ISO Guide 73. Security Policy; Identify Risks; Quantify Risks; Evaluate Risks; Treat Risks; with Monitor and Review and Risk Communication running alongside all steps]
Modus Operandi
Documentation and Responsibilities

Documentation

Documentation Requirements

» Statements of Security Policy and security objectives
» System scope as well as procedures and controls supporting the system
» Risk Analysis Report and Risk Treatment Plan
» Procedures required to ensure effectiveness, operation and control of your security processes
» Remaining records required by ISO 27001
» Statement of Applicability
Documentation

Document Control

» System for document approval
» Document review and update
» Identification of changes and revision traceability
» Make sure the latest document version is always in place wherever it is used
» Control of document distribution
» Ensure identification of external document sources
» Ensure document access control!

Documentation

Record Control

» Records are documents evidencing that a given control or procedure has been performed
» Records usually carry a date and represent instances of the same document
» Examples of records:
  » Completed forms
  » Minutes of meetings
  » System logs
» The standard requires maintenance of records evidencing that the System has been executed
» Records must be kept secure for predetermined periods
» Record maintenance requirements must be clearly identified
» Document hierarchy

[Figure: Example of document arrangement. Levels: SM – Security Management; SC – Security Control; SI – Security Instruction; SR – Security Record]

» Relationship among documents

[Figure: Example of document arrangement. One SM – Security Management document at the top; several SC – Control documents below it; each SC with several SI documents; each SI with several SR documents]

Document Arrangement
Document Control - Exercise

Controls x Instructions x Records

» Gather into groups of 3
» Select one or more controls from previous tasks
» Briefly describe the possible content for the control document. Create some instructions for this control
» Results will be discussed with the other groups within 30 minutes
Management Responsibility

Commitment to the System

» Management must set a Security Policy
» They must make sure that security objectives and plans are in place
» They must define security roles and responsibilities
» Management must communicate to the whole organization the importance of achieving security objectives through compliance with the Policy and individual responsibilities
» For these objectives to be met, Management must provide the required resources
» Management must define the acceptable risk level according to the methodology
» Management must periodically review the system in search of improvement opportunities
» Management must monitor and check the efficiency of the ISMS and Security Controls

Management Responsibilities

Resource Management

» Management must provide the required resources to establish, implement, operate and maintain the System
» They must provide resources to ensure proper application of controls and compliance with regulatory and contractual requirements
» They must assure a periodic critical analysis and System improvement

Management Responsibilities

Training, Culture and Capabilities

» Management must make sure that individuals have the required capability to perform their assigned tasks
» The organization’s culture level must be periodically evaluated and improvement actions performed
» Records must be kept of all training and remaining qualification services
Training

Capability and responsibility

» Each function must have clearly defined responsibilities – Job Description
» It must be assured that individuals performing these functions have the due skills to perform them
» Training must be carried out in line with the required skills

» Security Awareness

[Figure: Security Awareness. Elements: Maintenance, Processes, Technology, Awareness, Disclosure, Perimeter, People, Training]
Responsibilities - Exercise

Basic Responsibilities

» Gather into groups of 3
» Briefly describe the responsibilities of the following roles:
  » Process Manager, Asset Manager, Area Manager, Control Manager, Security Officer
» Results will be discussed with the other groups within 30 minutes
ISMS Monitoring

Performance evaluation

» The organization must carry out monitoring routines and other controls to:
  » Detect errors in process results
  » Identify incidents and security flaws
  » Check if security routines are being carried out
  » Determine whether actions reflect business priorities

ISMS Monitoring

System Efficiency

» The organization must carry out monitoring routines and other controls to:
  » Check if ISMS procedures are being efficient
  » Check if security controls are being efficient
  » Check if security objectives are being met

» Residual Risk and Security Incidents

[Figure: Information Security Incidents, related to three sources: risks identified but not treated; risks not considered in the Risk Analysis; residual risk after treatment]
ISMS Monitoring

Risk Management

» The organization must periodically review risks by considering changes in:
  » the organization
  » technology
  » business objectives and processes
  » identified threats
  » external events such as changes in the political, social or economic scenario

Internal Audit

Process-oriented

» Audits of all areas, business processes, procedures and controls
» Checking of compliance with ISO 27001 and regulatory / contractual requirements
» Checking of compliance with security requirements
» Checking of effective implementation and maintenance of security controls
Internal Audit

Basic Aspects

» It is important to keep trained and skilled internal auditors to audit the ISMS
  » Experts to check technical compliance
» Audits must be planned:
  » Audit Schedule
  » Previous audit results must be considered when planning audits
» Auditors should never audit their own work

» Audit Schedule

[Figure: Example of audit segregation. Technical audit: knowledge of physical and technological controls. Administrative audit: knowledge of Information Security Management processes and controls, and knowledge of Management Systems standards]
Internal Audit

Audit Performance

» Audits must be focused on the audit scope
» There must be an opening meeting
» Non-compliances found must be recorded, as well as notes and incidents
» The auditees must formally acknowledge the audit results

Internal Audit

Audit Techniques

» Sampling audit
» Interviews with managers and employees
» Reading of controls and procedures and requesting of records
» Checking of work routine performance
» Simulation of scenarios
Management Critical Analysis of the System

General Aspects

» This critical analysis must be carried out in order to assure system applicability and to identify improvement opportunities
» It should take place at least yearly
» System effectiveness and efficiency must be critically analyzed against target objectives

Management Critical Analysis of the System

Input Data

» Results of internal audits and remaining critical analyses
» Feedback from the concerned parties
» Techniques, products or procedures that may be used by the System to increase efficiency
» Status of improvement actions and non-compliances
» Vulnerabilities and threats not properly addressed in the last risk analysis
» Results of security control efficiency monitoring
» Security strategic objectives and general ISMS indicators

Management Critical Analysis of the System

Output Data

» Follow-up of actions generated in previous meetings
» Any change that may impact the system
» Recommendations for system improvement
» Plan with actions, objectives and persons in charge
» Security goals for the period
» Is the ISMS properly implemented?

» Critical Analysis Schedule

[Figure: Management Critical Analysis. Input Data: System Efficiency, Audit Results, New Risks, Business changes. Output Data: Improvement Actions]
System Improvement

Ongoing Improvement

» One of the features most shared among ISO standards
» Critical analysis actions, efficiency monitoring and audits should generate improvement actions
» Corrective and preventive actions must be considered

The organization must be capable of showing its ability to improve the system over time

System Improvement

Corrective Actions

» Identification and elimination of non-compliance causes
» Assurance that non-compliance will not recur
» Basis for System improvement actions
» Results of corrective actions must be recorded
» Corrective action results must be periodically reviewed

System Improvement

Preventive Actions

» Pro-activity: identifying non-compliances in advance
» Implementing preventive actions
» Results of such actions must be recorded
» Evaluated risks and the possibility of changes in the initial scenario must be considered

The cost of preventive actions is generally lower than the cost of corrective actions

» Ongoing Improvement

Optimal security level is achieved after several PDCA “turns”
Certification Audit

Required actions

» A full “turn” of the PDCA cycle
» Internal Audit and identification of the required improvements
» Evidence proving system life for approximately 3 months
» Evidence that Management critically analyzed the ISMS and found it adequate to their needs

Certification Audit

Audit System

» Pre-audit
» Certification Audit
» Periodic audits