
WHAT IS AN ISMS?

● An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

● It can help small, medium and large businesses in any sector keep information assets secure.

How the standard works

● Most organizations have a number of information security controls.
● However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having often been implemented as point solutions to specific situations or simply as a matter of convention.
● Security controls in operation typically address certain aspects of IT or data security specifically, leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole.
● Moreover, business continuity planning and physical security may be managed quite independently of IT or information security, while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.

● ISO/IEC 27001 requires that management:
○ Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
○ Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
○ Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
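The three requirements above (assess risks from threats, vulnerabilities and impacts; treat the risks deemed unacceptable; keep the controls under ongoing review) are what a risk register and a Risk Treatment Plan record. The Python below is an added illustration written for this page; it is not code from the slides and not an ISO/IEC artefact. The 1-to-5 likelihood and impact scales, the likelihood-times-impact method, the acceptance threshold of 8, the treatment categories and every row of the sample register are constructed assumptions, since ISO/IEC 27001 itself prescribes no particular scoring method.

```python
"""Added example (not from the original slides): a minimal risk register with a
risk acceptance criterion and a consistency check on the treatment decisions.
All scales, thresholds, control names and register rows are constructed
assumptions; ISO/IEC 27001 does not prescribe any particular scoring method."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    ACCEPT = "accept"  # retain the risk (needs documented approval if above criterion)
    MODIFY = "modify"  # apply controls to reduce likelihood and/or impact
    AVOID = "avoid"    # stop the activity that gives rise to the risk
    SHARE = "share"    # transfer part of the risk, e.g. to an insurer or supplier


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # assumed ordinal scale 1 (rare) .. 5 (almost certain)
    impact: int                # assumed ordinal scale 1 (negligible) .. 5 (severe)
    treatment: Optional[Treatment] = None
    controls: List[str] = field(default_factory=list)  # e.g. Annex A references

    @property
    def level(self) -> int:
        """Risk level as likelihood x impact (assumed method, range 1..25)."""
        return self.likelihood * self.impact


# Assumed risk acceptance criterion: anything above this level is unacceptable
# and must receive a treatment decision in the Risk Treatment Plan.
ACCEPTANCE_THRESHOLD = 8


def is_acceptable(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    return risk.level <= threshold


def check_treatment_plan(register: List[Risk],
                         threshold: int = ACCEPTANCE_THRESHOLD) -> List[str]:
    """Return the findings an internal auditor would raise about the register.

    Rules applied (assumed, in the spirit of the three requirements):
      * every unacceptable risk must carry a treatment decision;
      * MODIFY must name at least one control, otherwise nothing changes;
      * ACCEPT above the criterion is flagged for documented management approval.
    """
    findings: List[str] = []
    for r in register:
        if is_acceptable(r, threshold):
            continue
        tag = f"{r.asset} / {r.threat} (level {r.level})"
        if r.treatment is None:
            findings.append(f"{tag}: exceeds criterion {threshold} but has no treatment decision")
        elif r.treatment is Treatment.MODIFY and not r.controls:
            findings.append(f"{tag}: MODIFY selected but no control assigned")
        elif r.treatment is Treatment.ACCEPT:
            findings.append(f"{tag}: accepted above criterion; needs documented management approval")
    return findings


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("HR file share", "unauthorised access", "no periodic access review", 4, 4,
         Treatment.MODIFY, ["A.9 access control review"]),
    Risk("Paper contracts", "theft", "unlocked filing cabinet", 3, 3),
    Risk("Staff laptops", "loss in transit", "disk not encrypted", 4, 3, Treatment.MODIFY),
    Risk("Public brochure website", "defacement", "no integrity monitoring", 2, 2),
]

if __name__ == "__main__":
    for line in check_treatment_plan(SAMPLE_REGISTER):
        print(line)
```

Run as a script it prints two findings for the sample register: the paper contracts risk has no treatment decision, and the laptop risk selects MODIFY without naming a control. The acceptable website risk and the properly treated file-share risk produce nothing, which is the point of an acceptance criterion: review effort goes to the risks the organization has said it will not live with.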

● What controls will be tested as part of certification to ISO/IEC 27001 is dependent on the certification auditor.
● This can include any controls that the organisation has deemed to be within the scope of the ISMS, and this testing can be to any depth or extent as assessed by the auditor as needed to test that the control has been implemented and is operating effectively.
● Management determines the scope of the ISMS for certification purposes and may limit it to, say, a single business unit or location.
● The ISO/IEC 27001 certificate does not necessarily mean the remainder of the organization, outside the scoped area, has an adequate approach to information security management.
● Other standards in the ISO/IEC 27000 family of standards provide additional guidance on certain aspects of designing, implementing and operating an ISMS, for example on information security risk management (ISO/IEC 27005).

The PDCA Cycle

● The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) cycle, aligning it with quality standards such as ISO 9000. ISO/IEC 27001:2005 applied this to all the processes in the ISMS.

● Plan (establishing the ISMS)
○ Establish the policy, the ISMS objectives, processes and procedures related to risk management and the improvement of information security to provide results in line with the global policies and objectives of the organization.

● Do (implementing and operating the ISMS)
○ Implement and operate the ISMS policy, controls, processes and procedures.

● Check (monitoring and review of the ISMS)
○ Assess and, if applicable, measure the performance of the processes against the policy, objectives and practical experience, and report results to management for review.

● Act (update and improvement of the ISMS)
○ Undertake corrective and preventive actions, on the basis of the results of the ISMS internal audit and management review, or other relevant information, to continually improve the system.

● All references to PDCA were removed in ISO/IEC 27001:2013. Its use in the context of ISO/IEC 27001 is no longer mandatory.

History of ISO/IEC 27001

● BS 7799 was a standard originally published by BSI Group[4] in 1995.
● It was written by the United Kingdom Government's Department of Trade and Industry (DTI), and consisted of several parts.
● The first part, containing the best practices for information security management, was revised in 1998; after a lengthy discussion in the worldwide standards bodies, it was eventually adopted by ISO as ISO/IEC 17799, "Information Technology - Code of practice for information security management", in 2000. ISO/IEC 17799 was then revised in June 2005 and finally incorporated in the ISO 27000 series of standards as ISO/IEC 27002 in July 2007.
● The second part of BS 7799 was first published by BSI in 1999, known as BS 7799 Part 2, titled "Information Security Management Systems - Specification with guidance for use". BS 7799-2 focused on how to implement an information security management system (ISMS), referring to the information security management structure and controls identified in BS 7799-2. This later became ISO/IEC 27001:2005. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.
● BS 7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001:2005.
● Very little reference or use is made of any of the BS standards in connection with ISO/IEC 27001.

Certification

● An ISMS may be certified compliant with ISO/IEC 27001 by a number of Accredited Registrars worldwide.
● Certification against any of the recognized national variants of ISO/IEC 27001 (e.g. JIS Q 27001, the Japanese version) by an accredited certification body is functionally equivalent to certification against ISO/IEC 27001 itself.
● In some countries, the bodies that verify conformity of management systems to specified standards are called "certification bodies", while in others they are commonly referred to as "registration bodies", "assessment and registration bodies", "certification/registration bodies", and sometimes "registrars".
● The ISO/IEC 27001 certification,[5] like other ISO management system certifications, usually involves a three-stage external audit process defined by the ISO/IEC 17021[6] and ISO/IEC 27006[7] standards:
○ Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as the organization's information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP). This stage serves to familiarize the auditors with the organization and vice versa.
○ Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS). Certification audits are usually conducted by ISO/IEC 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.
○ Ongoing: follow-up reviews or audits confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended. These should happen at least annually but (by agreement with management) are often conducted more frequently, particularly while the ISMS is still maturing.

ISO/IEC 27001:2005 Domains

● Note that the 2005 version of ISO/IEC 27001 is obsolete and no longer in use.
● A.5 Security Policy
● A.6 Organisation of Information Security
● A.7 Asset Management
● A.8 Human Resources
● A.9 Physical and environmental security
● A.10 Communications and operations management
● A.11 Access Control
● A.12 Information systems acquisition, development and maintenance
● A.13 Information security incident management
● A.14 Business continuity management
● A.15 Compliance

Structure of the standard

● The official title of the standard is "Information technology — Security techniques — Information security management systems — Requirements".
● ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:
○ 1. Scope of the standard
○ 2. How the document is referenced
○ 3. Reuse of the terms and definitions in ISO/IEC 27000
○ 4. Organizational context and stakeholders
○ 5. Information security leadership and high-level support for policy
○ 6. Planning an information security management system; risk assessment; risk treatment
○ 7. Supporting an information security management system
○ 8. Making an information security management system operational
○ 9. Reviewing the system's performance
○ 10. Corrective action
○ Annex A: List of controls and their objectives
How to implement an ISMS

● Implementing an ISO 27001-compliant ISMS will include the following key elements:
○ Scope the project
○ Get board commitment and secure budget
○ Identify interested parties, and legal, regulatory and contractual requirements
○ Conduct a risk assessment
○ Review and implement the required controls
○ Develop internal competence
○ Develop management system documentation
○ Conduct staff awareness training
○ Measure, monitor, review and audit the ISMS

ISO 27001 clauses and controls

● Part of the ISO 27000 family of standards, ISO 27001 consists of 114 controls (from Annex A) and 10 management system clauses that together support the implementation and maintenance of an ISMS.
● While ISO 27001 offers the specification, the Standard is supported by its code of practice for information security management, ISO/IEC 27002:2013.
● ISO/IEC 27001:2013 controls
■ A.5 Information security policies
■ A.6 Organisation of information security
■ A.7 Human resources security
■ A.8 Asset management
■ A.9 Access control
■ A.10 Cryptography
■ A.11 Physical and environmental security
■ A.12 Operational security
■ A.13 Communications security
■ A.14 System acquisition, development and maintenance
■ A.15 Supplier relationships
■ A.16 Information security incident management
■ A.17 Information security aspects of business continuity management
■ A.18 Compliance
